Quarterly research

Identity incidents — Q3 2026.

Quarterly analysis of publicly-disclosed identity-vector breaches. Patterns, blast-radius data, and the 3 lessons most programs should action this quarter.

Full incident pattern datasetResearch RSS

Three lessons

What every program should action this quarter.

Lesson 01
Helpdesk + MFA reset flow
Replace knowledge-based caller verification with a registered-device or video-verification factor for privileged accounts.
Lesson 02
Refresh-token rotation hours
Rotate within 1-2 hours for any scope that crosses tenant or partner boundaries.
Lesson 03
Federation-trust quarterly review
Audit + retire federation trusts whose anchor relationships ended 90+ days ago.

Catalog

Incidents we tracked this quarter.

Incident · 012026-03-04
Mid-tier US health system (HIPAA-covered)
Vector
Helpdesk social engineering → MFA reset → privileged account takeover
Scope
~2.1M patient records; 11-day dwell time
Lesson
Helpdesk MFA-reset flows that depend on knowledge-based caller verification are the most-exploited weak point in healthcare programs.
Incident · 022026-03-19
Series-D B2B SaaS
Vector
OAuth consent phishing of staff using a clone of an internal tool
Scope
Mailbox + Drive scope on 14 accounts; data exfiltration detected at day 6
Lesson
Cloud-app governance still under-instrumented. Most programs catch OAuth phish only after a third party reports the impact.
Incident · 032026-04-02
US municipal government (10K employees)
Vector
Legacy AD service account credential abuse
Scope
Domain controller compromise; 4-day operational outage; ~$8M recovery cost
Lesson
Service accounts older than 5 years almost universally lack rotation and continue to authenticate via NTLM.
Incident · 042026-04-15
European retail (DORA-scoped)
Vector
Stored OAuth refresh token theft from compromised developer endpoint
Scope
Partner-API tokens stolen; downstream impact on 3 supply-chain partners
Lesson
Refresh-token rotation policies should be measured in hours, not days, especially when scoped beyond the issuing tenant.
Incident · 052026-04-29
US financial services (NYDFS-regulated)
Vector
SIM swap on a privileged user with SMS-fallback MFA
Scope
Wire-fraud attempt detected within 12 hours; ~$0 loss; reportable event
Lesson
SMS-fallback MFA on privileged accounts is now a finding-by-default at NYDFS examinations.
Incident · 062026-05-08
Higher-education research institution
Vector
Compromised contractor account with stale federation trust
Scope
Research data unauthorized access; ~3K student records
Lesson
Federation trusts with departing partners frequently outlive the contract by months. Quarterly federation-trust review is the cheapest control gain.
Incident · 072026-05-21
Mid-tier energy utility
Vector
Stolen privileged session via session-hijack on contractor laptop
Scope
OT network reconnaissance; no operational impact reported
Lesson
PAM that records but does not actively bind sessions to device posture is increasingly tested by intrusion sets.

Quarterly research

Identity incidents — Q3 2026.

Quarterly analysis of publicly-disclosed identity-vector breaches. Patterns, blast-radius data, and the 3 lessons most programs should action this quarter.

Full incident pattern datasetResearch RSS

Three lessons

What every program should action this quarter.

Lesson 01
Helpdesk + MFA reset flow
Replace knowledge-based caller verification with a registered-device or video-verification factor for privileged accounts.
Lesson 02
Refresh-token rotation hours
Rotate within 1-2 hours for any scope that crosses tenant or partner boundaries.
Lesson 03
Federation-trust quarterly review
Audit + retire federation trusts whose anchor relationships ended 90+ days ago.

Catalog

Incidents we tracked this quarter.

Incident · 012026-03-04
Mid-tier US health system (HIPAA-covered)
Vector
Helpdesk social engineering → MFA reset → privileged account takeover
Scope
~2.1M patient records; 11-day dwell time
Lesson
Helpdesk MFA-reset flows that depend on knowledge-based caller verification are the most-exploited weak point in healthcare programs.
Incident · 022026-03-19
Series-D B2B SaaS
Vector
OAuth consent phishing of staff using a clone of an internal tool
Scope
Mailbox + Drive scope on 14 accounts; data exfiltration detected at day 6
Lesson
Cloud-app governance still under-instrumented. Most programs catch OAuth phish only after a third party reports the impact.
Incident · 032026-04-02
US municipal government (10K employees)
Vector
Legacy AD service account credential abuse
Scope
Domain controller compromise; 4-day operational outage; ~$8M recovery cost
Lesson
Service accounts older than 5 years almost universally lack rotation and continue to authenticate via NTLM.
Incident · 042026-04-15
European retail (DORA-scoped)
Vector
Stored OAuth refresh token theft from compromised developer endpoint
Scope
Partner-API tokens stolen; downstream impact on 3 supply-chain partners
Lesson
Refresh-token rotation policies should be measured in hours, not days, especially when scoped beyond the issuing tenant.
Incident · 052026-04-29
US financial services (NYDFS-regulated)
Vector
SIM swap on a privileged user with SMS-fallback MFA
Scope
Wire-fraud attempt detected within 12 hours; ~$0 loss; reportable event
Lesson
SMS-fallback MFA on privileged accounts is now a finding-by-default at NYDFS examinations.
Incident · 062026-05-08
Higher-education research institution
Vector
Compromised contractor account with stale federation trust
Scope
Research data unauthorized access; ~3K student records
Lesson
Federation trusts with departing partners frequently outlive the contract by months. Quarterly federation-trust review is the cheapest control gain.
Incident · 072026-05-21
Mid-tier energy utility
Vector
Stolen privileged session via session-hijack on contractor laptop
Scope
OT network reconnaissance; no operational impact reported
Lesson
PAM that records but does not actively bind sessions to device posture is increasingly tested by intrusion sets.

Identity incidents — Q3 2026.

What every program should action this quarter.

Helpdesk + MFA reset flow

Refresh-token rotation hours

Federation-trust quarterly review

Incidents we tracked this quarter.

Mid-tier US health system (HIPAA-covered)

Series-D B2B SaaS

US municipal government (10K employees)

European retail (DORA-scoped)

US financial services (NYDFS-regulated)

Higher-education research institution

Mid-tier energy utility

Identity incidents — Q3 2026.

What every program should action this quarter.

Helpdesk + MFA reset flow

Refresh-token rotation hours

Federation-trust quarterly review

Incidents we tracked this quarter.

Mid-tier US health system (HIPAA-covered)

Series-D B2B SaaS

US municipal government (10K employees)

European retail (DORA-scoped)

US financial services (NYDFS-regulated)

Higher-education research institution

Mid-tier energy utility