Publicly disclosed breaches where identity was the attack vector.
Each entry cites a primary disclosure: 8-K, breach notification, CISA advisory, or authoritative reporting. Practitioner lessons are short and concrete; no speculation on attribution.
Tracked: 8 incidents. Newest disclosure: Jun 2, 2024.
- Cross-industry | Disclosed Jun 2, 2024 | Occurred Apr–Jun 2024
Snowflake customer credential reuse breach (UNC5537, 2024)
Multiple Snowflake customers (Ticketmaster / Live Nation, AT&T, Santander, Neiman Marcus, LendingTree, Advance Auto Parts, Bausch Health, and others)
UNC5537 (tracked by Mandiant) used credentials harvested by infostealer malware, some dating back to November 2020, to access approximately 165 Snowflake customer environments. Mandiant found that 79.7% of the accounts the actor used had credentials previously exposed in infostealer campaigns. The Snowflake platform itself was not compromised: every affected tenant had at least one user with a valid password, no MFA enabled, and no network allowlist restricting where that password could be used from.
- Identity vector: Stolen / reused credentials
- Records affected: Approximately 165 Snowflake customer environments; downstream disclosures included Ticketmaster (560M records claimed by the seller), AT&T (call and text metadata for nearly all of its ~109M wireless accounts), Santander, and many others
- Estimated cost: No consolidated figure. AT&T reportedly paid ~$370K for deletion of its stolen data (Wired); each affected customer disclosed its own impact separately.
- Regulatory action: Multiple SEC investigations; class actions in US and Canada; Senate inquiry
Practitioner lesson
Tenant-level mandatory MFA, enforced by policy rather than left as a per-user toggle, would have removed this entire incident class. Snowflake subsequently changed its defaults to require MFA for password-based logins.
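As an added example (not Snowflake's or Mandiant's code), the check below finds the account shape this campaign depended on: successful password-only logins with no second factor, especially from a client type the tenant does not expect. It models a handful of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns on constructed sample rows; the column names are real, while the row values and the expected-client allowlist are assumptions to adapt per tenant.

```python
from datetime import datetime

# Constructed sample rows (a subset of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns;
# the column names are real, the values are invented).
LOGIN_HISTORY = [
    # service account: valid password, no second factor, expected driver client
    {"EVENT_TIMESTAMP": "2024-04-14 03:12:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.7", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    # analyst with MFA: password plus Duo push
    {"EVENT_TIMESTAMP": "2024-04-14 09:01:00", "USER_NAME": "ALICE",
     "CLIENT_IP": "198.51.100.20", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH",
     "IS_SUCCESS": "YES"},
    # SSO user: federated login, no Snowflake password involved
    {"EVENT_TIMESTAMP": "2024-04-14 09:05:00", "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.21", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "SAML2", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    # failed password attempt against a user with no MFA: not access, not counted
    {"EVENT_TIMESTAMP": "2024-04-15 22:40:00", "USER_NAME": "CAROL",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "NO"},
    # ...then a success from a third-party tool at the same IP: the UNC5537 shape
    {"EVENT_TIMESTAMP": "2024-04-15 22:41:00", "USER_NAME": "CAROL",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    # old login outside the review window: ignored by the report
    {"EVENT_TIMESTAMP": "2023-11-02 11:00:00", "USER_NAME": "CAROL",
     "CLIENT_IP": "198.51.100.30", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
]

# Assumption: client types this tenant expects to see using password auth (drivers used by
# pipelines that cannot do SSO). Anything else presenting a bare password is suspicious.
EXPECTED_PASSWORD_CLIENTS = {"JDBC_DRIVER", "ODBC_DRIVER", "PYTHON_DRIVER"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def password_only_successes(rows, since, until):
    """Successful logins in [since, until] where a password was the only factor."""
    lo, hi = _ts(since), _ts(until)
    return [r for r in rows
            if lo <= _ts(r["EVENT_TIMESTAMP"]) <= hi
            and r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def mfa_gap_report(rows, since, until, expected_clients=EXPECTED_PASSWORD_CLIENTS):
    """Per user: password-only login count, source IPs, and whether any such login
    came from a client type outside the expected set."""
    report = {}
    for r in password_only_successes(rows, since, until):
        e = report.setdefault(r["USER_NAME"],
                              {"logins": 0, "ips": set(), "unexpected_client": False})
        e["logins"] += 1
        e["ips"].add(r["CLIENT_IP"])
        if r["REPORTED_CLIENT_TYPE"] not in expected_clients:
            e["unexpected_client"] = True
    return report


def users_to_lock_first(report):
    """Triage order: users already being used password-only from an unexpected client."""
    return sorted(u for u, e in report.items() if e["unexpected_client"])


if __name__ == "__main__":
    rpt = mfa_gap_report(LOGIN_HISTORY, "2024-04-01 00:00:00", "2024-04-30 23:59:59")
    for user, e in sorted(rpt.items()):
        flag = "UNEXPECTED CLIENT" if e["unexpected_client"] else ""
        print(f"{user}: {e['logins']} password-only login(s) from {sorted(e['ips'])} {flag}")
    print("lock/enrol first:", users_to_lock_first(rpt))
```

In a real tenant, pull the last 30 days of LOGIN_HISTORY, run it through mfa_gap_report, lock or enrol the flagged users first, and only then switch on an account-level authentication policy that requires MFA; the service account in the sample is not flagged by the client check but is still a password-only identity that belongs on key-pair authentication.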
- Healthcare | Disclosed Feb 21, 2024 | Occurred Feb 2024
Change Healthcare ransomware via stolen Citrix credentials (2024)
Change Healthcare (UnitedHealth Group subsidiary)
BlackCat / ALPHV affiliates gained initial access on Feb 12, 2024 through stolen credentials for a Citrix remote-access portal on an account that did not have MFA enabled, and deployed ransomware on Feb 21. The intrusion disrupted claims processing, eligibility checks and pharmacy transactions across much of the US for weeks.
- Identity vector: Stolen / reused credentials
- Records affected: ~190 million Americans (UnitedHealth disclosure, Jan 2025), the largest medical-data breach in US history. The Oct 2024 OCR filing listed 100M; the figure was revised upward as notifications went out.
- Estimated cost: ~$2.45B in direct response costs for 2024 (UnitedHealth 2024 SEC filings)
- Regulatory action: HHS-OCR investigation; multiple class actions; Congressional testimony from UnitedHealth CEO Andrew Witty (May 2024)
Practitioner lesson
A single-factor remote-access portal in front of PHI-adjacent infrastructure is the textbook no-MFA failure mode. Phishing-resistant MFA on every remote-access surface should be treated as non-negotiable for HIPAA-regulated entities; the HHS Security Rule NPRM of January 2025 proposes making MFA mandatory outright.
- Technology | Disclosed Oct 20, 2023 | Occurred Sep 28 – Oct 17, 2023
Okta support-system breach via stolen service account credentials (2023)
Okta (and downstream customers including 1Password, Cloudflare, BeyondTrust)
The attacker accessed Okta's customer support system using a service account whose credentials had been saved in an Okta employee's personal Google account; the employee had signed in to that personal Google profile in Chrome on an Okta-managed laptop. The access enabled harvesting of HAR files that customers had uploaded to open support cases. The session cookies and tokens inside those files were then used to hijack legitimate Okta sessions at five downstream customers (BeyondTrust, Cloudflare and 1Password disclosed publicly).
- Identity vector: Service account / non-human identity
- Records affected: 134 Okta customers (<1% of customer base) had support-case files accessed; 5 confirmed session hijacks via tokens from uploaded HAR files. On Nov 29, 2023 Okta added that the actor had also downloaded a report containing the names and email addresses of all customer support system users.
- Estimated cost: Okta stock dropped ~11% on disclosure; downstream customers absorbed credential-rotation and session-revocation cost
- Regulatory action: No public regulatory action; multiple class actions
Practitioner lesson
Service-account credentials saved in personal browser profiles are a recurring leak channel. Treat the support system as a privileged surface: full PAM coverage, no personal-profile sign-in on managed browsers, phishing-resistant MFA, and HAR files stripped of session material before they are ever uploaded.
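Because the hijacks ran on session cookies and tokens copied out of uploaded HAR files, the practical control on the customer side is to sanitize a HAR before it leaves the engineer's machine. The sanitizer below is an added example, not Okta's, Cloudflare's or 1Password's tooling. It redacts Authorization and Cookie headers, every cookie value, token-like query and JSON-body fields, drops non-JSON bodies, and then re-checks the result for anything JWT-shaped before upload. The header and parameter name lists are assumptions to extend per application, and the sample HAR, including its JWT-shaped token, is constructed.

```python
import copy
import json
import re

# Assumptions: header and parameter names that carry session or credential material. Extend per app.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code",
                    "session", "sid", "sessionid", "sessiontoken"}
REDACTED = "[REDACTED]"
JWT_RE = re.compile(r"eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")
QUERY_RE = re.compile(r"([?&](?:%s)=)[^&#]*" % "|".join(sorted(SENSITIVE_PARAMS)), re.I)


def _scrub_named(items, names):
    """Redact name/value records (headers, queryString, postData.params) whose name is sensitive."""
    for item in items:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED


def _scrub_cookies(cookies):
    """Every cookie value goes: a HAR gives no way to tell a session cookie from a preference."""
    for c in cookies:
        if "value" in c:
            c["value"] = REDACTED


def _scrub_json(obj):
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_PARAMS else _scrub_json(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub_json(v) for v in obj]
    return obj


def _scrub_body(content):
    """JSON bodies keep their shape with token fields redacted; any other body is dropped outright."""
    if not content or not content.get("text"):
        return
    if "json" in content.get("mimeType", ""):
        try:
            content["text"] = json.dumps(_scrub_json(json.loads(content["text"])))
            return
        except ValueError:
            pass
    content["text"] = REDACTED


def sanitize_har(har):
    """Return a redacted deep copy; the caller's HAR is not modified."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = QUERY_RE.sub(r"\1" + REDACTED, req["url"])
        _scrub_named(req.get("headers", []), SENSITIVE_HEADERS)
        _scrub_named(resp.get("headers", []), SENSITIVE_HEADERS)
        _scrub_named(req.get("queryString", []), SENSITIVE_PARAMS)
        _scrub_cookies(req.get("cookies", []))
        _scrub_cookies(resp.get("cookies", []))
        if "postData" in req:
            _scrub_named(req["postData"].get("params", []), SENSITIVE_PARAMS)
            _scrub_body(req["postData"])
        _scrub_body(resp.get("content"))
    return har


def find_leaks(har):
    """Pre-upload check: sensitive headers or cookies still carrying values, or any JWT-shaped string."""
    leaks = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            for h in entry[side].get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    leaks.append(f"entry {i} {side} header {h['name']}")
            for c in entry[side].get("cookies", []):
                if c.get("value") not in (None, REDACTED):
                    leaks.append(f"entry {i} {side} cookie {c.get('name')}")
    if JWT_RE.search(json.dumps(har)):
        leaks.append("JWT-shaped string still present")
    return leaks


# Constructed sample: a token-endpoint exchange as a browser would record it. The JWT is fake.
FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBleGFtcGxlLmNvbSJ9.c2lnbmF0dXJlLXNpZ25hdHVyZS1zaWc"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://idp.example/oauth2/token?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz",
        "headers": [{"name": "Authorization", "value": "Bearer " + FAKE_JWT},
                    {"name": "Cookie", "value": "sid=abc123; theme=dark"}],
        "cookies": [{"name": "sid", "value": "abc123"}, {"name": "theme", "value": "dark"}],
        "queryString": [{"name": "code", "value": "SplxlOBeZQQYbYS6WxSbIA"},
                        {"name": "state", "value": "xyz"}],
        "postData": {"mimeType": "application/json",
                     "text": json.dumps({"grant_type": "refresh_token", "refresh_token": "rt-9f8e"})},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"access_token": FAKE_JWT, "expires_in": 3600})},
    },
}]}}
```

The design choice that matters is the last function: a support workflow should refuse the upload while find_leaks returns anything, rather than trusting that the redaction lists were complete for this application.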
- Hospitality | Disclosed Sep 11, 2023 | Occurred Sep 2023
MGM Resorts vishing-driven IT-helpdesk compromise (Scattered Spider, 2023)
MGM Resorts International
Scattered Spider members researched MGM employees on LinkedIn, then voice-phished MGM's IT help desk while impersonating one of them. The help desk reset that employee's credentials; the group, operating as an ALPHV/BlackCat affiliate, escalated the access into a ransomware deployment that disrupted hotel and casino operations across MGM properties for about 10 days.
- Identity vector: Phishing / social engineering (voice phishing of the IT help desk)
- Records affected: MGM's Oct 2023 8-K describes personal data (name, contact details, gender, date of birth and driver's license numbers, plus SSNs or passport numbers for a smaller set) of customers who transacted with MGM before March 2019, without giving a record count; the 10.6M figure often attached to MGM belongs to its earlier 2019 guest-data leak. Plus multi-day operational disruption across properties.
- Estimated cost: ~$100M negative impact on Q3 2023 Adjusted Property EBITDAR plus under $10M in one-time costs (MGM Oct 2023 8-K)
- Regulatory action: SEC investigation; multiple class actions
Practitioner lesson
The IT help desk is the most common reset-driven MFA-bypass surface. Out-of-band verification (callback to a number of record, manager confirmation, or a video or in-person check) on every help-desk credential or MFA reset is now table stakes for any organization above mid-market.
- Technology | Disclosed Jan 19, 2024 | Occurred late Nov 2023 – Jan 12, 2024
Midnight Blizzard — Microsoft corporate email via legacy OAuth app (2024)
Microsoft (corporate environment); downstream impact on US federal agencies
Russian state actor Midnight Blizzard (APT29) password-sprayed a legacy non-production test tenant account that had no MFA enabled, then used that account's access to a legacy test OAuth application holding elevated access to Microsoft's corporate environment. From there it created further OAuth applications, granted them the Exchange Online full_access_as_app role, and read corporate mailboxes, including those of senior leadership and security staff.
- Identity vector: OAuth / API key theft (more precisely, password spray against an MFA-less account followed by OAuth application abuse)
- Records affected: Senior-exec and security-team mailbox content; correspondence between Microsoft and US federal agencies, later disclosed by CISA
- Regulatory action: CISA Emergency Directive 24-02 (April 2, 2024)
Practitioner lesson
Legacy OAuth applications carry standing privilege that nobody re-attests. Audit the OAuth grant graph (which apps hold which application permissions, who owns them, which tenant they live in, when they last signed in) as deliberately as the human-identity graph. Non-production and test tenants are a recurring soft underbelly and need the same MFA and conditional-access baseline as production.
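An added example of auditing the OAuth grant graph (not Microsoft's code and not an Entra API call): it walks a constructed inventory of service principals with their application permissions, owners, home tenant and last sign-in, and reports the combination that describes the app abused here: a high-privilege role such as the Exchange Online full_access_as_app permission Microsoft named, no owner, a non-production tenant, and no recent use. The inventory shape, the privilege list, the tenant name and the 90-day and 14-day thresholds are assumptions; in Entra the same data is assembled from service principals, their app role assignments, owners and sign-in logs.

```python
from datetime import date

# Application permissions that give an app tenant-wide reach into mail or the directory.
# full_access_as_app is the Exchange Online role Microsoft reported the actor granting itself;
# the others are standard Microsoft Graph application permissions. Extend per tenant.
HIGH_PRIV_ROLES = {
    "full_access_as_app",
    "Mail.Read", "Mail.ReadWrite",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}
PROD_TENANT = "corp"        # assumption: name of the production tenant
STALE_DAYS = 90             # assumption: an unused grant older than this is standing privilege
NEW_APP_DAYS = 14           # assumption: recently created + high privilege deserves a consent check
REVIEW_DATE = date(2024, 1, 19)

# Constructed inventory (invented rows). In Entra this comes from service principals,
# their appRoleAssignments, owners and sign-in logs.
APPS = [
    {"app_id": "a1", "name": "Legacy test mail connector", "home_tenant": "test-tenant",
     "owners": [], "app_roles": ["full_access_as_app"],
     "created": date(2019, 3, 11), "last_sign_in": date(2023, 8, 2)},
    {"app_id": "a2", "name": "HR sync", "home_tenant": "corp",
     "owners": ["hr-platform@corp.example"], "app_roles": ["User.Read.All"],
     "created": date(2021, 6, 1), "last_sign_in": date(2024, 1, 18)},
    {"app_id": "a3", "name": "SecOps mailbox scanner", "home_tenant": "corp",
     "owners": ["secops@corp.example"], "app_roles": ["Mail.Read"],
     "created": date(2022, 2, 9), "last_sign_in": date(2024, 1, 19)},
    {"app_id": "a4", "name": "Untitled app", "home_tenant": "corp",
     "owners": [], "app_roles": ["Mail.ReadWrite", "Directory.ReadWrite.All"],
     "created": date(2024, 1, 10), "last_sign_in": date(2024, 1, 12)},
]


def audit_app(app, today):
    """Findings for one app; an empty list means nothing to re-attest."""
    findings = []
    privs = sorted(set(app["app_roles"]) & HIGH_PRIV_ROLES)
    if privs:
        findings.append("high-privilege app roles: " + ", ".join(privs))
    if not app["owners"]:
        findings.append("no owner to re-attest the grant")
    if app["home_tenant"] != PROD_TENANT:
        findings.append(f"registered in non-production tenant {app['home_tenant']}")
    if (today - app["last_sign_in"]).days > STALE_DAYS:
        findings.append(f"no sign-in for more than {STALE_DAYS} days")
    if privs and (today - app["created"]).days <= NEW_APP_DAYS:
        findings.append("created recently with high privilege: verify who consented")
    return findings


def audit_grants(apps, today):
    """{app_id: findings} for every app with at least one finding, worst first."""
    scored = {a["app_id"]: audit_app(a, today) for a in apps}
    return {k: v for k, v in sorted(scored.items(), key=lambda kv: -len(kv[1])) if v}


def revoke_candidates(apps, today):
    """Grants to remove rather than re-attest: high privilege combined with no owner or no recent use."""
    out = []
    for app in apps:
        f = audit_app(app, today)
        high = any(x.startswith("high-privilege") for x in f)
        orphaned = any(x.startswith("no owner") or x.startswith("no sign-in") for x in f)
        if high and orphaned:
            out.append(app["app_id"])
    return sorted(out)


if __name__ == "__main__":
    for app_id, findings in audit_grants(APPS, REVIEW_DATE).items():
        print(app_id, "->", "; ".join(findings))
    print("revoke:", revoke_candidates(APPS, REVIEW_DATE))
```

The two outputs are deliberately different: audit_grants is the re-attestation queue for owners, while revoke_candidates is the list where there is nobody to ask or the grant is unused, so removal is the default and re-creation is the exception that needs a new consent.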
- Healthcare | Disclosed Oct 6, 2023 | Occurred May 1 – Oct 1, 2023
23andMe credential stuffing — DNA Relatives genealogy leak (2023)
23andMe
A threat actor used credential stuffing against 23andMe accounts (no MFA enforcement; passwords reused from other breaches), compromising roughly 14,000 accounts. Those accounts were then used to scrape the DNA Relatives and Family Tree features, exposing data on millions of related users whose own credentials were never compromised. Curated datasets of users with Ashkenazi Jewish and Chinese ancestry were offered for sale on criminal forums.
- Identity vector: Credential stuffing
- Records affected: ~6.9M total: ~14,000 accounts directly compromised by credential stuffing; ~5.5M DNA Relatives profiles and ~1.4M Family Tree profiles scraped through them (23andMe disclosure, Dec 2023)
- Estimated cost: Up to $62M data-breach settlement (revised during Chapter 11; final approval Jan 20, 2026); the initial $30M settlement was revised upward during bankruptcy proceedings. Up to $1,500 per claimant with documented expenses. Company assets sold to TTAM Research Institute (a California nonprofit led by Anne Wojcicki) for $305M.
- Regulatory action: UK ICO and Canadian OPC joint investigation, which ended with a £2.31M ICO fine (June 2025); US class-action settlement final-approved Jan 20, 2026. 23andMe filed Chapter 11 on Mar 23, 2025; plan confirmed Dec 5, 2025; remaining debtor entity renamed Chrome Holding Co.
Practitioner lesson
Mandatory MFA on consumer surfaces holding high-sensitivity data (genetic, financial, medical) is table stakes, not an optional preference. Relationship-graph features turn a few thousand compromised accounts into a population-scale leak, so their rate limits and scraping detection have to be designed on the assumption that some logged-in accounts are attacker-controlled.
- Technology | Disclosed Mar 22, 2022 | Occurred Jan 16–21, 2022 (25-minute control window on Jan 21)
LAPSUS$ — Okta third-party support engineer compromise (2022)
Sitel (Okta sub-processor); 2 Okta customer tenants confirmed impacted
LAPSUS$ compromised the workstation of a Sitel support engineer who held elevated support privileges into Okta customer tenants. Okta's initial disclosure said up to 366 customers (~2.5% of its base) might have been affected; the final forensic report concluded the actor controlled the workstation for 25 minutes on Jan 21 and accessed 2 customer tenants. The actor could not perform MFA or password resets, configuration changes, or customer-support impersonation. The incident remained controversial mainly because of the two-month gap between detection and customer disclosure.
- Identity vector: Supply chain (identity-provider sub-processor)
- Records affected: Initially feared up to 366 customers; final forensic conclusion confirmed only 2 customer tenants actually impacted
- Estimated cost: Okta stock declined ~11% on disclosure; downstream customer audit-log scrutiny and trust impact difficult to quantify
Practitioner lesson
Identity-provider supply chains are themselves a privileged surface. Sub-processor and support-vendor access should be vaulted, session-recorded and time-bound, not standing. Disclosure timing matters too: the two-month gap between detection and customer notification became the larger story.
- Telecom | Disclosed Jan 19, 2023 | Occurred Nov 25, 2022 – Jan 5, 2023 (~6 weeks)
T-Mobile unauthorized API access exposing ~37M accounts (2023)
T-Mobile US
An attacker abused a single API endpoint without authorization, retrieving data on ~37M postpaid and prepaid customer accounts over roughly six weeks. T-Mobile identified the activity on Jan 5, 2023 and shut it off within a day; it did not disclose how the API was being called. Exposed: name, billing address, email, phone number, date of birth, account number, and plan features. Not exposed: payment card data, SSNs, government IDs, passwords or PINs.
- Identity vector: OAuth / API key theft (T-Mobile did not disclose how the actor authenticated to the API)
- Records affected: ~37M postpaid and prepaid customer accounts (T-Mobile 8-K, Jan 19, 2023)
- Estimated cost: No figure disclosed for this incident; T-Mobile had settled the 2021 breach class actions for $350M, and new class actions were filed for this one
- Regulatory action: FCC investigation and CPNI rule scrutiny; in Sept 2024 the FCC announced a $31.5M settlement with T-Mobile covering its 2021, 2022 and 2023 breaches ($15.75M civil penalty plus $15.75M in mandated security investment)
Practitioner lesson
API credentials with broad scopes and no anomaly detection on call volume or record fan-out are the most under-managed identity surface. Scope each credential to the accounts it legitimately needs, alert when one credential touches far more distinct records than its baseline, and rotate on schedule.
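An added example (not T-Mobile's code) of the egress-side detection this lesson calls for, run over a constructed API access log: a sliding window per credential counts how many distinct account records it has touched and how sequential those IDs are, and a scope check flags credentials that are not bound to any account set at all. The log format, credential names, thresholds and binding table are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO8601 ts> <credential id> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (/v1/accounts/(\d+)\S*) (\d{3})$")

# Assumption: which account records each credential is bound to. None = unbounded (the gap).
KEY_BINDINGS = {
    "key-app-a1": {40001234, 40009999, 40005555},
    "key-int-9c": None,
}


def make_sample_log():
    """Constructed sample: one well-behaved app credential and one credential walking account numbers."""
    t0 = datetime(2022, 11, 25, 2, 0, 0)
    lines = []
    for i, acct in enumerate([40001234, 40001234, 40009999, 40001234, 40005555]):
        ts = (t0 + timedelta(minutes=12 * i)).isoformat() + "Z"
        lines.append(f"{ts} key-app-a1 GET /v1/accounts/{acct}/profile 200")
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat() + "Z"
        lines.append(f"{ts} key-int-9c GET /v1/accounts/{50000000 + i}/profile 200")
    return "\n".join(lines)


def parse_events(log_text):
    """Return (timestamp, credential, account_id) for lines matching the format, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), int(m.group(5))))
    events.sort(key=lambda e: e[0])
    return events


def detect_enumeration(log_text, window=timedelta(seconds=60), max_distinct=10):
    """Alert the first time a credential touches more than max_distinct distinct account
    records inside one sliding window. sequential_fraction (share of consecutive requests
    whose account id increments by exactly 1) separates an ID walk from a busy but
    legitimate client that happens to be noisy."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, key, acct in parse_events(log_text):
        w = windows[key]
        w.append((ts, acct))
        while ts - w[0][0] > window:
            w.popleft()
        distinct = {a for _, a in w}
        if len(distinct) > max_distinct and key not in alerts:
            ids = [a for _, a in w]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            alerts[key] = {
                "first_seen": ts,
                "requests_in_window": len(w),
                "distinct_accounts": len(distinct),
                "sequential_fraction": steps / max(1, len(ids) - 1),
            }
    return alerts


def scope_violations(log_text, bindings=KEY_BINDINGS):
    """Scope check: unbounded credentials, and bounded ones reading accounts outside their binding."""
    findings = defaultdict(set)
    for _, key, acct in parse_events(log_text):
        allowed = bindings.get(key)
        if allowed is None:
            findings[key].add("unbounded credential")
        elif acct not in allowed:
            findings[key].add(f"read account {acct} outside binding")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    log = make_sample_log()
    for key, a in detect_enumeration(log).items():
        print(f"{key}: {a['distinct_accounts']} accounts in {a['requests_in_window']} requests, "
              f"sequential={a['sequential_fraction']:.2f}, first at {a['first_seen']:%H:%M:%S}")
    print(scope_violations(log))
```

On the sample the enumerating credential trips the window at its eleventh request, ten seconds in, with a sequential fraction of 1.0; the app credential never exceeds three distinct accounts. The scope check is the cheaper control: a credential that cannot name the accounts it is allowed to read should not exist, and the detector is the backstop for the ones that slipped through.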
Cite this page
Reference these entries in your reporting. They are licensed under CC BY 4.0: free to cite, quote, and link to with attribution.
askmeidentity. (2026). The State of Identity, live (v2026.05). Retrieved 2026-06-04 from https://askmeidentity.com/resources/identity-incidents/
Most of these were preventable. Specifically.
Every incident above has a well-understood identity countermeasure that, if deployed, would have meaningfully reduced blast radius. We help regulated enterprises put those countermeasures in production.