{
  "$id": "https://askmeidentity.com/resources/identity-incidents/data.json",
  "name": "Identity Incident Tracker",
  "description": "Chronological tracker of publicly-disclosed breaches where identity was the initial vector — credential reuse, MFA bypass, OAuth abuse, privileged-supply-chain compromise. Each entry cites a primary disclosure. Subscribe via RSS for new entries.",
  "publisher": {
    "name": "askmeidentity",
    "url": "https://askmeidentity.com"
  },
  "license": "CC-BY-4.0",
  "licenseUrl": "https://creativecommons.org/licenses/by/4.0/",
  "version": "2026.05",
  "datePublished": "2026-05-01",
  "dateModified": "2024-06-02",
  "pageUrl": "https://askmeidentity.com/resources/identity-incidents/",
  "incidents": [
    {
      "id": "snowflake-customer-credential-reuse-2024",
      "slug": "snowflake-customer-credential-reuse-2024",
      "title": "Snowflake customer credential reuse breach (UNC5537, 2024)",
      "organization": "Multiple Snowflake customers (Ticketmaster / Live Nation, AT&T, Santander, Neiman Marcus, LendingTree, Advance Auto Parts, Bausch Health, and others)",
      "sector": {
        "key": "cross-industry",
        "label": "Cross-industry"
      },
      "disclosedAt": "2024-06-02",
      "occurredAt": "Apr–Jun 2024",
      "identityVector": {
        "key": "stolen-credentials",
        "label": "Stolen / reused credentials"
      },
      "vectorDescription": "UNC5537 (tracked by Mandiant) used credentials harvested by infostealer malware — some dating to November 2020 — to access at least 160 Snowflake customer environments. Mandiant found 79.7% of compromised accounts had credentials previously stolen via infostealer campaigns. The Snowflake platform itself was not compromised — every affected tenant had at least one user with valid credentials and no MFA enabled.",
      "recordsAffected": "At least 160 Snowflake customer environments compromised; downstream disclosures included Ticketmaster (560M records), AT&T (~109M), Santander, and many others",
      "estimatedCost": "AT&T reportedly paid ~$370K to attempt data deletion. Combined customer impact across SEC filings runs into the $B range.",
      "regulatoryAction": "Multiple SEC investigations; class actions in US and Canada; Senate inquiry",
      "source": {
        "name": "Mandiant — UNC5537 Targets Snowflake Customer Instances",
        "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
      },
      "secondarySources": [
        {
          "name": "Snowflake official statement",
          "url": "https://www.snowflake.com/en/blog/detecting-unc5537-targeted-instance-compromises/"
        },
        {
          "name": "CISA — Snowflake customer security recommendations",
          "url": "https://www.cisa.gov/news-events/alerts/2024/06/03/snowflake-customer-security-recommendations"
        },
        {
          "name": "Wikipedia — Snowflake data breach",
          "url": "https://en.wikipedia.org/wiki/Snowflake_data_breach"
        }
      ],
      "practitionerLessons": "Tenant-level mandatory MFA — not as an optional per-user toggle — would have eliminated the entire incident class. Snowflake responded by making MFA mandatory by default in subsequent product changes.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-snowflake-customer-credential-reuse-2024"
    },
    {
      "id": "change-healthcare-bcg-2024",
      "slug": "change-healthcare-blackcat-2024",
      "title": "Change Healthcare ransomware via stolen Citrix credentials (2024)",
      "organization": "Change Healthcare (UnitedHealth Group subsidiary)",
      "sector": {
        "key": "healthcare",
        "label": "Healthcare"
      },
      "disclosedAt": "2024-02-21",
      "occurredAt": "Feb 2024",
      "identityVector": {
        "key": "stolen-credentials",
        "label": "Stolen / reused credentials"
      },
      "vectorDescription": "BlackCat / ALPHV affiliates gained initial access through stolen Citrix portal credentials on an account that did not have MFA enabled. The intrusion led to a full ransomware deployment, halting US healthcare-claims processing for weeks.",
      "recordsAffected": "~190 million Americans (UnitedHealth final disclosure, Jan 2025) — the largest medical-data breach in US history. Oct 2024 OCR filing was 100M; revised upward as notifications were sent.",
      "estimatedCost": "~$2.45B in direct response costs (UnitedHealth FY24 10-Q)",
      "regulatoryAction": "HHS-OCR investigation; multiple class actions; Congressional testimony from UnitedHealth CEO",
      "source": {
        "name": "UnitedHealth Group 8-K (Feb 2024) + CEO Congressional testimony (May 2024)",
        "url": "https://www.unitedhealthgroup.com/newsroom/2024/2024-02-22-uhg-statement-change-healthcare.html"
      },
      "secondarySources": [
        {
          "name": "HHS Cybersecurity press briefing",
          "url": "https://www.hhs.gov/about/news/2024/03/05/hhs-cybersecurity-services-following-change-healthcare-incident.html"
        },
        {
          "name": "CISA — ALPHV BlackCat advisory",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"
        }
      ],
      "practitionerLessons": "Single-factor remote access portals on PHI-adjacent infrastructure are the textbook standing-privilege-and-no-MFA failure mode. Phishing-resistant MFA on all remote-access surfaces is non-negotiable for HIPAA-regulated entities.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-change-healthcare-blackcat-2024"
    },
    {
      "id": "okta-support-system-2023",
      "slug": "okta-support-system-2023",
      "title": "Okta support-system breach via stolen service account credentials (2023)",
      "organization": "Okta (and downstream customers including 1Password, Cloudflare, BeyondTrust)",
      "sector": {
        "key": "technology",
        "label": "Technology / SaaS"
      },
      "disclosedAt": "2023-10-20",
      "occurredAt": "Sep 28 – Oct 17, 2023",
      "identityVector": {
        "key": "service-account",
        "label": "Service account / non-human identity"
      },
      "vectorDescription": "Attacker accessed Okta customer support system using a service account whose credentials had been saved to an Okta employee's personal Google account. The compromise enabled HAR-file harvesting from open customer support cases, leaking session tokens the threat actor then used to hijack legitimate Okta sessions for 5 downstream customers (BeyondTrust and Cloudflare confirmed publicly).",
      "recordsAffected": "134 Okta customers (<1% of customer base) had files accessed; 5 confirmed session-hijacks via stolen HAR file tokens",
      "estimatedCost": "Okta stock dropped ~11% on disclosure; downstream customers absorbed credential-rotation cost",
      "regulatoryAction": "No public regulatory action; multiple class actions",
      "source": {
        "name": "Okta — Tracking Unauthorized Access to Our Support System",
        "url": "https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-our-support-system"
      },
      "secondarySources": [
        {
          "name": "Cloudflare disclosure",
          "url": "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/"
        },
        {
          "name": "BeyondTrust disclosure",
          "url": "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach"
        }
      ],
      "practitionerLessons": "Service-account credentials saved to personal browser profiles are a recurring leak channel. Treat support-system access as a privileged surface — full PAM coverage, no Google-account-saved passwords, mandatory phishing-resistant MFA.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-okta-support-system-2023"
    },
    {
      "id": "mgm-vishing-2023",
      "slug": "mgm-vishing-2023",
      "title": "MGM Resorts vishing-driven IT-helpdesk compromise (Scattered Spider, 2023)",
      "organization": "MGM Resorts International",
      "sector": {
        "key": "retail",
        "label": "Retail / commerce"
      },
      "disclosedAt": "2023-09-11",
      "occurredAt": "Sep 2023",
      "identityVector": {
        "key": "phishing",
        "label": "Phishing / social engineering"
      },
      "vectorDescription": "Scattered Spider members researched MGM employees on LinkedIn, then voice-phished MGM's IT help desk while impersonating an employee. The help desk reset login credentials, which were rapidly escalated by ALPHV/BlackCat affiliates into a ransomware deployment — taking down hotel and casino operations across MGM properties for ~10 days.",
      "recordsAffected": "~10.6M loyalty-program records (MGM 8-K) plus multi-day operational disruption across properties",
      "estimatedCost": "$110M total — $100M lost business + $10M one-time response cost (MGM Q3 2023 10-Q)",
      "regulatoryAction": "SEC investigation; multiple class actions",
      "source": {
        "name": "MGM Resorts International — 8-K filing",
        "url": "https://www.sec.gov/Archives/edgar/data/789570/000119312523236362/d531117d8k.htm"
      },
      "secondarySources": [
        {
          "name": "CISA — Scattered Spider advisory",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"
        }
      ],
      "practitionerLessons": "IT help desk is the most common reset-driven MFA-bypass surface. Out-of-band verification on every help-desk credential / MFA reset is now table-stakes for any organization above mid-market.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-mgm-vishing-2023"
    },
    {
      "id": "midnight-blizzard-microsoft-2024",
      "slug": "midnight-blizzard-microsoft-2024",
      "title": "Midnight Blizzard — Microsoft corporate email via legacy OAuth app (2024)",
      "organization": "Microsoft (corporate environment); downstream impact on US federal agencies",
      "sector": {
        "key": "technology",
        "label": "Technology / SaaS"
      },
      "disclosedAt": "2024-01-19",
      "occurredAt": "Nov 2023 – Jan 2024",
      "identityVector": {
        "key": "oauth-api-key",
        "label": "OAuth / API key theft"
      },
      "vectorDescription": "Russian state actor (Midnight Blizzard / APT29) used password spraying to gain access to a legacy non-production test tenant, then leveraged a legacy OAuth application with elevated access to read corporate email — including senior leadership and security staff.",
      "recordsAffected": "Senior-exec mailbox content; downstream US federal email exposure later disclosed by CISA",
      "regulatoryAction": "CISA Emergency Directive 24-02 issued April 2024",
      "source": {
        "name": "Microsoft Security Response Center — Midnight Blizzard",
        "url": "https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/"
      },
      "secondarySources": [
        {
          "name": "CISA Emergency Directive 24-02",
          "url": "https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system"
        }
      ],
      "practitionerLessons": "Legacy OAuth applications carry standing privilege that nobody re-attests. Audit the OAuth grant graph as deliberately as the human-identity graph. Non-production / test tenants are a recurring soft underbelly.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-midnight-blizzard-microsoft-2024"
    },
    {
      "id": "23andme-credential-stuffing-2023",
      "slug": "23andme-credential-stuffing-2023",
      "title": "23andMe credential stuffing — DNA Relatives genealogy leak (2023)",
      "organization": "23andMe",
      "sector": {
        "key": "healthcare",
        "label": "Healthcare"
      },
      "disclosedAt": "2023-10-06",
      "occurredAt": "May 1 – Oct 1, 2023",
      "identityVector": {
        "key": "credential-stuffing",
        "label": "Credential stuffing"
      },
      "vectorDescription": "Threat actor used credential-stuffing against 23andMe accounts (no MFA enforcement, password reuse against credentials leaked elsewhere). Compromised accounts then leveraged the DNA Relatives feature to scrape and expose data of millions of related users who themselves had no compromised credential. Specific datasets targeting Ashkenazi Jewish and Chinese genetic ancestry were sold on the dark web.",
      "recordsAffected": "~6.9M total (1.4M direct credential stuffing, 5.5M via DNA Relatives feature scraping)",
      "estimatedCost": "Up to $62M data-breach settlement (revised during Chapter 11; final approval Jan 20, 2026) — initial $30M settlement was revised upward during bankruptcy proceedings. Up to $1,500 per claimant with documented expenses. Company assets sold to TTAM Research Institute (a California nonprofit led by Anne Wojcicki) for $305M.",
      "regulatoryAction": "UK ICO + Canadian OPC joint investigation; US class-action settlement final-approved Jan 20, 2026. 23andMe filed Chapter 11 on Mar 23, 2025; plan confirmed Dec 5, 2025; remaining debtor entity renamed Chrome Holding Co.",
      "source": {
        "name": "UK ICO + Canadian OPC joint investigation report",
        "url": "https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/06/ico-and-canadian-counterpart-to-investigate-23andme-cyber-incident/"
      },
      "secondarySources": [
        {
          "name": "Paul, Weiss — Chapter 11 Plan confirmed Dec 5, 2025",
          "url": "https://www.paulweiss.com/insights/client-news/23andme-obtains-court-approval-of-chapter-11-plan"
        },
        {
          "name": "Bloomberg Law — data-breach deal approval in bankruptcy court",
          "url": "https://news.bloomberglaw.com/bankruptcy-law/23andme-scores-approval-of-data-breach-deal-in-bankruptcy-court"
        },
        {
          "name": "Kroll restructuring portal — Chrome Holding Co. (f/k/a 23andMe)",
          "url": "https://restructuring.ra.kroll.com/23andMe/"
        }
      ],
      "practitionerLessons": "Mandatory MFA on consumer surfaces with high-sensitivity data (genetic, financial, medical) is the table stakes — not an optional preference. Relationship-graph features amplify the blast radius from a few compromised accounts to a population-scale leak.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-23andme-credential-stuffing-2023"
    },
    {
      "id": "lapsus-okta-2022",
      "slug": "lapsus-okta-2022",
      "title": "LAPSUS$ — Okta third-party support engineer compromise (2022)",
      "organization": "Sitel (Okta sub-processor); 2 Okta customer tenants confirmed impacted",
      "sector": {
        "key": "technology",
        "label": "Technology / SaaS"
      },
      "disclosedAt": "2022-03-22",
      "occurredAt": "Jan 21, 2022 (25-minute control window)",
      "identityVector": {
        "key": "supply-chain-idp",
        "label": "Supply chain — identity provider"
      },
      "vectorDescription": "LAPSUS$ compromised a workstation belonging to a Sitel support engineer with elevated privileges into Okta customer tenants. Initial disclosure raised concerns over up to 366 customers (~2.5% of Okta base); final forensic conclusion confirmed only a 25-minute control window and 2 actually-impacted customer tenants. The actor could not perform MFA/password resets or impersonate users. The incident remained controversial primarily for the 2-month gap between detection and customer disclosure.",
      "recordsAffected": "Initially feared 366 customers; final forensic conclusion confirmed only 2 customer tenants actually impacted",
      "estimatedCost": "Okta stock declined ~11% on disclosure; downstream customer audit-log scrutiny and trust impact difficult to quantify",
      "source": {
        "name": "Okta — Investigation of the January 2022 Compromise",
        "url": "https://www.okta.com/blog/company-and-culture/oktas-investigation-of-the-january-2022-compromise/"
      },
      "secondarySources": [
        {
          "name": "BleepingComputer — Lapsus$ breach lasted 25 minutes",
          "url": "https://www.bleepingcomputer.com/news/security/okta-lapsus-breach-lasted-only-25-minutes-hit-2-customers/"
        }
      ],
      "practitionerLessons": "Identity-provider supply chains are themselves a privileged surface. Sub-processor / support-vendor access should be vaulted, session-recorded, and time-bound — not standing. Disclosure timing also matters: the 2-month gap between detection and customer notification became the larger story.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-lapsus-okta-2022"
    },
    {
      "id": "tmobile-api-2023",
      "slug": "tmobile-api-token-2023",
      "title": "T-Mobile API credential exposure (2023)",
      "organization": "T-Mobile US",
      "sector": {
        "key": "telecom",
        "label": "Telecom"
      },
      "disclosedAt": "2023-01-19",
      "occurredAt": "Nov 25, 2022 – Jan 5, 2023 (~6 weeks)",
      "identityVector": {
        "key": "oauth-api-key",
        "label": "OAuth / API key theft"
      },
      "vectorDescription": "Attacker abused a single API endpoint, retrieving data on ~37M postpaid + prepaid customer accounts over a 6-week window. T-Mobile detected the anomaly Jan 5, 2023 and patched within a day. Exposed: name, billing address, email, phone, DOB, account number, plan features. Not exposed: payment cards, SSNs, government IDs, or passwords.",
      "recordsAffected": "~37M postpaid and prepaid customer accounts (T-Mobile 8-K)",
      "estimatedCost": "T-Mobile previously settled the 2021 breach for $350M; class actions filed for this incident",
      "regulatoryAction": "FCC investigation; CPNI rule scrutiny",
      "source": {
        "name": "T-Mobile 8-K filing — January 19, 2023",
        "url": "https://www.sec.gov/Archives/edgar/data/1283699/000119312523011817/d426736d8k.htm"
      },
      "secondarySources": [],
      "practitionerLessons": "API tokens with broad scopes and no rate-limit anomaly detection are the most under-managed identity surface. Tokens should be scoped per-call, monitored at the egress, and rotated on schedule.",
      "anchor": "https://askmeidentity.com/resources/identity-incidents/#incident-tmobile-api-token-2023"
    }
  ],
  "counts": {
    "total": 8
  }
}