Breach Radar
Major Breaches, Analyzed Through an Identity Lens
Most breach coverage stops at what happened. These teardowns map each incident to the specific IAM controls that failed, the same 37 controls the AXIS assessment scores, and show what maturity level would have changed the outcome. Every analysis is grounded in public disclosures and regulatory findings.
What Caused the Charter Communications Breach?
Vishing for Entra credentials, then bulk Salesforce export
On April 1, 2026, a member of the ShinyHunters extortion group phoned a Charter employee and talked them into sharing credentials for a Microsoft Entra account. That single conversation gave the attackers a path into Charter’s Salesforce environment, where they exported millions of customer records and later published a large portion when no ransom was paid.
What Caused the Marks & Spencer Breach?
Impersonation call to an outsourced IT help desk
Over Easter weekend 2025, ransomware crippled Marks & Spencer. The intrusion did not start inside M&S at all: attackers phoned the retailer’s outsourced IT help desk, impersonated an employee convincingly enough to get a reset on an account, and worked from there to ransomware that kept online ordering down for six weeks and wiped an estimated £300 million from operating profit.
What Caused the Salesloft Drift Breach?
Stolen OAuth tokens from a chatbot integration
In August 2025, attackers used OAuth tokens stolen from Salesloft’s Drift chatbot to walk into the Salesforce environments of hundreds of companies, including several major security vendors. No password was phished and no MFA was bypassed. The tokens belonged to a machine, and almost nobody was watching what that machine could do.
What Caused the Change Healthcare Breach?
Stolen credentials on an MFA-less remote access portal
The largest healthcare data breach ever reported to US regulators started with one set of stolen credentials used against a remote access portal that had no multi-factor authentication. That single gap became a nationwide outage of pharmacy and claims processing and, per HHS, a breach affecting roughly 192.7 million people.
What Caused the Microsoft Midnight Blizzard Breach?
Password spray on a legacy tenant, over-privileged OAuth app
A Russian state actor read Microsoft senior leadership email for about two months. The entry point, per Microsoft’s own disclosure: a password spray against a legacy, non-production test tenant account with no MFA, and a legacy OAuth application whose elevated permissions bridged that forgotten tenant into the corporate environment.
What Caused the Snowflake Customer Breaches?
Years-old infostealer credentials, no MFA on SaaS accounts
The 2024 campaign against Snowflake customers was not a breach of Snowflake’s platform. Per Mandiant, attackers logged in to roughly 165 customer instances using credentials stolen by infostealer malware, some dating back to 2020. The credentials still worked because the accounts had no MFA, no network restrictions, and passwords that had never been rotated.
What Caused the 23andMe Breach?
Credential stuffing amplified by data-sharing features
Attackers logged in to roughly 14,000 23andMe accounts using passwords reused from other breaches, about 0.1% of customers. The product’s relative-matching features then amplified those footholds into scraped profile data for approximately 6.9 million people. For customer identity programs, this is the case that proves authentication strength and data blast radius cannot be assessed separately.
What Caused the MGM Resorts Breach?
Help-desk vishing to an identity-provider super admin
The MGM Resorts attack is the case every help-desk security conversation now references. Attackers reportedly impersonated an employee on a phone call to IT support, obtained a credential reset, and escalated to super administrator access in the identity provider. Slot machines, room keys, and reservations went down for days, and MGM reported roughly $100 million in impact.
What Caused the Okta Support System Breach?
Service account credential exposed via a personal browser profile
An attacker used a stolen service account credential to access Okta’s customer support case system and harvest session tokens from HAR files customers had uploaded for troubleshooting. The root cause, per Okta: the service account’s username and password had been saved into an employee’s personal Google profile on an Okta-managed laptop.
What Caused the Uber Breach?
MFA fatigue, then hardcoded PAM admin credentials on a share
The 2022 Uber intrusion chained two classic identity failures. An MFA-fatigue attack wore down a contractor into approving a push prompt, and a PowerShell script on an internal network share contained hardcoded administrator credentials for the privileged access management platform, the vault holding the keys to everything else.
What Caused the Capital One Breach?
SSRF to an over-permissioned cloud IAM role
The Capital One breach remains the reference case for cloud identity failure. A server-side request forgery against a misconfigured web application firewall yielded temporary credentials for an IAM role, and that role’s permissions reached hundreds of S3 buckets it had no business touching. Data on roughly 106 million credit applicants followed.
Method
How These Teardowns Work
Each incident is reconstructed from public sources, then mapped to the AXIS question bank of 37 controls across 9 identity domains. Failed controls that are domino controls (foundational capabilities that cap an organization's overall maturity score when weak) are flagged, because real attacks compound the same way the scoring model does: through the weakest foundational link.
37
Controls in the AXIS bank
9
Identity domains
9
Domino (foundational) controls
Would Your Program Have Caught These?
Every control in these teardowns is a question in the AXIS assessment. Run it and see where your organization stands against the failure modes that keep ending up in breach reports. No signup required to start.