Breach Radar

Major Breaches, Analyzed Through an Identity Lens

Most breach coverage stops at what happened. These teardowns map each incident to the specific IAM controls that failed, the same 37 controls the AXIS assessment scores, and show what maturity level would have changed the outcome. Every analysis is grounded in public disclosures and regulatory findings.

2026
Telecommunications

What Caused the Charter Communications Breach?

Vishing for Entra credentials, then bulk Salesforce export

On April 1, 2026, a member of the ShinyHunters extortion group phoned a Charter employee and talked them into sharing credentials for a Microsoft Entra account. That single conversation gave the attackers a path into Charter’s Salesforce environment, where they exported millions of customer records and later published a large portion when no ransom was paid.

Auth/SSOCloudSecurity
Read the teardown
2025
Retail
1 domino control hit

What Caused the Marks & Spencer Breach?

Impersonation call to an outsourced IT help desk

Over Easter weekend 2025, ransomware crippled Marks & Spencer. The intrusion did not start inside M&S at all: attackers phoned the retailer’s outsourced IT help desk, impersonated an employee convincingly enough to get a reset on an account, and worked from there to ransomware that kept online ordering down for six weeks and wiped an estimated £300 million from operating profit.

Auth/SSOGovernanceSecurity
Read the teardown
2025
Cross-industry (SaaS supply chain)
2 domino controls hit

What Caused the Salesloft Drift Breach?

Stolen OAuth tokens from a chatbot integration

In August 2025, attackers used OAuth tokens stolen from Salesloft’s Drift chatbot to walk into the Salesforce environments of hundreds of companies, including several major security vendors. No password was phished and no MFA was bypassed. The tokens belonged to a machine, and almost nobody was watching what that machine could do.

CloudPAMSecurity
Read the teardown
2024
Healthcare
3 domino controls hit

What Caused the Change Healthcare Breach?

Stolen credentials on an MFA-less remote access portal

The largest healthcare data breach ever reported to US regulators started with one set of stolen credentials used against a remote access portal that had no multi-factor authentication. That single gap became a nationwide outage of pharmacy and claims processing and, per HHS, a breach affecting roughly 192.7 million people.

Auth/SSOSecurityPAM
Read the teardown
2024
Technology
2 domino controls hit

What Caused the Microsoft Midnight Blizzard Breach?

Password spray on a legacy tenant, over-privileged OAuth app

A Russian state actor read Microsoft senior leadership email for about two months. The entry point, per Microsoft’s own disclosure: a password spray against a legacy, non-production test tenant account with no MFA, and a legacy OAuth application whose elevated permissions bridged that forgotten tenant into the corporate environment.

Auth/SSOCloudSecurity
Read the teardown
2024
Cross-industry (SaaS data platform)
2 domino controls hit

What Caused the Snowflake Customer Breaches?

Years-old infostealer credentials, no MFA on SaaS accounts

The 2024 campaign against Snowflake customers was not a breach of Snowflake’s platform. Per Mandiant, attackers logged in to roughly 165 customer instances using credentials stolen by infostealer malware, some dating back to 2020. The credentials still worked because the accounts had no MFA, no network restrictions, and passwords that had never been rotated.

Auth/SSOIGASecurity
Read the teardown
2023
Consumer Genomics
1 domino control hit

What Caused the 23andMe Breach?

Credential stuffing amplified by data-sharing features

Attackers logged in to roughly 14,000 23andMe accounts using passwords reused from other breaches, about 0.1% of customers. The product’s relative-matching features then amplified those footholds into scraped profile data for approximately 6.9 million people. For customer identity programs, this is the case that proves authentication strength and data blast radius cannot be assessed separately.

CIAMCIAM × DataSecurity
Read the teardown
2023
Hospitality & Gaming
2 domino controls hit

What Caused the MGM Resorts Breach?

Help-desk vishing to an identity-provider super admin

The MGM Resorts attack is the case every help-desk security conversation now references. Attackers reportedly impersonated an employee on a phone call to IT support, obtained a credential reset, and escalated to super administrator access in the identity provider. Slot machines, room keys, and reservations went down for days, and MGM reported roughly $100 million in impact.

Auth/SSOPAMSecurity
Read the teardown
2023
Technology (Identity)
2 domino controls hit

What Caused the Okta Support System Breach?

Service account credential exposed via a personal browser profile

An attacker used a stolen service account credential to access Okta’s customer support case system and harvest session tokens from HAR files customers had uploaded for troubleshooting. The root cause, per Okta: the service account’s username and password had been saved into an employee’s personal Google profile on an Okta-managed laptop.

CloudAuth/SSOPAMSecurity
Read the teardown
2022
Technology / Mobility
2 domino controls hit

What Caused the Uber Breach?

MFA fatigue, then hardcoded PAM admin credentials on a share

The 2022 Uber intrusion chained two classic identity failures. An MFA-fatigue attack wore down a contractor into approving a push prompt, and a PowerShell script on an internal network share contained hardcoded administrator credentials for the privileged access management platform, the vault holding the keys to everything else.

Auth/SSOPAMSecurity
Read the teardown
2019
Financial Services
2 domino controls hit

What Caused the Capital One Breach?

SSRF to an over-permissioned cloud IAM role

The Capital One breach remains the reference case for cloud identity failure. A server-side request forgery against a misconfigured web application firewall yielded temporary credentials for an IAM role, and that role’s permissions reached hundreds of S3 buckets it had no business touching. Data on roughly 106 million credit applicants followed.

CloudSecurity
Read the teardown

Method

How These Teardowns Work

Each incident is reconstructed from public sources, then mapped to the AXIS question bank of 37 controls across 9 identity domains. Failed controls that are domino controls (foundational capabilities that cap an organization's overall maturity score when weak) are flagged, because real attacks compound the same way the scoring model does: through the weakest foundational link.

37

Controls in the AXIS bank

9

Identity domains

9

Domino (foundational) controls

Would Your Program Have Caught These?

Every control in these teardowns is a question in the AXIS assessment. Run it and see where your organization stands against the failure modes that keep ending up in breach reports. No signup required to start.