What would happen if someone got hold of one of your employees’ passwords from years ago?
Not a password they’re using today. Not one they even remember. Just an old one that was never properly retired.
It sounds unlikely — but this is exactly how a recent global data theft campaign unfolded.
A cyber security investigation revealed that sensitive business data from dozens of organisations was quietly harvested and later sold on the dark web. These organisations spanned industries, countries, and sizes — but they all shared one critical weakness:
They relied on usernames and passwords alone to protect access to important systems.
No second step. No additional verification. Just a password.
What Is MFA — and Why Does It Matter?
Multi-Factor Authentication (MFA) adds an extra layer of security by requiring more than just a password to log in.
Typically, it combines:
- Something you know (your password)
- Something you have (a mobile device or authentication app)
- Something you are (biometric data like a fingerprint or facial recognition)
Even if a password is compromised, MFA acts as a second barrier — preventing unauthorised access.
According to the National Cyber Security Centre, enabling MFA is one of the most effective ways to protect accounts from compromise.
How Attackers Exploited a Simple Weakness
In this campaign, MFA simply wasn’t enforced.
So how did attackers gain access?
They used infostealing malware — a type of malicious software that quietly collects:
- Saved passwords
- Browser data
- Login credentials
- Session cookies
Once captured, this data is sent back to cybercriminals and often sold via underground marketplaces.
Sophos, one of our many trusted partners, explains how infostealers operate and why they are so effective.
The Real Problem: Time Doesn’t Erase Risk
Here’s where it gets more concerning.
Some of the passwords used in these attacks were years old.
That tells us two important things:
- Passwords weren’t being updated or rotated regularly
- Old credentials were still valid long after they should have been revoked
This is what security professionals refer to as a “latency risk” — a threat that sits dormant, waiting for the right opportunity.
A device infected years ago can still expose your business today.
It also highlights a broader issue: employees often log into work systems from multiple devices — home laptops, personal machines, even shared computers. If any one of those devices is compromised, your business could be exposed without realising it.
Why MFA Would Have Stopped These Attacks
In every case, the attackers had valid login credentials.
But they didn’t have the second factor.
No authentication app. No approval notification. No biometric confirmation.
That single missing layer would have stopped the attack entirely.
“But MFA Is Inconvenient…”
It’s a common objection — and not an unreasonable one.
Yes, MFA adds a small step to the login process.
But compare that to:
- Data breaches
- Financial loss
- Reputational damage
- Regulatory consequences (especially under GDPR)
The trade-off is clear.
A few extra seconds at login versus the potential cost of a cyber incident.
Practical Steps to Strengthen Your Security Today
If you’re not already enforcing MFA across your organisation, here’s where to start:
1. Enforce Multi-Factor Authentication for Business
Focus on:
- Email systems (e.g. Microsoft 365, Google Workspace)
- Cloud platforms
- CRM and finance systems
- Remote access tools
2. Eliminate Legacy Authentication
Older systems and protocols often bypass MFA entirely. These should be disabled wherever possible.
3. Review and Retire Old Accounts
Audit user accounts regularly:
- Remove inactive users
- Revoke access for former employees
- Disable outdated credentials
4. Educate Your Team
Security awareness is critical. Help staff understand:
- The risks of password reuse
- How phishing and malware work
- Why MFA is essential
5. Combine MFA with Strong Endpoint Security
MFA is powerful — but it’s not a silver bullet. Pair it with:
- Endpoint detection and response (EDR)
- Regular patching and updates
- Secure device policies
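The audit behind steps 1 to 3 (and the stale-credential point from the "Time Doesn't Erase Risk" section) can be automated against a directory export. The script below is an added example, not Aztek's tooling and not code from the original post. It assumes an export with the column names shown in the constructed sample; real Microsoft 365 or Google Workspace exports use their own headers and would need mapping first. The 90-day inactivity and one-year password-age thresholds are assumptions you would set to match your own policy.

```python
"""Flag accounts that match the weaknesses described in the post:
no MFA registered, dormant sign-in, a password unchanged for years,
and sign-ins over legacy (MFA-bypassing) protocols.

The export format and column names are an assumption; the rows are
constructed sample data, not a real tenant."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Dates are ISO (YYYY-MM-DD); an empty
# last_sign_in means the account has never signed in.
SAMPLE_EXPORT = """user,enabled,mfa_registered,last_sign_in,password_last_set,legacy_auth_sign_ins
alice@example.com,true,true,2024-05-01,2024-01-15,0
bob@example.com,true,false,2024-04-28,2021-03-02,12
carol@example.com,true,true,2022-11-10,2022-11-10,0
dave@example.com,false,false,2020-02-01,2019-07-20,0
erin@example.com,true,false,,2020-01-05,3
"""

# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc)
# against a live export.
AS_OF = datetime(2024, 5, 2, tzinfo=timezone.utc)
INACTIVE_AFTER = timedelta(days=90)          # assumed policy threshold
STALE_PASSWORD_AFTER = timedelta(days=365)   # assumed policy threshold

# Weighting used to order the report: a live account with no second
# factor is the case the post describes, so it scores highest.
SEVERITY = {"no_mfa": 3, "legacy_auth": 2, "stale_password": 2, "inactive": 1}


def parse_date(value):
    """Return an aware datetime for 'YYYY-MM-DD', or None for a blank cell."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit(export_text, as_of=AS_OF):
    """Map each enabled account to the list of issues found for it.

    Disabled accounts are skipped: the point of step 3 is to get
    accounts into that state, and they cannot be signed into."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        issues = []
        if row["mfa_registered"].strip().lower() != "true":
            issues.append("no_mfa")
        last = parse_date(row["last_sign_in"])
        if last is None or as_of - last > INACTIVE_AFTER:
            issues.append("inactive")
        pw_set = parse_date(row["password_last_set"])
        if pw_set is None or as_of - pw_set > STALE_PASSWORD_AFTER:
            issues.append("stale_password")
        if int(row["legacy_auth_sign_ins"] or 0) > 0:
            issues.append("legacy_auth")
        if issues:
            findings[row["user"]] = issues
    return findings


def prioritise(findings):
    """Return (user, issues) pairs, highest combined severity first."""
    return sorted(
        findings.items(),
        key=lambda item: sum(SEVERITY[i] for i in item[1]),
        reverse=True,
    )


if __name__ == "__main__":
    for user, issues in prioritise(audit(SAMPLE_EXPORT)):
        print(f"{user:20} {', '.join(issues)}")
```

Run as-is it reports bob, carol and erin and skips alice (clean) and dave (already disabled). Accounts flagged `inactive` together with `no_mfa` are the dormant-credential case the post describes: a password that may already be in an infostealer log, protecting an account nobody is watching, with nothing in the way of whoever holds it.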
One Extra Lock Makes All the Difference
Passwords on their own are no longer enough.
They can be stolen, reused, forgotten — and still exploited years later.
Multi-Factor Authentication turns a compromised password into a dead end.
And in today’s threat landscape, that extra layer isn’t overkill — it’s essential.
Need Help Implementing MFA?
If you’re unsure where to start, or want to ensure MFA is properly enforced across your systems, we can help.
From setup to policy design and ongoing security management, Aztek works with businesses across the UK to strengthen their cyber resilience.
Get in touch to start securing your business today.