Episode 43
This week’s cybersecurity stories aren’t about elite hackers or advanced tools. They’re about people making very human mistakes. A helpdesk that handed over access without checking. A single weak password that brought down a century-old company. A startup selling stolen data like it’s just another subscription service. And tech giants pushing privacy boundaries in the name of progress.
Let’s start with Clorox. They’ve filed a lawsuit after being breached by the Scattered Spider hacking group. The attackers didn’t use malware. They didn’t exploit a vulnerability. They just called the helpdesk and asked for a password reset. That was it. According to the court documents, the support agent said, “Let me provide a password to you,” and handed it over. The result was $380 million in damages. Product shelves sat empty, systems were disrupted, and everything ground to a halt. It’s a perfect example of how dangerous it can be when frontline teams aren’t supported with the right training or processes. Social engineering is alive and well, and it’s often as easy as picking up the phone.
Then there’s the story of KNP Logistics, a UK transport company that had been operating for over 150 years. It shut down after ransomware hit their systems. The attackers got in using a single weak employee password. Once inside, they encrypted everything and demanded a ransom the company couldn’t pay. Hundreds of jobs were lost. The director said he knows whose account was used but hasn’t told them. And honestly, what good would it do? The damage was already done. These aren’t hypothetical risks. This is what a single password can cost.
Meanwhile, a US startup called Farnsworth Intelligence is selling data stolen from infected machines. Through their site, anyone can pay fifty dollars to search through browser autofill data, login credentials, and saved passwords. It’s marketed as “open-source intelligence” for debt collectors and investigators, but there are no real checks. This isn’t public data. It’s the result of infostealer malware pulling private information straight from people’s devices. If your system has ever been compromised, your data could be in there. No dark web, no hidden forums. Just a clean, modern website and a checkout page.
On the tech front, Microsoft is pushing forward with Copilot Vision. It’s a new feature in Windows 11 that takes continuous screenshots of your screen and sends them to Microsoft servers for AI processing. It’s opt-in, they say. It’s not used for advertising, they say. But the idea of your screen being watched in real time doesn’t sit well with many users. Especially in a business setting, where sensitive information is always at risk. For anyone with a bring-your-own-device policy, this could quietly introduce a serious problem.
Old software is also in the spotlight. Microsoft’s older, on-premises versions of SharePoint are being actively targeted after a flawed patch left them vulnerable. The exploit had already been shown publicly, yet many organisations remained exposed. Some even applied the patch and still got hit. This is what happens when patching is treated as a checkbox instead of a process. Older systems are harder to manage and often get ignored, but that just makes them more attractive to attackers.
And while the future is meant to be passwordless, passkeys still aren’t delivering the seamless experience they promise. Users are running into vague error messages, mismatched devices, and confusing prompts. Recovery is a nightmare if you change or lose your device. Until companies like Google and Apple improve the user experience, passkeys will remain a source of frustration. And when people get locked out of their accounts, it’s the IT teams who have to clean up the mess.
Put all these stories together and you see the same pattern. The biggest risks aren’t coming from some shadowy cybercrime syndicate. They’re coming from poor password practices, rushed technology rollouts, and simple, preventable human errors. A phone call. A missed patch. A forgotten process. That’s all it takes. And if you work in cybersecurity, these stories should be more than headlines. They’re warnings.
US Startup Sells Stolen Data for $50
Weak Password Sinks 158-Year-Old Company
Clorox Hackers Got In Just by Asking
Hackers Exploit Old SharePoint Patch
Copilot Vision Watches Your Screen
Passkeys Still a Mess for Users
UK Age Verification Now Enforced
AI Tool Deletes Company Database
The Login Alliance Rant (ft. Lance Spitzner)
Reddit is Running Malware Ads
QR Code Link Switched to an Ad
Scammer Uses Netstat Scam with ISP Ruse
Voting Email from East Herts Council (No external source)
Scout Leader’s Email Compromised (No external source)
Luggage Tags Could Expose Your Info