Why Enforcing MFA Matters More Than Ever

What would happen if someone gained access to an employee’s old password?

• A password the employee no longer uses.

• A password they may not even remember.

• A password that still works inside your systems.

This situation occurred during a recent data theft campaign that impacted businesses, including IT companies in Long Island and across New York.

A Cybersecurity investigation found that sensitive business data from many organizations worldwide was quietly collected and later placed for sale on the dark web.

The affected organizations came from different industries, countries, and sizes.

Investigators identified a common gap: access to important cloud systems required only a username and password. No additional verification was involved.

When attackers obtained a valid password, they could access the system.

Understanding Multi-Factor Authentication

Multi-factor authentication (MFA) adds another step to confirm a user’s identity during login.

It combines at least two different factors:

• Something you know, such as a password

• Something you have, such as an authentication app or code

• Something you are, such as a fingerprint or facial recognition

With MFA enabled, a password by itself cannot grant access.

In the organizations studied in this investigation, MFA was not enforced.

That absence allowed attackers to use stolen credentials.

How the Passwords Were Stolen

The attackers used infostealing malware.

This software installs quietly on a device and collects data such as:

• Saved browser passwords.

• Login credentials.

• Session cookies.

• Autofill information.

The data is then transmitted to the attackers.

In many cases, the infected devices were personal or shared systems used to log into work accounts.

If login details were saved on those devices, the malware could collect them.

The Risk of Long-Lived Passwords

Investigators found that several of the passwords used were multiple years old.

This finding points to two key security issues:

• Password rotation was inconsistent or missing

• Some older credentials stayed active longer than intended

An infected device from years ago can still expose information that remains valid today.

This delay between data theft and use is often referred to as a latency problem.

Stolen credentials can sit unused for long periods before being exploited.

The Impact of MFA

In these incidents, attackers had valid passwords.

MFA would have required a second step, such as phone confirmation or a verification code.

Without that step, they could not have completed the login process.

Why Organizations Enforce MFA

Cybersecurity practices adapt as attackers change their methods.

Password-only authentication allows unnecessary exposure.

Credentials can be taken through malware, phishing, or previous data breaches.

MFA adds another checkpoint before a system grants access.

If a password is compromised, the additional verification prevents most unauthorized logins.

A Simple Security Improvement

Old credentials can remain active longer than planned.

Multi-factor authentication provides an extra barrier that limits the risk of stolen passwords.

Implementing MFA across important systems is an effective step toward increasing organizational security.