Regular Password Resets Aren’t as Safe as You Think

A 2025 attack on UK retailer Marks & Spencer (M&S) resulted in a 5-day suspension of online sales, with daily losses of £3.8 million ($5.1 million), after attackers impersonated an employee to reset a password. The attackers, linked to Scattered Spider, exploited Active Directory and deployed ransomware, encrypting systems supporting payments, e-commerce, and logistics.

Research estimates that every password reset costs around $70; the reset process is also a target for attackers, who can bypass multi-factor authentication (MFA) by convincing a service-desk agent to reset a password. In April 2025, UK retailer Marks & Spencer (M&S) was attacked, disrupting operations nationwide and resulting in a 5-day suspension of online sales. Attackers linked to Scattered Spider impersonated an M&S employee and contacted a third-party service desk to carry out a password reset, gaining legitimate credentials. They exploited Active Directory to extract the NTDS.dit file, cracked password hashes offline, and deployed ransomware, encrypting systems supporting payments, e-commerce, and logistics. To secure the service desk, solutions like Specops Secure Service Desk can confirm user identity before any reset takes place by triggering a one-time code to a trusted device or using existing identity providers. Verizon's Data Breach Investigations Report found that stolen credentials are involved in 44.7% of breaches.

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.