Hacking is hard. Well, sometimes.
Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity.
So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.
So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?
According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.
In the words of a new Clorox lawsuit, Cognizant's behavior was "all a devastating lie," it "failed to show even scant care," and it was "aware that its employees were not adequately trained."
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," says the lawsuit, using italics to indicate outrage emphasis. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked."
Can I have a password reset?
From 2013 through 2023, Cognizant had helped "guard the proverbial front door" to Clorox's network by running a "service desk" that handled common access requests around passwords, VPNs, and multifactor authentication (MFA) such as SMS codes.
When a purported Clorox employee called the service desk, protocol demanded that the employee use an internal verification and self-reset password tool called MyID. If that wasn't possible, the service desk should have verified the person's identity using their manager's name and the user's MyID username, after which the password could be reset but the manager and employee would both be notified by email.
Instead, says Clorox, this happened on August 11, 2023:
Cybercriminal: I don’t have a password, so I can’t connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?
Cybercriminal: Alright. Yep. Yeah, what’s the password?
Cognizant Agent: Just a minute. So it starts with the word "Welcome"...
When this worked, and the caller had a working password, he moved on to asking about an MFA reset:
Cybercriminal: My Microsoft MFA isn’t working.
Cognizant Agent: Oh, ok...
Cybercriminal: Can you reset my MFA? It’s on my old phone ... [inaudible] old phone.
Cognizant Agent: [Following a brief hold]. So thanks for being on hold, Alex. So multifactor authentication reset has been done now. Ok. So can you check if you’re able to login ...
Cybercriminal: Alright. It let me sign in now. Thank you.
After adopting the ID of a second Clorox user in IT security and calling back later that same day, the hacker tried all the same tricks again. And they worked, even across multiple Cognizant agents.
Cognizant Agent: How can I help you today?
Cybercriminal: Um my password on Okta was not working ...
Cognizant Agent: I’m going to have your password reset from my end right away. Ok. And we’ll see how it’s going to work. Ok. [Following a brief hold] Thank you ... I’m extremely sorry for the long hold. So ... password is going to be Clorox@123.
Cybercriminal: What’s that?
Cognizant Agent: Yeah it was Clorox@123...Ok.
Cybercriminal: Yep.
Cognizant Agent: Want me to wait over the phone while you are trying it?
Cybercriminal: Yes, yes, please.
Cognizant Agent: Sure ... sure.
Clorox says that it held regular meetings with Cognizant to ensure that everyone was following the same playbook. Cognizant gave "explicit acknowledgments and consistent reassurance that it was following Clorox's credential support procedures." But the cybercriminal calls in 2023 showed this to be a "blatant lie," says Clorox.
The new lawsuit, filed in California state courts, wants Cognizant to cough up millions of dollars to cover the damage Clorox says it suffered after weeks of disruption to its factories and ordering systems. (You can read a brief timeline of the disruption here.)
Our request for comment to Cognizant's PR email address was returned with an "access denied" error.
A PR agency representing Cognizant issued the following statement: "It is shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack. Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed. Cognizant did not manage cybersecurity for Clorox."