Back in August 2023, attackers tied to the Scattered Spider group didn’t exploit a zero-day vulnerability to hack Clorox. They simply called the service desk (run by Cognizant), claimed to be locked-out employees, and asked for password and MFA resets.
According to court filings and reporting, the attacker repeatedly phoned Cognizant’s service desk, obtained repeated resets without meaningful verification, and used the resulting access to move quickly toward domain-admin footholds.
Clorox says the attack ultimately led to roughly $380 million in damages, including about $49 million in remedial costs and “hundreds of millions” in business-interruption losses. We’ll walk through what happened, explain how to secure third-party service desks, and show how to enforce verification with the right technology.
How did the attack play out?
Social engineering attacks succeed by targeting human fallibility. Attackers carry out reconnaissance (collecting names, titles, recent hires, internal ticket references), then use a calm, scripted phone call that mimics legitimate user behavior. They want the service desk agent to feel pressured and skip security processes.
In Clorox’s case, the legal complaint alleges frontline agents were convinced over the phone to reset credentials and MFA without escalating or performing out-of-band verification. Clorox claims this went against the procedure agreed with Cognizant, under which agents should never reset anyone's credentials without properly authenticating them first.
The result: a single compromised identity became a pivot for lateral movement and major disruption.
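The pattern described above (repeated password and MFA resets for one account, each granted without out-of-band verification) is something a defender can flag from service-desk audit logs. The following detection logic is an added example, not code from the original article or from Clorox, Cognizant or Specops; the log format, agent IDs, user names and verification-method labels are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real Clorox/Cognizant data): one
# line per service-desk action, as an IdP or ticketing system might log it.
SAMPLE_EVENTS = """\
2023-08-11T09:02:10Z agent=hd-017 action=password_reset target=j.doe verify=kb_questions
2023-08-11T09:05:44Z agent=hd-017 action=mfa_reset      target=j.doe verify=caller_id
2023-08-11T09:41:03Z agent=hd-022 action=password_reset target=j.doe verify=none
2023-08-11T10:15:30Z agent=hd-009 action=password_reset target=a.lee verify=oob_push
2023-08-11T13:20:00Z agent=hd-031 action=mfa_reset      target=m.rao verify=manager_callback
""".strip().splitlines()

# Only these methods reach the real user through a channel the caller does
# not control; knowledge questions, caller ID and "none" count as unverified.
STRONG_VERIFY = {"oob_push", "manager_callback"}
WINDOW = timedelta(hours=1)


def parse_event(line):
    """Turn one 'key=value' audit line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_suspicious_resets(lines, window=WINDOW):
    """Return alerts for (a) any MFA reset granted without strong verification
    and (b) any account receiving two or more weakly verified resets inside
    `window`, i.e. the repeated-phone-call pattern."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts, weak_by_target = [], defaultdict(list)
    for ev in events:
        weak = ev["verify"] not in STRONG_VERIFY
        if weak and ev["action"] == "mfa_reset":
            alerts.append(f"MFA reset without out-of-band verification: "
                          f"{ev['target']} by {ev['agent']}")
        if weak:
            recent = [t for t in weak_by_target[ev["target"]] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            weak_by_target[ev["target"]] = recent
            if len(recent) >= 2:
                alerts.append(f"{len(recent)} weakly verified resets for "
                              f"{ev['target']} within {window}")
    return alerts
```

On the constructed sample this raises one MFA alert and two repeated-reset alerts for j.doe, while the out-of-band-verified resets for a.lee and m.rao produce nothing.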