Research from Forrester estimates that every password reset costs around $70. Because resets are among the most common helpdesk requests, many organizations have introduced self-service password reset (SSPR) tools to reduce the load. Even so, helpdesk teams still handle a significant number of resets, whether supporting SSPR enrollment or dealing with edge cases.
That makes password resets a natural target for attackers, who know that if they can talk an agent into resetting a password, they can sidestep the rest of the login flow, multi-factor authentication (MFA) included, and walk straight into an account. Locking down the reset process therefore starts with understanding where it can go wrong.
How one reset can lead to full compromise
The April 2025 attack on UK retailer Marks & Spencer (M&S) disrupted operations nationwide, leading to a 5-day suspension of online sales that equated to an average of £3.8 million ($5.1 million) in daily losses.
Attackers linked to the hacking group Scattered Spider are believed to have gained initial access by impersonating an M&S employee and contacting a third-party service desk. The desk carried out a password reset, handing the attackers valid credentials and removing any need to exploit a technical vulnerability.
From there, the attackers extracted NTDS.dit, the Active Directory database that stores the password hashes for every domain account, and Scattered Spider cracked those hashes offline to recover additional credentials.
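The NTDS.dit extraction is the step in that chain with the clearest detection opportunity: the file is locked while the domain controller runs, so an attacker has to go through ntdsutil, a Volume Shadow Copy snapshot, or esentutl, and usually also exports the SYSTEM hive to decrypt the hashes. Below is an added example of that detection logic, written for this page rather than taken from the original article or from M&S or its vendors. It runs over constructed process-creation events in a simplified key=value rendering of Windows Security event 4688; the event format, host names, account names and paths are all assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample events (illustrative only, not telemetry from any real
# incident), in a simplified key=value rendering of Windows Security event 4688
# (process creation) with command-line auditing enabled.
SAMPLE_EVENTS = [
    "EventID=4688 Computer=DC01 User=CORP\\jsmith "
    "NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=4688 Computer=DC01 User=CORP\\svc-backup "
    "NewProcessName=C:\\Windows\\System32\\ntdsutil.exe "
    "CommandLine=ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\temp\\x\" q q",
    "EventID=4688 Computer=DC01 User=CORP\\svc-backup "
    "NewProcessName=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin create shadow /for=C:",
    "EventID=4688 Computer=DC01 User=CORP\\svc-backup "
    "NewProcessName=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit",
    "EventID=4688 Computer=DC01 User=CORP\\svc-backup "
    "NewProcessName=C:\\Windows\\System32\\reg.exe "
    "CommandLine=reg save HKLM\\SYSTEM C:\\temp\\sys.hiv",
    "EventID=4688 Computer=WS07 User=CORP\\jsmith "
    "NewProcessName=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin list shadows",
]

# Each rule is (name, regex over the command line). Together they cover the
# usual ways NTDS.dit leaves a domain controller: ntdsutil's IFM export, a
# Volume Shadow Copy snapshot followed by a copy of the locked file out of it,
# esentutl, and the SYSTEM hive export needed to decrypt the hashes.
RULES = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\b(ifm|create\s+full)\b", re.I)),
    ("vss_shadow_create", re.compile(
        r"(vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create|diskshadow)", re.I)),
    ("ntds_dit_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)),
    ("esentutl_ntds", re.compile(r"esentutl.*ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    user: str
    command_line: str


def parse_event(line: str) -> dict:
    """Pull the fields we need out of one key=value event line.

    CommandLine is taken as everything after 'CommandLine=' because it
    contains spaces; the other fields are single tokens.
    """
    fields = {}
    for key in ("EventID", "Computer", "User", "NewProcessName"):
        m = re.search(rf"\b{key}=(\S+)", line)
        fields[key] = m.group(1) if m else ""
    fields["CommandLine"] = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else ""
    return fields


def detect(events) -> list:
    """Run every rule over every process-creation event; return matches in order."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev["EventID"] != "4688":
            continue
        for name, pattern in RULES:
            if pattern.search(ev["CommandLine"]):
                findings.append(Finding(name, ev["Computer"], ev["User"], ev["CommandLine"]))
    return findings


def correlate(findings) -> set:
    """(computer, user) pairs that tripped two or more distinct rules.

    A single shadow-copy creation can be legitimate backup activity; a
    snapshot, a copy of ntds.dit out of it and a SYSTEM hive export from the
    same account on the same DC is the dumping chain worth paging on.
    """
    rules_by_actor = {}
    for f in findings:
        rules_by_actor.setdefault((f.computer, f.user), set()).add(f.rule)
    return {actor for actor, rules in rules_by_actor.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.computer} {f.user}: {f.command_line}")
    print("actors to escalate:", correlate(hits))
```

On the sample data the four dumping-related commands from svc-backup on DC01 fire, while jsmith's `vssadmin list shadows` on a workstation does not. Two caveats for real use: event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled (Sysmon event 1 is the usual alternative), and the correlation step matters more than any single rule, because backup software creates shadow copies on domain controllers all the time.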
With valid accounts and escalating privileges, the attackers moved laterally using standard tools and normal login activity, expanding access over several weeks. Once they had sufficient privileges, they deployed ransomware, encrypting systems supporting payments, e-commerce, and logistics. M&S was forced to take services offline, disrupting operations and customer transactions.
Securing the service desk
The challenge with social engineering attacks like the M&S breach is that they don’t appear suspicious. From the helpdesk’s perspective, it’s just another user asking for a password reset.
That’s exactly why the service desk is such a target, and why relying on basic checks isn’t enough to secure the reset process. Without a reliable way to verify who’s on the other end of the call, it’s easy for a routine request to become a point of entry.