Another good reason to enforce MFA

Michael Tunstall

April 4, 2026


What would happen if someone logged into your systems using a password from years ago?

Not one your team uses today.
Not one anyone remembers.

Just an old password that was never properly invalidated.

That’s exactly how a recent large-scale data theft campaign worked.

A common weakness across multiple businesses

A recent cyber security investigation uncovered a campaign affecting organisations across different industries and countries.

The pattern was consistent.

Every affected business allowed access to key cloud systems using just a username and password.

No second step. No additional check.

Once attackers had the password, they were in.

How the passwords were exposed

The attackers didn’t guess the passwords.

They collected them.

Using infostealing malware, they were able to quietly extract:

  • Passwords saved on the device, for example in a browser

  • Credentials used to sign in to work and cloud systems

  • Other sensitive data stored alongside them

This type of malware can sit undetected on a device, capturing information without the user realising.

And it’s not limited to office machines.

It can affect:

  • Home computers

  • Personal laptops

  • Any device that has been used to access work systems

The part most businesses miss

Some of the passwords used in these attacks were years old.

That highlights two common issues:

  • Old credentials were never properly removed or reset

  • Systems continued to trust logins long after they should have been invalidated

This creates a “delayed risk”.

A device compromised years ago can still lead to a breach today.

Where MFA changes everything

Multi-factor authentication (MFA) adds a second step to the login process: proof of something the user has or is, not just something they know.

That could be:

  • A code from an authenticator app

  • A push notification (ideally with number matching, so a user cannot simply approve a prompt they did not start)

  • Biometric verification

Even if a password is exposed, access is blocked without that second factor. That only holds if the second step is required on every sign-in, not offered as an option the user can skip.

In these cases, MFA wasn’t enforced.

If it had been, the attackers would have had the passwords - but no way in.

Why passwords alone are no longer enough

Passwords can be:

  • Stolen

  • Reused

  • Forgotten but still active

On their own, they’re no longer a reliable defence.

MFA changes the equation.

It turns a stolen password into something that can’t be used.

A small step with a big impact

Yes, MFA adds an extra step.

But compared to the impact of a breach - lost data, downtime, reputational damage - it’s a minimal trade-off.

One extra layer can stop an attack completely.

Keep it simple

Old passwords don’t expire on their own.

Access needs to be controlled, reviewed, and protected with more than just a single login.

MFA is one of the simplest ways to do that.

If you’re not sure where MFA is (or isn’t) enforced across your business, it’s worth checking.
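One way to do that check, and at the same time surface the "delayed risk" described above (old passwords never reset, accounts still trusted long after their last use), is to run a short audit over a user export from your identity provider. The script below is an added example, not code from the original post: the export is constructed for the demo, and the column names are assumptions that will differ between providers.

```python
import csv
import io
from datetime import date

# Added example: an audit over a directory export that flags the gaps the
# post describes. The export below is constructed for the demo; the column
# names are assumptions and will differ between identity providers.
SAMPLE_EXPORT = """\
user,enabled,mfa_enrolled,password_last_set,last_sign_in
alice@example.com,true,true,2025-11-02,2026-04-01
bob@example.com,true,false,2023-01-15,2026-03-30
carol@example.com,true,false,2021-06-09,2022-02-11
dave@example.com,false,false,2020-03-20,2020-03-21
erin@example.com,true,true,2022-12-01,2026-04-03
"""


def audit(export_csv: str, today: date,
          max_password_age_days: int = 365, max_idle_days: int = 90) -> list:
    """Return one finding per enabled account that lacks MFA, has a password
    older than the limit, or has not signed in recently but can still do so.
    Accounts without MFA are listed first, oldest password first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account cannot be used, so it is out of scope
        mfa = row["mfa_enrolled"].strip().lower() == "true"
        password_age = (today - date.fromisoformat(row["password_last_set"])).days
        idle = (today - date.fromisoformat(row["last_sign_in"])).days
        issues = []
        if not mfa:
            issues.append("no MFA enforced")
        if password_age > max_password_age_days:
            issues.append(f"password last set {password_age} days ago")
        if idle > max_idle_days:
            issues.append(f"no sign-in for {idle} days but still enabled")
        if issues:
            findings.append({
                "user": row["user"],
                "mfa_enrolled": mfa,
                "password_age_days": password_age,
                "idle_days": idle,
                "issues": issues,
            })
    # Riskiest first: no MFA, then the oldest password.
    findings.sort(key=lambda f: (f["mfa_enrolled"], -f["password_age_days"]))
    return findings


def run_sample_audit() -> list:
    """Audit the constructed export as of a fixed date so results are stable."""
    return audit(SAMPLE_EXPORT, date(2026, 4, 4))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding["user"], "->", "; ".join(finding["issues"]))
```

Accounts that have no MFA and an old password are the ones the campaign described above would have walked straight into, so they come out at the top of the list; an account that has not signed in for years but is still enabled is the "forgotten but still active" case and is worth disabling rather than just resetting.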
