TL;DR: Three 2022 breaches show how exposed credentials, post-employment access, and phishing can still bypass enterprise controls, according to Axiad. The common failure is not just user error but weak identity governance over third parties, leavers, and authentication paths.
At a glance
What this is: This is a security bulletin on three 2022 data breaches that exposed persistent identity-control weaknesses across third-party access, leaver access, and phishing resistance.
Why it matters: It matters because the same failure modes can affect NHI, autonomous, and human identity programmes when credentials, access revocation, and authentication assurance are not governed as lifecycle controls.
By the numbers:
- Three 2022 breaches illustrate how one exposed credential path, one leaver access failure, and one phishing campaign can produce very different outcomes.
- More than eight million users could be affected in the Cash App data breach disclosed in April 2022.
- At least 76 company employees and some of their family members received SMS phishing messages during the Cloudflare attack.
👉 Read Axiad's analysis of 2022 data breach patterns and identity failures
Context
Credential exposure remains one of the most reliable ways into an environment because access paths often outlive the trust assumptions behind them. This bulletin uses three 2022 breaches to show how third-party code exposure, departed-worker access, and phishing all become identity failures once governance slips.
For IAM, PAM, and NHI teams, the lesson is that breach prevention is not just about stronger passwords or better awareness. It is about controlling who can create, keep, use, and lose access across the full lifecycle, including contractors, former employees, and accounts protected only by weak sign-in assumptions.
Key questions
Q: What breaks when third-party credentials are published in source code?
A: A public code leak becomes an access event when secrets remain valid after exposure. The breach risk is not limited to the repository. It extends to whatever server, cloud account, or API the secret unlocks. Teams need secret scanning, rapid revocation, and separate handling for third-party code contributions.
Q: Why do leaver access failures create so much identity risk?
A: Because the identity no longer has a valid business reason to exist, yet the access can still function. When offboarding is slow or incomplete, former employees and contractors can reach reports, systems, or data long after departure. That turns lifecycle debt into data exposure.
Q: How do you know if phishing resistance is actually working?
A: Test whether a stolen password alone can still complete sign-in. If any login flow accepts replayable credentials without a phishing-resistant second factor, the control is not working consistently. Strong authentication must hold across every privileged and employee entry point, not just the preferred one.
Q: Who is accountable when a former employee can still access sensitive reports?
A: Accountability sits with the organisation that failed to close access when the employment relationship ended. HR, IAM, and system owners all share responsibility for offboarding, but the control failure is lifecycle enforcement. If access persists after termination, the identity programme has not matched governance to reality.
Technical breakdown
Third-party credentials in public code repositories
A public repository becomes dangerous when source code, secrets, or access tokens are uploaded with it. In the Toyota case, a subcontractor published source code containing an access key to a public GitHub repository, and that key stayed valid for almost five years, long enough for anyone who found it to use it. The architectural issue is not simply repository visibility. It is that access material and trust decisions were coupled to code handling practices instead of being isolated through secret scanning, repository controls, and rapid revocation. When credentials travel through development workflows, one mistaken upload can become a server-level compromise.
Practical implication: separate secrets from code and verify that exposed credentials can be revoked quickly.
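The two checks named above, scanning code for embedded secrets and measuring how long an exposed value stayed usable (the "credential exposure window" discussed later in this bulletin), as an added example that is not Axiad's, Toyota's or NHIMG's code. The token formats, the entropy threshold, the sample source and the dates are constructed for illustration; the AWS and GitHub values are documentation-style example strings, not live credentials.

```python
"""Added example: repository secret scan plus exposure-window calculation.
Patterns, thresholds and sample data are assumptions for illustration."""
import math
import re
from datetime import date

# A few well-known token shapes plus a generic "name = 'value'" catch-all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(value):
    """Bits per character: placeholders like 'changeme' score low, random tokens score high."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_entropy=3.5):
    """Return findings as {line, kind, value}. Exact token shapes are always reported;
    generic assignments must also look random so that placeholders are not flagged."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(2) if kind == "generic_assignment" else match.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                if (lineno, value) in seen:
                    continue  # a more specific pattern already reported this value
                seen.add((lineno, value))
                findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


def exposure_window_days(first_exposed, revoked=None, as_of=None):
    """Credential exposure window in days. Without a revocation date the window is still open."""
    end = revoked if revoked is not None else (as_of or date.today())
    return (end - first_exposed).days


# Constructed sample file, not real code or real credentials.
SAMPLE_SOURCE = """\
# constructed sample, not real code or credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_token = "s8Fj2kLm9QpX4vTz7bWn1Yc3"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
-----BEGIN RSA PRIVATE KEY-----
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} -> {f['value'][:12]}...")
    # Dates follow the Toyota timeline reported in this bulletin (December 2017 to September 2022).
    print("exposure window (days):", exposure_window_days(date(2017, 12, 1), date(2022, 9, 15)))
```

Run the scanner in a pre-commit hook and in CI on every pull request from a third-party contributor; a hit should open a revocation ticket immediately, because the window only closes when the value stops authenticating, not when the commit is removed.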
Leaver access and post-employment entitlement drift
Leaver risk appears when a person retains access to reports, systems, or data after the employment relationship ends. In the Cash App case, a former employee could still access customer reports and download them after departure. That points to lifecycle failure, not just insider misuse. Access should expire with role change or termination, and high-risk reporting paths should be tied to current employment state. Without offboarding discipline, the identity boundary no longer matches the organisational boundary, and data exposure can continue after accountability should have ended.
Practical implication: tie termination events to immediate access removal and review sensitive reporting paths for residual entitlement.
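An access reconciliation check for the leaver pattern described above and in the key questions section, as an added example that is not Cash App's, Axiad's or NHIMG's code. It compares a constructed HR roster with a constructed entitlement export, flags access that survived termination (ranked higher when the access was used after the leaving date), flags subjects with no HR owner at all, and shows how a termination event can drive the revocation list directly. Field names and records are assumptions.

```python
"""Added example: detect post-employment entitlement drift and derive the
revocation list for a termination event. All records are constructed."""
from datetime import date

# Constructed HR feed: identity, current status, termination date if any.
HR_ROSTER = {
    "u1001": {"status": "active", "terminated": None, "type": "employee"},
    "u1002": {"status": "terminated", "terminated": date(2021, 11, 30), "type": "employee"},
    "u2001": {"status": "terminated", "terminated": date(2022, 3, 1), "type": "contractor"},
}

# Constructed entitlement export from applications: (subject, resource, last_used or None).
ENTITLEMENTS = [
    ("u1001", "reports:customer-investing", date(2022, 4, 1)),
    ("u1002", "reports:customer-investing", date(2021, 12, 10)),  # used after termination
    ("u2001", "repo:infra-terraform", None),                      # never used, still granted
    ("svc-9001", "db:ledger-readonly", date(2022, 4, 2)),         # no human owner in HR
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}


def residual_access(roster, entitlements, as_of):
    """Entitlements whose business justification has ended, most urgent first."""
    findings = []
    for subject, resource, last_used in entitlements:
        person = roster.get(subject)
        if person is None:
            findings.append({"subject": subject, "resource": resource, "severity": "review",
                             "reason": "no owner in HR roster"})
            continue
        if person["status"] != "terminated":
            continue
        used_after = last_used is not None and last_used > person["terminated"]
        findings.append({
            "subject": subject,
            "resource": resource,
            "days_open": (as_of - person["terminated"]).days,
            "used_after_termination": used_after,
            "severity": "critical" if used_after else "high",
            "reason": f"{person['type']} terminated on {person['terminated']}",
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def offboarding_targets(entitlements, subject):
    """Everything to revoke when a termination event for `subject` fires: the event is the trigger."""
    return [resource for s, resource, _ in entitlements if s == subject]


if __name__ == "__main__":
    for f in residual_access(HR_ROSTER, ENTITLEMENTS, as_of=date(2022, 4, 4)):
        print(f["severity"].upper(), f["subject"], f["resource"], f["reason"],
              f"{f.get('days_open', '-')} days open")
    print("revoke on termination of u1002:", offboarding_targets(ENTITLEMENTS, "u1002"))
```

Schedule the reconciliation daily against every system that exports entitlements, and treat a "critical" row (access used after the leaving date) as an incident rather than a cleanup item; the "review" rows are the non-human identities whose ownership the programme has lost track of.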
Phishing resistance depends on the second factor actually being enforced
Phishing succeeds when stolen usernames and passwords are enough to complete authentication. Cloudflare's case shows the value of hardware keys because the company required a factor that the attacker could not replay from a fake login page. The technical lesson is that authentication strength is determined by the weakest accepted path, not by policy language. If some sign-in flows still rely on password-plus-SMS or reusable credentials, phishing remains viable. Strong authentication must be enforced consistently across all login surfaces, not only the preferred ones.
Practical implication: require phishing-resistant authentication on every privileged and employee sign-in path.
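A small model of why the hardware-key path held in the Cloudflare case while a code-based factor would not, as an added example that is not Cloudflare's, Axiad's or NHIMG's code. A relaying phishing page fetches a real challenge, shows the victim a look-alike login, and forwards whatever the victim produces. The origin-bound assertion fails at the real site because the browser, not the user, records which origin it was on; a one-time code relays cleanly because it carries no origin. The HMAC "signature" is a stand-in for the asymmetric signature a real FIDO2/WebAuthn authenticator produces, and the HOTP-style code is simplified rather than RFC 4226 exact; names, origins and secrets are constructed.

```python
"""Added example: origin-bound assertion versus relayed one-time code.
HMAC stands in for the authenticator's private-key signature; all values are constructed."""
import hashlib
import hmac
import json
import secrets


def simple_hotp(seed, counter, digits=6):
    """Simplified HOTP-style code: HMAC over a counter, truncated to `digits` (illustrative only)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return int.from_bytes(mac[:4], "big") % (10 ** digits)


class RelyingParty:
    """The real login service. It knows its own origin and never trusts the client's claim about it."""

    def __init__(self, origin):
        self.origin = origin
        self.key_secrets = {}  # user -> credential secret (stand-in for the registered public key)
        self.otp_seeds = {}    # user -> OTP seed
        self.pending = {}      # challenge -> user; each challenge is usable exactly once

    def register_key(self, user, cred_secret):
        self.key_secrets[user] = cred_secret

    def register_otp(self, user, seed):
        self.otp_seeds[user] = seed

    def begin_login(self, user):
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, user, client_data, signature):
        data = json.loads(client_data)
        if self.pending.pop(data.get("challenge"), None) != user:
            return False  # unknown or already-consumed challenge: replay
        if data.get("origin") != self.origin:
            return False  # signed for some other origin: the assertion came via a phishing page
        expected = hmac.new(self.key_secrets[user], client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def verify_otp(self, user, code, counter):
        # A code is just a number: nothing in it records which site the user typed it into.
        return hmac.compare_digest(str(code), str(simple_hotp(self.otp_seeds[user], counter)))


class SecurityKey:
    """Browser plus authenticator. The browser fills in the origin it is actually on; the user cannot edit it."""

    def __init__(self, cred_secret):
        self.cred_secret = cred_secret

    def sign_assertion(self, browser_origin, challenge):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True)
        signature = hmac.new(self.cred_secret, client_data.encode(), hashlib.sha256).digest()
        return client_data, signature


def legitimate_login(rp, user, key):
    challenge = rp.begin_login(user)
    client_data, sig = key.sign_assertion(rp.origin, challenge)
    return rp.finish_login(user, client_data, sig)


def relayed_phishing_with_key(rp, user, key, phishing_origin):
    """Attacker fetches a real challenge, shows it on the fake page, relays the victim's response."""
    challenge = rp.begin_login(user)
    client_data, sig = key.sign_assertion(phishing_origin, challenge)  # victim's browser is on the fake page
    return rp.finish_login(user, client_data, sig)


def replayed_assertion(rp, user, key):
    """Capture one good assertion and submit it twice: the second use hits a consumed challenge."""
    challenge = rp.begin_login(user)
    client_data, sig = key.sign_assertion(rp.origin, challenge)
    return rp.finish_login(user, client_data, sig), rp.finish_login(user, client_data, sig)


def relayed_phishing_with_otp(rp, user, seed, counter):
    """Same attacker, but the second factor is a code the victim reads off a real token and types into the fake page."""
    code_typed_on_fake_page = simple_hotp(seed, counter)
    return rp.verify_otp(user, code_typed_on_fake_page, counter)


if __name__ == "__main__":
    rp = RelyingParty("https://sso.example.com")
    cred, otp_seed = b"constructed-credential-secret", b"constructed-otp-seed"
    rp.register_key("alice", cred)
    rp.register_otp("alice", otp_seed)
    key = SecurityKey(cred)
    print("legitimate key login:", legitimate_login(rp, "alice", key))
    print("relayed phishing, security key:",
          relayed_phishing_with_key(rp, "alice", key, "https://sso-example.com.evil.test"))
    print("relayed phishing, OTP code:", relayed_phishing_with_otp(rp, "alice", otp_seed, 42))
    print("replayed assertion (first, second):", replayed_assertion(rp, "alice", key))
```

The test of "does a stolen password alone complete sign-in" from the key questions section is the `verify_otp` path here: as long as any application or fallback flow accepts it, the attacker simply steers the victim to that flow, which is why the control has to be uniform across every sign-in surface.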
Threat narrative
Attacker objective: The attacker objective was to turn exposed or residual identity access into unauthorised access to systems and customer data.
- Entry occurred when a third-party subcontractor published source code credentials to a public GitHub repository, creating an exposed access path.
- Escalation was possible in the Toyota case because the exposed credentials granted access to a Toyota server holding customer data, and happened at Cash App when a former employee used lingering report access after employment ended.
- Impact was limited in the Cloudflare case because hardware-key enforcement blocked account takeover, while Toyota and Cash App still saw sensitive data exposure.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware that exposed secrets on GitHub.
- reviewdog/action-setup GitHub Action supply chain attack: a compromised Action that exposed CI secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Leaver access that survives employment is a governance failure, not an insider anomaly. Cash App shows what happens when access remains usable after the relationship that justified it has ended. That pattern belongs in lifecycle governance, not only incident response. The implication is that offboarding must be treated as an access boundary, not an HR afterthought.
Public-code credential exposure creates identity blast radius far beyond the repository itself. Toyota illustrates how a single mistaken upload can expose server access for years if secrets are embedded in development artifacts. The real issue is that code handling and credential handling were allowed to diverge. Practitioners should treat source repositories as potential identity distribution points, not just software storage.
Phishing resistance fails when the fallback path still accepts replayable credentials. Cloudflare's containment worked because hardware keys blocked the attacker after credential theft, showing that authentication strength depends on the least resistant accepted method. The lesson for human IAM is that strong controls only matter when they are universal across all sign-in paths.
Identity attack surface is a lifecycle problem: these breaches show that access becomes dangerous when creation, delegation, and removal are not governed as one control plane. Third parties, leavers, and employees all produced the same outcome through different paths. The practitioner conclusion is that identity programmes need one view of entitlement age, ownership, and revocation state.
Credential exposure window is the named failure mode here. The Toyota example shows that the assumption of short-lived exposure did not hold because the credentials remained usable from 2017 to 2022. That assumption was designed for prompt detection and revocation, but it fails when secrets live inside public development artifacts. The implication is that teams must rethink how long an exposed credential can remain trusted at all.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity weakness can repeat across systems.
- Read 52 NHI Breaches Analysis for the breach patterns that help teams map exposed credentials to lifecycle failure.
What this signals
Identity programmes are now judged by how quickly they can close trust, not just how well they can prove it. The practical standard is shifting from authentication strength in theory to revocation speed in reality. For teams managing contractors, employees, and machine identities together, the operating question is whether an exposed credential can still be used before controls catch up.
The same lifecycle discipline that closes human access gaps also matters for NHI credentials and service accounts, especially where secrets travel through repositories, tickets, and shared tooling. A failure to track entitlement age and ownership leaves every access path vulnerable to the same pattern: access persists longer than the business relationship that justified it.
Identity attack surface is now a measurable governance boundary. When organisations cannot tell which credentials are still active, who owns them, or how fast they can be revoked, they are managing inventory instead of risk. The next maturity step is to connect revocation, logging, and ownership data across human and non-human identities in one programme view.
For practitioners
- Inventory credentials in public development assets: scan repositories, build artefacts, and shared code locations for embedded secrets, then confirm whether any exposed value still grants access. Prioritise locations where third parties contribute code or where repositories have changed visibility settings.
- Bind offboarding to access revocation: remove human, contractor, and vendor access at the same time a relationship ends, and verify that report access, admin access, and API access all close together. Use the termination event as the control trigger, not a manual follow-up.
- Enforce phishing-resistant sign-in for privileged access: require hardware-based or equivalent phishing-resistant authentication for employees who can reach sensitive systems, and remove fallback paths that still accept replayable passwords or weak second factors.
- Shorten the lifetime of exposed secrets: set rapid rotation and revocation procedures for any credential that might appear in code, tickets, chat, or shared files, and test whether the environment can invalidate it before an attacker can use it.
Key takeaways
- The core risk is not just breach volume, but identity control that lags behind how access is created, shared, and withdrawn.
- The evidence spans three different failure modes, from exposed source-code credentials to stale post-employment access and defeated phishing attempts.
- The practical fix is lifecycle governance that closes secrets, leaver access, and authentication fallback paths as one control problem.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI2 Secret Leakage; NHI7 Long-Lived Secrets | Leaver access that outlives employment and credentials embedded in public code map directly to these entries. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-03, PR.AA-05 | Managing identities and credentials, authenticating users and services, and reviewing entitlements underpin all three breach patterns. |
| NIST Zero Trust (SP 800-207) | Zero trust tenets, section 2.1 (per-session access; dynamic, strictly enforced authentication and authorisation) | Phishing-resistant authentication and revocation before each access decision are what make zero-trust access decisions hold. |
Map exposure, offboarding, and authentication controls to access policy and enforce them consistently.
Key terms
- Credential Exposure Window: The time between when a secret, token, or password is exposed and when it is actually revoked or rendered useless. In identity security, the danger is not the leak alone but how long the leaked value can still authenticate and unlock systems.
- Leaver Access: Access that should end when a person leaves a role, team, or organisation but may continue if offboarding is incomplete. It is a governance issue across human and NHI programmes because the business reason for access has expired even if the credential still works.
- Phishing-resistant Authentication: A sign-in method whose proof cannot be relayed or replayed by an attacker who captures the password or lures the user onto a fake login page. In practice the authenticator signs a fresh challenge together with the origin the browser is actually on, using a key bound to the device, so an assertion produced on a look-alike site does not verify at the real one.
- Identity Blast Radius: The amount of damage that can follow from one compromised identity, credential, or entitlement. The blast radius expands when secrets are reused, access is overbroad, or revocation is slow, because a single mistake can reach many systems and data sets.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: 2022 Data Breaches, What Happened and What Did We Learn? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org