By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Breaches & Incidents
Source: Axiad

TL;DR: High-profile 2022 breaches at Toyota, Cash App, and Cloudflare all stemmed from credential exposure, third-party access, or phishing, with the Toyota issue persisting nearly five years before detection, according to Axiad’s security bulletin. The lesson is that identity governance fails when access outlives oversight, especially across contractors, former employees, and password-based workflows.


At a glance

What this is: Axiad’s security bulletin reviews several 2022 data breaches and shows that exposed credentials, third-party access, and phishing drove the outcomes.

Why it matters: It matters because IAM, NHI, and human identity teams all have to govern who can create, keep, and use credentials before those credentials become breach paths.


👉 Read Axiad's bulletin on 2022 data breaches and credential exposure


Context

Credential exposure remains one of the most persistent breach patterns because identity controls are often weaker than the systems they protect. In these cases, the failure was not only technical compromise, but also delayed revocation, poor third-party control, and reliance on credentials that were easy to steal or reuse.

The article is really about how identity governance breaks across human users, contractors, and service access when credentials escape their intended boundary. That makes it relevant to NHI governance, human IAM, and the operational handoffs that connect them.


Key questions

Q: What breaks when exposed credentials are not revoked quickly?

A: Exposed credentials create a standing access window that attackers can exploit before defenders notice. The danger is not limited to the original leak. Any system that trusts the credential can become reachable until the secret is rotated, downstream access is closed, and the exposure path is fully removed.

Q: Why do former employees create identity risk after offboarding?

A: Former employees remain risky when application access, report access, or delegated permissions are not removed at the same pace as employment status changes. The problem is lifecycle drift, where the identity relationship ends on paper but the access path still exists in systems that matter.

Q: How do security teams reduce phishing risk for privileged users?

A: Security teams reduce phishing risk by making passwords insufficient on their own for access. Hardware-backed authentication, device binding, and strict session controls limit what an attacker can do with stolen credentials. Training helps, but the decisive control is authentication that cannot be replayed from a text message.

Q: What is the difference between access review and offboarding verification?

A: Access review checks whether access still looks appropriate, while offboarding verification proves the access is gone. In breach-prone environments, both are needed, but offboarding verification is the stronger control because it closes the entitlement rather than only recording that it should have been removed.


Technical breakdown

Third-party credentials published in public code repositories

When a contractor exposes source code credentials in a public repository, the breach path begins long before the attacker touches production. Public code hosting collapses the trust boundary because secrets, keys, and embedded access tokens can be indexed, copied, and reused at scale. The technical failure is not only exposure, but also the absence of compensating controls such as secret scanning, repository hygiene, and credential provenance tracking. In Toyota’s case, the exposed credentials remained usable for years, which turns a single mistake into a long-lived access path.

Practical implication: enforce secret scanning and repository controls that block public exposure before credentials ever leave source control.
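As an added illustration of the secret-scanning control recommended above (example code written for this post, not Axiad's or any scanning product's own implementation), a small pre-commit style check that flags credential-shaped strings before they leave source control and reports them redacted rather than echoing the secret. The pattern names, the entropy threshold and the sample file are constructed for the example; the AKIA value is the placeholder access key from AWS's own documentation.

```python
import math
import re

# Credential shapes that commonly leak into source control: "AKIA" is the real AWS
# access-key-ID prefix; the other two patterns are generic shapes, not product-specific.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-+/=]{8,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, dictionary words low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def redact(value: str) -> str:
    """A finding must never re-expose the secret in output or logs; keep just enough to triage."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_text(text: str, min_entropy: float = 3.0) -> list[tuple[int, str, str]]:
    """Return (line_no, pattern_name, redacted_value) for every suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Keyword assignments get an entropy gate so placeholders like "changeme" are skipped.
                if name == "generic_secret_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((line_no, name, redact(value)))
    return findings

def should_block_commit(text: str) -> bool:
    """Pre-commit decision: refuse the change if anything credential-shaped was found."""
    return bool(scan_text(text))

# Constructed sample file for this example; the AKIA value is AWS's own documentation placeholder.
SAMPLE = """\
# constructed sample config, not real credentials
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_token = "k8Qz2vL9pX4mN7rT1wY6bH3jD5fG0sA8"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, name, shown in scan_text(SAMPLE):
        print(f"line {line_no}: {name} -> {shown}")
    print("block commit:", should_block_commit(SAMPLE))
```

The same scan can be wired into a pre-receive hook or a CI job so that a positive result fails the push, which is the "block before it leaves source control" point made above.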

Former employee access after offboarding

Offboarding is supposed to end the authority to retrieve data, but data-access pathways often survive employment changes. In the Cash App example, the former employee could still access reports after leaving, which indicates a failure in entitlement removal, access lifecycle closure, or report-level authorization design. This is a governance issue as much as an access issue, because the data retrieval path remained available when the identity relationship had already ended. The technical lesson is that access reviews alone do not close stale access paths unless deprovisioning is complete and verifiable.

Practical implication: tie offboarding to verified entitlement removal, not just HR status changes.

Phishing resistance depends on the sign-in factor, not the username

Cloudflare’s case shows a classic credential-harvest pattern where SMS messages mimic a legitimate login flow and collect usernames and passwords. The important technical point is that passwords alone are not a control boundary if the attacker can socially engineer the login step. Hardware keys changed the outcome because they bound authentication to a device and made the captured password insufficient for access. This is why phishing-resistant authentication is a control against credential replay, not just a user-experience upgrade.

Practical implication: use phishing-resistant sign-in methods for high-risk accounts and treat passwords as recoverable, not authoritative.


Threat narrative

Attacker objective: The objective is to reach systems or reports through compromised credentials and then extract customer data, account data, or internal access value.

  1. Entry occurred when a subcontractor published source code credentials to GitHub, when a former employee retained access to reports after leaving, and when attackers used SMS phishing to collect login details.
  2. Credential access followed through exposed secrets, lingering post-employment access, or captured usernames and passwords that could be replayed against protected systems.
  3. Impact ranged from unauthorized server access and customer data exposure to blocked credential reuse that still demonstrated how quickly attackers exploit identity weaknesses.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Exposed credentials are not a point-in-time event; they are an access lifecycle failure. The Toyota example shows that a credential can remain dangerous for years if no one closes the loop between publication, discovery, and revocation. That turns secrets governance into an ongoing control problem rather than a one-time cleanup exercise. Practitioners should treat every exposed secret as evidence that lifecycle control has already failed.

Vendor access without lifecycle offboarding is the named failure mode this article exposes. Cash App’s case shows what happens when an identity relationship ends but data access does not. The governance assumption was that employment termination automatically ends report access, and that assumption did not hold. The implication is not merely tighter process, but a rethink of how offboarding is proven.

Password-based trust collapses once phishing moves faster than human response. Cloudflare’s case shows that stolen credentials are only decisive when the sign-in stack still treats them as sufficient proof. Hardware-key enforcement broke the attacker path because the captured password was not enough on its own. Practitioners should read this as a boundary issue, not a user training issue.

Credential exposure now spans human IAM and NHI governance in the same attack chain. The same breach mechanics that affect employee sign-in, contractor repositories, and offboarding also affect service credentials and API secrets. That is why identity programs cannot keep human and non-human access in separate silos when the failure mode is credential reuse. The practitioner conclusion is to govern the whole credential estate as one attack surface.

Identity attack surface expansion: This article shows how one public mistake, one stale entitlement, or one phished login can create a breach path that outlives the original event. The recurring pattern is not sophistication, but unmanaged identity persistence. The field should treat that persistence as the core security problem to measure and reduce.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • That scale makes cross-actor identity governance urgent, which is why practitioners should also consult 52 NHI Breaches Analysis for recurring failure patterns and response lessons.

What this signals

Credential persistence is the common denominator across human and machine identity failures. The programme lesson is not to separate contractor access, employee sign-in, and service credentials into different risk conversations. A governance model that cannot prove revocation, containment, and downstream removal will keep missing the same breach pattern in different forms.

The recurring issue is not only compromise, but unresolved trust in credentials that should no longer be trusted. That is why identity teams need to measure closure, not just issuance, and to tie repository hygiene, offboarding, and authentication strength into one control view. For deeper context, see the Ultimate Guide to NHIs, Key Challenges and Risks.


For practitioners

  • Track exposed credentials as lifecycle events: Create an incident workflow that starts when a secret appears in public code, file sharing, or logs and ends only after revocation is verified in every connected system. Include source control, cloud access, and downstream service accounts in the review.
  • Bind offboarding to entitlement removal: Require evidence that data-access roles, report permissions, tokens, and delegated access have been removed before an employee or contractor is marked fully offboarded. HR closure alone is not enough.
  • Prioritise phishing-resistant authentication: Use hardware-backed or equivalent phishing-resistant sign-in for privileged and high-value accounts so captured passwords cannot be replayed. This is especially important where attackers target email, admin portals, and support tooling.
  • Scan contractor and partner touchpoints for secret leakage: Extend secret scanning and access review coverage to third-party repositories, shared workspaces, and external delivery channels. The Toyota case shows that subcontractor mistakes can become enterprise exposure.

Key takeaways

  • These 2022 breaches show that credential exposure, stale access, and phishing remain breach enablers even when the underlying systems are not fully compromised.
  • The scale matters: one case persisted for nearly five years, another affected more than eight million users, and a third showed how quickly attackers target login flows.
  • The control that changes outcomes is verified lifecycle closure, paired with phishing-resistant authentication and secret scanning across third parties.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Public secret exposure and stale credentials map directly to NHI lifecycle control failures.
NIST CSF 2.0 | PR.AC-4 | These breaches hinge on weak access restriction and incomplete entitlement removal.
NIST Zero Trust (SP 800-207) | AC-5 | Phishing and credential replay show why strong continuous authentication is needed.

Inventory exposed secrets, rotate them immediately, and verify downstream revocation across all connected systems.


Key terms

  • Credential Exposure Window: The period during which a leaked secret, password, token, or key can still be used before defenders revoke it everywhere it matters. In practice, the window is shaped by discovery speed, rotation discipline, and whether downstream systems trust the old credential.
  • Offboarding Verification: The proof step that confirms access has actually been removed after an employee, contractor, or partner relationship ends. It goes beyond checking HR status by validating that applications, reports, delegated permissions, and tokens no longer work.
  • Phishing-Resistant Authentication: An authentication method that cannot be easily replayed after a user is tricked into revealing credentials. It usually relies on device-bound or hardware-backed factors, which makes a stolen password insufficient for account access.
  • Third-Party Access Drift: The gradual mismatch between the access a contractor, partner, or supplier should have and the access they still retain. It often appears when permissions are granted once, but review, revocation, and evidence of closure do not keep pace with the relationship.

Deepen your knowledge

Credential exposure, offboarding verification, and phishing-resistant authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to close the gap between identity issuance and identity revocation, it is worth exploring.

This post draws on content published by Axiad: 2022 Data Breaches, What Happened and What Did We Learn? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org