By NHI Mgmt Group Editorial TeamPublished 2026-05-26Domain: Breaches & IncidentsSource: Securden

TL;DR: High-profile breaches at Uber, Intercontinental Hotel Group, and American Airlines show how phishing, MFA fatigue, hardcoded credentials, weak vault passwords, and poor privilege management still turn basic access flaws into enterprise-wide compromise, according to Securden. The lesson is that password hygiene, privileged access controls, and visibility into orphaned accounts remain decisive controls, not background tasks.


At a glance

What this is: The article argues that recurring breaches still start with basic password and privilege failures, then expand into lateral movement and sensitive-data exposure.

Why it matters: IAM, PAM, and NHI teams need to treat credential hygiene, access vaulting, and privileged account visibility as breach-prevention controls, not just housekeeping.

By the numbers:

👉 Read Securden's analysis of recent breaches and password hygiene failures


Context

Password hygiene failures are not a mature problem solved by more tooling, they are a governance problem that keeps reappearing at the point of access. In the article’s examples, phishing, MFA fatigue, hardcoded credentials, and weak vault passwords all create the same outcome: attackers move from initial compromise into privileged internal resources.

For IAM and PAM teams, the core issue is not that controls are absent in theory, but that they are inconsistently enforced across human accounts, privileged access paths, and credential storage. The article’s breach set is typical of environments where access review, password policy, and privilege containment have not been operationalised tightly enough to block lateral movement.


Key questions

Q: What breaks when password hygiene is weak in enterprise identity systems?

A: Weak password hygiene breaks more than sign-in security. It allows attackers to reuse stolen credentials, abuse shared vault access, and pivot into privileged systems that were never meant to be reachable from a single compromised account. The practical result is a larger blast radius, longer dwell time, and a much harder containment problem for IAM and PAM teams.

Q: Why do phishing and MFA fatigue still lead to major breaches?

A: Phishing and MFA fatigue work because they exploit trust in the authentication flow, not because the attacker has stronger technology. When users can approve repeated prompts or open malicious content that leads to a valid session, the identity boundary is bypassed through behaviour rather than code. Security teams need to control the approval path, not just the password field.

Q: What do security teams get wrong about password vaults?

A: Teams often treat vaults as storage systems instead of high-value access gateways. If vault credentials are weak, shared too widely, or left unreviewed, the vault becomes a central compromise point that turns ordinary secrets into enterprise-wide access. Governance must cover who can open the vault, how they authenticate, and whether that access is still justified.

Q: Who is accountable when orphan accounts are still active after a breach?

A: Accountability sits with the identity and system owners who failed to retire the account, remove the token, or verify the business need during access review. Orphan accounts are a lifecycle governance failure, not just an operations mistake. Frameworks such as NIST CSF and privileged access governance both expect ownership, review, and timely removal of stale access.


Technical breakdown

Phishing and MFA approval fatigue as an entry path

The entry problem in these incidents is not sophisticated malware. It is trust abuse at the authentication boundary, where an attacker persuades a user to approve a prompt or open a malicious attachment, then converts that interaction into a foothold. Once initial access exists, the attacker no longer needs to defeat the perimeter in one step. The real weakness is that authentication success is treated as proof of legitimate intent, even when the sign-in path is noisy, repeated, or socially engineered.

Practical implication: reduce prompt abuse with stronger approval controls, user awareness, and anomaly detection on repeated MFA challenges.

Hardcoded credentials and shared vault passwords

Hardcoded secrets in scripts and weak passwords on vaults collapse the boundary between ordinary support tooling and privileged access. A script that contains an administrator password is effectively a credential distribution mechanism, not a support asset. The same is true when a password vault is accessible with a trivial shared secret. In both cases, the security model assumes secrets remain hidden and hard to reuse, but the implementation makes them easy to discover, copy, and replay.

Practical implication: remove embedded secrets from scripts and treat vault access credentials as high-value identities that require strict governance.

Orphan accounts and lateral movement through over-privilege

Once attackers have a foothold, they look for accounts, tokens, and shared resources that were never intended to be part of the attack path. Orphaned accounts, stale admin tokens, and over-privileged service access extend the blast radius far beyond the initial endpoint. This is where password management becomes privilege management. If an attacker can pivot from one compromised account into cloud consoles, collaboration tools, and internal reports, the problem is no longer authentication alone. It is uncontrolled privilege propagation.

Practical implication: inventory privileged identities, remove orphan accounts, and review whether each token or account can reach more systems than its job requires.


Threat narrative

Attacker objective: The objective is to turn a single compromised identity into broad internal access, then steal or destroy sensitive data before defenders can contain the session.

  1. Entry occurred through phishing, repeated MFA approval prompts, or a malicious attachment that gave the attacker a first foothold inside the enterprise.
  2. Escalation followed when attackers found hardcoded administrator credentials or weak vault access, then reused those secrets to reach cloud consoles and internal collaboration systems.
  3. Impact came from lateral movement into sensitive internal resources, exposure of classified data, and in one case destructive wiper activity that disrupted operations.
  • IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Password hygiene is still an identity control, not an end-user nuisance. These incidents show that breaches often begin with weak authentication discipline, then expand because access paths are not tightly governed. Password policy, prompt protection, and secret storage are only effective when they are treated as part of identity architecture rather than user inconvenience. Practitioners should read these cases as a governance failure in the access layer.

Hardcoded credentials create identity debt that attackers can cash immediately. A script, shared vault password, or embedded administrator token converts ordinary operational material into a reusable access grant. That is not just poor hygiene, it is a durable control failure because the secret can be copied once and reused many times. The practitioner conclusion is simple: anything that behaves like a credential should be governed like one.

Shared vault access is a privilege design problem, not a storage problem. If a password vault can be opened by large employee populations or with weak credentials, the vault becomes a central breach accelerator. The same pattern appears in NHI environments when service credentials are over-shared or reused across systems. Teams should assume the vault is part of the attack surface and design accordingly.

Identity blast radius: the real failure is not initial compromise, it is how far the compromised identity can travel afterward. These examples show that one stolen login can reach cloud consoles, collaboration tools, and internal reports when privilege boundaries are too loose. That pattern aligns with OWASP-NHI thinking and with Zero Trust principles: containment matters as much as authentication. Practitioners should measure how much damage one identity can do before they assume the breach is under control.

Orphan accounts and dormant access are the hidden multipliers in breach dwell time. The article points to accounts and credentials that remain available long after they should have been removed or restricted. That is a lifecycle failure across IAM and PAM, and it becomes especially dangerous when attackers are willing to wait. Teams should prioritise removal of unused access as a breach-reduction measure, not a tidy-up task.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • The governance pattern behind these breaches points forward to the Ultimate Guide to NHIs , Key Challenges and Risks, where visibility gaps and over-privilege are treated as structural issues rather than edge cases.

What this signals

Identity blast radius should become a first-class programme metric. Once an attacker can move from a single compromised login into cloud consoles, support tools, and internal reports, the question is no longer whether authentication worked. The question is how much access the compromised identity carried, and whether your programme can prove that the blast radius is bounded.

Orphaned access is the breach residue that keeps paying attackers back. When accounts, tokens, and vault credentials outlive their owners or their business purpose, dwell time becomes an access-management problem rather than a detection problem. This is where lifecycle governance, not just incident response, determines whether a breach stays contained.

With 52 NHI breaches analysed across real incidents, the pattern is consistent: once privilege is over-shared, attackers need very little sophistication to convert access into impact. That makes secret hygiene, ownership, and review cadence the controls to watch first.


For practitioners

  • Eliminate hardcoded secrets from scripts and shared files Scan PowerShell, CI/CD jobs, runbooks, and internal repositories for embedded credentials, then replace them with managed retrieval from a controlled vault or workload identity path. Prioritise scripts that can reach admin consoles, cloud accounts, or collaboration tools.
  • Tighten MFA challenge handling and approval logic Investigate repeated push prompts, legacy approval flows, and any sign-in path where a user can approve access without strong context. Add step-up checks for unusual device, location, or frequency patterns before approval completes.
  • Review vault access as a privileged entitlement Treat vault authentication as a high-risk access path and remove broad employee access where possible. Enforce strong unique credentials, scoped administrative roles, and separate control of the vault from general IT convenience access.
  • Remove orphan accounts and stale privileged tokens Run a targeted access review for accounts that no longer have a current owner, business purpose, or lifecycle record. Prioritise admin tokens, shared service accounts, and any identity that can reach cloud consoles or sensitive internal data.
  • Measure identity blast radius per account Map what each high-value identity can access after a single compromise, including internal tools, support systems, and cloud services. Use that mapping to identify where privilege boundaries are too porous for realistic incident containment.

Key takeaways

  • These breaches keep recurring because weak passwords, weak vaults, and over-shared privilege still create the easiest path into enterprise systems.
  • The evidence in the article shows that one compromised identity can pivot into cloud services, collaboration tools, and destructive follow-on impact when governance is loose.
  • The most effective prevention is not a single tool, but disciplined control of secrets, vault access, MFA approvals, and dormant privileged accounts.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Hardcoded credentials and weak vault access map directly to improper secret lifecycle control.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article centers on credential theft followed by internal pivoting.
NIST CSF 2.0PR.AC-1Identity proofing and access control failures are the common thread in the breaches.
NIST SP 800-53 Rev 5IA-5Authenticator management is central to password rotation and secret protection.
NIST Zero Trust (SP 800-207)Zero Trust is relevant because the article shows how one trust failure can expand across systems.

Reconcile access assignments against owners and business need, then remove standing access that cannot be justified.


Key terms

  • Identity Blast Radius: The amount of damage a single compromised identity can cause before containment. In practice, it is shaped by role scope, token reach, vault access, and whether the account can pivot into cloud, collaboration, or administrative systems.
  • Password Vault: A controlled system for storing and retrieving sensitive credentials, tokens, and files. Its security depends on strong access governance, unique authentication, and tight entitlement review, because a weak vault effectively concentrates the organisation’s most dangerous secrets.
  • Orphan Account: An account that no longer has a clear owner, business purpose, or lifecycle record. These identities often persist after job changes, vendor changes, or project completion, creating hidden access paths that attackers can exploit long after the original need has passed.
  • MFA Fatigue: A social engineering technique that overwhelms a user with repeated multifactor prompts until one is approved. It exploits human reaction to prompt noise, so the control failure is not MFA itself but weak challenge handling and insufficient signal on repeated approvals.

What's in the full analysis

Securden's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the Uber, IHG, and American Airlines attack paths and how each privilege failure unfolded.
  • Specific password-management and PAM countermeasures the source recommends for reducing credential reuse and shared vault risk.
  • The article's full incident-by-incident discussion of phishing, hardcoded secrets, and destructive follow-on impact.
  • Practical examples of how to monitor password activity logs and route them into SIEM workflows.

👉 The full Securden article covers the breach examples, privilege gaps, and password controls in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org