Co-op Group DragonForce Breach: Scattered Spider Steals 20 Million Member Records

In April 2025, the Co-op Group, the UK’s fifth-largest food retailer with over 2,500 stores and 70,000 employees, fell victim to a sophisticated social engineering attack by the DragonForce ransomware group, operating with the tactics and techniques associated with Scattered Spider. An attacker called the Co-op’s IT helpdesk, impersonated an employee, and convinced support staff to reset that employee’s password. That single social engineering call gave the attacker a foothold in Active Directory. They then dumped the NTDS.dit file, extracting the credential hashes for every account in the domain. ShinyHunters, a partner threat actor, subsequently claimed to have stolen data belonging to 20 million Co-op members, including names, addresses, dates of birth, and membership details.

What Happened

The Co-op Group breach is part of the same Scattered Spider/DragonForce attack wave that also hit Marks and Spencer and Harrods in the same period, collectively representing the most damaging series of retail cyberattacks in UK history.

The attack chain:

  • April 2025: Attacker contacts Co-op IT helpdesk, social engineers a password reset for an employee account, impersonating the employee convincingly enough to pass helpdesk verification
  • April 2025: Using reset credentials, attacker gains Active Directory access
  • April 2025: NTDS.dit credential dump executed — extracting hashed passwords for all domain accounts
  • April 2025: Lateral movement using harvested credentials across Co-op internal systems
  • Late April 2025: DragonForce ransomware deployed across systems; Co-op detects and responds
  • May 2025: ShinyHunters claims to hold data on 20 million Co-op members, posting samples as proof
  • May 2025 onwards: Co-op confirms significant data theft, customer notification programme
  • 2025-2026: Arrests — four Scattered Spider suspects arrested in coordinated law enforcement action across multiple jurisdictions

The data confirmed or claimed stolen includes 20 million Co-op member records: names, email addresses, postal addresses, dates of birth, and membership account details. The breach is considered the largest UK retail data breach on record.

How It Happened

The Co-op breach followed the same playbook Scattered Spider used at MGM Resorts and Caesars Entertainment in 2023, and again at Marks and Spencer in 2025: social engineer the IT helpdesk to reset an employee account, then use that foothold to reach Active Directory and execute a credential dump.

The specific NHI failure is the NTDS.dit dump. The NTDS.dit file is the Active Directory database. It contains the hashed credentials of every account in the domain: every user, every service account, every computer account. An attacker who can take a shadow copy of the volume holding NTDS.dit and extract the file has effectively stolen every non-human identity credential in the Active Directory environment in a single operation. The attacker does not need to compromise each service account individually. They harvest the entire credential database at once.

From an NHI perspective, this is the worst possible outcome: the entire domain credential inventory exfiltrated in one action. Every service account, application system account, and machine credential is compromised. The recovery operation is not rotating one credential; it is rotating every credential in the domain.

The social engineering entry point, a helpdesk call convincing enough to pass verification, reflects a fundamental weakness in identity verification for account recovery operations. Most helpdesk password reset processes rely on knowledge-based verification: the caller provides employee ID, a date of birth, a manager’s name, or other details that can be researched or guessed. These are not adequate verification for an action that provides access to corporate systems.

What This Means for NHI Governance

The NTDS.dit dump pattern has become the defining NHI credential threat in the Scattered Spider attack wave. Understanding it is essential for any organisation running Active Directory:

NTDS.dit is the NHI credential inventory. Every service account in your Active Directory environment — every account used by applications, services, scheduled tasks, and integrations — has its credential hash in NTDS.dit. An attacker who dumps NTDS.dit does not just have domain administrator access. They have the credentials for every non-human identity in the domain. That includes the accounts used by backup software, monitoring agents, application servers, database services, and every other automated process in the environment.

The recovery from an NTDS.dit dump requires mass NHI credential rotation. This is not a task that most organisations have a playbook for. Human account password resets are a standard IT operation. Rotating every service account in the domain simultaneously — without breaking the services that depend on those accounts — is a complex, high-risk operation that requires knowing every service account’s dependencies. Most organisations do not have that inventory.
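To make the dependency point concrete, here is a small rotation planner, added as an example for this article and not Co-op’s or any vendor’s tooling. It takes a constructed service-account inventory (the account names, hosts, consumer kinds and the tier scheme are all assumptions) and produces the order and per-account steps for a post-breach rotation: domain-privileged accounts first, widest blast radius next, accounts with no known consumer disabled rather than rotated, and accounts whose inventory is incomplete flagged for manual review.

```python
"""Plan a post-compromise mass rotation of AD service accounts from an inventory (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Consumer:
    """One place where the account's secret is configured and would break when it changes."""
    kind: str      # e.g. "windows-service", "scheduled-task", "connection-string"
    host: str
    detail: str


@dataclass
class ServiceAccount:
    name: str
    tier: int                        # assumption: 0 = domain-privileged, 1 = server/application, 2 = low privilege
    consumers: list = field(default_factory=list)
    inventory_complete: bool = True  # False: the account exists but not every secret location is known


def rotation_order(accounts):
    """Domain-privileged accounts first, then the widest blast radius, then name for stability."""
    return sorted(accounts, key=lambda a: (a.tier, -len(a.consumers), a.name))


def blast_radius(account):
    """Hosts that lose service the moment the credential changes."""
    return sorted({c.host for c in account.consumers})


def plan_account(account):
    if not account.consumers:
        # Nothing is known to depend on it: disabling is safer than rotating and leaves an audit trail.
        return {"account": account.name, "action": "disable-and-monitor",
                "steps": [f"disable {account.name} in AD",
                          f"alert on any logon attempt by {account.name}"]}
    action = "rotate" if account.inventory_complete else "rotate-with-manual-review"
    # Post-breach order: invalidate the stolen hash in AD first and accept the outage,
    # then update every consumer, then verify each affected host.
    steps = [f"set a new credential for {account.name} in AD"]
    steps += [f"update {c.kind} on {c.host} ({c.detail})" for c in account.consumers]
    steps += [f"restart and verify on {host}" for host in blast_radius(account)]
    if not account.inventory_complete:
        steps.append("search remaining hosts for the old secret before closing the ticket")
    return {"account": account.name, "action": action, "steps": steps}


def build_plan(accounts):
    return [plan_account(a) for a in rotation_order(accounts)]


# Constructed inventory; every name and host here is illustrative.
INVENTORY = [
    ServiceAccount("svc_backup", 0, [
        Consumer("windows-service", "bkp01.corp.example", "BackupAgent"),
        Consumer("scheduled-task", "dc01.corp.example", "Nightly-SystemState"),
    ]),
    ServiceAccount("svc_sql_app", 1, [
        Consumer("connection-string", "app01.corp.example", "web.config"),
        Consumer("connection-string", "app02.corp.example", "web.config"),
    ], inventory_complete=False),
    ServiceAccount("svc_monitor", 1, [
        Consumer("monitoring-agent", "web01.corp.example", "agent.conf"),
        Consumer("monitoring-agent", "web02.corp.example", "agent.conf"),
        Consumer("monitoring-agent", "mon01.corp.example", "agent.conf"),
    ]),
    ServiceAccount("svc_legacy", 2, []),
]

if __name__ == "__main__":
    for entry in build_plan(INVENTORY):
        print(f"{entry['account']}: {entry['action']}")
        for step in entry["steps"]:
            print(f"  - {step}")
```

The ordering encodes the recommendation to prioritise domain-privileged accounts, and the "manual review" branch is where the missing inventory shows up as extra work and extra risk: the old secret may still be live somewhere the plan cannot see.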

Helpdesk social engineering is now a documented, repeatable attack vector. Scattered Spider has used the same approach at multiple major organisations. The control that defeats it is identity verification that cannot be replicated over a phone call: government-issued ID verification, biometric liveness checks, or a callback to a pre-registered number. Knowledge-based verification is insufficient.

Recommendations

  • Implement phishing-resistant verification for all IT helpdesk password reset requests. Knowledge-based verification (employee ID, date of birth) can be researched. Require in-person verification, manager co-authorisation, or cryptographically bound identity verification for any account reset that would provide access to corporate systems.
  • Build an inventory of all service accounts and their dependencies before you need it. A complete, documented inventory of every Active Directory service account — what it is, what it accesses, which services depend on it, and its current credential state — is the prerequisite for rapid mass rotation after an NTDS.dit dump.
  • Restrict access to Domain Controller volumes and shadow copies. NTDS.dit dumps require either direct DC access or shadow copy creation. Restrict these operations with PAM controls and alert on any attempt to create shadow copies of Domain Controller volumes.
  • Detect and alert on NTDS.dit dump indicators. NTDSDump, volume shadow copy creation against domain controllers, vssadmin activity, and ntdsutil commands should all generate immediate security alerts.
  • Rotate all service account credentials after any confirmed helpdesk social engineering incident. If an attacker succeeded in obtaining a password reset via social engineering, assume the environment is compromised and begin mass credential rotation immediately, prioritising accounts with domain privilege.
  • Segment Active Directory to limit blast radius. Service accounts used by applications should have minimum necessary permissions and should not have domain administrative rights. Tiering Active Directory to prevent lateral movement from a single compromised account to NTDS.dit access reduces the breach impact.
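The detection recommendation above can be expressed as a handful of command-line rules over process-creation telemetry. The following is an added example written for this article, not a rule set from Co-op or any product: it scans constructed, tab-separated process-creation records (timestamp, host, user, command line) for the indicators the page names, ntdsutil driving the NTDS database, shadow copy creation with vssadmin, and any direct reference to the ntds.dit path, and scores shadow copy creation higher when it happens on a domain controller. The domain controller hostnames and the record format are assumptions; in practice the input would be Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled.

```python
"""Flag NTDS.dit dump indicators in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass

# Assumption: the FQDNs of the domain controllers, taken from the AD inventory.
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}

# (rule name, pattern applied to the lower-cased command line, base severity)
RULES = [
    # ntdsutil working on the NTDS database or its "install from media" export
    ("ntdsutil-ifm", re.compile(r"\bntdsutil\b.*\b(ifm|ntds)\b"), "critical"),
    # volume shadow copy creation, the usual way to obtain a readable copy of the locked database
    ("vssadmin-shadow", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b"), "high"),
    # any command line that names the database file directly
    ("ntds-dit-path", re.compile(r"\\ntds\\ntds\.dit\b"), "critical"),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


def parse_line(line):
    """Parse one tab-separated record; return None for malformed lines so one bad record never stops the scan."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4:
        return None
    timestamp, host, user, cmdline = parts
    return {"timestamp": timestamp, "host": host, "user": user, "cmdline": cmdline}


def evaluate(event, domain_controllers=DOMAIN_CONTROLLERS):
    """Apply every rule to one event. Shadow copy creation is only significant on a DC."""
    cmd = event["cmdline"].lower()
    on_dc = event["host"].lower() in domain_controllers
    alerts = []
    for name, pattern, base_severity in RULES:
        if not pattern.search(cmd):
            continue
        severity = base_severity
        if name == "vssadmin-shadow" and not on_dc:
            # Backup agents create shadow copies on ordinary servers routinely; keep it as context only.
            severity = "info"
        alerts.append(Alert(event["timestamp"], event["host"], event["user"], name, severity, event["cmdline"]))
    return alerts


def scan(lines, domain_controllers=DOMAIN_CONTROLLERS):
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            alerts.extend(evaluate(event, domain_controllers))
    return alerts


def summarize(alerts):
    """Count alerts per severity, the figure a SOC dashboard would show."""
    counts = {}
    for alert in alerts:
        counts[alert.severity] = counts.get(alert.severity, 0) + 1
    return counts


def _record(timestamp, host, user, cmdline):
    return "\t".join((timestamp, host, user, cmdline))


# Constructed sample telemetry, not real Co-op data: timestamp, host, user, command line.
SAMPLE_LOG = [
    _record("2025-04-22T03:14:07Z", "dc01.corp.example", r"CORP\svc_backup", r"vssadmin create shadow /for=C:"),
    _record("2025-04-22T03:14:31Z", "dc01.corp.example", r"CORP\svc_backup", r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\dump" q q'),
    _record("2025-04-22T08:02:10Z", "ws042.corp.example", r"CORP\j.doe", r"vssadmin create shadow /for=C:"),
    _record("2025-04-22T03:15:02Z", "dc02.corp.example", r"CORP\svc_backup", r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"),
    _record("2025-04-22T09:00:00Z", "dc01.corp.example", r"CORP\admin", r"vssadmin list shadows"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.host} {alert.user} {alert.rule}: {alert.cmdline}")
```

Two design points worth keeping when porting this to a SIEM: the host-based downgrade is what keeps the shadow copy rule from drowning in backup noise while still firing immediately on a domain controller, and the path rule catches the copy out of the shadow volume even when the tool that created the copy was never logged.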

How NHI Mgmt Group Can Help

Securing Non-Human Identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.

Take our NHI Foundation Level Training Course, the most comprehensive in the industry, which will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.

Final Thoughts

The Co-op breach is one data point in a pattern that has now claimed M&S, Harrods, MGM Resorts, Caesars Entertainment, and several other major organisations. The entry point in every case was social engineering of a helpdesk or IT support function. The high-value target in every case was Active Directory and the credential database it holds.

For NHI governance practitioners, the NTDS.dit dump is the scenario that exposes the full cost of not having a service account inventory: when every credential in the domain is simultaneously compromised, the organisations that recover fastest are the ones that knew exactly what they had to rotate and what depended on it.