TL;DR: Three 2022 breaches show how exposed credentials, post-employment access, and phishing can still bypass enterprise controls, according to Axiad. The common failure is not just user error but weak identity governance over third parties, leavers, and authentication paths.
NHIMG editorial — based on content published by Axiad: 2022 Data Breaches, What Happened and What Did We Learn?
By the numbers:
- Three 2022 breaches illustrate how one exposed credential path, one leaver access failure, and one phishing campaign can produce very different outcomes.
- More than eight million users could be affected in the Cash App data breach disclosed in April 2022.
- At least 76 company employees and some of their family members received SMS phishing messages during the Cloudflare attack.
Questions worth separating out
Q: What breaks when third-party credentials are published in source code?
A: A public code leak becomes an access event when secrets remain valid after exposure.
Q: Why do leaver access failures create so much identity risk?
A: Because the identity no longer has a valid business reason to exist, yet the access can still function.
Q: How do you know if phishing resistance is actually working?
A: Test whether a stolen password alone can still complete sign-in.
Practitioner guidance
- Inventory credentials in public development assets: Scan repositories, build artefacts, and shared code locations for embedded secrets, then confirm whether any exposed value still grants access.
- Bind offboarding to access revocation: Remove human, contractor, and vendor access at the same time a relationship ends, and verify that report access, admin access, and API access all close together.
- Enforce phishing-resistant sign-in for privileged access: Require hardware-based or equivalent phishing-resistant authentication for employees who can reach sensitive systems, and remove fallback paths that still accept replayable passwords or weak second factors.
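The offboarding check in the second item, as an added example that is not Axiad's or NHIMG's code: it joins a constructed leaver feed (employees, contractors, vendors) with constructed access records from a reporting system, an admin console and an API gateway, and flags every grant that is still live after the relationship ended, separating grants that were actually used after exit from grants that merely stayed open. The one-day revocation window and all identifiers are assumptions.

```python
"""Offboarding reconciliation check (added example, not Axiad's or NHIMG's code).
Joins a constructed leaver feed with constructed per-system access records and
reports every grant still usable after the relationship end date, so report,
admin and API access are checked together rather than one system at a time."""
from datetime import date, timedelta

# Constructed sample data: who left, their relationship type, and when it ended.
LEAVERS = {
    "alice": {"kind": "employee", "ended": date(2022, 3, 31)},
    "bob-ctr": {"kind": "contractor", "ended": date(2022, 2, 15)},
    "acme-vendor": {"kind": "vendor", "ended": date(2022, 1, 10)},
}

# Constructed access records. 'revoked' is None while the grant is still live;
# 'last_used' is the last observed use of that access (None if never seen).
ACCESS = [
    {"id": "alice", "system": "reports", "grant": "finance_reports", "revoked": None, "last_used": date(2022, 4, 20)},
    {"id": "alice", "system": "sso", "grant": "sso_user", "revoked": date(2022, 3, 31), "last_used": date(2022, 3, 30)},
    {"id": "bob-ctr", "system": "admin", "grant": "cluster_admin", "revoked": None, "last_used": None},
    {"id": "acme-vendor", "system": "api", "grant": "partner_api_key", "revoked": None, "last_used": date(2022, 5, 2)},
    {"id": "carol", "system": "api", "grant": "ci_token", "revoked": None, "last_used": date(2022, 5, 1)},
]

GRACE = timedelta(days=1)  # assumption: revocation must land within a day of the end date

def surviving_access(leavers, access, grace=GRACE):
    """Return one finding per grant that was not closed by its owner's end date."""
    findings = []
    for rec in access:
        leaver = leavers.get(rec["id"])
        if leaver is None:
            continue  # relationship still active; not an offboarding question
        if rec["revoked"] is not None and rec["revoked"] <= leaver["ended"] + grace:
            continue  # closed on time
        used_after = rec["last_used"] is not None and rec["last_used"] > leaver["ended"]
        findings.append({"id": rec["id"], "kind": leaver["kind"], "system": rec["system"],
                         "grant": rec["grant"],
                         "severity": "used_after_exit" if used_after else "open_after_exit"})
    return findings

def open_systems_by_identity(findings):
    """Group surviving grants by identity so one leaver's report, admin and API
    exposure is reviewed as a single offboarding failure, not three tickets."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["id"], set()).add(f["system"])
    return {ident: sorted(systems) for ident, systems in grouped.items()}
```

Feeding it real HR and entitlement exports turns the "all close together" requirement into a daily report: any identity that appears in the grouped output has an offboarding that did not finish.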
What's in the full article
Axiad's full blog post covers the incident detail this post intentionally leaves at the pattern level:
- The full timeline for the Toyota, Cash App, and Cloudflare cases, including what was exposed and when each issue was discovered.
- The specific response steps each organisation took, including credential resets, access removal, and containment actions.
- The article's own interpretation of what these breaches suggest about password reliance and authentication design.
- The wording of Axiad's closing recommendations for organisations reviewing breach exposure and sign-in controls.
Explore further
Leaver access that survives employment is a governance failure, not an insider anomaly. Cash App shows what happens when access remains usable after the relationship that justified it has ended. That pattern belongs in lifecycle governance, not only incident response. The implication is that offboarding must be treated as an access boundary, not an HR afterthought.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity weakness can repeat across systems.
A question worth separating out:
Q: Who is accountable when a former employee can still access sensitive reports?
A: Accountability sits with the organisation that failed to close access when the employment relationship ended. HR, IAM, and system owners all share responsibility for offboarding, but the control failure is lifecycle enforcement. If access persists after termination, the identity programme has not matched governance to reality.