TL;DR: High-profile 2022 breaches at Toyota, Cash App, and Cloudflare all stemmed from credential exposure, third-party access, or phishing, with the Toyota issue persisting nearly five years before detection, according to Axiad’s security bulletin. The lesson is that identity governance fails when access outlives oversight, especially across contractors, former employees, and password-based workflows.
NHIMG editorial — based on content published by Axiad: 2022 Data Breaches, What Happened and What Did We Learn?
By the numbers:
- Toyota said a credential for one of its data servers was exposed from December 2017 until September 2022, after a subcontractor pushed source code containing it to a public GitHub repository.
- Cloudflare said at least 76 employees received SMS phishing messages during the 2022 campaign, and some of their family members were targeted as well.
Questions worth separating out
Q: What breaks when exposed credentials are not revoked quickly?
A: An exposed credential that still authenticates is a standing access path. Every system that accepts it stays reachable until it is rejected everywhere, not only where it was issued, and an attacker can use it for the whole interval between publication and completed revocation, which in the Toyota case ran to years.
Q: Why do former employees create identity risk after offboarding?
A: Former employees remain risky when application access, report access, or delegated permissions are not removed at the same pace as employment status changes.
Q: How do security teams reduce phishing risk for privileged users?
A: Security teams reduce phishing risk by making a captured password useless on its own: sign-in for privileged accounts must also require a phishing-resistant factor, so a credential harvested by a fake login page or an SMS lure cannot be replayed against the real service.
Practitioner guidance
- Track exposed credentials as lifecycle events: create an incident workflow that starts when a secret appears in public code, file sharing, or logs and ends only after revocation is verified in every connected system.
- Bind offboarding to entitlement removal: require evidence that data-access roles, report permissions, tokens, and delegated access have been removed before an employee or contractor is marked fully offboarded.
- Prioritise phishing-resistant authentication: use hardware-backed or equivalent phishing-resistant sign-in for privileged and high-value accounts so captured passwords cannot be replayed.
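The first bullet, traced end to end as an added example written for this post (not code from Axiad's bulletin): a small regex scanner finds two secrets in a constructed source file, and the incident record refuses to close until every connected system is observed rejecting the key. The detection patterns, the `data-server` and `ci-runner` systems and the sample file are all assumptions made for the illustration.

```python
"""Exposed-credential lifecycle: detect -> revoke -> verify everywhere -> close.

Added example for this editorial, not code from Axiad's bulletin. The
detection rules, system names and sample source file are constructed; the
point is that the incident cannot close until every connected system is
observed to reject the exposed secret, not just the system that issued it.
"""
import re
from dataclasses import dataclass, field

# Constructed detection rules: a long-lived access-key shape and a literal
# password assignment. A real deployment uses a full secret-scanning rule set.
SECRET_PATTERNS = {
    "access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_literal": re.compile(r"""password\s*=\s*["']([^"']{8,})["']"""),
}

# Constructed sample of what a subcontractor might push to a public repo.
SAMPLE_SOURCE = """\
import requests
DATA_SERVER = "https://data.example.internal"
ACCESS_KEY = "AKIAEXAMPLE012345678"
db_password = "Sup3rS3cretPass!"
def fetch():
    return requests.get(DATA_SERVER, headers={"X-Key": ACCESS_KEY})
"""


def scan_for_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, secret) for every match in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, rule, match.group(1)))
    return findings


class ConnectedSystem:
    """Toy stand-in for a data server, CI runner or gateway that accepts
    credentials. `accepted` is the set of secrets it will still honour."""

    def __init__(self, name: str, accepted: set[str]):
        self.name = name
        self.accepted = set(accepted)

    def authenticate(self, secret: str) -> bool:
        return secret in self.accepted

    def revoke(self, secret: str) -> None:
        self.accepted.discard(secret)


@dataclass
class ExposureIncident:
    secret: str
    source: str                   # where the secret was seen: repo, share, log
    state: str = "detected"
    rejecting: set = field(default_factory=set)  # systems seen rejecting it

    def verify(self, systems: list[ConnectedSystem]) -> list[str]:
        """Present the exposed secret to every connected system and return
        the names of those that still accept it. The incident moves to
        'closed' only when that list is empty."""
        still_accepting = []
        for system in systems:
            if system.authenticate(self.secret):
                still_accepting.append(system.name)
            else:
                self.rejecting.add(system.name)
        self.state = "closed" if not still_accepting else "revocation_incomplete"
        return still_accepting


def run_example() -> dict:
    """Walk one exposure through the lifecycle on constructed systems."""
    findings = scan_for_secrets(SAMPLE_SOURCE)
    key = next(s for _, rule, s in findings if rule == "access_key")
    # Constructed topology: the key was issued by the data server and later
    # copied by hand into a CI runner's environment.
    data_server = ConnectedSystem("data-server", {key})
    ci_runner = ConnectedSystem("ci-runner", {key})
    systems = [data_server, ci_runner]
    incident = ExposureIncident(secret=key, source="public GitHub repository")

    # Revoking only where the key was issued leaves the CI copy working.
    data_server.revoke(key)
    after_first = incident.verify(systems)    # ['ci-runner']
    ci_runner.revoke(key)
    after_second = incident.verify(systems)   # []
    return {
        "findings": findings,
        "after_first_revoke": after_first,
        "after_second_revoke": after_second,
        "final_state": incident.state,
    }


if __name__ == "__main__":
    print(run_example())
```

The design point is in `verify`: it does not trust the revocation ticket, it presents the secret to each system and records who still says yes. Revoking the key at its issuer leaves `ci-runner` accepting it, so the incident stays in `revocation_incomplete` until that copy is also revoked.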
What's in the full article
Axiad's full security bulletin covers the operational detail this post intentionally leaves for the source:
- Chronology and case-by-case narrative for the Toyota, Cash App, and Cloudflare breaches
- The article’s own explanation of why each breach path succeeded, including the sequence of identity failures
- Source-specific remediation actions and response notes that go beyond the analytical summary here
- The vendor’s framing of how passwordless and authentication changes relate to the breach patterns
👉 Read Axiad's bulletin on 2022 data breaches and credential exposure →
2022 data breaches and credential exposure: what IAM teams missed?
Explore further
Exposed credentials are not a point-in-time event; they are an access lifecycle failure. The Toyota example shows that a credential can remain dangerous for years if no one closes the loop between publication, discovery, and revocation. That turns secrets governance into an ongoing control problem rather than a one-time cleanup exercise. Practitioners should treat every exposed secret as evidence that lifecycle control has already failed: the question is not only how to revoke this one, but why nothing caught it at commit time and why no inventory showed where it was still accepted.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: What is the difference between access review and offboarding verification?
A: Access review checks whether access still looks appropriate, while offboarding verification proves the access is gone. In breach-prone environments, both are needed, but offboarding verification is the stronger control because it closes the entitlement rather than only recording that it should have been removed.
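The distinction in the answer above, shown as an added example written for this post (not Axiad's code): `access_review` produces findings about access that should not exist, while `verify_offboarded` re-queries the inventory by grantee and refuses to set the offboarded flag while anything live still names the person. The directory, the entitlement records, the system names and the token ids are constructed for the illustration.

```python
"""Access review versus offboarding verification.

Added example for this editorial, not Axiad's code. The directory, the
entitlement records and the system names are constructed. An access
review records access that should not exist; offboarding verification
re-queries every system and refuses to mark the person offboarded while
any live entitlement still names them.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    system: str       # constructed names: hr-app, reporting, api-gateway, mailbox
    kind: str         # role | report | token | delegation
    principal: str    # who can exercise the access
    detail: str       # role name, report id, token id, or the delegating mailbox
    expires: Optional[datetime] = None


def is_live(e: Entitlement, now: datetime) -> bool:
    """An entitlement with a past expiry is already dead and needs no action."""
    return e.expires is None or e.expires > now


# Constructed HR status feed and entitlement inventory pulled from each system.
DIRECTORY = {"alice": "active", "bob": "terminated"}
UTC = timezone.utc
ENTITLEMENTS = [
    Entitlement("hr-app", "role", "alice", "recruiter"),
    Entitlement("hr-app", "role", "bob", "payroll-admin"),
    Entitlement("reporting", "report", "bob", "salary-export"),
    Entitlement("api-gateway", "token", "bob", "tok_7f3a",
                expires=datetime(2030, 1, 1, tzinfo=UTC)),
    Entitlement("api-gateway", "token", "bob", "tok_0b11",
                expires=datetime(2021, 1, 1, tzinfo=UTC)),   # already expired
    # Delegation is stored on the CFO's mailbox, not on bob's account, so a
    # cleanup that only looks at bob's own objects misses it.
    Entitlement("mailbox", "delegation", "bob", "cfo@example.com"),
]


def access_review(directory, entitlements, now):
    """Review: list live entitlements whose holder is not active. This only
    records that access should go; it removes nothing."""
    return [
        (e, f"holder status is {directory.get(e.principal, 'unknown')}")
        for e in entitlements
        if is_live(e, now) and directory.get(e.principal) != "active"
    ]


def verify_offboarded(user, entitlements, now):
    """Verification: query by grantee across every system and return what is
    still live. Empty means the access is actually gone."""
    return [e for e in entitlements if e.principal == user and is_live(e, now)]


def mark_offboarded(user, entitlements, now) -> dict:
    """Gate the 'fully offboarded' flag on verification, not on a ticket."""
    residual = verify_offboarded(user, entitlements, now)
    return {"user": user, "offboarded": not residual,
            "residual": [(e.system, e.kind, e.detail) for e in residual]}


def run_example(now=datetime(2025, 1, 1, tzinfo=UTC)) -> dict:
    flagged = access_review(DIRECTORY, ENTITLEMENTS, now)
    # Simulated partial deprovisioning: the account-bound role and report are
    # removed; the long-lived token and the mailbox delegation are missed.
    after_partial = [e for e in ENTITLEMENTS
                     if not (e.principal == "bob" and e.kind in {"role", "report"})]
    first_attempt = mark_offboarded("bob", after_partial, now)
    # Complete removal: nothing live names bob any more.
    after_full = [e for e in ENTITLEMENTS if e.principal != "bob"]
    second_attempt = mark_offboarded("bob", after_full, now)
    return {"review_flagged": len(flagged),
            "first_attempt": first_attempt, "second_attempt": second_attempt}


if __name__ == "__main__":
    print(run_example())
```

Two details carry the lesson. The expired token is ignored by both checks, so the team is not chasing dead access, and the delegation on another person's mailbox is found only because verification queries by grantee rather than by the departing account's own objects. The review counts four items; the first verification still finds two, and the flag stays false until the second pass finds none.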
👉 Read our full editorial: 2022 data breaches exposed the cost of credential sprawl