TL;DR: High-profile breaches at Uber, Intercontinental Hotel Group, and American Airlines show how phishing, MFA fatigue, hardcoded credentials, weak vault passwords, and poor privilege management still turn basic access flaws into enterprise-wide compromise, according to Securden. The lesson is that password hygiene, privileged access controls, and visibility into orphaned accounts remain decisive controls, not background tasks.
NHIMG editorial — based on content published by Securden: Data breaches - The month that was
By the numbers:
- This can prevent over 99% of identity compromises when compared with passwords alone.
- Security experts have predicted a data breach to occur every second by the year 2035.
Questions worth separating out
Q: What breaks when password hygiene is weak in enterprise identity systems?
A: Weak password hygiene breaks more than sign-in security.
Q: Why do phishing and MFA fatigue still lead to major breaches?
A: Phishing and MFA fatigue work because they exploit trust in the authentication flow, not because the attacker has stronger technology.
Q: What do security teams get wrong about password vaults?
A: Teams often treat vaults as storage systems instead of high-value access gateways.
Practitioner guidance
- Eliminate hardcoded secrets from scripts and shared files Scan PowerShell, CI/CD jobs, runbooks, and internal repositories for embedded credentials, then replace them with managed retrieval from a controlled vault or workload identity path.
- Tighten MFA challenge handling and approval logic Investigate repeated push prompts, legacy approval flows, and any sign-in path where a user can approve access without strong context.
- Review vault access as a privileged entitlement Treat vault authentication as a high-risk access path and remove broad employee access where possible.
What's in the full analysis
Securden's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the Uber, IHG, and American Airlines attack paths and how each privilege failure unfolded.
- Specific password-management and PAM countermeasures the source recommends for reducing credential reuse and shared vault risk.
- The article's full incident-by-incident discussion of phishing, hardcoded secrets, and destructive follow-on impact.
- Practical examples of how to monitor password activity logs and route them into SIEM workflows.
👉 Read Securden's analysis of recent breaches and password hygiene failures →
Password hygiene failures and privilege creep: what teams are missing?
Explore further
Password hygiene is still an identity control, not an end-user nuisance. These incidents show that breaches often begin with weak authentication discipline, then expand because access paths are not tightly governed. Password policy, prompt protection, and secret storage are only effective when they are treated as part of identity architecture rather than user inconvenience. Practitioners should read these cases as a governance failure in the access layer.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when orphan accounts are still active after a breach?
A: Accountability sits with the identity and system owners who failed to retire the account, remove the token, or verify the business need during access review. Orphan accounts are a lifecycle governance failure, not just an operations mistake. Frameworks such as NIST CSF and privileged access governance both expect ownership, review, and timely removal of stale access.
👉 Read our full editorial: Password hygiene failures keep turning breaches into privilege loss