TL;DR: According to Push Security, Scattered Lapsus$ Hunters and related crews have repeatedly bypassed endpoint-first defenses by starting with account takeover: stolen credentials, social engineering, OAuth abuse, and help desk manipulation get them into SaaS and SSO platforms, and from there to the systems where ransomware is eventually deployed. The control problem is not malware resistance but identity governance that still assumes access paths are stable, reviewable, and contained.
NHIMG editorial — based on content published by Push Security: Scattered Lapsus$ Hunters breaches and the evolution of identity-led attack TTPs
By the numbers:
- The MGM hack resulted in a 36-hour outage, a $100M hit to its Q3 results, one-time cyber consulting fees in the region of $10M, and a class-action lawsuit later settled for $45M.
- Attackers claim to have stolen over 1.5 billion records from 1000+ companies across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.
Questions worth separating out
Q: What breaks when attackers use stolen credentials instead of malware to start a breach?
A: When attackers begin with valid credentials, traditional endpoint and perimeter controls lose much of their value: nothing malicious has to run on a host, and the login itself is indistinguishable from the real user's. What remains are contextual signals such as device, location, timing, and what the session does next.
Q: Why do stolen sessions and OAuth grants increase breach risk so quickly?
A: Stolen session cookies and delegated OAuth grants let an attacker operate inside normal workflows without re-authenticating, so a password or MFA reset that happens later does not necessarily end the access unless the sessions and tokens are revoked too.
Q: What do security teams get wrong about help desk identity resets?
A: They often treat support resets as routine service rather than privileged security events. An MFA reset or new device registration is functionally the issuance of a new credential and should be verified, approved, and logged like one.
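The audit the second answer implies, as an added example written for this editorial and not code from Push Security or NHIMG: it scores a normalized export of delegated app grants for excessive scope, stale consent, and refresh tokens held by unverified publishers. The record shape, the scope names, and the 90-day staleness threshold are assumptions for the example; map them to what your identity provider actually exports.

```python
from datetime import datetime, timedelta, timezone

# Scopes treated as high risk because they grant broad write access or
# persistent access that outlives the interactive session. The names are an
# assumption for this example; map them to your identity provider's scopes.
HIGH_RISK_SCOPES = {
    "offline_access",          # refresh token: access survives session expiry
    "mail.readwrite",
    "files.readwrite.all",
    "directory.readwrite.all",
    "user.impersonation",
}

STALE_AFTER = timedelta(days=90)  # assumed threshold for "stale consent"


def audit_grants(grants, now):
    """Return (app, user, reason) findings for a list of delegated app grants.

    Each grant is a dict with keys app, user, publisher_verified, scopes,
    granted_at and last_used_at (None if never used). This is an assumed,
    normalized shape, not any particular IdP's API response.
    """
    findings = []
    for g in grants:
        risky = HIGH_RISK_SCOPES & set(g["scopes"])
        last_activity = g["last_used_at"] or g["granted_at"]
        idle = now - last_activity

        if risky:
            findings.append((g["app"], g["user"],
                             "excessive scope: " + ", ".join(sorted(risky))))
        if idle > STALE_AFTER:
            findings.append((g["app"], g["user"],
                             "stale consent: no use for %d days" % idle.days))
        # An unverified publisher holding a refresh token is the pattern
        # consent phishing relies on: the attacker's app keeps access without
        # the victim ever needing to log in again.
        if not g["publisher_verified"] and "offline_access" in g["scopes"]:
            findings.append((g["app"], g["user"],
                             "unverified publisher holds a refresh token"))
    return findings


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample data, not a real tenant export.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "user": "alice@example.com", "publisher_verified": True,
     "scopes": ["calendar.read"],
     "granted_at": NOW - timedelta(days=30), "last_used_at": NOW - timedelta(days=1)},
    {"app": "PDF Helper", "user": "bob@example.com", "publisher_verified": False,
     "scopes": ["files.readwrite.all", "offline_access"],
     "granted_at": NOW - timedelta(days=200), "last_used_at": NOW - timedelta(days=120)},
    {"app": "Mail Exporter", "user": "carol@example.com", "publisher_verified": True,
     "scopes": ["mail.readwrite", "offline_access"],
     "granted_at": NOW - timedelta(days=2), "last_used_at": None},
]

if __name__ == "__main__":
    for app, user, reason in audit_grants(SAMPLE_GRANTS, NOW):
        print(f"{user:20} {app:15} {reason}")
```

Run against the sample, the harmless calendar grant produces nothing, the unverified "PDF Helper" trips all three rules, and the freshly granted "Mail Exporter" is flagged for scope alone; in practice the stale-consent finding is the cheapest one to act on, because revoking an unused grant breaks nothing.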
Practitioner guidance
- Harden identity recovery paths: require separate verification and a second approval for MFA resets, device registration, federation changes, and privileged account recovery.
- Audit delegated app access: review OAuth grants, connected apps, and session persistence for excessive scope, stale consent, and sessions or refresh tokens that survive a password or MFA reset.
- Unify cloud and identity monitoring: correlate SaaS login events, browser session signals, help desk changes, and downstream data exports so that suspicious but technically legitimate access can be investigated as one chain.
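The correlation the first and third items call for, as an added example that is not Push Security's or NHIMG's code: it joins constructed help desk MFA-reset, login, and data-export events into one chain per user and flags a reset that is followed by a login from a device the user had never used before, and then by a bulk export. The event schema, the 24-hour window, and the severity labels are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

CHAIN_WINDOW = timedelta(hours=24)  # assumed: how long after a reset to keep looking


def find_reset_chains(events, window=CHAIN_WINDOW):
    """Link help desk MFA resets to what the identity did next.

    events: dicts with keys ts (datetime), type, user and per-type fields:
      helpdesk_mfa_reset: agent, ticket
      login:              device, ip
      export:             rows
    The schema is an assumption for this example, normalized from whatever
    your ticketing system, IdP and SaaS audit logs actually emit.

    A chain is a reset, followed within `window` by a login from a device the
    user had never used before the reset, optionally followed by a data export.
    """
    events = sorted(events, key=lambda e: e["ts"])
    chains = []
    for reset in (e for e in events if e["type"] == "helpdesk_mfa_reset"):
        user, deadline = reset["user"], reset["ts"] + window
        # Devices this user logged in from before the reset form the baseline:
        # the reset cannot vouch for them, but it did not introduce them either.
        known_devices = {e["device"] for e in events
                         if e["type"] == "login" and e["user"] == user
                         and e["ts"] < reset["ts"]}
        new_login = next((e for e in events
                          if e["type"] == "login" and e["user"] == user
                          and reset["ts"] <= e["ts"] <= deadline
                          and e["device"] not in known_devices), None)
        if new_login is None:
            continue  # only known devices after the reset: probably a genuine user
        export = next((e for e in events
                       if e["type"] == "export" and e["user"] == user
                       and new_login["ts"] <= e["ts"] <= deadline), None)
        chains.append({
            "user": user,
            "ticket": reset["ticket"],
            "agent": reset["agent"],
            "new_device": new_login["device"],
            "new_ip": new_login["ip"],
            "exported_rows": export["rows"] if export else 0,
            # Reset plus new device is worth a call to the user; reset plus new
            # device plus export is an incident until proven otherwise.
            "severity": "high" if export else "medium",
        })
    return chains


T0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    # alice: reset, then a never-before-seen device, then a bulk export
    {"ts": T0, "type": "login", "user": "alice", "device": "laptop-a1", "ip": "10.0.0.5"},
    {"ts": T0 + timedelta(hours=2), "type": "helpdesk_mfa_reset", "user": "alice",
     "agent": "hd-agent-7", "ticket": "HD-1041"},
    {"ts": T0 + timedelta(hours=2, minutes=15), "type": "login", "user": "alice",
     "device": "unknown-x9", "ip": "203.0.113.40"},
    {"ts": T0 + timedelta(hours=3), "type": "export", "user": "alice", "rows": 50000},
    # bob: reset, but the next login is from his usual device
    {"ts": T0, "type": "login", "user": "bob", "device": "laptop-b2", "ip": "10.0.0.6"},
    {"ts": T0 + timedelta(hours=1), "type": "helpdesk_mfa_reset", "user": "bob",
     "agent": "hd-agent-3", "ticket": "HD-1042"},
    {"ts": T0 + timedelta(hours=1, minutes=30), "type": "login", "user": "bob",
     "device": "laptop-b2", "ip": "10.0.0.6"},
    # carol: a large export with no reset in the picture is a different alert
    {"ts": T0, "type": "login", "user": "carol", "device": "laptop-c3", "ip": "10.0.0.7"},
    {"ts": T0 + timedelta(hours=4), "type": "export", "user": "carol", "rows": 80000},
    # dave: reset and a new device, but no export (yet)
    {"ts": T0 + timedelta(hours=5), "type": "helpdesk_mfa_reset", "user": "dave",
     "agent": "hd-agent-7", "ticket": "HD-1043"},
    {"ts": T0 + timedelta(hours=6), "type": "login", "user": "dave",
     "device": "phone-d4", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for c in find_reset_chains(SAMPLE_EVENTS):
        print(f"{c['severity']:6} {c['user']:6} {c['ticket']} by {c['agent']}: "
              f"new device {c['new_device']} from {c['new_ip']}, "
              f"{c['exported_rows']} rows exported")
```

The point of keying the chain on the help desk ticket rather than on the login is that the reset is the privileged event: the investigator's first questions are who approved HD-1041, how the caller was verified, and whether the same agent shows up in other chains, none of which a login-only alert would surface.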
What's in the full article
Push Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Named breach-by-breach breakdown of Scattered Lapsus$ Hunters tactics across Caesars, MGM, Snowflake, and Salesforce.
- Detailed attack-path mapping from phishing and help desk abuse to cloud exfiltration and ransomware deployment.
- Specific examples of how session cookies, OAuth grants, and compromised support workflows were used in practice.
- The article's commentary on how the broader criminal ecosystem is interlinked across groups and service providers.
👉 Read Push Security's analysis of Scattered Lapsus$ Hunters breach patterns →