Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Help desk impersonation and verification gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Help desk and service desk social engineering drove a long run of breaches from Roblox and Twitter to MGM, Caesars, MoneyGram, and Qantas, with attackers using impersonation, MFA fatigue, and weak verification to reset credentials and expand access, according to FastPassCorp. The pattern shows that identity controls fail when support processes become the easiest path around them.

NHIMG editorial — based on content published by FastPassCorp: Social Engineering Breaches via Help Desk Attacks (2020 to 2025)

Questions worth separating out

Q: What breaks when help desk verification is too weak?

A: Weak verification turns the support desk into an identity issuance channel for attackers.

Q: Why do help desk attacks create such a large identity risk?

A: Help desks often have authority to change identity state across many users and systems.

Q: How do security teams know support-channel abuse is occurring?

A: Look for repeated reset requests, rapid changes after ticket closure, unusual MFA re-enrolment, and support actions that are followed by fresh logins or privilege escalation.

Practitioner guidance

  • Harden support-channel identity proofing Require step-up verification for every password reset, MFA reset, device rebind, and account unlock request.
  • Reduce support desk blast radius Separate lookup, reset, and admin functions so no single support workflow can both verify and change identity state.
  • Instrument recovery abuse detection Alert on repeated MFA prompts, unusual reset volume, rapid privilege changes after a support ticket, and successful logins from sessions created immediately after help desk intervention.

What's in the full article

FastPassCorp's full article covers the operational detail this post intentionally leaves for the source:

  • Chronological breach-by-breach notes showing how each help desk compromise unfolded
  • Named incident summaries with the specific credentials, tools, or systems abused in each case
  • Per-breach impact details, including what data was exposed or what operational disruption followed
  • Source citations for each case so practitioners can trace the reporting behind the timeline

👉 Read FastPassCorp's chronology of help desk social engineering breaches →

Help desk impersonation and verification gaps: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Help desk verification is now part of identity security, not a separate service function. These breaches show that support personnel act as implicit identity issuers when they reset accounts, rebind MFA, or approve recovery requests. That means governance models that stop at the authentication stack miss the real control point. Practitioners should treat support-channel verification as a first-class IAM control domain.

A few things that frame the scale:

  • strong>From our research: 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can repeat across environments.

A question worth separating out:

Q: Who is accountable when a third-party help desk is tricked into granting access?

A: The enterprise remains accountable for the access it delegates, even when a third-party desk performs the action. Outsourcing does not outsource identity risk. Governance, verification standards, audit rights, and offboarding responsibilities need to be defined contractually and enforced operationally.

👉 Read our full editorial: Help desk social engineering is driving major identity breaches



   
ReplyQuote
Share: