TL;DR: A help desk breach can turn password reset workflows into a credential theft path when callers are not properly authenticated, as shown in the Clorox versus Cognizant dispute over a $380M claim and alleged exposure of passwords and Okta MFA credentials. The real problem is not the reset itself, but the trust model behind it, which assumes the support agent will enforce identity proofing every time.
NHIMG editorial — based on content published by FastPassCorp covering the Clorox versus Cognizant help desk breach: who is responsible for the alleged credential theft
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: What breaks when help desk identity verification is weak?
A: Weak verification turns password reset into an authentication bypass.
Q: Why do outsourced service desks increase identity risk?
A: Outsourced service desks increase risk when the delegation chain is unclear and verification standards are inconsistent.
Q: How do security teams know if help desk recovery controls are working?
A: Look for proofing completion rates, reset exception volume, MFA factor change frequency, and whether users or managers are notified after recovery actions.
Practitioner guidance
- Harden password and MFA recovery paths Require verified identity proofing before any password or factor reset, and make the workflow non-bypassable for service desk staff.
- Separate support convenience from authentication authority Remove the ability for first-line agents to reset credentials without escalation when the caller cannot be proven through approved channels.
- Use dynamic user-specific proofing data Build verification steps around internal, time-sensitive data from HR, ITSM, asset, or directory systems instead of static knowledge questions.
What's in the full article
FastPassCorp's full post covers the operational detail this post intentionally leaves for the source:
- A transcript-based breakdown of the help desk call sequence and the alleged verification failures that followed.
- The article's proposed verification workflow for password and MFA resets, including how to reduce social engineering success.
- Practical examples of dynamic proofing data drawn from internal systems such as directory, ITSM, HR, and asset records.
- The author’s discussion of how to design support workflows that balance usability with caller verification.
👉 Read FastPassCorp's analysis of the Clorox help desk breach and identity verification failures →
Help desk verification failures: what IAM teams need to fix?
Explore further
Credential recovery is a privileged access workflow, not a customer service convenience. The article shows what happens when support teams treat password and MFA resets as low-risk administration. Once an attacker can steer the workflow through persuasion, the control boundary has already failed. Practitioners should treat recovery paths as high-risk identity operations that deserve the same scrutiny as privileged access.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a support desk resets the wrong identity?
A: The business remains accountable for the identity control outcome, even when a third party executes the workflow. Service providers can be responsible for following the process, but the owning organisation must define the proofing standard, authorize the access model, and retain audit visibility. Accountability cannot disappear in a vendor handoff.
👉 Read our full editorial: Help desk credential resets expose the identity verification gap