Modern cyberattacks have evolved far beyond firewalls and malware. Instead of brute-forcing their way into networks, attackers are slipping through the cracks using something far more subtle: legitimate credentials and over-permissioned identities.
In the past year, high-profile retail giants such as Adidas, The North Face, Dior, Victoria’s Secret, and others have become targets of identity-centric attacks. These aren’t incidents driven by sophisticated zero-days or ransomware payloads. Instead, they highlight a chilling trend: your greatest vulnerability may already be inside your system — and logged in.
Let’s examine five critical patterns showing how identity is being exploited—and what organizations can do to defend against this stealthy new wave of cyberattacks.
One of the most effective attack vectors today doesn’t involve attacking your infrastructure directly—it’s about hitting your vendors. In the case of Adidas, attackers infiltrated through a third-party partner that had retained access to internal systems long after the contract had ended.
Because vendors often hold access tokens to your SaaS applications and are not required to follow your internal MFA policies, they present a soft target. Worse still, these credentials often have elevated access privileges that go unmonitored.
What you should do:
Regularly audit all third-party access.
Ensure all vendor accounts expire after contract termination.
Require MFA and token rotation even for external collaborators.
The attack on The North Face wasn’t through malware. It was through credential stuffing—a tactic where attackers use previously leaked usernames and passwords to log into systems. Because many users still reuse passwords across platforms, one old breach can open the door to another.
This form of attack is fast, automated, and difficult to detect, especially when each login arrives from what looks like a legitimate IP address or device.
What you should do:
Enforce unique passwords and implement account lockout thresholds.
Use anomaly-based login monitoring.
Educate customers and employees on the risks of password reuse.
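The two detections above (anomaly-based login monitoring and per-account lockout thresholds) run over a few constructed authentication log lines, as an added example that is not code from the original article. The log format, thresholds and IP addresses are assumptions; the key signal for credential stuffing is one source trying many distinct usernames with a low success rate, while the lockout logic counts recent failures per account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <result>" (not real data)
SAMPLE_LOG = """\
2025-06-01T10:00:01 203.0.113.7 alice FAIL
2025-06-01T10:00:02 203.0.113.7 bob FAIL
2025-06-01T10:00:03 203.0.113.7 carol FAIL
2025-06-01T10:00:04 203.0.113.7 dave FAIL
2025-06-01T10:00:05 203.0.113.7 erin FAIL
2025-06-01T10:00:06 203.0.113.7 frank OK
2025-06-01T10:00:10 198.51.100.9 alice FAIL
2025-06-01T10:00:40 198.51.100.9 alice FAIL
2025-06-01T10:01:10 198.51.100.9 alice FAIL
2025-06-01T10:01:40 198.51.100.9 alice FAIL
2025-06-01T10:05:00 192.0.2.33 grace OK
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window_minutes=5, min_users=5, max_ok_ratio=0.2):
    """Flag source IPs that hit many distinct usernames in one fixed window with mostly
    failures. The rare OK inside such a burst is the reused password the attacker wanted."""
    buckets = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for ts, ip, user, result in events:
        bucket = ts.replace(second=0, microsecond=0)
        bucket -= timedelta(minutes=bucket.minute % window_minutes)
        b = buckets[(ip, bucket)]
        b["users"].add(user)
        b["total"] += 1
        b["ok"] += int(result == "OK")
    return sorted({ip for (ip, _), b in buckets.items()
                   if len(b["users"]) >= min_users and b["ok"] / b["total"] <= max_ok_ratio})

def accounts_to_lock(events, threshold=5, window=timedelta(minutes=5)):
    """Return usernames whose failed logins within `window` reach `threshold`.
    A success resets the counter. Pair this with the per-IP check above: lockouts alone
    let an attacker lock legitimate users out by spraying failures at known usernames."""
    fails, locked = defaultdict(list), set()
    for ts, _, user, result in sorted(events):
        if result == "OK":
            fails[user].clear()
            continue
        fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(fails[user]) >= threshold:
            locked.add(user)
    return sorted(locked)
```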
You’d think Multi-Factor Authentication (MFA) would stop most attacks. But threat actors have found a way around that too. Using SIM swapping, attackers convince telecom providers to port a user’s number to their own SIM card. Once in control, they intercept SMS-based OTPs and reset credentials.
In other cases, attackers impersonate employees and trick helpdesks into resetting login credentials, effectively bypassing MFA altogether.
What you should do:
Avoid SMS-based MFA; opt for app-based or hardware token solutions.
Train support staff to verify all identity reset requests with multi-layer verification.
Monitor for unusual password resets or SIM change behavior in your logs.
Imagine someone gaining access not to a file—but to your entire cloud environment. That’s what happened to Victoria’s Secret, where the breach of a single over-permissioned admin account led to operational shutdowns both online and in physical stores.
SaaS platforms often lack granular role controls, and admin accounts are rarely audited for excessive permissions. Once compromised, attackers can reconfigure systems, disable monitoring, or exfiltrate sensitive data undetected.
What you should do:
Apply the principle of least privilege across all admin roles.
Implement just-in-time access for privileged accounts.
Monitor and log all admin-level activities for anomalies.
Support platforms and CRMs hold goldmines of sensitive customer information. In breaches involving luxury brands like Dior and Cartier, attackers didn’t hack into databases—they simply accessed support portals using valid user sessions or API tokens, which often go unmonitored.
APIs, tokens, and session IDs tied to these platforms can persist far beyond intended lifespans and, if compromised, provide unfettered access to customer profiles, communications, and order history.
What you should do:
Use short-lived session tokens and regularly revoke idle ones.
Secure API endpoints with behavioral analytics and rate limiting.
Continuously review role-based access in customer-facing platforms.
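The session-token policy in the list above (short-lived tokens, idle ones revoked), as an added example that is not code from the original article: an in-memory store with an absolute lifetime and a sliding idle timeout, plus a sweep that revokes stale tokens. Timestamps, user names and the 8-hour / 30-minute limits are constructed assumptions.

```python
import secrets
from datetime import datetime, timedelta

class SessionStore:
    """Enforces two limits per token: an idle timeout that slides on each valid use,
    and an absolute lifetime that activity can never extend."""
    def __init__(self, absolute_ttl=timedelta(hours=8), idle_timeout=timedelta(minutes=30)):
        self.absolute_ttl, self.idle_timeout = absolute_ttl, idle_timeout
        self._sessions = {}  # token -> {"user", "issued", "last_seen"}

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[token] = {"user": user, "issued": now, "last_seen": now}
        return token

    def _expired(self, s, now):
        return now - s["issued"] > self.absolute_ttl or now - s["last_seen"] > self.idle_timeout

    def validate(self, token, now):
        """Return the owning user for a live token, else None (and drop it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            self._sessions.pop(token, None)
            return None
        s["last_seen"] = now  # slide the idle window; absolute deadline is untouched
        return s["user"]

    def revoke_idle(self, now):
        """Periodic sweep so tokens that are never presented again still die; returns count."""
        stale = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in stale:
            self._sessions.pop(t, None)
        return len(stale)

def walkthrough():
    """Exercise the policy on constructed timestamps and return the observed outcomes."""
    t0, store = datetime(2025, 6, 1, 9, 0), SessionStore()
    tok = store.issue("support-agent-1", t0)
    active = store.validate(tok, t0 + timedelta(minutes=20))   # used within idle window
    idle = store.validate(tok, t0 + timedelta(minutes=55))     # 35 min idle -> revoked
    bot = store.issue("vendor-integration", t0)
    for m in range(20, 8 * 60, 20):                            # steady use every 20 min
        store.validate(bot, t0 + timedelta(minutes=m))
    absolute = store.validate(bot, t0 + timedelta(hours=8, minutes=5))  # past 8h -> revoked
    t_end = t0 + timedelta(hours=8, minutes=5)
    store.issue("alice", t_end)
    swept = store.revoke_idle(t_end + timedelta(minutes=31))   # alice's token idle -> 1
    return {"active_use": active, "idle_expired": idle, "absolute_expired": absolute, "swept": swept}
```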
The lesson is clear: identity is no longer just a user attribute—it’s the frontline of your security strategy. Attackers aren’t trying to break in through firewalls anymore; they’re logging in through the front door.
Organizations must shift from device-centric or network-centric models to identity-first security architectures, which include:
Stronger authentication: Go beyond MFA to adopt phishing-resistant standards like FIDO2 and passkeys.
Continuous monitoring: Detect anomalous behavior tied to session reuse, geo-velocity, or sudden permission escalations.
Access governance: Audit users, roles, and service accounts frequently. Remove unused accounts proactively.
Zero Trust enforcement: Validate every user, device, and action continuously—especially within SaaS platforms.
Dedicated ITDR tools: Leverage Identity Threat Detection and Response systems to spot lateral movement via accounts.
Identity-based threats represent the next frontier in cybersecurity—one where trust, not technology, becomes the weakest link. These attacks are stealthy, persistent, and devastatingly effective. Whether it’s a compromised vendor, a hijacked session, or a socially engineered support desk, attackers are playing the long game with stolen identities as their primary weapon.
To defend against this evolving threat landscape, businesses must stop treating identity as just another checkbox. It must become the core lens through which all risk is assessed and all access is granted.
Copyright © 2025 Clear Infosec. All Rights Reserved.