What would happen if a cyber criminal got hold of one of your employees’ passwords from years ago?

Not someone’s current password. Not one they actively use. Just an old password that was never updated.

Because that’s exactly how a recent, large‑scale data theft campaign succeeded.

A cyber security investigation recently revealed a new hacking operation where sensitive business information from dozens of organisations worldwide was quietly harvested and later sold on the dark web.

Different sectors. Different countries. Different sizes of business.

But there was one consistent weakness: every affected organisation allowed users to access critical cloud systems with just a username and password. No second step. No extra verification. Enter the password and you’re in.

This is where MFA makes all the difference.

Multi‑factor authentication means proving your identity using more than one factor. Typically, it’s a password (something you know) combined with something else, such as a one‑time code from an authenticator app on your phone, a push notification you have to approve, or biometric verification like a fingerprint (something you have or something you are).

So even if a password is compromised, the login still fails unless the attacker also holds that second factor.
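How the second factor shuts out a stolen password, as an added example that is not code from this page or from GZD: a minimal one‑time‑code implementation following RFC 4226 (HOTP) and RFC 6238 (TOTP), plus a login routine with the MFA policy switched off and on. The user account, its password and the salt are constructed for the demo; the TOTP secret is the RFC 6238 reference key, so the codes it produces can be checked against that RFC’s published test vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo values, not real credentials. The TOTP secret is the RFC 6238
# reference key, so the codes below match the published test vectors.
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_SALT = b"fixed-salt-for-demo-only"  # a real system uses a random salt per user
PBKDF2_ROUNDS = 100_000
TIME_STEP = 30                            # seconds each TOTP code is valid for
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).
    compare_digest keeps the comparison constant-time, so a wrong guess learns nothing."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, PBKDF2_ROUNDS)


# Constructed directory: one user whose (old) password an infostealer has already captured.
USERS = {
    "alice": {
        "password_hash": hash_password("Winter2019!"),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def login(username: str, password: str, code: Optional[str], unix_time: int,
          enforce_mfa: bool) -> str:
    """Return "granted" or "denied". enforce_mfa=False is the weak setting the breached
    organisations ran with; enforce_mfa=True also demands a valid code from the phone."""
    user = USERS.get(username)
    if user is None:
        # Same answer as a wrong password, so the form does not reveal which usernames exist.
        return "denied"
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return "denied"
    if not enforce_mfa:
        return "granted"   # password alone opens the door
    if code is None or not verify_totp(user["totp_secret"], code, unix_time):
        return "denied"    # valid password, but no (or wrong) second factor
    return "granted"


if __name__ == "__main__":
    now = 59                          # RFC 6238 test time; real code uses int(time.time())
    leaked = "Winter2019!"            # harvested years ago by an infostealer
    print("password only, MFA off:", login("alice", leaked, None, now, enforce_mfa=False))
    print("password only, MFA on: ", login("alice", leaked, None, now, enforce_mfa=True))
    print("password + phone code: ", login("alice", leaked, totp(DEMO_TOTP_SECRET, now), now, enforce_mfa=True))
```

The third line of output is the only one the attacker cannot reproduce: the leaked password still matches, but the code changes every 30 seconds and is derived from a secret that only the user’s phone and the login server hold.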

In these incidents, MFA was simply not enforced.

So how were the passwords stolen in the first place?

The attackers used info-stealing malware. This is malicious software that can infect a device without the user realising anything is wrong. Once installed, it quietly gathers stored passwords, login details and other sensitive data, then sends it back to criminals.

And this isn’t limited to office computers. Home PCs, personal laptops, and any device ever used to access work systems can be affected.

What’s more concerning is that stolen credentials aren’t always used immediately. Some of the passwords involved in this campaign were several years old.

That highlights two serious issues:

  • Passwords were never rotated, even after the devices they had been typed into were compromised
  • Old credentials were still accepted long after they should have been reset or disabled

In short, a device compromised years ago can suddenly become today’s security incident.

Security experts describe this as a “latency” problem. The threat lies dormant in the background. Time alone doesn’t remove risk.

In every one of these cases, MFA would have stopped the attack. The criminals had valid passwords. What they didn’t have was the second factor. No phone. No authenticator app. No approval request. That single extra step would have stopped access completely, provided it was enforced on every sign‑in path, including any older protocols or apps that still let a client log in with a password alone.

This is why IT security professionals keep repeating the same message: passwords on their own are no longer enough.

Yes, MFA adds a small extra step to logging in. And yes, it can feel inconvenient. But compare that brief delay to the consequences of an old, forgotten password still opening the door to confidential systems. Files copied. Data sold. Breaches discovered months later.

MFA turns a stolen password into something useless on its own. That’s why enforcing it isn’t overkill anymore; it’s common sense.

If there’s one clear takeaway, it’s this: passwords don’t expire just because time passes. Adding one more lock to the door makes a real, measurable difference.

If you want help enforcing MFA or strengthening your organisation’s IT security, contact GZD for advice tailored to your business.


Give us a call  ‣  031 818 9060