The Nvidia breach followed a familiar pattern. Lapsus$ extracted more than 71,000 employee password hashes along with unreleased graphics designs and DLSS source code, roughly one terabyte of data in total. The financial impact of semiconductor intellectual-property losses routinely reaches eight figures, according to IBM’s 2025 Cost of a Data Breach Report.

Lapsus$ obtained initial access through vishing and pretexting that yielded working corporate credentials. With those credentials the group moved laterally, located an internal store of password hashes, and reached source repositories and file shares. Verizon’s 2023 Data Breach Investigations Report shows that stolen credentials had been the leading initial-access vector for the preceding five years, with pretexting and business-email compromise driving more than half of social-engineering incidents. At every step, the authentication path accepted a factor an attacker could steal, relay, or coerce a user into approving.

Reusable Credentials as the Entry Point

Once an attacker held working corporate logins, the subsequent steps required no additional technical sophistication. Lateral movement and privilege escalation succeeded because the identity system treated any presentation of those credentials, or a session derived from them, as legitimate. The exfiltrated hash file extended the same attack surface to internal repositories and administrative tools: every hash that could be cracked offline became one more reusable credential.

Phishable Factors and Incomplete Coverage

Accounts protected by push notifications or one-time codes remained reachable because those factors can be relayed through a real-time phishing page or approved under social pressure. Whether the attacker relayed a valid one-time code, wore a user down into approving a push, or stole a live session token, the authentication decision looked valid to the server. The same exposure existed in account-recovery flows, device-enrollment processes, and internal admin interfaces: any step that still relied on a transferable secret was an open path.

Device-Bound Public-Key Authentication as Prevention

MFA 2.0 replaces every reusable secret with public-key cryptography anchored to hardware the user already carries. During onboarding the device generates a key pair and registers the public key; the private key never leaves the secure enclave. Authentication reduces to a challenge-response exchange: the server issues a random nonce, the device signs it together with the origin the browser actually loaded, and the server validates the signature against the registered public key. An attacker who obtains a password, or persuades someone to approve a push, cannot generate a valid signature from an unregistered machine, and a phishing page that relays the nonce obtains a signature bound to the wrong origin.

Because the private keys are device-bound and never transmitted, the server holds only public keys: there is no central credential database worth stealing and no out-of-band channel to hijack. The same cryptographic flow governs registration, recovery, and decommissioning, so no later stage reintroduces a phishable secret. FIDO2 and WebAuthn already demonstrate public-key verification at login; MFA 2.0 applies the identical mechanism across every stage of the identity lifecycle.

FIDO2 or WebAuthn deployed only on login portals would have blocked the initial use of stolen credentials on the covered systems. Lapsus$ succeeded by pivoting through support flows, device enrollment, and internal repositories that still accepted weaker approvals, and full coverage across every stage closes those remaining routes. A lost or stolen device is revoked by removing its specific registered key; no password reset or OTP is required, which removes the social-engineering vector a reset flow would otherwise create. The one step that must be guarded as carefully as login is enrolling a replacement device, since a help desk that registers a new key on a caller’s say-so reopens the same path. The private key resides in the secure enclave of the employee’s existing work device, and integration with directories and gateways is handled at the identity-provider layer for cloud, on-premises, and hybrid environments.
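To make the challenge-response exchange concrete, here is a reduced model of the WebAuthn ceremony the passage describes, written for this page as an added example; it is not code from any MFA 2.0 product or from the FIDO2 libraries. It uses only Go's standard library, Ed25519 in place of the ES256 most authenticators use, and leaves out attestation, CBOR encoding and the signature counter. The relying-party name corp.example, its origin, the look-alike phishing domain and the credential ID laptop-1 are assumed. The server stores public keys only, issues a single-use nonce, and rejects an assertion whose challenge, origin, RP ID hash or signature does not match; the scenarios in main correspond to the attacks described above: a phishing proxy relaying the genuine nonce, a stolen password presented from an unregistered machine, and a decommissioned device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator models the employee's device: the private key is generated here and never leaves.
type Authenticator struct {
	Pub  ed25519.PublicKey // the only thing the server ever receives
	priv ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{Pub: pub, priv: priv}
}

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the user, fills in the origin it actually loaded.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Assert answers a challenge; as in WebAuthn, authData = SHA-256(rpID) || flags and the signature covers authData || SHA-256(clientDataJSON).
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	auth := append(rpHash[:], 0x01) // flag bit 0: user presence confirmed on the device
	return Assertion{cd, auth, ed25519.Sign(a.priv, append(append([]byte{}, auth...), cdHash[:]...))}
}

// RelyingParty is the server. It holds only public keys, so a dump of this table gives an attacker nothing to crack or replay.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]ed25519.PublicKey // credential ID -> public key
	pending    map[string][]byte            // one outstanding challenge per credential
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) { rp.creds[credID] = pub }
func (rp *RelyingParty) Revoke(credID string)                         { delete(rp.creds, credID); delete(rp.pending, credID) } // lost device: delete its key, no reset
func (rp *RelyingParty) Challenge(credID string) []byte { // fresh single-use nonce for one credential
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[credID] = c
	return c
}

// Verify runs the relying-party checks; each one closes a specific attack.
func (rp *RelyingParty) Verify(credID string, as Assertion) error {
	pub, ok := rp.creds[credID]
	if !ok {
		return fmt.Errorf("unknown or revoked credential %q", credID)
	}
	want := rp.pending[credID]
	delete(rp.pending, credID) // single use: a replayed assertion finds no challenge
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed client data")
	}
	if got, _ := base64.RawURLEncoding.DecodeString(cd.Challenge); want == nil || !bytes.Equal(got, want) {
		return fmt.Errorf("challenge missing, stale or already used")
	}
	if cd.Origin != rp.Origin { // a relaying phishing proxy fails here
		return fmt.Errorf("assertion made for origin %q, not %q", cd.Origin, rp.Origin)
	}
	rpHash, cdHash := sha256.Sum256([]byte(rp.ID)), sha256.Sum256(as.ClientDataJSON)
	if len(as.AuthData) != 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&1 == 0 {
		return fmt.Errorf("bad rpIdHash or missing user-presence flag")
	}
	if !ed25519.Verify(pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return fmt.Errorf("signature not from the registered device") // stolen password, other machine
	}
	return nil
}

func main() {
	rp := NewRelyingParty("corp.example", "https://corp.example") // assumed names, not a real deployment
	device := NewAuthenticator()
	rp.Register("laptop-1", device.Pub)
	fmt.Println("legitimate login:", rp.Verify("laptop-1", device.Assert(rp.ID, rp.Origin, rp.Challenge("laptop-1"))))
	fmt.Println("phishing proxy:  ", rp.Verify("laptop-1", device.Assert(rp.ID, "https://corp-example.login-help.net", rp.Challenge("laptop-1")))) // genuine nonce, wrong origin
	fmt.Println("other machine:   ", rp.Verify("laptop-1", NewAuthenticator().Assert(rp.ID, rp.Origin, rp.Challenge("laptop-1"))))
	rp.Revoke("laptop-1")
	fmt.Println("after revocation:", rp.Verify("laptop-1", device.Assert(rp.ID, rp.Origin, rp.Challenge("laptop-1"))))
}
```

The origin check is what makes the scheme phishing-resistant: the browser writes the origin it loaded into clientDataJSON and the device signs over it, so a proxy at a look-alike domain ends up holding a signature the real server will never accept. The model also shows what revocation costs: one map deletion, with no reset flow for a caller to talk a help desk into. What it does not show is how the replacement key gets enrolled; in this model Register trusts whoever calls it, and that step needs the same protection as login.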

For engineers committing code to internal repositories, device-bound keys become mandatory on those paths as well. The hash file Lapsus$ exfiltrated would never have existed in usable form: a store of public keys is worthless to an attacker who cannot sign with the matching private keys.