Credential theft through social engineering allowed Lapsus$ to reach high-value internal systems at Microsoft, Samsung, and Ubisoft. At Microsoft the accounts provided access to Windows source code. At Samsung the same approach yielded roughly 190 GB of Galaxy device and chipset material. At Ubisoft the stolen credentials enabled data exfiltration and service disruptions. No zero-day exploits were required; the attackers simply satisfied or evaded the second-factor checks already in place.
The pattern matches findings in the Verizon 2023 Data Breach Investigations Report and IBM Cost of a Data Breach Report 2023: once an account passes authentication, additional defenses rarely stop further activity. The incidents succeeded because the credentials and factors remained usable after the initial compromise.
How Reusable Credentials Allowed Lateral Movement
Lapsus$ relied on stolen session tokens, real-time phishing of approval prompts, and weaknesses in SMS and push-notification delivery. These factors travel across the network or can be approved under social pressure, giving attackers immediate access to repositories and development environments. Because the factors were reusable or relayable, the same credentials continued to work after the first successful login.
Even when organizations had deployed FIDO2 or WebAuthn for initial login, recovery and help-desk processes often fell back to email or SMS. This reintroduced interceptable material at later stages of the identity lifecycle, allowing attackers to reset or extend access without further technical barriers.
Device-Bound Public-Key Credentials Change the Outcome
MFA 2.0 replaces reusable credentials with device-bound public-key cryptography. Private keys never leave the enrolled hardware and never enter a central database. Authentication occurs through challenge-response on the same device, so stolen passwords, session tokens, or relayed one-time codes provide no value.
High-privilege actions such as source-code access require fresh cryptographic proof from the enrolled device. An attacker who obtains a username and password still cannot satisfy that proof from a different context. Session tokens lose utility when they are cryptographically bound to the original device identity.
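The challenge-response described above, as an added Go model that is not code from the original article or from any MFA product: the server holds only a public key, the device signs a fresh challenge together with the origin it was shown, and a response relayed through a look-alike proxy origin or replayed from an earlier login fails verification even though the key itself was never stolen. The origins and the hashed origin-plus-challenge binding are assumptions that stand in for WebAuthn's signed clientDataJSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the enrolled device; its private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty stores the device's public key only, never a reusable secret.
type RelyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

// bound hashes origin plus challenge; a simplified stand-in for WebAuthn's clientDataJSON.
func bound(origin string, c []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), c...))
	return h[:]
}
// Sign is the device-side proof; a phishing relay changes the origin, not the key.
func (a *Authenticator) Sign(origin string, c []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, bound(origin, c))
	return sig
}
// Verify checks the response against the server's own origin and challenge.
func (rp *RelyingParty) Verify(c, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, bound(rp.origin, c), sig)
}

// Demo reports whether a genuine login, a proxy-origin relay and a replay are accepted.
func Demo() (genuine, relayed, replayed bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev := &Authenticator{priv: key}
	rp := &RelyingParty{origin: "https://login.example.com", pub: &key.PublicKey} // assumed origin
	c1, c2 := make([]byte, 32), make([]byte, 32) // two fresh server challenges
	rand.Read(c1)
	rand.Read(c2)
	sig := dev.Sign(rp.origin, c1)
	genuine = rp.Verify(c1, sig)
	relayed = rp.Verify(c2, dev.Sign("https://login.example.com.proxy.test", c2)) // assumed proxy
	replayed = rp.Verify(c2, sig) // an old proof cannot answer a new challenge
	return
}

func main() { fmt.Println(Demo()) }
```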
This approach covers the full identity lifecycle—registration, device onboarding, authorization, authentication, and decommissioning—without issuing any phishable secret at any stage. Revocation of a lost device occurs through cryptographic means alone, and replacement enrollment follows the same device-bound process.
Why Prevention Outperforms Post-Compromise Defenses
Traditional multi-factor setups layer factors that each remain susceptible to interception or prompt fatigue. Once any factor is captured, the account behaves as if the legitimate user is present. Device-bound credentials remove that class of secrets entirely, so the attack path Lapsus$ used simply does not exist.
The same public-key model already protects payments in Apple Pay and Google Pay. Applying it consistently to identity prevents the initial theft from escalating, instead of trying to detect misuse after the stolen credentials have already been used. Organizations that adopt this model close the gaps that allowed Lapsus$ to move from a single compromised account to source-code repositories and internal data stores.