Stolen Credentials Delivered 1.3 Terabytes of Passenger Data from Sabre
Data breaches linked to compromised credentials now average $4.88 million in direct costs, with organizations requiring 258 days to detect and contain them. The Sabre incident followed this exact pattern. Attackers obtained valid credentials for a privileged account, located data repositories, and removed roughly 1.3 terabytes of ticket sales records, passenger names, contact details, payment information, and internal employee files without exploiting zero-day vulnerabilities or deploying malware.
The Dunghill Leak group claimed responsibility. Once the account was under their control, no additional evasion was necessary; normal access paths remained open for an extended period.
Why Credential Reuse Allowed Extended Data Access
Travel platforms store durable personal and financial records that retain value long after initial collection. In this case the attackers did not need to break encryption or exploit unpatched systems. They authenticated with stolen or reused credentials and operated within the expected boundaries of the account. Because authentication was not cryptographically bound to a specific device, the session appeared legitimate throughout the exfiltration window.
Limits of Traditional Multi-Factor Approaches
Many existing multi-factor systems still depend on factors that can be intercepted, phished, or reused. SMS codes, one-time passwords, and push notifications introduce a transferable element at the moment of use. Once captured, these factors let an attacker satisfy checks without possessing the original device. In the Sabre breach, the initial account takeover proved sufficient because later actions did not require fresh cryptographic proof tied exclusively to hardware the legitimate user controls.
Device-Bound Public-Key Credentials as Prevention
MFA 2.0 replaces every phishable factor with public-key cryptography generated and stored only on the user's device. The service holds only the corresponding public key. Each authentication becomes a challenge that only the private key on that specific device can answer. No shared secret crosses the network, and no database of reusable credentials exists for an attacker to target. The same binding applies at provisioning, recovery, and privileged operations.
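The challenge-response binding described above, as an added example that is not code from this article or from any vendor it names. It uses Node.js built-in Ed25519 signing, and `Server`, `createDevice`, `runDemo` and the user `agent01` are hypothetical names. It shows that a captured response cannot be reused against a fresh challenge, and that a device without the enrolled private key cannot answer one.

```javascript
// Added example; Server, createDevice and runDemo are hypothetical names.
const crypto = require("node:crypto");

// The device generates the key pair and never exports the private key.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { publicKey, sign: (challenge) => crypto.sign(null, challenge, privateKey) };
}

class Server {
  constructor() {
    this.publicKeys = new Map(); // user -> public key only, no shared secret
    this.pending = new Map();    // user -> the one outstanding challenge
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  issueChallenge(user) {
    const challenge = crypto.randomBytes(32); // fresh and unpredictable per login
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is consumed on first use
    if (!challenge || !publicKey) return false;
    return crypto.verify(null, challenge, publicKey, signature);
  }
}

function runDemo() {
  const server = new Server();
  const enrolled = createDevice();
  const other = createDevice(); // constructed: any device without the enrolled key
  server.enroll("agent01", enrolled.publicKey); // "agent01" is a constructed user

  const first = server.issueChallenge("agent01");
  const response = enrolled.sign(first);
  const legitimate = server.verify("agent01", response);

  server.issueChallenge("agent01");
  const replayed = server.verify("agent01", response); // captured response, new challenge

  const next = server.issueChallenge("agent01");
  const wrongDevice = server.verify("agent01", other.sign(next));

  const unsolicited = server.verify("agent01", enrolled.sign(first)); // no challenge pending
  return { legitimate, replayed, wrongDevice, unsolicited };
}

console.log(runDemo());
```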
This approach differs from standards that protect only the login ceremony. FIDO2 and passkeys still assume an earlier stage where weaker credentials or recovery methods may have been used. Hardware security keys or passkeys would have stopped the Sabre breach only if every account with data access had been required to use them from the moment of provisioning, with no fallback to phishable methods.
MFA 2.0 is prevention-focused rather than detection-focused. Because no shared or reusable credential exists to compromise, the attack cannot succeed in the first place. The same public-key methods already used in consumer payment flows such as Apple Pay and Google Pay make this approach practical at enterprise scale without requiring a second device for most users. AuthN by IDEE represents one implementation of these principles, demonstrating that device-bound authentication can be applied consistently across registration, authorization, and ongoing access.