Stolen credentials for internal systems gave attackers sustained access to customer records at a major ticketing provider, including names, addresses, phone numbers, and partial payment details. The entry point required no malware or novel exploit—only valid username-password pairs that had been obtained elsewhere and tested until they worked.
Once inside, the attackers enumerated permissions and moved data without triggering session revocation or secondary-device challenges. Reusable credentials remained valid for the duration of the activity, allowing extended reconnaissance and extraction. IBM’s 2025 Cost of a Data Breach Report places the average impact of such incidents at $4.44 million, while Verizon’s 2025 DBIR notes that 54 percent of organizations whose domains appeared in credential dumps later faced data-related breaches.
How Credential Reuse Created the Initial Foothold
The attackers relied on username-password combinations harvested from prior incidents, employee device compromises, or simple reuse across services. These pairs granted access to administrative or internal portals because the authentication system treated them as sufficient proof of identity. Once the first factor succeeded, any second factor that could be relayed, intercepted, or socially engineered added little friction. The absence of a device-bound control meant the session could be initiated from attacker-controlled infrastructure using the same privileges as a legitimate employee.
Why SMS, Push, and App-Based Factors Did Not Block Exfiltration
Traditional second factors still transmit values or approvals that exist in readable form outside the protected device. When the primary credential is already known, these factors become the only remaining gate. Attackers can relay them in real time, swap SIM cards, or deceive users into approving requests. In this case, the authentication layer accepted factors that could be observed or manipulated from another location, allowing the session to continue uninterrupted while data left the environment.
Device-Bound Public-Key Cryptography Removes the Attacker’s Material
MFA 2.0 replaces reusable secrets with phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. During registration a private key is generated and stored exclusively on the user’s device; only the corresponding public key is registered with the service. Every subsequent authentication requires the device to sign a fresh challenge. No password, OTP, or push notification crosses the network, eliminating material that an attacker can intercept or reuse.
Because the private key never leaves the device and no central credential database exists, a stolen password list or supply-chain harvest yields nothing usable on attacker-controlled hardware. The same cryptographic flow governs registration, device onboarding, authorization, authentication, and decommissioning, keeping the entire identity lifecycle free of phishable secrets. This approach differs from conventional passkey deployments that may strengthen only the final login step while leaving earlier registration and recovery flows exposed to traditional credential theft.
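The registration and challenge-response flow described in the two paragraphs above, as an added example in Go; this is illustrative code written for this page, not AuthN by IDEE's implementation, and the choice of Ed25519, the 32-byte challenge, the single-use challenge table and the user name "alice" are all assumptions. It shows why the attacker's position in the incident collapses under this model: a captured signature cannot be replayed, and a dump of the server's stored public keys cannot produce a fresh one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the user's endpoint. The private key is generated here and
// never leaves this struct; only signatures cross the network.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewDevice generates the key pair at registration time (constructed example).
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// Sign answers a server challenge; the challenge bytes are bound into the
// signature, so the result is worthless against any other challenge.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server stores public keys only. A full copy of pubKeys gives an attacker
// nothing that can produce a valid signature.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key presented at enrolment.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := s.pubKeys[user]; exists {
		return errors.New("user already registered")
	}
	s.pubKeys[user] = pub
	return nil
}

// IssueChallenge returns 32 fresh random bytes and remembers them for one use.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge whether or not the signature is
// valid, so a signature observed in transit cannot be presented twice.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(s.pubKeys[user], c, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenario runs three login attempts and reports which ones the server
// accepts: the genuine device, a replay of a captured signature, and an
// attacker who holds a copy of the stored public key but no private key.
func Scenario() (genuine, replay, attacker bool, err error) {
	srv := NewServer()
	dev, err := NewDevice()
	if err != nil {
		return
	}
	if err = srv.Register("alice", dev.Pub); err != nil {
		return
	}
	c, err := srv.IssueChallenge("alice") // 1. genuine: fresh challenge, signed on-device
	if err != nil {
		return
	}
	sig := dev.Sign(c)
	genuine = srv.Verify("alice", sig) == nil
	if _, err = srv.IssueChallenge("alice"); err != nil { // 2. replay of sig
		return
	}
	replay = srv.Verify("alice", sig) == nil
	rogue, err := NewDevice() // 3. attacker can only sign with a key of their own
	if err != nil {
		return
	}
	if c, err = srv.IssueChallenge("alice"); err != nil {
		return
	}
	attacker = srv.Verify("alice", rogue.Sign(c)) == nil
	return
}

func main() {
	g, r, a, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v replay=%v attacker=%v\n", g, r, a) // genuine=true replay=false attacker=false
}
```

The detail worth copying into a real deployment is that Verify deletes the challenge before checking the signature: a failed attempt burns the nonce too, so an attacker who intercepts a signature gets at most one try against a challenge that has already been consumed by the legitimate login.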
MFA 2.0 is prevention-focused rather than detection-focused. The attack cannot occur because there are no credentials available for compromise in the first place. Device-bound credentials generated within the platform itself remove the need for separate hardware tokens and maintain the same low-friction experience across all lifecycle stages. AuthN by IDEE represents one implementation of this model, demonstrating how organizations can close the exact entry point exploited in incidents involving reusable credentials.