According to Panaseer’s latest research, 70% of major breaches are caused by toxic combinations: overlapping risks that compound and amplify each other, forming a critical vulnerability. Cybersecurity failures rarely result from a single mistake. More often, they are the result of a domino effect of multiple smaller risks.
This chain reaction is referred to as a toxic combination. Take a laptop that has not been patched in months. On its own, it is a problem waiting to be exploited. Now, place that laptop in the hands of a highly privileged user who is also prone to clicking on malicious links. Suddenly, what might have looked like an isolated weakness becomes a clear pathway into an organisation’s most sensitive systems.
To understand how common and dangerous these overlaps are, Panaseer analysed 20 major breaches over the past five years. In 14 of the 20 cases, it found clear evidence of compounding risks forming toxic combinations that magnified the overall impact.
From that group, the company took a closer look at five major breaches: AT&T, MGM Resorts, Okta, Uber, and Colonial Pipeline. Across these, just eight distinct risk factors were enough to create toxic combinations that spiralled into national emergencies, wiped billions off company valuations, inflicted lasting reputational harm and triggered multiple class-action lawsuits.
AT&T; (2024)
AT&T1, the world’s third-largest telecommunications company, became one of the highest-profile victims of Scattered Spider in 2024. The attackers did not directly break into AT&T’s core systems. Instead, they combined a series of weaknesses that, when combined, gave them access to sensitive customer data stored in the cloud.
Toxic combination factors
• Compromised credentials and poor credential hygiene: Infostealer malware harvested credentials for unauthorised access.
• Weak or absent MFA/access controls: Attackers then logged into AT&T’s cloud database, which lacked two-factor authentication (2FA).
• Undetected tool use and reconnaissance: The attackers deployed reconnaissance tools – such as the utility dubbed FROSTBITE – to discover high-value data sets without being detected or prevented by network access policies.
• Undetected data exfiltration/large-scale access: Finally, the attackers staged desired tables of data copies using built-in capabilities and successfully exfiltrated the data to their chosen environment.
What looked like a chain of credentials abuse, missing MFA, and undetected reconnaissance, became a textbook toxic combination. Together, these factors allowed attackers not only to enter AT&T’s cloud environment, but also to quietly walk out with sensitive customer data – a breach that has translated into both reputational and financial damage. AT&T; has since been ordered to pay customers $2500 each if they can prove they were impacted.
MGM Resorts (2023)
The 2023 breach at MGM Resorts2, which owns the MGM Grand in Las Vegas, among other properties, demonstrates how social engineering, combined with weak internal defences, can snowball. The attackers, Scattered Spider again, this time working with AlphV, caused widespread disruption to MGM’s business and customer trust.
Toxic combination factors
• Poor controls against social engineering: Attackers called MGM’s IT helpdesk, posing as a legitimate employee, to gain administrator access to MGM’s Okta and Azure tenant, undetected by helpdesk employees.
• Persistence and lateral movement without detection: Attackers deployed their own identity provider (IDP), which submitted authenticated requests into MGM’s Okta system to maintain access even when locked out, a tactic that also went undetected. They then moved laterally through MGM’s network without being discovered.
• Ransomware and large-scale business disruption: Next, they deployed ransomware across more than 100 ESXi hypervisors, which hosted thousands of virtual machines critical to operations.
• Undetected data exfiltration/large-scale access: Data was then exfiltrated, with Scattered Spider claiming some 6 TB of data extracted.
This was not one failure, but four, stitched together: a social engineering phone call, a rogue identity provider, lateral movement, and ransomware, which resulted in data theft. Combined, they paralysed MGM’s operations, drained revenue and pushed the company into costly settlements and lawsuits. Customer data was stolen, digital slot machines went offline, resulting in estimated losses of $100 million, and MGM ultimately agreed to a $45 million class action settlement.
Okta (2022)
In 2022, Okta, a well-known identity and access provider, fell victim to a breach by the group Lapsus$3. The incident illustrates how weaknesses at third-party providers can intersect with other oversights, like inadequate monitoring, to open the door for attackers.
Toxic combination factors
Third-party and supply chain weaknesses: Attackers gained access to a customer support agent’s laptop via a third-party support provider.
Persistence and lateral movement without detection: They then used Remote Desktop Protocol (RDP) over five days to maintain their foothold and exploit the privileges they had gained, all without detection.
Undetected tool use and reconnaissance: Next, they accessed the support engineer’s tools, including Okta’s customer support panel and Slack systems. They were able to view Jira tickets and user lists and could reset passwords and MFA tokens.
Third-party compromise, undetected persistence and tool misuse might sound like operational noise in isolation, but at Okta, they overlapped into a toxic combination that directly undermined trust in an identity giant, erasing billions in market value almost overnight. While only 2,5% of clients were directly affected, the company’s share price plunged, wiping more than $2 billion off its market capitalisation.
Uber (2022)
Uber’s4 2022 incident at the hands of Lapsus$ is a lesson in how weak contractor access and credential hygiene, combined with effective social engineering, produced enterprise-wide compromise.
Toxic combination factors
• Compromised credentials and poor access hygiene: Attackers purchased stolen credentials belonging to an external Uber contractor, likely via a dark-web marketplace. Once inside, they located hard-coded administrator credentials in PowerShell scripts that gave them privileged access to Uber’s Thycotic PAM system.
• Weak MFA or absent MFA/access controls: Initial login attempts were blocked by MFA.
• Poor controls against social engineering: However, the attacker then flooded the contractor with MFA push requests and impersonated Uber IT on WhatsApp to convince the contractor to allow access, showing a failure in training.
• Persistence and lateral movement without detection: Using elevated credentials, the attacker gained broad admin access to numerous internal systems without detection.
A contractor’s stolen credentials, MFA fatigue tactics, hard-coded secrets, and unnoticed lateral movement combined to form a toxic mix that gave attackers enterprise-wide control. The result was financial losses, regulatory fines and long-term trust issues that could have been stopped had just one link in the chain been broken. Instead, the breach wiped 5% off Uber’s share price and drew a €290 million GDPR fine from Dutch regulators – a penalty the company is still contesting.
Colonial Pipeline (2021)
Perhaps one of the most dramatic examples of a toxic combination is the 2021 Colonial Pipeline attack5. The DarkSide ransomware group managed to shut down almost half of America’s East Coast fuel supply through three failures that could have been minor on their own.
Toxic combination factors
• Compromised credentials and poor access hygiene: Attackers exploited a compromised VPN credential, as well as an inactive account that lacked multi-factor authentication, to infiltrate the network, highlighting a failure to secure accounts.
• Undetected data exfiltration/large-scale access: 100 GB of data was then accessed without detection and encrypted.
• Ransomware and large-scale business disruption: Ransomware was deployed, and systems shut down entirely within 70 minutes.
A single dormant VPN account without MFA would not normally shut down half the US East Coast’s fuel supply. However, combined with undetected data access and rapid ransomware deployment, it became a toxic combination that escalated from overlooked risk to a national emergency within hours. Colonial could no longer bill customers or coordinate shipments, forcing it to halt operations. The crisis was severe enough for the federal government to declare a state of emergency, underscoring how a single weak link can cascade into a nationwide disruption.
Breaking the chain
Across all these examples, the pattern is clear; Breaches rarely hinge on a single vulnerability. They emerge when multiple risks overlap. Toxic combinations turn ‘nuisance’ problems, such as an inactive account, a missed phishing test or a misconfigured system, into incidents that can cripple entire industries.
Breaking that chain comes down to continuously monitoring even the simplest measures, such as enforcing MFA everywhere, training staff to spot social engineering, and retiring inactive accounts. The challenge is recognising the overlaps. Toxic combinations are difficult to spot because each element appears low-risk when considered individually.
Organisations need the ability to see these patterns as they form. That requires more than human intuition. It calls for data-driven analysis across millions of assets and signals. This is where platforms like Panaseer’s Cyber Control Management (CCM) can help make a difference. Panaseer helps identify high-risk scenarios where multiple weaknesses in cybersecurity defences overlap. Panaseer’s Compound Risk metrics reveal areas with higher exploitability across multiple cyber domains, combined with business context, enabling clients to focus on the most critical risks first.
Find out more at www.panaseer.com
[1] https://tinyurl.com/39sx5bvy
[2] https://tinyurl.com/3przy8d
[3] https://tinyurl.com/3kke8aus
[4] https://tinyurl.com/3ytb2s5n
[5] https://tinyurl.com/y5nxpcxu
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version