PASSWORD WALL

By Overtips

2026-02-05

Cybersecurity Horror Stories: Lessons from Famous Hacks

From the Colonial Pipeline attack causing gas shortages to the MGM casino hack: real stories of what happens when security fails and what we can learn.

The MGM Casino Ransomware (2023)

The Attack: In September 2023, the Las Vegas giant ceased to function. Slot machines displayed errors, hotel room keys stopped working, and guests couldn't check in.

How did they get in? Social Engineering (Vishing). The attackers, a group known as "Scattered Spider", simply found an employee's information on LinkedIn, called the IT helpdesk, and pretended to be that employee who had lost their phone. The helpdesk reset the password and disabled MFA for them.

The Cost: MGM Resorts estimated the attack cost them over $100 Million in lost revenue and remediation costs.
Lesson Learned: Humans are often the weakest link. Identity verification for helpdesks must be visual or biometric, not just based on "knowing" employee ID numbers.

The SolarWinds Supply Chain Attack (2020)

The Attack: This is considered one of the most sophisticated attacks in history. Instead of hacking the victims directly, Russian hackers breached SolarWinds, a company that provides IT management software.

They injected malicious code into a legitimate software update for "Orion". When thousands of companies (and the US Government) updated their software, they unknowingly installed a backdoor meant for spies.

The "Password" Myth: While a SolarWinds update server was reportedly secured with the shockingly weak password solarwinds123 years prior, the actual attack was a complex insertion of malware into the build pipeline.

The Impact: The Pentagon, the Department of Homeland Security, Microsoft, Intel, and hospitals were all compromised for months before anyone noticed.

The Uber Hack (2022) & "MFA Fatigue"

The Attack: A hacker purchased an Uber contractor's credentials on the dark web. They tried to log in, but were stopped by Multi-Factor Authentication (MFA).

Did they give up? No. They used a technique called MFA Fatigue (or MFA Bombing). They sent dozens of login requests in the middle of the night. Eventually, the contractor, annoyed or confused, clicked "Approve" just to make the notifications stop.

Defense: Use "Number Matching" in your authenticator app. Instead of just clicking "Approve", the user must type a number displayed on the login screen, proving they are actually trying to log in.
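On the detection side, a burst of unapproved push prompts followed by a sudden approval is the signature of MFA fatigue described above. The following is an added example, not code from the original article; the log format, user names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "ISO-timestamp user result" (format is an assumption).
SAMPLE_LOG = """\
2026-01-10T02:14:05 contractor7 denied
2026-01-10T02:14:40 contractor7 timeout
2026-01-10T02:15:10 contractor7 timeout
2026-01-10T02:15:55 contractor7 denied
2026-01-10T02:16:30 contractor7 timeout
2026-01-10T02:17:02 contractor7 approved
2026-01-10T09:00:12 alice approved
2026-01-10T09:30:00 bob denied
2026-01-10T13:05:41 bob approved
"""

def parse(log):
    """Yield (timestamp, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def detect_mfa_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Return alerts for approvals that follow a burst of unapproved prompts."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = []
    for ts, user, result in sorted(parse(log)):
        failed = recent[user]
        # Drop prompts that have fallen out of the sliding window.
        while failed and ts - failed[0] > window:
            failed.popleft()
        if result == "approved":
            if len(failed) >= threshold:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "prompts_before": len(failed)})
            failed.clear()  # an approval resets the counter for this user
        else:
            failed.append(ts)
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert like this should trigger session review and a credential reset for the affected account, since the approval may not have come from a login the user started.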
