
Another good reason to enforce MFA

What would happen if someone got hold of one of your employees’ passwords from years ago?


Not a password they’re using today.


Not one they even remember.


Just an old login that never got changed.



That’s exactly how a recent large‑scale data‑theft campaign worked.


A cyber security investigation uncovered a quiet but widespread attack where sensitive business data from organisations around the world was collected and later sold on the dark web.


Different industries.


Different countries.


Different sizes of business.


But there was a common thread.


Every affected organisation relied on a username and password alone to reach important cloud systems.


No second step.


No additional check.


Just type the password and you’re in.


That’s where things fell apart.


This is what multi‑factor authentication (MFA) is designed to prevent.


MFA simply means proving it’s really you in more than one way.


Usually that’s a password plus something else, like a code on your phone, an approval prompt, or biometrics.


So even if the password is stolen, the attacker is stopped at the second step.
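To make the idea concrete, here is an added example of a login check that requires a password plus a time-based one-time code (TOTP, RFC 6238), the kind of code an authenticator app shows. It is not code from the original post or from any product; the account record, the timestamps and the hypothetical `login` function are constructed for the example, and the one-step clock-drift window is an assumption. It walks through the exact failure the post describes: a years-old password still matches, and with MFA switched off it opens the door on its own.

```python
"""Password + TOTP (RFC 6238) login check.

Added example, not the page's own code. Account data and timestamps are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

TOTP_STEP = 30     # seconds per TOTP time step
TOTP_DIGITS = 6    # length of the code shown in the authenticator app


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def totp(secret: bytes, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the counter unix_time // TOTP_STEP using HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift (assumed policy)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


# Constructed account: the password was set years ago and never changed.
_SALT, _HASH = hash_password("Summer2019!", salt=b"\x01" * 16)
ACCOUNT = {
    "username": "j.smith",
    "salt": _SALT,
    "password_hash": _HASH,
    "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret; real ones are random
}


def login(username: str, password: str, code: Optional[str], unix_time: int,
          mfa_enforced: bool = True) -> str:
    """Hypothetical login routine. Returns 'ok', 'bad_password', 'mfa_required' or 'bad_code'."""
    if username != ACCOUNT["username"] or not verify_password(
            password, ACCOUNT["salt"], ACCOUNT["password_hash"]):
        return "bad_password"
    if not mfa_enforced:
        return "ok"            # the weak configuration from the text: password alone is enough
    if code is None:
        return "mfa_required"  # the second step the attackers could not supply
    if not verify_totp(ACCOUNT["totp_secret"], code, unix_time):
        return "bad_code"      # a stale or guessed code is rejected
    return "ok"


if __name__ == "__main__":
    now = 1_700_000_000            # fixed timestamp so the run is reproducible
    stolen = "Summer2019!"         # lifted by an infostealer years ago, still valid
    secret = ACCOUNT["totp_secret"]
    print(login("j.smith", stolen, None, now, mfa_enforced=False))   # ok: password alone opens the door
    print(login("j.smith", stolen, None, now))                        # mfa_required
    print(login("j.smith", stolen, totp(secret, now - 3600), now))    # bad_code: hour-old code
    print(login("j.smith", stolen, totp(secret, now), now))           # ok: password plus current code
```

The `totp` function reproduces the RFC 6238 reference vectors (for the secret above, time 59 gives 94287082 as an 8-digit code), so the same routine can be checked against any standard authenticator app. The point of the walk-through is the third call: the stolen password is still correct, yet without a code generated in the last minute or so the login is a dead end.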


In these cases, MFA wasn’t enforced.


The attackers used something called infostealing malware.


This type of malware can sit on a device without the user realising.


It quietly collects saved passwords and login details and sends them back to criminals.


And this doesn’t just happen on office computers.


It can happen on home devices, personal laptops, or any machine that’s ever been used to log into work systems.


Here’s the part that really matters.


Some of the passwords used in this campaign were years old.


That tells us two things:

  • Passwords were living far longer than they should have, and were never changed after the devices holding them were compromised

  • Old credentials were still accepted long after they should have been revoked


In other words, a device compromised a long time ago can suddenly become a serious problem today.


Think of it as a latency problem. The stolen credential sits quietly in a criminal’s database, waiting. Time passing does not make it safe.
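The two findings above are the ones an identity audit should surface: accounts with no second factor enrolled, accounts whose password has not changed in years, and accounts nobody has used for months but that still work. Here is an added example of such a check run over a constructed export of account records; it is not code from the original post or from any identity provider, the field names are assumptions, and the 365-day and 90-day thresholds are illustrative choices.

```python
"""Audit constructed account records for accounts that a years-old stolen password would still open.

Added example, not the page's own code. Records, field names and thresholds are constructed.
"""
from datetime import date

# Constructed sample export (not real data), in the shape many identity providers can produce.
ACCOUNTS = [
    {"user": "alice", "mfa_enrolled": True,  "password_changed": "2025-09-01", "last_sign_in": "2025-12-03"},
    {"user": "bob",   "mfa_enrolled": False, "password_changed": "2019-04-15", "last_sign_in": "2025-12-02"},
    {"user": "carol", "mfa_enrolled": False, "password_changed": "2020-11-20", "last_sign_in": "2021-02-10"},
    {"user": "dave",  "mfa_enrolled": True,  "password_changed": "2018-06-30", "last_sign_in": "2025-11-28"},
]


def audit(accounts, today, max_password_age_days=365, dormant_days=90):
    """Return {user: [issues]} for every account with at least one finding."""
    findings = {}
    for account in accounts:
        issues = []
        password_age = (today - date.fromisoformat(account["password_changed"])).days
        idle_for = (today - date.fromisoformat(account["last_sign_in"])).days
        if not account["mfa_enrolled"]:
            issues.append("no_mfa")            # password alone is enough to get in
        if password_age > max_password_age_days:
            issues.append("stale_password")    # any old infostealer capture is still valid
        if idle_for > dormant_days:
            issues.append("dormant")           # nobody would notice the account being used
        if issues:
            findings[account["user"]] = issues
    return findings


def priority(findings):
    """Accounts a years-old stolen password would still open: no MFA and a stale password."""
    return sorted(user for user, issues in findings.items()
                  if "no_mfa" in issues and "stale_password" in issues)


if __name__ == "__main__":
    results = audit(ACCOUNTS, date(2025, 12, 5))
    for user, issues in results.items():
        print(f"{user}: {', '.join(issues)}")
    print("fix first:", priority(results))
```

Against the sample records, `bob` and `carol` come out first: both are reachable with a password alone, and `carol` has not signed in for years, so a login from an attacker would be the only activity on the account. `dave` has an old password too, but MFA enrolled means a stolen copy of it is not enough on its own.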


In the cases the investigation uncovered, MFA would have stopped every one of these attacks.


The attackers had the passwords.


They just didn’t have the second factor.


No phone.

No app.

No approval tap.


That single extra step would have turned access into a dead end.


This is why security professionals keep repeating the same message: passwords on their own are no longer enough.


Yes, MFA adds a small extra step.


And yes, some people find it annoying.


But compare that to the alternative.


A password nobody remembers still working years later.


Confidential files accessed and copied without anyone noticing until the damage is done.


MFA turns a stolen password, on its own, into useless information. One caveat worth knowing: infostealers can also lift live browser session tokens, which let an attacker skip the login page altogether, so pair MFA with short session lifetimes and revoke sessions whenever a device is suspected of being compromised.


That’s why enforcing it isn’t overkill anymore.


It’s just sensible.


If there’s one takeaway, it’s this: old passwords don’t expire on their own.


One extra lock on the door really does make all the difference.


If you need help reviewing or enforcing MFA across your systems, get in touch.

