Real-Life Lessons
Now, more than ever, most organizations only discover their security weaknesses after an attack. But it does not have to be that way, a lot these attacks could have been prevented if organizations just had a proactive approach rather than a reactive one when it comes to their cybersecurity.
Penetration testing simulates real-world attacks to identify and help remediate security vulnerabilities before malicious actors can exploit them.
The Uncomfortable Truth About Modern Cybersecurity
If you’re a security professional, and even if you aren’t actually, this question may have crossed your mind before:
**If Microsoft, Google, and healthcare giants with unlimited security budgets can be breached, what chance do we have?**
The answer might surprise you—and it starts with understanding that these breaches weren't the result of sophisticated attack chains or unknown zero-day exploits.
They failed because of the same vulnerabilities we discovered in majority of penetration tests.
Why This Matters to Your Organization
You might be thinking:
*"We're not Microsoft. We're not a target for these attacks."*
That's precisely the mindset that creates vulnerability.
The attacks that compromised Microsoft or any of the organizations in this blog weren't sophisticated. They were opportunistic. Attackers used password spraying—a technique so basic it's covered in entry-level security courses.
Your organization doesn't need to be "important enough" to be targeted. You just need to be vulnerable enough to be profitable.
Let's have a look at the five common vulnerabilities we've uncovered during penetration testing.
1. Weak or Reused Passwords
23andMe (2023-2024): In 2023, 23andMe experienced a credential stuffing attack that exposed genetic data of approximately 7 million customers—roughly half of the service's userbase. The breach had devastating consequences, with the biotech company filing for Chapter 11 bankruptcy in March 2025. The UK Information Commissioner's Office fined 23andMe £2.3 million for failing to implement mandatory multi-factor authentication and secure password requirements. This demonstrates the catastrophic business impact that credential-based attacks can have on organizations.
Snowflake Breaches (2024): The Snowflake breach in late 2024 exposed customer data where improperly secured accounts—some without multifactor authentication—were used to exfiltrate information. This breach affected multiple organizations using the platform and highlighted how weak authentication practices can have cascading effects across an entire ecosystem.
The Scale of the Problem: In 2025, researchers discovered 16 billion exposed credentials from 30 different databases, primarily harvested by infostealer malware campaigns, representing the largest credential breach compilation recorded to date. Analysis of data leaks from 2024-2025 reveals that 94% of passwords are reused or duplicated, with only 6% being unique.
Weak or reused passwords are one of the easiest ways for attackers to gain unauthorized access. Despite widespread use of multi-factor authentication (MFA), poor password practices remain a primary entry point for attacks.
Prevention:
- Enforce complex, unique passwords and implement MFA
- Conduct regular password audits
- Educate employees about password hygiene
2. Unpatched Systems & Software
Change Healthcare (2024): In February 2024, United Health-owned prescription processor Change Healthcare suffered a massive ransomware attack that cost the company $2.457 billion and exposed the private data of approximately 193 million individuals—making it the largest healthcare data breach ever reported. The ALPHV/BlackCat ransomware group exploited a Citrix remote access service that lacked multi-factor authentication. This breach disrupted healthcare services across the United States, affecting 94% of hospitals and preventing billions of dollars in claims processing.
MOVEit Transfer (2023): In May 2023, the CLOP ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer application. By the end of 2023, the attack had compromised more than 2,700 organizations and exposed approximately 93.3 million personal records, with total damages estimated at $12.15 billion. High-profile victims included British Airways, the BBC, Shell, the U.S. Department of Energy, and numerous universities. This breach highlighted the critical importance of rapid vulnerability patching and the devastating consequences of zero-day exploits.
AVTECH IP Cameras (2024): In August 2024, security researchers discovered an unpatched vulnerability in AVTECH IP cameras used in critical infrastructure was being exploited to spread Mirai malware, despite the vulnerability being known since 2019. This five-year delay in addressing a known vulnerability put essential services at risk.
Outdated systems and unpatched software are among the most common vulnerabilities exploited by attackers. Missing security updates can allow attackers to leverage known vulnerabilities to compromise systems.
Prevention:
- Maintain a robust patch management program
- Conduct regular vulnerability scans
- Prioritize patching critical systems
Pen Test Role: Pen testers identify unpatched systems and attempt to exploit publicly known vulnerabilities (CVEs) to assess the potential impact.
3. Misconfigured Permissions & Access Controls
Microsoft Breach (2024): In late 2023 (discovered January 2024), state-backed cyber espionage group Midnight Blizzard (also known as APT29, Nobelium, and CozyBear) gained access to Microsoft leadership and cybersecurity team emails. The attackers used password spraying attacks against a legacy test account that lacked multi-factor authentication and had elevated access. They then exploited a legacy OAuth application that granted full access to all mailboxes in the organization. Even one of the world's leading technology companies fell victim to misconfigured access controls and orphaned test accounts.
Marks & Spencer (2025): In May 2025, M&S suffered a major cyberattack attributed to the "Scattered Spider" group deploying DragonForce ransomware, potentially linked to vulnerabilities in its IT outsourcing partner Tata Consultancy Services, with an expected £300 million profit loss. This breach demonstrates how misconfigurations in third-party relationships can have massive financial consequences.
Western Alliance Bank (2025): Western Alliance Bank experienced a data breach in March 2025, stemming from exploitation of a zero-day vulnerability in a third-party secure file transfer tool provided by Cleo. The Clop ransomware group gained unauthorized access to approximately 22,000 customers' sensitive information, highlighting vulnerabilities in supply chain security.
Prevention:
- Enforce least-privilege access principles
- Regularly review and audit permissions
- Segment networks and sensitive data appropriately
- Remove legacy and test accounts with elevated privileges
Pen Test Role: Pen testers attempt privilege escalation, unauthorized access, and lateral movement to uncover misconfigurations.
4. Insufficient Network Monitoring & Logging
Office of the Comptroller of the Currency (2025): In early 2025, the U.S. OCC identified suspicious interactions between a system administrative account and internal user mailboxes—activity that had gone undetected for months, raising concerns about the agency's visibility into its systems and the effectiveness of its logging practices. This breach at a federal financial regulator highlighted how even government agencies struggle with monitoring gaps.
AT&T Breach (2022-2024): AT&T confirmed a significant data breach involving unauthorized access to its Snowflake cloud storage environment. The breach occurred between May 1, 2022, and October 31, 2022, but wasn't detected until April 2024—a detection delay of nearly two years. The breach exposed over 86 million records, including Social Security Numbers. This prolonged detection window allowed attackers extensive time to access and potentially monetize sensitive customer data.
Without effective monitoring and logging, suspicious activity can go undetected, giving attackers more time to exploit vulnerabilities and exfiltrate data.
Prevention:
- Implement centralized logging and real-time monitoring solutions
- Regularly analyze logs for anomalies
- Set up automated alerts for suspicious activity
- Establish baseline behavior to detect deviations
Pen Test Role: Pen testers attempt to bypass detection and exfiltrate data to identify gaps in monitoring systems and incident response processes.
5. Human Error & Social Engineering Vulnerabilities
Coinbase (2025): In May 2025, Coinbase confirmed a breach when cybercriminals bribed overseas support staff to leak sensitive customer data, including names, birthdates, email addresses, and partial Social Security numbers. Attackers used this data to orchestrate highly targeted social engineering attacks against customers. This breach highlighted the vulnerability of outsourced operations and the human element in security, demonstrating that even financial incentives can compromise insider threats.
Google Salesforce Breach (2025): In August 2025, Google confirmed a data breach from a compromised Salesforce-hosted corporate database. The hacking group ShinyHunters gained access through social engineering by impersonating IT support staff and tricking a Google employee into approving a malicious application. Even at tech giants with sophisticated security teams and trained personnel, social engineering remains remarkably effective.
Workday Breach (2025): On August 18, 2025, Workday disclosed a data breach stemming from a social engineering campaign where threat actors impersonated HR or IT staff. They contacted employees by phone or text to trick them into granting access to a third-party CRM platform. This demonstrates the evolving sophistication of social engineering tactics and the importance of verification procedures for access requests.
Humans are often the weakest link in cybersecurity. Attackers use phishing, pretexting, impersonation, and other social engineering tactics to manipulate employees into granting access.
Prevention:
- Conduct ongoing security awareness training
- Simulate phishing campaigns regularly
- Implement multi-factor authentication and verify requests for sensitive actions
- Establish clear protocols for verifying identity before granting access
- Create a culture where employees feel comfortable questioning suspicious requests
Pen Test Role: Pen testers simulate phishing attacks and social engineering scenarios to assess employee awareness and identify weak points in organizational security culture.
Conclusion
Penetration testing serves as a proactive approach to identifying and mitigating security vulnerabilities. By addressing these common weaknesses, organizations can significantly enhance their security posture. The breaches highlighted above demonstrate that no organization—regardless of size, industry, or technical sophistication—is immune to cyber attacks when fundamental security controls are not properly implemented and maintained.
At GTconsult, we specialize in penetration testing services tailored to your organization's needs. Our team of experts utilizes the latest tools and methodologies to uncover vulnerabilities and provide actionable recommendations to fortify your defences.
Don't wait for a breach to occur. Contact GTconsult today to schedule a penetration test and take the first step towards securing your organization's future.