According to court records and investigations, the attackers repeatedly called, obtained these resets with little verification, and then used the access to advance quickly toward domain administrator accounts.
Clorox estimates that the attack caused nearly $380 million in losses, including $49 million for remediation and several hundred million in business interruption costs. Below we detail how the attack unfolded, show how to secure outsourced service desks, and explain how to enforce effective caller verification with the right technology.
How did the attack unfold?
Social engineering attacks operate by exploiting human weaknesses. Attackers begin with a reconnaissance phase, gathering information such as names, roles, new hires, or internal ticket references. They then make calm, scripted calls, mimicking the behavior of a legitimate user, with the aim of pressuring the agent and nudging them to bypass security procedures.
In the Clorox case, the complaint indicates frontline agents were persuaded by phone to reset credentials and MFA without escalation or out‑of‑band verification. This ran counter to the procedure agreed with Cognizant, which stated that accounts should never be reset without proper authentication. The result: a single compromised identity served as the entry point for lateral movement and caused a major disruption.
Impact: Operational paralysis and data loss
Clorox reported that production systems were taken offline, manufacturing was halted, orders had to be processed manually, and delivery delays reduced sales. These disruptions to the supply chain and logistics, along with the costs of investigation and remediation, form the bulk of the losses cited in the lawsuit. A single unauthorized reset, in other words, can have outsized consequences.
CISA and other agencies have identified the same pattern: Scattered Spider and similar groups target outsourced service desks, which often hold broad access to the systems of multiple clients. Their advisories note that these attackers impersonate employees and exploit weak identity verification to have MFA reset and passwords changed. Rigorous caller verification is thus a critical control across the supply chain.
Why outsourcing increases risk
Outsourcing support isn’t inherently problematic when the provider’s processes are robust. However, if verification mechanisms are weak or poorly enforced, risk rises sharply. This can be explained by three main factors:
- Expanded trust: Providers often hold broad privileges and fast procedures (password resets, MFA resets, or account unlocks). If abused, these accesses can open doors to critical systems across the enterprise.
- Process drift and high volume: large providers handle a high volume of calls. When scripts are unclear or quality control is insufficient, agents tend to prioritize service continuity over thorough verification. In the Clorox case, the complaint alleges that the contractual verification requirements were not followed.
- Lack of visibility: Third‑party service desks log actions in their own tools, often poorly integrated with the client’s SIEM or privileged access management solutions, delaying incident detection.
Recommended measures for security teams
Resets should be treated as privileged actions and protected by five concrete measures:
- Out-of-band verification: require a callback to a number already on record, a one-time code sent to the user's corporate mailbox or enrolled device, or a cryptographic challenge, instead of knowledge-based questions whose answers an attacker can research.
- Approval levels: sensitive resets, such as MFA resets or resets of privileged accounts, should require a second approver and an automatic notification to the account owner, both tied to the ticket identifier.
- Temporary sessions and isolation: grant privileged access as time-bound sessions, and immediately revoke any admin session that follows a suspicious reset.
- Automated telemetry and containment: log every reset in an immutable journal, alert on abnormal behavior, and on alert automatically revoke tokens or force re-authentication.
- Turn detection into rules: monitor patterns such as the same callback number used for multiple accounts, or several MFA resets within a single entity over a short period. These signals should trigger automatic session revocation and escalation to the SOC.
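The two most mechanical of these measures, the out-of-band one-time code and the detection rules, can be sketched in a few dozen lines. The following Python is an added example written for this article, not code from Clorox, Cognizant or any product: the code flow shows a ticket-bound, single-use, expiring code, and `detect_reset_abuse()` runs the "shared callback number" and "MFA reset burst" rules over a constructed set of service desk events. Field names, thresholds and sample records are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal model of two of the
measures above. issue_code()/verify_code() implement a ticket-bound, single-use,
expiring out-of-band code; detect_reset_abuse() runs two detection rules over
constructed service desk events. Names, thresholds and sample records are
assumptions, not Clorox or Cognizant data."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# ---- Out-of-band verification: one-time code bound to the ticket and account ----
SERVER_SECRET = secrets.token_bytes(32)  # assumption: known only to the desk tool
TOKEN_TTL = timedelta(minutes=10)
_pending: dict[str, tuple[bytes, datetime]] = {}  # ticket_id -> (expected MAC, expiry)


def _mac(ticket_id: str, account: str, code: str) -> bytes:
    # Binding ticket and account into the MAC means a code issued for one
    # ticket cannot be replayed against another account's reset.
    msg = f"{ticket_id}|{account}|{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_code(ticket_id: str, account: str, now: datetime) -> str:
    """Generate a short code for the ticket. The desk tool delivers it to the
    account's own corporate mailbox or device; the agent never reads it out."""
    code = secrets.token_hex(4)  # 32 random bits; enough for a 10-minute, single-try window
    _pending[ticket_id] = (_mac(ticket_id, account, code), now + TOKEN_TTL)
    return code


def verify_code(ticket_id: str, account: str, code: str, now: datetime) -> bool:
    """Accept the code once. Any attempt, right or wrong, consumes the pending
    entry, so a guessing caller forces a fresh issue (and a fresh log line)."""
    entry = _pending.pop(ticket_id, None)
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry:
        return False
    return hmac.compare_digest(expected, _mac(ticket_id, account, code))


def demo_verification() -> tuple[bool, bool, bool]:
    """Happy path, replay of an already-used code, and an expired code."""
    t0 = datetime(2025, 1, 10, 9, 0, 0)
    code = issue_code("INC-1001", "jdoe", t0)
    ok = verify_code("INC-1001", "jdoe", code, t0 + timedelta(minutes=2))
    replay = verify_code("INC-1001", "jdoe", code, t0 + timedelta(minutes=3))
    code2 = issue_code("INC-1002", "asmith", t0)
    late = verify_code("INC-1002", "asmith", code2, t0 + timedelta(minutes=11))
    return ok, replay, late


# ---- Detection rules over reset events (constructed sample, not real logs) ----
class ResetEvent(NamedTuple):
    ts: str        # ISO-8601 timestamp written by the desk tool
    tenant: str    # client or business unit the account belongs to
    account: str
    action: str    # "password_reset" | "mfa_reset" | "unlock"
    callback: str  # number the agent called back


SAMPLE_EVENTS = [
    ResetEvent("2025-01-10T09:00:00", "corp", "jdoe", "mfa_reset", "+15550001111"),
    ResetEvent("2025-01-10T09:04:00", "corp", "asmith", "mfa_reset", "+15550001111"),
    ResetEvent("2025-01-10T09:09:00", "corp", "bwong", "password_reset", "+15550001111"),
    ResetEvent("2025-01-10T09:12:00", "corp", "bwong", "mfa_reset", "+15550001111"),
    ResetEvent("2025-01-10T14:30:00", "corp", "clee", "unlock", "+15550002222"),
    ResetEvent("2025-01-11T10:00:00", "plant", "mgarcia", "mfa_reset", "+15550003333"),
]


def detect_reset_abuse(events, window=timedelta(minutes=30),
                       shared_callback_min_accounts=3, mfa_burst_min=3):
    """Return alerts for one callback number spanning several accounts, and for
    several MFA resets in one tenant inside a sliding time window."""
    alerts = []
    accounts_by_number = defaultdict(set)
    for e in events:
        accounts_by_number[e.callback].add(e.account)
    for number, accounts in sorted(accounts_by_number.items()):
        if len(accounts) >= shared_callback_min_accounts:
            alerts.append(("shared_callback", number, sorted(accounts)))

    mfa_times = defaultdict(list)
    for e in events:
        if e.action == "mfa_reset":
            mfa_times[e.tenant].append(datetime.fromisoformat(e.ts))
    for tenant, times in sorted(mfa_times.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= mfa_burst_min:
                alerts.append(("mfa_burst", tenant, end - start + 1))
                break  # one alert per tenant is enough to escalate
    return alerts


if __name__ == "__main__":
    print(demo_verification())
    for alert in detect_reset_abuse(SAMPLE_EVENTS):
        print(*alert)
```

In a real deployment the `_pending` table would live in the desk tool's database and every issue and verify call would be written to the immutable reset journal; the detection rules would run in the SIEM over the same journal, with the alert feeding the automatic session revocation described above.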
Operational governance: contracts and audits
If you outsource, your contract should mandate technical controls and the ability to audit the provider. It should require that the provider demonstrate, through logs and annual tests, that it applies two‑channel verification, maintains immutable logs, and integrates its actions into your SIEM. It should also specify measurable SLAs for detecting and responding to compromised accounts, as well as simulated social engineering tests with a report of corrective actions.
Technology helps, but humans remain vulnerable to social engineering. It is essential to regularly conduct telephone simulations, analyze failures, and integrate corrective training into operations. Reducing the time between reset and containment is more effective than expensive one‑off hardening projects.
Try Specops Secure Service Desk
To see caller verification in action, immutable logs, and ticket integration, try Specops Secure Service Desk. It’s the quickest way to see how reliable verification and automated containment limit the time attackers have. Book a live demonstration.
