One criminal, 50 hacked organizations, and all because MFA wasn't turned on
theregister.co.uk
If you don't say "yes way" to MFA, the consequences can be disastrous. Sensitive data belonging to about 50 global enterprises is listed for sale – and, in some cases, has already been sold – on the dark web following a major infostealer campaign, with apparent victims including American utility engineering firm Pickett and Associates; Japan's homebuilding giant Sekisui House; and Spain's largest airline Iberia.
The thief, who goes by the moniker Zestix or Sentap, steals data from corporate file-sharing portals by using compromised cloud credentials obtained from information-stealing malware. And none of the purported victims enforced multi-factor authentication (MFA), according to Hudson Rock, an Israeli cybersecurity company that specializes in infostealers.
Stolen credentials combined with a lack of MFA are always a recipe for disaster, as we have seen in earlier big breaches such as Change Healthcare, British Library, and Snowflake customers' database hacks.
"Because the organizations listed ...
Copyright of this story solely belongs to theregister.co.uk.

