They relied on a type of malware called infostealing malware.
This type of malicious software can end up on a computer without the person realizing it. Once installed, it quietly collects:
- Saved passwords
- Login credentials
- Other sensitive data

That information is then sent back to criminals.
And this doesn’t only happen on office computers.
It can happen on:
- Home PCs
- Personal laptops
- Any device that’s ever been used to log into work systems

The Part That Really Matters

When login details are stolen, they aren’t always used straight away.
Some of the passwords used in this campaign were years old.
That tells us two important things:
- Passwords weren’t being changed often enough
- Old logins were still being trusted long after they should have been invalidated

In other words, a device infected long ago can suddenly become a serious problem today.
Security professionals refer to this as a latency issue.
The threat sits quietly in the background, waiting.
Time doesn’t erase mistakes. It just delays the consequences.

MFA Would Have Stopped This

The attackers had the passwords.
What they didn’t have was:
- The phone
- The app
- The approval tap

That single extra step would have turned a successful breach into a dead end.
This is why security professionals keep repeating the same message:
Passwords alone are no longer enough.

“But MFA Is Annoying…”

That’s a common reaction—and yes, it does add an extra moment to logging in.
But compare that to the alternative:
- A password nobody remembers is still valid years later
- Confidential files are copied, sold, or quietly leaked
- No one notices until the damage is already done

MFA turns a stolen password into useless information.
That’s why enforcing MFA isn’t overkill anymore.
It’s simply sensible.