{
	"id": "152db031-be09-4543-96c3-f6126a2ded41",
	"created_at": "2026-04-12T02:22:26.843686Z",
	"updated_at": "2026-04-12T02:22:41.460146Z",
	"deleted_at": null,
	"sha1_hash": "9202016b29e38363dd1e3cbd44d7b6a46040f5b8",
	"title": "“Can you reset my password?” How a simple service desk attack cost Clorox $400 million",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59273,
	"plain_text": "“Can you reset my password?” How a simple service desk attack\r\ncost Clorox $400 million\r\nBy Marcus White\r\nPublished: 2025-07-28 · Archived: 2026-04-12 02:20:43 UTC\r\nTable of Contents\r\n“Can you reset my password?” How a simple service desk attack cost Clorox $400 million\r\nClorox breach: Attack summary \r\nClorox hack: How the service desk social engineering played out\r\nSpecops analysis: What can we learn from the Clorox hack? \r\nHand holding a Clorox spray bottle\r\nTable of Contents\r\n“Can you reset my password?” How a simple service desk attack cost Clorox $400 million\r\nClorox breach: Attack summary \r\nClorox hack: How the service desk social engineering played out\r\nSpecops analysis: What can we learn from the Clorox hack? \r\npicture of author marcus white\r\nLast week, cleaning products giant Clorox took the unusual step of suing its IT services partner Cognizant for\r\ngross negligence. Clorox are alleging that the August 2023 ransomware attack they suffered came about thanks to\r\nan incredibly simple piece of human error. According to the complaint, hackers tied to the “Scattered Spider”\r\ngroup simply phoned Cognizant’s service desk and requested a password reset – and were given one.\r\nWe’ll walk through how this basic lapse led to serious consequences and share some practical hardening measures\r\nyou can put into place.\r\nClorox breach: Attack summary \r\nWho was targeted: Clorox \r\nAttack type: Ransomware \r\nEntry technique: Service desk social engineering\r\nImpact: Operational disruption, $49 million in direct remediation expenses \u0026 $380 million in lost revenue\r\nWho was responsible: Hackers linked to the Scattered Spider group\r\nOn August 11th, 2023, attackers tied to the Scattered Spider group executed a social‑engineering campaign against\r\nCognizant’s Clorox service desk. 
They placed multiple calls in which they posed as locked‑out employees\r\nrequesting password and MFA resets. Despite Clorox’s clear, “straight‑forward” reset procedures, the agent on the\r\nline bypassed the protocols. The caller wasn’t verified, and they were given a new password.\r\nCrucially, no notification emails were sent to either the impersonated employee or their manager. This basic alert\r\ncould have tipped off Clorox’s security team about the unauthorized changes. Worse still, the attackers repeated\r\nthe same trick to compromise a second account belonging to an IT‑security employee, instantly elevating\r\nthemselves to domain‑admin privileges and granting unfettered access to Clorox’s core Active Directory\r\nenvironment.\r\nRansomware deployment\r\nWith valid high‑level credentials in hand, the intruders disabled critical security controls, swept through the\r\nnetwork to escalate privileges further, and deployed ransomware across key servers. This silently encrypted data\r\nand severed links between manufacturing, distribution, and IT systems. By the time Clorox detected anomalous\r\nactivity and pulled the plug on affected systems, production lines were halted and order fulfilment ground to a\r\nstandstill.\r\nIn the immediate aftermath, Clorox claimed there were delays in containment and a failure to shut down\r\ncompromised accounts, compounding the damage during the critical first hours. Recovery efforts stretched for\r\nweeks, encompassing forensic analysis, credential resets, system restores, and vendor‑led process overhauls.\r\nIn total, Clorox reports $49 million in direct remediation costs and $380 million in overall losses, including lost\r\nrevenue from shuttered factories and disrupted supply chains.\r\nSpecops analysis: What can we learn from the Clorox hack? 
\r\nDarren James, Senior Product Manager at Specops, said: “Ultimately, this lawsuit should be a wakeup call for all\r\nMSPs that provide IT help desk services to their customers. They need to take ownership of the user verification\r\nprocess, particularly regarding password or MFA resets. They should provide their customers with secure and\r\nflexible self-service solutions that can be used from any device, at any time, and from any location so there can be\r\nno exceptions made.\r\n“For all other service desk calls, there should also be a mandatory verification process put in place. Having written\r\nprocedures is one thing, but is the technology there to enforce a process? Or can the process be circumvented with\r\na simple social engineering strategy? Failure to provide such services could leave an MSP open to similar\r\nlitigation and reputational as well as financial penalties.”\r\nIs outsourcing the service desk risky?\r\nIt’s estimated 50% of organizations outsource at least part of their service desk function. Outsourcing critical\r\nsupport functions can deliver cost savings and 24/7 coverage, but it can introduce risk too. Earlier this year, UK\r\nretailer Marks and Spencer’s suffered a similar incident. 
Attackers phoned in posing as M\u0026S employees and\r\ntricked staff at Tata Consultancy Services (M\u0026S’s long term IT helpdesk contractor) into resetting privileged\r\ncredentials, gaining them unfettered access to the retailer’s Active Directory environment.\r\nTo mitigate these risks, it’s important to maintain strict SLAs that codify verification protocols, conduct frequent\r\nred team exercises on outsourced processes, and require transparent, real-time reporting of all high-risk activities.\r\nOnly by enforcing strong verification processes at your service desk (even when it’s run by a partner) can you\r\nensure that your “frontline” defense remains a strength, not a vulnerability.\r\nThe key lesson here is the vulnerability of service desk agents to social engineering. It’s vital to lock down\r\nservice-desk permissions so that agents cannot reset credentials for admin or IT-privileged accounts without a\r\nsecondary approval workflow.\r\nTo lock down your service desk against social-engineering threats like those used by Scattered Spider, try Specops\r\nSecure Service Desk for secure verification, granular reset controls, and full audit trails. Give your agents the\r\nsupport they need – book a live demo.\r\nLast updated on November 11, 2025\r\nWritten by\r\nMarcus White\r\nMarcus is a cybersecurity product specialist based in the UK, with 8+ years experience in the tech and cyber\r\nsectors. He writes about authentication, identity and access management, and compliance.\r\nSource: https://specopssoft.com/blog/clorox-password-social-engineering/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://specopssoft.com/blog/clorox-password-social-engineering/"
	],
	"report_names": [
		"clorox-password-social-engineering"
	],
	"threat_actors": [],
	"ts_created_at": 1775960546,
	"ts_updated_at": 1775960561,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9202016b29e38363dd1e3cbd44d7b6a46040f5b8.pdf",
		"text": "https://archive.orkl.eu/9202016b29e38363dd1e3cbd44d7b6a46040f5b8.txt",
		"img": "https://archive.orkl.eu/9202016b29e38363dd1e3cbd44d7b6a46040f5b8.jpg"
	}
}