Many organizations have hardened login security with MFA and phishing-resistant controls. Yet some of the most damaging identity breaches now occur after login, during password resets, MFA re-enrollment, or routine help-desk recovery requests.

These workflows are rarely treated as security-critical events. Attackers know that credentials can be reset, MFA can be disabled, and devices can be replaced. They don’t need to defeat cryptography if they can convince a system or a service desk to let them in.

That weakness has been exploited in the real world. In a series of incidents in 2025, major U.K. retailers such as Marks & Spencer, Harrods, and the Co-op Group were targeted by attackers who used social engineering to trick help-desk personnel into resetting credentials and bypassing MFA protections.

Recovery paths exist because things go wrong. That makes them the easiest place to exploit trust.

When breaches are analyzed after the fact, the initial compromise can often be traced to an account that was legitimately issued, protected by MFA, and compliant with policy. The failure wasn’t at login. It was in how identity was re-established afterward.
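One way to start treating recovery workflows as the security-critical events the text describes is to correlate them in the identity audit log. The following is an added example, not code from the original article or from any vendor product: it runs over a constructed audit log (the line format, action names such as `MFA_RESET`, and the 30-minute window are all assumptions) and flags users for whom a help-desk-initiated reset is followed by further recovery actions in a short span.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real system).
# Format: <ISO timestamp> <actor> <action> <target user> <source>
SAMPLE_LOG = """\
2025-04-01T09:02:10Z helpdesk.agent17 PASSWORD_RESET alice.w phone-queue
2025-04-01T09:03:42Z helpdesk.agent17 MFA_RESET alice.w phone-queue
2025-04-01T09:06:05Z alice.w MFA_ENROLL alice.w 198.51.100.23
2025-04-01T09:07:30Z alice.w LOGIN_SUCCESS alice.w 198.51.100.23
2025-04-01T14:15:00Z bob.k PASSWORD_CHANGE bob.k 10.0.4.12
2025-04-02T11:00:00Z helpdesk.agent03 PASSWORD_RESET carol.m ticket-4412
2025-04-03T16:40:00Z carol.m LOGIN_SUCCESS carol.m 10.0.7.9
"""

# Hypothetical action names that re-establish identity rather than prove it.
RECOVERY_ACTIONS = {"PASSWORD_RESET", "MFA_RESET", "MFA_ENROLL", "DEVICE_REGISTER"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(text):
    """Parse the constructed log format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, source = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "action": action,
                       "target": target, "source": source})
    return sorted(events, key=lambda e: e["time"])


def find_recovery_chains(events, window=WINDOW):
    """Flag users where a reset done on their behalf (actor != target) is
    followed within `window` by at least one other distinct recovery action."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in RECOVERY_ACTIONS:
            by_user[e["target"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["actor"] == user:  # self-service change; not a help-desk start
                continue
            chain = [start] + [e for e in evs[i + 1:] if e["time"] - start["time"] <= window]
            actions = {e["action"] for e in chain}
            if len(actions) >= 2:
                findings[user] = {"start": start["time"], "actor": start["actor"],
                                  "actions": sorted(actions)}
                break
    return findings


if __name__ == "__main__":
    for user, f in find_recovery_chains(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {f['actor']} initiated {f['actions']} at {f['start']:%Y-%m-%d %H:%M}")
```

In the sample, only `alice.w` is flagged: a single help-desk password reset for `carol.m` is routine on its own, while a reset followed by MFA removal and re-enrollment within minutes is the sequence worth routing to a reviewer.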