Clorox Sues Cognizant After $380M Hack Over MFA Issues

Hacking is hard—until it’s as simple as picking up the phone. In August 2023, a cybercriminal spoofed internal Clorox employees and tricked Cognizant’s outsourced service desk into resetting passwords and multifactor authentication (MFA) tokens without any identity proofing. The result: an estimated $380 million in damage as ransomware spread across factories, supply chains and corporate systems. Now Clorox is suing Cognizant, alleging gross negligence and breach of agreed security procedures.
Background of the 2023 Breach
The Clorox Company had spent a decade (2013–2023) delegating tier-1 password, VPN and MFA support to Cognizant under a managed services agreement. Officially, every request had to go through Clorox’s MyID self-service tool first or, failing that, the caller had to provide their MyID username and manager’s name for agent validation. Instead, according to the lawsuit filed in California state court in July 2025, multiple Cognizant agents handed over credentials “no authentication questions asked.”
“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques. The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”
— Excerpt from Clorox lawsuit
Attack Vector and Technical Breakdown
- Social Engineering: The attacker performed caller ID spoofing and used standard vishing scripts to impersonate two distinct Clorox employees in IT and security.
- MFA Bypass: Both Okta and Microsoft Authenticator resets were processed via SMS-based one-time passcodes (OTP). No out-of-band verification or hardware token fallback was enforced.
- Network Access: Once inside, the intruder escalated privileges by discovering and reusing service-account secrets, then deployed ransomware and exfiltrated sensitive data via encrypted channels (TLS 1.2 over port 443).
Vendor Management and SLA Violations
Clorox alleges that Cognizant repeatedly acknowledged compliance with identity-proofing protocols in quarterly governance calls, but internal call recordings show agents ignoring basic steps. Under NIST SP 800-63 guidelines, authentication assurance levels (AAL2 or above) require proof of possession—beyond SMS OTP—yet Cognizant processed resets at AAL1.
Expert Opinions and Industry Standards
“This breach highlights the fragility of SMS-only MFA and underscores the need for hardware security tokens or FIDO2/WebAuthn,” says Dr. Elena Martinez, CISO at a Fortune 500 pharmaceutical company. Gartner’s recent report on Identity and Access Management also warns that vishing attacks have increased 300 percent year-over-year.
Mitigation Strategies and Best Practices
- Implement hardware-based MFA (e.g., YubiKey, Titan) to reach AAL3 assurance.
- Enforce strict call-back procedures: authenticate via corporate directory, callback on a registered number, and log reason codes.
- Adopt a Zero Trust model: microsegmentation, continuous monitoring (SIEM/UEBA), and just-in-time privileged access (PAM solutions).
- Conduct regular red-team exercises and vishing simulations to test service desk resilience.
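The following is an added example, not code from the article, from Clorox or from Cognizant, of what a service-desk reset gate that enforces the steps above looks like: self-service first, manager name checked against the directory of record, a call-back to the registered number instead of trusting caller ID, proof of possession graded by the NIST SP 800-63B assurance levels the article cites, and a reason code on every decision for the audit log. The directory entries, phone numbers, reason codes and the `evaluate_reset`/`audit_line` functions are all constructed for illustration; it also goes beyond the article by showing a lost-device escalation path (manager confirmation obtained out of band) so that the gate does not simply fall back to SMS.

```python
"""Service-desk reset gate: identity proofing before any password or MFA reset.

Added example, not code from the article or from Clorox or Cognizant. The
directory entries, phone numbers and reason codes are constructed for
illustration; the assurance levels follow NIST SP 800-63B.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Assurance(Enum):
    AAL1 = 1  # single factor, or SMS OTP (a restricted channel)
    AAL2 = 2  # two factors, e.g. a registered authenticator app
    AAL3 = 3  # hardware-backed, phishing-resistant (FIDO2/WebAuthn)


# Constructed directory of record. In production this is the HR/IdP source of
# truth, never information the caller supplies over the phone.
DIRECTORY = {
    "jdoe": {"manager": "asmith", "phone": "+15550100", "factors": {"fido2", "app"}},
    "mlee": {"manager": "asmith", "phone": "+15550101", "factors": {"sms"}},
}

# Assurance a caller reaches by proving possession of each registered factor.
FACTOR_LEVEL = {"sms": Assurance.AAL1, "app": Assurance.AAL2, "fido2": Assurance.AAL3}
REQUIRED_LEVEL = Assurance.AAL2  # policy floor for any credential reset


@dataclass
class ResetRequest:
    username: str
    claimed_manager: str
    caller_id: str                        # what the phone system displays; spoofable
    self_service_attempted: bool          # MyID-style self-service tried first
    callback_confirmed: bool              # agent hung up and called the directory number
    verifier_used: Optional[str] = None   # registered factor the caller proved possession of
    manager_confirmed_oob: bool = False   # manager confirmed on their own verified channel


@dataclass
class Decision:
    approved: bool
    reason_code: str
    assurance: Optional[Assurance] = None
    audit: list = field(default_factory=list)


def evaluate_reset(req: ResetRequest, required: Assurance = REQUIRED_LEVEL) -> Decision:
    """Return the gate decision; every branch carries a reason code for the log."""
    audit = [f"reset request user={req.username} caller_id={req.caller_id}"]
    record = DIRECTORY.get(req.username)
    if record is None:
        return Decision(False, "UNKNOWN_USER", audit=audit + ["no directory record"])
    if not req.self_service_attempted:
        return Decision(False, "SELF_SERVICE_REQUIRED", audit=audit + ["redirected to self-service"])
    if req.claimed_manager != record["manager"]:
        return Decision(False, "MANAGER_MISMATCH",
                        audit=audit + [f"claimed={req.claimed_manager} directory={record['manager']}"])
    # Caller ID is never evidence: the agent must call back the number of record.
    if not req.callback_confirmed:
        return Decision(False, "CALLBACK_REQUIRED",
                        audit=audit + [f"callback to {record['phone']} not confirmed"])
    factor = req.verifier_used
    if factor is not None and factor in record["factors"]:
        level = FACTOR_LEVEL[factor]
        audit.append(f"possession proven with {factor} -> {level.name}")
        if level.value < required.value:
            # SMS OTP only reaches AAL1, so it can never authorise a reset at AAL2 policy.
            return Decision(False, "INSUFFICIENT_ASSURANCE", level,
                            audit + [f"policy requires {required.name}"])
        return Decision(True, "APPROVED", level, audit)
    # Lost or unregistered factor: only the manager's confirmation, obtained on the
    # manager's own verified channel (not the caller's), substitutes for possession.
    if req.manager_confirmed_oob:
        return Decision(True, "APPROVED_VIA_MANAGER_ESCALATION", required,
                        audit + [f"manager {record['manager']} confirmed out of band"])
    return Decision(False, "POSSESSION_NOT_PROVEN", audit=audit + ["no registered factor verified"])


def audit_line(req: ResetRequest, decision: Decision) -> str:
    """Single key=value log line for SIEM ingestion."""
    level = decision.assurance.name if decision.assurance else "none"
    detail = "; ".join(decision.audit)
    return (f"event=helpdesk_reset user={req.username} approved={decision.approved} "
            f"reason={decision.reason_code} assurance={level} detail=\"{detail}\"")


if __name__ == "__main__":
    # A caller whose displayed number matches the directory but who was never called back.
    spoofed = ResetRequest("jdoe", "asmith", "+15550100", True, callback_confirmed=False)
    print(audit_line(spoofed, evaluate_reset(spoofed)))
```

The ordering of the checks matters: the call-back happens before any factor is examined, so a matching caller ID and a correct manager name on their own never reach the approval branch, and an SMS code is logged as AAL1 and rejected against an AAL2 floor rather than quietly accepted.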
Lessons Learned and Next Steps
Following this incident, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its circular on Strengthening MFA Practices, recommending the deprecation of SMS OTP by 2026. Clorox’s lawsuit not only seeks damages but aims to set a precedent on vendor accountability for outsourced security functions.