Toxic Combinations: The hidden cause behind 70% of today’s major breaches

This chain reaction is what we call a toxic combination. Take a laptop that hasn’t been patched in months. On its own, it’s a problem waiting to be exploited. Now, place that laptop in the hands of a highly privileged user who is also prone to clicking on malicious links. Suddenly, what might have looked like an isolated weakness becomes a clear pathway into an organisation’s most sensitive systems.

To understand how common and dangerous these overlaps are, we analysed 20 major breaches over the past five years. In 14 of the 20 cases, we found clear evidence of compounding risks forming toxic combinations that magnified the overall impact.

From that group, we took a closer look at five major breaches – AT&T, MGM Resorts, Okta, Uber and Colonial Pipeline. Across these, just eight distinct risk factors were enough to create toxic combinations that spiralled into national emergencies, wiped billions off company valuations, inflicted lasting reputational harm and triggered multiple class-action lawsuits.

Our analysis

AT&T (2024)

AT&T, the world’s third-largest telecommunications company, became one of the highest-profile victims of Scattered Spider in 2024. The attackers did not break into AT&T’s core systems directly. Instead, they combined a series of weaknesses that, when combined, gave them access to sensitive customer data stored in the cloud.

Toxic combination factors:

• Compromised credentials and poor credential hygiene: Credentials harvested by infostealer malware were used for access.
• Weak or absent MFA/access controls: Attackers then logged into AT&T’s cloud database, which lacked 2FA.
• Undetected tool use and reconnaissance: The attackers deployed reconnaissance tools – such as the utility dubbed FROSTBITE – to discover high-value data sets without being detected or prevented by network access policies.
• Undetected data exfiltration/large-scale access: Finally, the attackers staged desired tables of data copies using built-in capabilities and successfully exfiltrated the data to their chosen environment.

What looked like a chain of credentials abuse, missing MFA, and undetected reconnaissance became a textbook toxic combination. Together, these factors allowed attackers not only to enter AT&T’s cloud environment but to quietly walk out with sensitive customer data – a breach that has translated into both reputational and financial damage. AT&T has since been ordered to pay customers $2,500 each if customers can prove they were impacted.

MGM Resorts (2023)

The 2023 breach at MGM Resorts, which owns the MGM Grand in Las Vegas, among other properties, demonstrates how social engineering combined with weak internal defences can snowball. The attackers – Scattered Spider again, this time working with AlphV – caused widespread disruption to MGM’s business and customer trust.

Toxic combination factors:

• Poor controls against social engineering: Attackers called MGM’s IT help desk, posing as a legitimate employee to gain administrator access to MGM’s Okta and Azure tenant undetected by helpdesk employees.
• Persistence and lateral movement without detection: Attackers deployed their own Identity Provider (IDP) that submitted authenticated requests into MGM's Okta system to maintain access even if locked out, which also went undetected. They then moved laterally through MGM’s network without being discovered.
• Ransomware and large-scale business disruption: Next, they deployed ransomware across more than 100 ESXi hypervisors hosting thousands of virtual machines critical to operations.
• Undetected data exfiltration / large-scale access: Data was then exfiltrated, with Scattered Spider claiming some 6TB extracted.

This wasn’t one failure but four, stitched together: a social engineering phone call, a rogue identity provider and lateral movement, ransomware, and data theft. Combined, they paralysed MGM’s operations, drained revenue and pushed the company into costly settlements and lawsuits. Customer data was stolen, digital slot machines went offline, losses hit an estimated $100 million, and MGM ultimately agreed to a $45 million class action settlement.

Okta (2022)

In 2022, Okta, a well-known identity and access provider, fell victim to a breach by the group Lapsus$. The incident illustrates how weaknesses at third-party providers can intersect with other oversights, like inadequate monitoring, to open the door for attackers.

Toxic combination factors:

• Third-party and supply chain weaknesses: Attackers gained access to a customer support agent’s laptop via a third-party support provider.
• Persistence and lateral movement without detection: They then used Remote Desktop Protocol (RDP) over a five-day window to maintain their foothold and use the privileges they had to gain access, completely undetected.
• Undetected tool use and reconnaissance: Next, they accessed the support engineer's tools, including Okta’s customer support panel and Slack systems. They were able to view Jira tickets and user lists and had the ability to reset passwords and MFA tokens.

Third-party compromise, undetected persistence and tool misuse might sound like operational noise in isolation. But at Okta, they overlapped into a toxic combination that directly undermined trust in an identity giant – erasing billions in market value almost overnight. While only 2.5% of clients were directly affected, the company’s share price plunged, wiping more than $2 billion off its market capitalisation.

Uber (2022)

Uber’s 2022 incident at the hands of Lapsus$ is a lesson in how weak contractor access and credential hygiene combine with effective social engineering to produce enterprise-wide compromise.

Toxic combination factors:

• Compromised credentials and poor access hygiene: Attackers purchased stolen credentials belonging to an external Uber contractor, likely via a dark-web marketplace. Once inside, they located hard-coded administrator credentials in PowerShell scripts that gave them privileged access to Uber’s Thycotic PAM system.
• Weak MFA or absent MFA / access controls: Initial login attempts were blocked by MFA.
• Poor controls against social engineering: However, the attacker then flooded the contractor with MFA push requests and impersonated Uber IT on WhatsApp to convince the contractor to allow access, showing a failure in training.
• Persistence and lateral movement without detection: Using elevated credentials, the attacker gained broad admin access to numerous internal systems without detection.

A contractor’s stolen credentials, MFA fatigue tactics, hard-coded secrets and unnoticed lateral movement stacked up into a toxic combination that gave attackers enterprise-wide control. The result was financial losses, regulatory fines and long-term trust issues that could have been stopped had just one link in the chain been broken. Instead, the breach wiped 5% off Uber’s share price and drew a €290 million GDPR fine from Dutch regulators – a penalty the company is still contesting.

Colonial Pipeline (2021)

Perhaps one of the most dramatic examples of a toxic combination is the Colonial Pipeline attack in 2021. The DarkSide ransomware group managed to shut down almost half of America’s East Coast fuel supply through three failures that could have been minor on their own.

Toxic combination factors:

• Compromised credentials and poor access hygiene: Attackers used a compromised VPN credential, an account that was inactive and lacked multi-factor authentication, to infiltrate the network, showing a failure of condemning accounts.
• Undetected data exfiltration/large-scale access: 100GB of data was then accessed without detection and encrypted.
• Ransomware and large-scale business disruption: Ransomware was deployed, and systems shut down entirely within 70 minutes.

A single dormant VPN account without MFA would not normally shut down half the US East Coast’s fuel supply. But combined with undetected data access and rapid ransomware deployment, it became a toxic combination that escalated from overlooked risk to a national emergency within hours. Colonial could no longer bill customers or coordinate shipments, forcing it to halt operations. The crisis was severe enough for the federal government to declare a state of emergency, underscoring how one weak link can cascade into nationwide disruption.

Breaking the chain

Across all these examples, the pattern is clear: Breaches rarely hinge on a single vulnerability. They emerge when multiple risks overlap. Toxic combinations turn “nuisance” problems, such as an inactive account, a missed phishing test or a misconfigured system, into incidents that can cripple entire industries.

Breaking that chain comes down to continuously monitoring even the simplest of measures like enforcing MFA everywhere, training staff to spot social engineering and retiring inactive accounts. The challenge is recognising the overlaps. Toxic combinations are hard to spot because each element looks low risk when considered in isolation.

Organisations need the ability to see these patterns forming. That requires more than human intuition. It calls for data-driven analysis across millions of assets and signals. This is where platforms like Panaseer’s Cyber Control Management (CCM) can help make a difference. Panaseer helps identify high-risk scenarios where multiple weaknesses in cybersecurity defences overlap. Panaseer’s compound risk metrics instantly reveal areas with higher exploitability across multiple cyber domains, combined with business context, so you can focus on the most critical risks first.