Why MFA Matters More Than Ever

Old passwords can still unlock your systems — here’s why MFA matters

What would happen if someone got hold of an old password from one of your team — something they haven’t used in years?

Not a current password.
Not one they even remember.
Just an outdated login that never got changed.

For many businesses across manufacturing, the trades, automotive services and charities, this scenario is a very real threat. And a recent global cyber incident proved just how dangerous it can be.

A silent data‑theft campaign that relied on old passwords

A major investigation uncovered a large‑scale cybercriminal operation targeting organisations across multiple countries and industries. Sensitive business data, customer information and internal documents were quietly stolen and later sold on the dark web.

Different sizes of business were affected.
Different sectors.
Different systems.

But one factor kept appearing — the attackers logged into cloud services using nothing more than a username and an old password.

No MFA.
No second check.
No safeguard.

For criminals, it was like using a rusty key that still somehow worked.

How attackers got hold of the passwords

The campaign made use of infostealing malware — malicious software that often ends up on a device without anyone noticing.

It can infect:

  • Home PCs used for checking emails
  • Personal laptops used for remote work
  • Shared workshop machines
  • Old office computers still running out-of-date software

Once active, it quietly collects login details and sends them back to attackers.

Here’s the worrying part:
The stolen passwords weren’t new — many were several years old.

Why old passwords are still dangerous

This incident revealed two major weaknesses:

  1. Passwords weren’t being changed often enough
  2. Old logins were still accepted by systems long after they should have been disabled

For businesses that rely heavily on uptime — such as machine shops, electricians, gas engineers, car garages, and parts distributors — a legacy password floating around the internet is a serious operational risk.

Cyber criminals don’t need new information.
They just need something that still works.

The ‘latency’ problem: Old mistakes don’t disappear

This is what experts call latency — a threat from the past that can suddenly cause chaos in the present.

A device infected long ago can leak login details long after the employee has moved on or the machine has been replaced. If that old password still grants access to important systems, attackers can simply walk right in.

Where MFA stops attackers instantly

This entire situation could have been prevented if MFA had been enforced.

MFA (Multi‑Factor Authentication) requires a second proof of identity, such as:

  • A code on your phone
  • An authentication app
  • A fingerprint
  • A hardware key

Even with the password, the attackers would have hit a brick wall.

No second factor = no access.

“But MFA is annoying…”

It’s true — MFA adds an extra moment to the login process.

But compare that to:

  • Your engineering workshop stopping because files were encrypted
  • Your electricians unable to access job sheets
  • Your garage management software being held to ransom
  • Your charity’s confidential data being leaked online

A 3‑second authentication step suddenly feels like a bargain.

Old passwords don’t expire — unless you make them

This incident proved one thing clearly:

Old passwords remain a threat indefinitely

Unless you enforce:

  • Strong MFA
  • Regular password changes
  • Disabling old accounts
  • Monitoring for compromised credentials

You’re leaving doors open that you don’t even remember exist. If you want to shut those doors properly — for good — we can help.
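As an added illustration (not part of the original article or any vendor's tooling), here is one way to check an exported list of user accounts for the gaps described above: no MFA, an old password, or a login that is still enabled long after it was last used. The field names, thresholds and sample accounts are assumptions constructed for the example.

```python
from datetime import date

# Thresholds are assumptions for illustration; the article gives no figures.
MAX_PASSWORD_AGE_DAYS = 365
MAX_INACTIVE_DAYS = 90

# Constructed sample export; field names are hypothetical, not a vendor schema.
SAMPLE_ACCOUNTS = [
    {"user": "j.smith", "enabled": True, "mfa": True,
     "password_set": date(2025, 3, 1), "last_sign_in": date(2025, 5, 28)},
    {"user": "workshop-pc", "enabled": True, "mfa": False,
     "password_set": date(2021, 6, 14), "last_sign_in": date(2025, 5, 30)},
    {"user": "former.employee", "enabled": True, "mfa": False,
     "password_set": date(2020, 1, 9), "last_sign_in": date(2022, 11, 2)},
    {"user": "old.contractor", "enabled": False, "mfa": False,
     "password_set": date(2019, 4, 3), "last_sign_in": date(2020, 2, 1)},
]


def audit_accounts(accounts, today):
    """Return {user: [findings]} for enabled accounts with a credential gap."""
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account rejects every login, old password or not
        findings = []
        if not acct["mfa"]:
            findings.append("no MFA")
        if (today - acct["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password older than limit")
        last = acct["last_sign_in"]
        if last is None or (today - last).days > MAX_INACTIVE_DAYS:
            findings.append("inactive but still enabled")
        if findings:
            report[acct["user"]] = findings
    return report


def password_only_exposure(report):
    """Accounts where an old stolen password alone would still be enough."""
    return sorted(user for user, findings in report.items()
                  if "no MFA" in findings and "password older than limit" in findings)


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the sample output is repeatable
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, today).items():
        print(f"{user}: {', '.join(findings)}")
```

Accounts returned by `password_only_exposure` are the ones to fix first, since they match the pattern in the incident: an old password and nothing else standing in the way.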
