Six identity takeaways from 2024’s cyber blunders and breaches

2024’s Breach Wake-Up Call: Takeaways from a Year of Cyber Blunders and Breaches

The biggest breaches of 2024 taught us one thing: identity is at the heart of modern cyberattacks. From the MOVEit hack to advanced phishing campaigns, attackers exploited weak spots in identity systems to cause chaos.

This list, built exclusively from expert insights, research, and real-world examples from SC Media over the past 12 months, highlights the key lessons every organization needs to know. Experts shared practical advice on what went wrong—and how to fix it.

Top 6 Lessons from 2024 Breaches

1. Default Credentials Are Still an Issue

Default credentials continue to be exploited by attackers. The MOVEit breach of 2023, which persisted into 2024, underscored this issue. Hackers exploited vulnerabilities and poorly managed credentials in the file transfer software, impacting over 1,000 organizations and exposing sensitive employee directories. The breach revealed that some third-party software providers fail to enforce basic security hygiene, such as changing default credentials, leaving systems vulnerable.

“It’s not just about the credentials you manage—it’s about ensuring your third-party vendors and partners do the same,” said Michael Farnum, advisory CISO at Trace3, during a webinar on identity resilience.

2. Attackers Target High-Risk Users

Increased attacks on high-risk users—executives, IT admins, and third-party vendors—were a defining trend in 2024. During a webinar, CyberArk’s Khizar Sultan noted that attackers now focus on high-risk users because they are weaker security links.

“The thing being attacked the most is users, not systems. These users have broader access to high-value assets, making them ideal targets for phishing and malware campaigns,” Sultan explained.

An example of this shift can be seen in the exploitation of privileged users during the MOVEit breach. Attackers used phishing and social engineering tactics to compromise vendor credentials, then escalated privileges to access critical systems.

3. Social Engineering Works Too Well

Despite technical defenses like MFA, social engineering remains devastatingly effective. The MGM Resorts breach in 2023 is a case in point. Hackers tricked a help-desk employee into resetting MFA on a privileged user’s account, allowing attackers to bypass multiple security layers. This incident highlighted the necessity of robust identity awareness training for employees.

“Social engineering is so effective because it preys on human tendencies, not just technological vulnerabilities,” said Jim Desmond, chief security officer at Asurion.

Additionally, in a CyberRisk Alliance survey, respondents ranked social engineering as one of the top causes of breaches, showing that human error is often exploited more than system flaws.


4. Multi-Layered Defense Is a Must


Single-layer defenses like basic MFA are no longer enough. In the “State of Identity 2024” report, organizations that adopted multi-layered security—including zero trust frameworks, behavioral analytics, and phishing-resistant MFA—were significantly better at mitigating breaches. Behavioral analytics, for example, flagged anomalous logins that traditional tools missed, enabling organizations to react before damage was done.

“Resilience isn’t just about blocking the first attempt. It’s about detecting the next one and adapting in real time,” explained Adrian Sanabria, host of Enterprise Security Weekly, during a webinar on identity resilience.

The effectiveness of multi-layered strategies was evident in organizations that thwarted follow-on attacks during the MOVEit and Okta breaches, thanks to such layered approaches.

5. Third-Party Access Is a Backdoor

The MOVEit breach revealed how third-party software and vendors are often overlooked in security planning. Hudson Rock researchers noted how the breach exposed detailed employee directories, including Amazon’s, through compromised third-party systems.

“It’s not enough to secure your environment; you also have to account for the vendors and their security practices,” emphasized Jeff Reich, executive director of the Identity Defined Security Alliance.

This lesson resonates with Desmond’s observation: “You’re not just managing your identity anymore; you’re also managing the identities of your partners, contractors, and even the software they use,” he said during the webinar “Key Identity Guidance for Late 2024 and Early 2025.”

6. Recovery Is the Weakest Link

Recovery times for breaches were alarmingly slow in 2024. Many organizations lacked identity recovery protocols, resulting in operational disruptions and reputational damage. For instance, the MOVEit breach left affected companies scrambling to contain the fallout, with recovery taking weeks in some cases.

“We’ve spent so long preventing breaches that we’ve neglected what happens when the worst occurs,” said MightyID’s Steinke during a discussion on identity resilience. “The ability to operate in a degraded state and recover quickly must be part of every organization’s IAM strategy.”

The CyberRisk Alliance survey, published in The State of Identity 2024, revealed that only 27% of respondents were highly confident in their organization’s ability to recover from breaches, highlighting how unprepared most businesses are.

These Lessons Matter

Each of these lessons points to critical gaps in current IAM strategies. The MOVEit breach, phishing campaigns, and reliance on high-risk users emphasize the need for layered defenses, improved recovery plans, and tighter third-party access controls. By learning from these incidents, organizations can fortify their identity strategies for 2025 and beyond.
