Cisco Cyberattack Update 😬
Cisco has confirmed that it was the victim of a cyberattack and data raid, just hours after a ransomware group published a partial list of supposedly stolen files on the dark web. The tech giant said it discovered the compromise on May 24; an internal investigation revealed that an employee had been tricked into handing over sensitive information.
Here's how it went down:
1. The hacker gained access to a Cisco employee's personal Gmail account. That Gmail account had saved credentials for the Cisco VPN.
2. The VPN required MFA for authentication. To bypass this, the hacker combined MFA push spamming (sending repeated MFA prompts to the user's phone) with voice phishing, calling the user while impersonating Cisco IT support.
3. After connecting to the VPN, the hacker enrolled new devices for MFA. This removed the need to spam the user on every login and allowed them to log into the network and begin moving laterally.
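The chain above (a burst of unanswered pushes, one approval, then a new MFA device enrolled minutes later) leaves a distinctive trace in identity-provider logs. The following is an added detection example, not code from the original post or from Cisco; it assumes a generic event feed with the fields `ts`, `user`, `event` and `result` as shown in the constructed sample (real IdP logs use their own field names), and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). jdoe: five unanswered/denied pushes in
# seven minutes, one approval, then a new MFA device enrolled eight minutes later.
# asmith: a single approved push and a routine enrollment half an hour later.
SAMPLE_LOG = [
    {"ts": "2024-01-15T02:10:05Z", "user": "jdoe", "event": "mfa_push", "result": "timeout"},
    {"ts": "2024-01-15T02:11:40Z", "user": "jdoe", "event": "mfa_push", "result": "timeout"},
    {"ts": "2024-01-15T02:13:02Z", "user": "jdoe", "event": "mfa_push", "result": "denied"},
    {"ts": "2024-01-15T02:14:30Z", "user": "jdoe", "event": "mfa_push", "result": "timeout"},
    {"ts": "2024-01-15T02:16:11Z", "user": "jdoe", "event": "mfa_push", "result": "timeout"},
    {"ts": "2024-01-15T02:17:45Z", "user": "jdoe", "event": "mfa_push", "result": "approved"},
    {"ts": "2024-01-15T02:25:30Z", "user": "jdoe", "event": "mfa_device_enrolled", "result": "success"},
    {"ts": "2024-01-15T09:00:12Z", "user": "asmith", "event": "mfa_push", "result": "approved"},
    {"ts": "2024-01-15T09:30:00Z", "user": "asmith", "event": "mfa_device_enrolled", "result": "success"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by the (assumed) event feed."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_push_fatigue(events, window=timedelta(minutes=10), min_failed=4):
    """One alert per user whose approved push was preceded, inside `window`,
    by at least `min_failed` pushes that timed out or were denied."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["result"]))
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (t, result) in enumerate(pushes):
            if result != "approved":
                continue
            failed = [pt for pt, r in pushes[:i] if r != "approved" and t - pt <= window]
            if len(failed) >= min_failed:
                alerts.append({"user": user, "approved_at": t,
                               "failed_pushes": len(failed), "severity": "medium"})
                break  # one alert per user is enough for this illustration
    return alerts


def escalate_on_enrollment(events, alerts, max_gap=timedelta(hours=1)):
    """Raise severity when the same user enrols a new MFA device within
    `max_gap` of a fatigue-pattern approval: that is the step that makes
    the foothold persistent and removes the need for further push spam."""
    enrollments = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_device_enrolled" and e["result"] == "success":
            enrollments[e["user"]].append(parse_ts(e["ts"]))
    for a in alerts:
        for t in enrollments.get(a["user"], []):
            if timedelta(0) <= t - a["approved_at"] <= max_gap:
                a["severity"] = "high"
                a["enrolled_at"] = t
                break
    return alerts


def analyze(events):
    """Full pipeline: fatigue detection, then enrollment-based escalation."""
    return escalate_on_enrollment(events, detect_push_fatigue(events))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The two stages are kept separate on purpose: a push burst alone is worth a medium-severity ticket (the user may simply have tapped through a misfire), while a burst followed by a new enrollment is the pattern that warrants revoking the session and the newly enrolled device. A routine enrollment with no preceding burst, like asmith's, produces nothing.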
This is why I recommend never saving passwords in browsers and requiring 2FA on every device used for work, including personal devices. I'm also an advocate for paying employees a stipend for the use of their personal devices, which in turn makes requiring 2FA on those devices a reasonable condition.