Troy Hunt — founder of Have I Been Pwned, and the person who has probably collected more breach data than anyone in history — joined Push field CTO Mark Orlando to talk about why credential-based attacks keep working, what breach data actually tells us about organizational risk, and why even the best human defenses aren't enough on their own.
The thread running through the whole conversation was identity: how attackers get it, why defenders struggle to protect it, and what the current generation of attacks means for security teams that thought they'd solved the credential problem.
1. Compromised credentials are everywhere, and most organizations can't tell which ones matter
The scale of enterprise identity is the backdrop for the entire conversation. The average employee maintains around 15 SaaS accounts, and only a fraction of those sit behind SSO. Of the last million logins observed by Push, 1 in 4 were password-based rather than SSO, 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. That's the starting posture — before you even account for how many of those credentials have already been stolen.
Troy's data suggests the answer is: most of them. "We know credential reuse is massive," he said. "We know attackers get credentials from one data breach and then they go along and they try them on all sorts of different services, and now you've got one data breach leading to multiple account takeovers." His service now holds billions of email addresses, monitors 400,000 domains including more than half the Fortune 500, and sends millions of breach notifications every year.
The problem compounds because, as Troy put it, "data never really dies." Employees leave, but their credentials persist in breach datasets and across the SaaS apps they signed up for during their tenure. When an organization pulls its breach exposure data, a significant proportion of what comes back is noise — departed employees, fabricated email addresses, accounts for services that were never sanctioned. Mark described the operational reality: getting a notification that an email address has appeared in a breach "can be very helpful context, but can also be a recipe for spending some time only to find out that maybe that person left two years ago."
The proof is in the breaches. The Snowflake incident was the watershed example — 80% of the compromised accounts had prior breach exposure in datasets dating back to 2020, but without MFA enforcement and without visibility into which credentials were actively in use, those warnings went unanswered while attackers walked in through the front door. The accounts still had local, password-based logins enabled — ghost logins that persisted even in environments that thought they'd moved to SSO.
Push's approach is to match breach intelligence against observed login behavior — correlating stolen credential feeds with the authentication events Push sees in the browser, so that a compromised credential only generates an alert when someone is actively logging in with it. That eliminates 99% of the false positives that make raw breach feeds so painful to operationalize, and turns a low-fidelity data source into something security teams can actually act on.
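To make the two preceding points concrete, here is a small added example (not Push's code or Troy's) of the correlation described above: a raw breach feed produces one alert per exposed address, departed employees and fabricated addresses included, whereas correlating the feed with observed login events raises an alert only when a breached credential is actually presented in a local password login. The breach feed, directory and login events are all constructed sample data; the "ghost login" flag for addresses missing from the directory is this example's own convention.

```python
from dataclasses import dataclass

# Constructed sample data, not real breach records or Push telemetry.
BREACH_FEED = {                   # email -> year the credential first appeared in a breach
    "alice@example.com": 2020,
    "bob@example.com": 2021,
    "carol@example.com": 2019,    # left the company; her credential never left the feed
    "noreply@example.com": 2022,  # fabricated address with no real account behind it
}
ACTIVE_DIRECTORY = {"alice@example.com", "bob@example.com", "dave@example.com"}

@dataclass(frozen=True)
class LoginEvent:
    email: str
    app: str
    method: str   # "password" (local login) or "sso"
    mfa: bool
    ts: str

# Constructed browser-observed login events.
LOGINS = [
    LoginEvent("alice@example.com", "crm.example", "password", False, "2025-05-01T09:12Z"),
    LoginEvent("bob@example.com", "hr.example", "sso", True, "2025-05-01T09:20Z"),
    LoginEvent("dave@example.com", "wiki.example", "password", True, "2025-05-01T10:02Z"),
    LoginEvent("carol@example.com", "crm.example", "password", False, "2025-05-01T11:30Z"),
]

def raw_feed_alerts(feed):
    """Baseline: a raw breach feed raises one alert per exposed address, noise included."""
    return sorted(feed)

def correlated_alerts(feed, logins, directory):
    """Alert only when a breached credential is actively used in a local password login.
    SSO logins are skipped (the breached password was not what was presented) and exposed
    addresses with no login activity never surface. A password login by an address that is
    missing from the directory is kept and flagged as a possible ghost login, not suppressed."""
    alerts = []
    for ev in logins:
        if ev.method != "password" or ev.email not in feed:
            continue
        alerts.append({
            "email": ev.email, "app": ev.app, "ts": ev.ts,
            "breach_year": feed[ev.email],
            "mfa": ev.mfa,                          # False -> plain credential-based ATO risk
            "in_directory": ev.email in directory,  # False -> departed user still logging in
        })
    return alerts

def auth_posture(logins):
    """Share of observed logins that are password-based and share lacking MFA."""
    n = len(logins)
    return {"password_share": sum(e.method == "password" for e in logins) / n,
            "no_mfa_share": sum(not e.mfa for e in logins) / n}
```

On this sample the raw feed yields four alerts and the correlation yields two, one of them a password login without MFA by an address no longer in the directory.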
2. Attacks aren't slowing down — they're industrializing
With that many vulnerable credentials sitting in circulation, the question is how easily attackers can exploit them — and the answer, as Troy described it, is easier than ever. "There's almost like the democratization of hacking tools," he said. "When you get all of these things as a service — phishing as a service, ransomware as a service — you don't need to be particularly technically smart if you can go and pay someone else for access to their infrastructure."
The criminal tooling ecosystem now mirrors legitimate SaaS: turnkey platforms with tiered pricing, customer support, and continuous development cycles. Phishing-as-a-Service kits like Tycoon2FA — responsible for 62% of phishing blocked by Microsoft — offer turnkey AiTM infrastructure that intercepts session tokens in real time and bypasses MFA out of the box. The kits are also converging: AiTM platforms are adding device code phishing modules, credential harvesting kits are adding session token capture, and 60–70% of phishing attacks now originate from PhaaS platforms. The sophistication of the attack no longer reflects the sophistication of the attacker.
As Troy said: "If you look at this through the lens of the moral neutrality of technology, that rising tide lifts all boats. And some of those boats are criminals who can now do things easier than before."
3. You don't need to be a hacker to breach a Fortune 100 company
One of the most striking threads in the conversation was Troy's observation about who is actually behind these breaches — and how little technical sophistication they bring to the table. "The average age of people that are being arrested for a lot of these data breach style activities is around about 19," he said. "Fortune 100 companies are being breached by a kid in his bedroom. That is wild."
The leverage is disproportionate precisely because the attacks don't require deep technical skill. "A lot of the attacks lately have been social engineering attacks," Troy continued, noting with parental familiarity that "kids are great at social engineering — if you've got kids, you know how good they are at social engineering."
The ShinyHunters ecosystem — the group Troy and Mark discussed as the dominant threat actor at the time of recording — exemplifies this pattern. They're getting into Salesforce instances via voice phishing, not through zero-day exploits, and the tooling behind their campaigns is industrialized enough that Push's research team was able to infiltrate one of their criminal phishing panels and observe real-time victim targeting across four distinct infrastructure clusters and over 400 linked domains. Our analysis of the Instructure breach broke down the three core techniques behind these campaigns — credential phishing, AiTM attacks, and account takeover — none of which require particular technical sophistication to execute.
The reproducible playbook Troy described is an identity attack pattern, not a software vulnerability. "Once you do get a group that manages to find a reproducible pattern to gain access to these things, the same pattern is used by so many different organizations." And identity attacks scale precisely because they target the weakest link in the chain: the way people actually log in.
4. Your attack surface is bigger than your org chart
Troy connected the credential problem to the broader reality of modern enterprise architecture: the attack surface isn't defined by your systems anymore — it's defined by every external dependency your employees touch. "We're seeing attacks against the likes of Okta, because obviously Okta holds identity," he said. "Salesforce, a couple of years ago it was things like Snowflake — these external dependencies, and then you have so many different entry points into them."
When Troy tried to describe the resulting complexity, the metaphor was telling: "If you put all of this up on the board, sort of like crime fighter style and you draw the lines between everything, it's just an absolute spider web of interdependencies and access rights."
Mark made the point that the attack chain itself has shifted accordingly: "The first part of the attack, the infostealer, might not even be something that happened in your environment. You're just gonna see the tail end of that attack chain." An employee's credentials get harvested from a personal device, sit in a criminal marketplace for months, and then get used to log into a SaaS app that your IdP doesn't even know exists — because the employee signed up with their corporate email and a reused password. With the average employee maintaining around 15 SaaS accounts, the organizational identity surface extends far beyond what any single IdP directory shows, and most of it is completely unmanaged.
This is the identity surface area Push is built to make visible: shadow SaaS discovered through actual login events, authentication methods observed at the point of login, and the gap between what your IdP thinks is happening and how people are actually authenticating.
5. Even Troy Hunt got phished, showing the need for stronger technical protections, not just more awareness training
Troy recounted the story of his own phishing incident. "My password out of 1Password got phished. My OTP out of 1Password got phished because it was a phishable form of 2FA," he said. "And as a result, my mailing list got exposed. So I had to put my own mailing list into Have I Been Pwned and then email all my subscribers, which was, to be honest, slightly embarrassing."
If the person who runs Have I Been Pwned — someone who has spent over a decade immersed in breach data and credential security — can get phished, the lesson clearly isn't "pay more attention." Troy was explicit about the takeaway: "It reinforces the need for technical controls that are separate and complementary to the human controls. In my own case, the human controls broke down. Unfortunately there weren't sufficient technical controls in order to save me from myself."
Mark pushed the point further during the Q&A: "Expecting users, even well-educated ones, even security practitioners, to be able to differentiate — I think that's just not a reasonable expectation." When phishing arrives from legitimate domains via notification pipeline abuse, from compromised contacts on LinkedIn, and from sponsored Google search results, the signals users were trained to look for simply don't exist anymore. Training remains valuable as a layer, but the structural argument for technical controls inside the browser was reinforced throughout the session.
6. MFA is necessary but it's not the finish line
Both speakers returned to MFA multiple times, and the consensus was clear: any MFA beats no MFA, but treating it as a solved problem is dangerous. Troy was direct: "You can have the world's best non-phishable 2FA. But an infostealer gets you cookie material and they can replay that and it had browser fingerprints and things in it as well, then you've still got a problem."
Mark reinforced this: "We're seeing a lot of post-authentication attacks — session hijacking, consent attacks — where you can have the strongest authentication methods available, but if you're sidestepping or doing a post-authentication action, that's really not gonna matter." And with 2 in 5 logins observed by Push still lacking MFA at all, many organizations haven't yet reached the baseline where post-authentication attacks are even the primary concern — they're still exposed to straightforward credential-based compromise at scale.
Push addresses both halves: MFA enforcement guardrails surface where MFA is missing and guide users toward enrollment, while session hijacking detection and authorization attack protections — including device code phishing detection and OAuth consent monitoring — catch the post-authentication attacks MFA was never designed to stop.
7. The ClickFix-to-infostealer-to-account takeover flywheel
The final thread that ran through the conversation was the self-reinforcing nature of the modern attack chain. Mark laid out the cycle explicitly: "ClickFix to infostealer to account takeover, which results then in maybe more ad account takeover, so we distribute more ClickFix and it just kind of has this compounding effect."
This isn't a linear attack path — it's a flywheel. ClickFix silently injects a malicious command into the victim's clipboard and instructs them to paste and execute it, delivering infostealer malware that harvests credentials and session tokens from the browser. Those stolen credentials fuel credential stuffing attacks across every SaaS app the victim has accounts on — particularly apps with ghost logins where local password-based authentication still works even after SSO was configured. Compromised advertising and social media accounts are then used to distribute more ClickFix lures through Google search results, malvertising, and compromised websites, and the cycle starts again.
The scale compounds with every rotation, and the numbers suggest the flywheel is already spinning fast — 54% of all ransomware attacks in 2025 traced back to infostealer-enabled credential theft, and ClickFix was identified as the most common initial access vector by Microsoft last year.
Push breaks the chain at multiple points: detecting ClickFix clipboard injection before the payload reaches the endpoint, identifying stolen credentials when they're actively used in login attempts, flagging accounts missing MFA, and detecting session hijacking when stolen tokens are replayed outside the protected browser.
The bigger picture
The conversation with Troy reinforced something we see in our own data every day: the credential problem isn't just an awareness problem, and better technical controls are needed. Organizations know credentials get compromised, they subscribe to breach notification services, and they run security awareness training, but without the ability to match that intelligence against what's actually happening in the browser — which credentials are in active use, which accounts lack MFA, which logins bypass SSO entirely — the gap between knowing about a compromised credential and being able to do anything about it remains vast.
Troy's work at Have I Been Pwned has made that gap more visible than anyone else could, and the conversation is worth watching in full for the practitioner-level detail he brings to a problem most organizations are still underestimating.
Watch the full webinar for the complete conversation — or book a demo to see how Push turns credential intelligence into actionable detections.
