TL;DR

Major identity breaches disclosed by Microsoft and Vercel in April 2026 prove that attackers are not cracking MFA; they are bypassing it entirely by stealing OAuth tokens, abusing device-code flows, and weaponising supply-chain trust. Australian SMBs must move beyond basic MFA and start monitoring sessions, auditing third-party app permissions, and hardening help-desk verification.

The Tactic Shift: From Cracking Passwords to Stealing Sessions

Multi-factor authentication has long been treated as the finish line for identity security. But the breaches of 2025 and 2026 show a clear shift: attackers no longer waste effort brute-forcing passwords when they can simply hijack the session that MFA already approved. Two high-profile incidents from April 2026 demonstrate how trust chains—not passwords—are the new target.

Case Study 1: Microsoft EvilTokens and AI-Enabled Device Code Phishing

In April 2026, Microsoft’s security research team disclosed a widespread phishing campaign that weaponised the legitimate OAuth device-code authentication flow. Traditionally, device codes expire after fifteen minutes. The attackers bypassed this limitation by using automated infrastructure on platforms like Railway.com to generate dynamic device codes at the exact moment a victim clicked a phishing link.

Generative AI produced hyper-personalised lures—invoices, RFPs, and manufacturing workflows—tailored to each victim’s role. When the user entered the code on a legitimate Microsoft login page, they unknowingly authorised the attacker’s session. Because the authentication was decoupled from the victim’s original device, MFA was satisfied without being bound to the user’s real context. Post-compromise, the attackers abused the Microsoft Graph API to map organisational permissions and created malicious inbox rules for persistence.

This campaign marks an evolution of the phishing-kit tradecraft pioneered by EvilProxy and Tycoon, automated end-to-end and scaled with AI.

Case Study 2: The Vercel OAuth Supply Chain Cascade

On 19 April 2026, Vercel confirmed that attackers had breached its internal systems via a compromised third-party AI service, Context.ai. A Lumma Stealer malware infection at Context.ai exfiltrated Google Workspace OAuth tokens for a Vercel employee. OAuth tokens do not require a password and often survive password rotations.

Using the stolen token, the attacker accessed the employee’s Google Workspace account, pivoted into Vercel’s internal environment, and read environment variables that were not explicitly classified as "sensitive." While encrypted secrets remained protected, the incident exposed enough metadata to enable lateral movement. Vercel CEO Guillermo Rauch publicly assessed the attacker’s velocity as "very likely significantly accelerated by AI."

This is the same trust-chain collapse seen in earlier incidents like the Storm-0558 Microsoft key compromise and the Okta customer support breaches: when a trusted intermediary is compromised, MFA cannot defend against an attacker riding legitimate, pre-approved tokens.

The Common Thread: MFA Bypass via Trust Abuse

Whether through Scattered Spider-style help-desk social engineering, stolen OAuth tokens, or automated device-code abuse, the pattern is identical. Attackers are not defeating MFA; they are defeating the trust assumptions around it. MFA validates identity at the point of login. It does not protect against stolen sessions, over-permissive OAuth grants, or a help-desk operator tricked into resetting an executive’s credentials.

Three SMB-Scale Defences

You do not need an enterprise SOC to close these gaps. Implement these controls this week:

1. Help-Desk Verification Protocols. Eliminate single-channel password or MFA resets. Every identity-related request must be verified out-of-band—via a pre-registered manager mobile number, video call, or in-person confirmation. Treat "I lost my MFA" phone calls with extreme scepticism; pre-texting is the primary tactic of groups like Scattered Spider.

2. Number Matching and Phishing-Resistant MFA. Replace simple push-notification approvals with number matching, or better yet, FIDO2 passkeys. Number matching forces the user to enter a code from the login screen into their authenticator app, preventing blind approvals of attacker-initiated flows. Passkeys bind credentials to the origin, rendering token theft and replay attacks useless.

3. Session Token Protection and Admin Activity Alerting. Audit OAuth grants quarterly. Revoke any third-party app with broad, unused permissions to email, files, or admin consoles. Set conditional access policies to terminate sessions from impossible locations or non-compliant devices. Alert on Graph API reconnaissance, mass inbox-rule creation, and non-standard IP ranges accessing admin portals. Tokens should be short-lived; if your provider does not support automatic expiration, enforce manual rotation every ninety days.
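The alerting described in defence 3, together with the device-code sign-ins from case study 1, as an added example that is not part of the original post. The event field names (authenticationProtocol, Operation), the office IP range and the admin-app names are assumptions, and every event below is constructed rather than taken from a real log.

```python
# Added example: a small detector for three patterns the article names, run over
# constructed Entra-style sign-in events and Exchange audit events. Field names
# are assumptions modelled on those logs, not a verified schema.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real log data).
SIGNINS = [
    {"user": "cfo@example.com.au", "time": "2026-04-20T09:02:00", "ip": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "app": "Microsoft Graph"},
    {"user": "ops@example.com.au", "time": "2026-04-20T09:05:00", "ip": "198.51.100.9",
     "authenticationProtocol": "authorizationCodeFlow", "app": "Azure Portal"},
    {"user": "ops@example.com.au", "time": "2026-04-20T09:06:00", "ip": "192.0.2.44",
     "authenticationProtocol": "authorizationCodeFlow", "app": "Office 365"},
]
AUDIT = [
    {"user": "cfo@example.com.au", "time": "2026-04-20T09:10:00", "Operation": "New-InboxRule"},
    {"user": "cfo@example.com.au", "time": "2026-04-20T09:11:00", "Operation": "New-InboxRule"},
    {"user": "cfo@example.com.au", "time": "2026-04-20T09:12:00", "Operation": "New-InboxRule"},
    {"user": "ops@example.com.au", "time": "2026-04-20T11:00:00", "Operation": "New-InboxRule"},
]
OFFICE_RANGES = [ip_network("192.0.2.0/24")]   # assumed corporate egress range
ADMIN_APPS = {"Azure Portal", "Microsoft 365 admin center"}   # assumed admin portals

def detect(signins, audit, rule_threshold=3, window=timedelta(minutes=10)):
    """Return alert strings for device-code sign-ins, admin-portal access from
    unknown ranges, and mass inbox-rule creation by one user inside one window."""
    alerts = []
    for s in signins:
        # Device-code sign-ins are rare for interactive users; review every one.
        if s["authenticationProtocol"] == "deviceCode":
            alerts.append(f"device-code sign-in: {s['user']} from {s['ip']}")
        # Admin portals reached from outside the known office ranges.
        if s["app"] in ADMIN_APPS and not any(ip_address(s["ip"]) in n for n in OFFICE_RANGES):
            alerts.append(f"admin portal from unknown range: {s['user']} from {s['ip']}")
    per_user = defaultdict(list)
    for e in audit:
        if e["Operation"] == "New-InboxRule":
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    for user, times in per_user.items():
        times.sort()
        # Sliding window: rule_threshold rules whose first and last are <= window apart.
        for i in range(len(times) - rule_threshold + 1):
            if times[i + rule_threshold - 1] - times[i] <= window:
                minutes = int(window.total_seconds() // 60)
                alerts.append(f"mass inbox-rule creation: {user} ({rule_threshold} rules in {minutes} min)")
                break
    return alerts
```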

FAQ

If we have MFA, how did these attacks still succeed? The attackers bypassed MFA rather than breaking it. By stealing OAuth tokens, tricking users into device-code flows, or socially engineering help desks, they obtained sessions that had already passed authentication. The login was legitimate; the session simply belonged to the attacker.

Are Australian SMBs actually targets for this level of sophistication? Yes. Phishing-as-a-Service kits like EvilTokens and EvilProxy have commoditised these tactics. Criminals purchase subscriptions and target businesses indiscriminately. SMBs are preferred because they often hold valuable financial and customer data without dedicated security teams to monitor abuse.

What is number matching, and do we need it? Number matching is an MFA method where your login screen displays a two-digit number you must enter into your authenticator app to approve the sign-in. It prevents "MFA fatigue" attacks where users reflexively tap "Approve." If you use Microsoft Authenticator or similar enterprise tools, enable it immediately.

How do we audit our OAuth apps and third-party integrations? Export a list of all apps connected to Google Workspace, Microsoft 365, or your identity provider. Review their access scopes: does a calendar plugin need access to all emails? If an app has not been used in ninety days, revoke it. Treat every dormant OAuth grant as an exposed credential.
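The dormancy and scope review described in this answer, as an added example that is not part of the original post. The export format, the scope names and the ninety-day threshold usage are assumptions; real exports from Google Workspace or Microsoft 365 use their own column names and scope strings.

```python
# Added example: classify third-party OAuth grants from a constructed export
# into "revoke" (dormant) and "review" (active but broadly scoped).
from datetime import date

# Constructed sample export; last_used None means the grant was never exercised.
GRANTS = [
    {"app": "Calendar Helper", "scopes": ["calendar.readonly", "mail.readwrite"],
     "last_used": date(2026, 4, 1)},
    {"app": "Old Survey Tool", "scopes": ["profile"], "last_used": date(2025, 11, 3)},
    {"app": "Backup Sync", "scopes": ["files.readwrite.all"], "last_used": None},
    {"app": "Team Chat", "scopes": ["profile", "openid"], "last_used": date(2026, 4, 18)},
]
TODAY = date(2026, 4, 20)   # assumed audit date

# Scope fragments treated as broad: email, files, admin consoles, directory data.
BROAD_MARKERS = ("mail", "files", "admin", "directory")

def is_broad(scope):
    return any(m in scope.lower() for m in BROAD_MARKERS)

def audit_grants(grants, today, dormant_days=90):
    """Return (action, app, reason) triples; action is 'revoke' or 'review'."""
    findings = []
    for g in grants:
        broad = [s for s in g["scopes"] if is_broad(s)]
        days_idle = None if g["last_used"] is None else (today - g["last_used"]).days
        dormant = days_idle is None or days_idle > dormant_days
        if dormant:
            # A dormant grant is an unattended credential: revoke regardless of scope.
            reason = "never used" if days_idle is None else f"unused for {days_idle} days"
            findings.append(("revoke", g["app"], reason))
        elif broad:
            # Active but over-scoped: confirm the app needs each broad scope it holds.
            findings.append(("review", g["app"], "broad scopes: " + ", ".join(broad)))
    return findings
```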

Conclusion

The identity perimeter is no longer at the password field. It is inside the OAuth grant, inside the session token, and inside the help-desk call log. The breaches of April 2026 demonstrate that MFA alone is insufficient when AI-enhanced attackers abuse trust chains. Australian SMBs must adopt phishing-resistant authentication, aggressive session monitoring, and zero-trust OAuth hygiene before their names appear in the next headline.

Book a free cybersecurity assessment today at consult.lil.business.

References

  1. Microsoft Security Blog. "Inside an AI-enabled device code phishing campaign." (2026). https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
  2. Trend Micro Research. "The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables." (2026). https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html
  3. Australian Cyber Security Centre (ACSC). "Multi-factor authentication." https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/mfa

TL;DR

  • A website called CarGurus had 12.4 million customer records stolen and published online
  • This happened because hackers found a way to break into their computer systems
  • It teaches us that when we share information with companies, we're trusting them to keep it safe
  • Businesses need to be careful about which companies they share customer data with

What Is a Data Breach?

Imagine you write a secret note and give it to a friend to keep safe. You trust your friend to hide it where nobody else can find it.

A data breach is like someone breaking into your friend's house and finding that secret note. Now your secret isn't secret anymore.

When businesses use computers to store customer information — things like names, addresses, phone numbers, and email addresses — they have to keep it safe from hackers. A data breach happens when hackers break in and steal that information.

What Happened at CarGurus?

CarGurus is a website where people go to buy and sell cars. It's like a big online car marketplace where millions of people search for vehicles, compare prices, and apply for loans.

In February 2026, a group of hackers called ShinyHunters broke into CarGurus' computer systems and stole information about 12.4 million customers [1]. That's more people than live in entire countries like Switzerland or Austria!

The stolen information included:

  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Some financing information [2]

Then the hackers did something scary: they published all this information online, where anyone could see it.

Why This Matters for Your Business

If you run a business, you probably share customer information with other companies. Here are some examples:

  • Payment processors like Stripe or PayPal handle credit card information
  • Email marketing tools like Mailchimp store customer email addresses
  • CRM software like Salesforce keeps customer contact details
  • Industry platforms might share customer data with partners

When you share information with these companies, you're trusting them to keep it safe. If one of them gets hacked — like CarGurus did — your customers' information could be exposed too.

Think of it like lending your favorite book to a friend. If your friend leaves it on the bus and someone steals it, that's not your fault — but you've still lost your book.

The "Key Under the Mat" Problem

Imagine you hide a spare key to your house under the doormat in case you lock yourself out. It's convenient, but it also means anyone who finds that key can get inside.

Many businesses share customer information with lots of different companies because it's convenient. Each company is like another key under the mat. The more keys you have, the more chances someone has to find one and break in.

Here's why this is risky:

You can't control someone else's security. You might have excellent locks on your doors, but if you give a key to someone who leaves theirs under a flowerpot, your house still isn't secure.

You might not know when something goes wrong. If a company you work with gets hacked, you might not find out until weeks or months later.

Your customers trust you, not your vendors. When customers give you their information, they're trusting YOU to keep it safe — even if you end up sharing it with other companies.

How to Protect Your Customers

You can't eliminate all risk — doing business online means sharing information sometimes. But you CAN be smart about which companies you trust with customer data.

Choose Partners Carefully

Before sharing customer information with any company, ask yourself:

  • Do they really need this information to do their job?
  • What happens to the information when they're done with it?
  • Have they had security problems before?
  • Do they have security certifications (like SOC 2 or ISO 27001)?

Share Only What's Necessary

If a newsletter service only needs email addresses, don't give them phone numbers too. If a payment processor only needs billing addresses, don't give them customer birthdays.

Think of it like this: if you're hiring a dog walker, you give them a key to your house — but not the code to your safe. They only need access to what they're actually helping with.

Make a Plan Before Something Happens

Waiting until after a breach happens to figure out what to do is like waiting until your house catches fire to buy a smoke detector.

Have a plan ready:

  • Which customers do we need to notify?
  • What do we tell them?
  • How do we help them protect themselves?
  • Who is responsible for what?

What Your Customers Can Do

If your customers' data was exposed in a breach (like the CarGurus one), here's what they should do:

  1. Change their passwords — especially if they used the same password on multiple websites
  2. Enable two-factor authentication — this adds an extra layer of security, like requiring both a password and a code sent to their phone
  3. Watch for suspicious messages — hackers might use stolen information to send fake emails or texts pretending to be from real companies
  4. Check their credit reports — if financial information was stolen, they should look for any accounts or loans they didn't open

The Big Lesson

The CarGurus breach teaches us something important: when you share information with another company, their security becomes YOUR security problem.

You wouldn't hand your wallet to someone you don't know and walk away. So be careful about which companies you hand your customers' information to — and what information you share.

Because when something goes wrong, your customers will look to YOU, not the company you trusted.

FAQ

A data breach is when hackers break into a company's computer systems and steal information. It's like a burglar breaking into a house and stealing valuable items.

Hackers can use stolen information to pretend to be other people, access their accounts, or trick them into giving away more information (like passwords or bank details). They can also sell the information to other criminals.

Look for security certifications like SOC 2 or ISO 27001, ask about their security practices, and check if they've had breaches before. Companies that take security seriously will be happy to talk about it.

Change your passwords, enable two-factor authentication, watch for suspicious messages, and consider freezing your credit reports if financial information was exposed.

Not really — most businesses need to use some third-party services to operate. The goal is to choose carefully and share only what's necessary, not to eliminate all third parties.

References

[1] eSecurity Planet, "12.4 Million Accounts Exposed in CarGurus Leak," eSecurity Planet, March 2026. [Online]. Available: https://www.esecurityplanet.com/threats/12-4-million-accounts-exposed-in-cargurus-leak/

[2] Have I Been Pwned, "CarGurus Data Breach," Have I Been Pwned, 2026. [Online]. Available: https://haveibeenpwned.com/Breach/CarGurus

[3] BleepingComputer, "CarGurus Data Breach Exposes Information of 12.4 Million Accounts," BleepingComputer, March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/


Choosing the right partners is part of protecting your customers. Book a consultation at consult.lil.business to build a security strategy that covers your entire business ecosystem.
