TL;DR
Your identity layer is the single most attacked surface in your business. This week, you can enforce phishing-resistant multi-factor authentication across every account, deploy single sign-on to eliminate password sprawl, audit dormant identities, and begin enforcing zero trust principles — all for roughly $5–$10 per user per month. Here is the exact playbook to do it.
Why Identity Is Your Weakest Link Right Now
The threat landscape in June 2026 makes identity compromise the number-one initial access vector for Australian businesses. A decade-old authentication bypass was just patched in phpBB. Over 400 Arch Linux packages were compromised to steal credentials and access tokens. Oracle is actively mitigating a PeopleSoft zero-day (CVE-2026-35273) exploited in credential theft attacks. Attackers are not hacking in — they are logging in.
The Australian Signals Directorate's Essential Eight lists multi-factor authentication as one of its eight core mitigation strategies. NIST SP 800-63B (the authentication volume of the SP 800-63-3 suite) requires verifier-impersonation-resistant, that is phishing-resistant, authenticators at its highest assurance level (AAL3), and classifies SMS and voice one-time codes as a restricted authenticator type. CIS Controls v8 devotes two whole controls to the problem: Control 5 (Account Management) and Control 6 (Access Control Management). Yet most SMBs still rely on passwords and SMS-based one-time codes.
Here is what you can deploy, starting Monday.
1. Enforce Phishing-Resistant MFA on Every Account
Not all MFA is equal. SMS codes, email links, app-generated codes and plain push approvals can all be captured or relayed in real time by an adversary-in-the-middle (AiTM) phishing proxy such as Evilginx, and SMS is additionally exposed to SIM-swapping. Phishing-resistant MFA (FIDO2/WebAuthn) signs a server-issued challenge that is bound to the origin the browser is actually talking to: a credential registered for your real login page produces nothing usable while the user is on a lookalike domain, so there is no code to steal and nothing a proxy can replay.
What qualifies as phishing-resistant:
- FIDO2/WebAuthn hardware keys — YubiKey 5 Series (approximately $55–$75 AUD per key, one-time cost) supports USB-A, USB-C, and NFC. Users simply tap the key during login. No codes to intercept.
- Passkeys — Platform-native FIDO2 credentials stored on devices (Touch ID, Face ID, Windows Hello). Free to deploy on devices your users already own.
- Microsoft Authenticator number matching — Not phishing-resistant, and a stopgap rather than an end state. Number matching and additional context (sign-in location and application) defeat MFA-fatigue "push bombing", but a proxy that relays the real login page still gets the prompt approved. Use it as the baseline for everyone while FIDO2 keys and passkeys roll out.
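To make the origin binding concrete, here is an added example (not code from this page or from any vendor) of the checks a relying party performs on a WebAuthn assertion before it even looks at the signature. It uses only the Python standard library; the relying-party ID example.com, the origin https://login.example.com and both assertions are constructed for illustration.

```python
"""Added example: the origin-binding checks a WebAuthn relying party performs.
Hostnames, challenge and assertions are constructed for illustration."""
import base64
import hashlib
import json
import os
from typing import Tuple

RP_ID = "example.com"                            # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed legitimate origin(s)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, user_present: bool = True,
                            user_verified: bool = True, counter: int = 1) -> bytes:
    """37 bytes the authenticator signs over: SHA-256(rpId) || flags || signCount."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_assertion(origin: str, challenge: bytes, rp_id_used: str) -> dict:
    """What navigator.credentials.get() hands back. The browser writes `origin` itself
    and only allows an RP ID that is a registrable suffix of the page's own domain, so a
    proxy on a lookalike domain can neither claim our origin nor our RP ID."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return {
        "clientDataJSON": json.dumps(client_data, separators=(",", ":")).encode(),
        "authenticatorData": make_authenticator_data(rp_id_used),
    }


def verify_assertion(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """Assertion verification steps from the WebAuthn spec, up to the signature check."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "clientDataJSON missing or not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not an allowed origin" % cd.get("origin")
    auth = assertion.get("authenticatorData", b"")
    if len(auth) < 37:
        return False, "authenticator data too short"
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = auth[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    if not flags & 0x04:
        return False, "user-verification flag not set (require it for admin sign-in)"
    # Last step, omitted here because it needs the public key stored at registration:
    # verify the signature over signed_payload(). clientDataJSON is inside that payload,
    # so a proxy cannot rewrite `origin` without invalidating the signature.
    return True, "ok"


def signed_payload(assertion: dict) -> bytes:
    """Exactly the bytes the registered public key must have signed."""
    return assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()


def demo():
    challenge = os.urandom(32)  # per-login random challenge issued by the server
    legit = make_assertion("https://login.example.com", challenge, "example.com")
    # Victim on a lookalike domain run by an AiTM proxy such as Evilginx:
    proxied = make_assertion("https://login.example-com.net", challenge, "example-com.net")
    return verify_assertion(legit, challenge), verify_assertion(proxied, challenge)


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

The proxied assertion is rejected on the origin check even though the user tapped a genuine key: the browser, not the phishing page, writes `origin` into clientDataJSON, and that JSON is part of the signed data, so the proxy can neither forward the assertion as-is nor edit it. That is also why TOTP codes and push approvals are not phishing-resistant: nothing in those flows names the site the user is actually on.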
Immediate actions this week:
- Enable MFA for all users in Microsoft Entra ID, Google Workspace, or Okta — no exceptions, including admin and shared accounts.
- Configure conditional access policies requiring phishing-resistant MFA for privileged roles (administrators, finance, executives).
- Order YubiKeys for at least your IT admins and senior leadership. Assign two per person so there is always a backup.
- Disable SMS and voice call as MFA options wherever your identity provider allows it.
Cost: Microsoft Entra ID P1 includes MFA and conditional access at $6 USD per user per month. If you already have Microsoft 365 Business Premium or E3, this is already included in your licence.
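As an added example (not this page's code and not Microsoft's), here is the Microsoft Graph request body for the privileged-role policy from the list above, together with a lint for the mistakes that usually bite: using the legacy "mfa" grant (which SMS satisfies) instead of an authentication strength, forgetting to exclude break-glass accounts, and going straight to enforced. The GUIDs are Entra's documented built-in values; confirm them in your tenant before use. Nothing is sent over the network.

```python
"""Added example: Graph request body for a Conditional Access policy requiring
phishing-resistant MFA for privileged roles, plus a lint for common mistakes.
Not Microsoft's code; GUIDs are documented built-ins, confirm them in your tenant."""
import json

# Built-in authentication strength "Phishing-resistant MFA". Fixed across tenants; confirm with
# GET /identity/conditionalAccess/authenticationStrength/policies.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs (fixed across tenants; confirm with GET /directoryRoleTemplates).
PRIVILEGED_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_policy(role_ids, break_glass_user_ids, report_only=True) -> dict:
    """Body for POST to GRAPH_POLICIES_URL. Starts in report-only so you can read the
    sign-in log for a few days before anyone is blocked."""
    return {
        "displayName": "Require phishing-resistant MFA for privileged roles",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": list(role_ids),
                "excludeUsers": list(break_glass_user_ids),  # break-glass account object IDs
            },
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],                      # NOT "mfa": that accepts any method
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def lint_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy matches the page's advice."""
    findings = []
    grant = policy.get("grantControls") or {}
    users = (policy.get("conditions") or {}).get("users") or {}
    if "mfa" in (grant.get("builtInControls") or []):
        findings.append("legacy 'mfa' grant: any registered method satisfies it, SMS included")
    if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_MFA:
        findings.append("grant does not require the built-in phishing-resistant MFA strength")
    if not (users.get("includeRoles") or users.get("includeUsers") or users.get("includeGroups")):
        findings.append("policy targets nobody")
    if not users.get("excludeUsers"):
        findings.append("no break-glass accounts excluded: one bad change can lock every admin out")
    if findings and policy.get("state") == "enabled":
        findings.append("and the policy is enforced rather than report-only")
    return findings


def create_request(policy: dict):
    """The HTTP call an admin script would make (returned here, not sent)."""
    return "POST", GRAPH_POLICIES_URL, json.dumps(policy, indent=2)


# A policy that looks fine in the portal but is not phishing-resistant and has no break-glass exclusion.
WEAK_POLICY = {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeRoles": [PRIVILEGED_ROLES["Global Administrator"]]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    good = build_policy(PRIVILEGED_ROLES.values(), ["<break-glass object id>"])
    print("good policy findings:", lint_policy(good))
    print("weak policy findings:", *lint_policy(WEAK_POLICY), sep="\n  ")
```

Run the generated body through lint_policy before you POST it, and keep a second policy that requires at least the built-in "Multifactor authentication" strength for all users so non-privileged staff are covered while their hardware keys arrive.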
2. Deploy Single Sign-On (SSO) and Kill Password Sprawl
Every separate login is a separate attack surface. When employees reuse passwords across SaaS apps, one breach exposes everything. SSO centralises authentication through a single identity provider, giving you one point of control, one audit trail, and one place to enforce MFA.
SSO platform options for Australian SMBs:
| Platform | Cost (per user/month) | Best For |
|---|---|---|
| Microsoft Entra ID P1 | ~$6 USD | Microsoft 365 shops |
| Okta Workforce Identity | ~$6–$8 USD | Multi-vendor SaaS environments |
| Google Workspace SSO | Included with Business plans | Google-native organisations |
| Authentik (self-hosted) | Free (infrastructure costs only) | Tech-savvy teams with compliance constraints |
Deployment steps:
- Inventory every SaaS application your business uses. Check each for SAML 2.0 or OpenID Connect (OIDC) support, and note that many vendors only unlock SSO on a higher pricing tier.
- Configure your identity provider as the SSO hub. Entra ID and Okta both offer application galleries with pre-built integrations for hundreds of apps.
- Enforce MFA at the identity provider level, not at the application level, so every app inherits your MFA policy. Once an app is on SSO, disable its local username/password login (or restrict it to a single break-glass account); otherwise the app's own login page remains a path around your identity provider.
- Provision a password manager (1Password Business at ~$8 USD/user/month or Bitwarden Teams at ~$4 USD/user/month) for accounts that cannot integrate with SSO.
3. IAM Hygiene — Audit, Clean, and Monitor
Dirty identity directories are a compliance and security nightmare. Dormant accounts become ghost entry points. Over-privileged accounts amplify breach impact. Stale service accounts with long-lived credentials are an attacker's dream.
Run this audit this week:
- Dormant accounts: Pull a report of all accounts with no sign-in activity in 30, 60, and 90 days. Disable anything over 60 days. Delete (or archive) anything over 90 days with manager approval. Keep your documented break-glass emergency accounts out of this sweep and verify them by hand, and make sure the report includes non-interactive sign-ins so you do not disable a service account that is quietly doing its job.
- Privileged accounts: List every account with admin, superuser, or elevated privileges. Verify each one is assigned to a named individual with a documented business need. Migrate shared admin accounts to individual accounts with just-in-time access (Entra ID P2 Privileged Identity Management at ~$9/user/month handles this).
- Service accounts: Inventory every service account, API key, and application secret. Rotate any credential older than 90 days and set expiry dates on all secrets. Where the platform supports it, replace long-lived secrets with managed identities or workload identity federation so there is nothing to rotate or steal.
- Guest and external accounts: Review every B2B guest account. Remove access for departed contractors and former partners.
CIS Controls v8 backs this cadence: Control 5 (Account Management) requires validating that every active account is authorised at least quarterly (5.1), and Control 6 (Access Control Management) requires an established access granting and revoking process (6.1, 6.2) plus reviews of access rights at least annually (6.8). Reviewing privileged accounts quarterly alongside the account inventory is the practical way to satisfy both.
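The four checks above, run over a small constructed directory export, as an added example that is not this page's code. The cut-offs are the ones the page gives; the accounts are invented. Replace DIRECTORY with whatever your identity provider's user and sign-in activity export gives you (in Entra ID the signInActivity property carries both the last interactive and the last non-interactive sign-in, and you want the later of the two).

```python
"""Added example: the dormant / privileged / service / guest account audit from the
page, over a constructed directory export. TODAY is fixed so the output is reproducible."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

TODAY = date(2026, 6, 15)  # fixed "now" for the example


@dataclass
class Account:
    name: str
    kind: str                               # "user", "service" or "guest"
    last_sign_in: Optional[date]            # latest of interactive / non-interactive; None = never
    roles: List[str] = field(default_factory=list)   # directory roles held
    owner: Optional[str] = None             # named individual accountable for the account
    secret_created: Optional[date] = None   # newest password / client secret / API key
    break_glass: bool = False               # documented emergency account


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed export. Names are invented.
DIRECTORY = [
    Account("alice@example.com", "user", days_ago(3), owner="alice@example.com"),
    Account("bob@example.com", "user", days_ago(70), owner="bob@example.com"),
    Account("carol@example.com", "user", days_ago(120), owner="carol@example.com"),
    Account("svc-backup", "service", days_ago(1), owner="ops@example.com", secret_created=days_ago(200)),
    Account("svc-legacy", "service", None, owner=None, secret_created=None),
    Account("admin-shared@example.com", "user", days_ago(2), roles=["Global Administrator"], owner=None),
    Account("breakglass-01@example.com", "user", None, roles=["Global Administrator"],
            owner="ciso@example.com", break_glass=True),
    Account("dave@contractor.example", "guest", days_ago(45)),
    Account("eve@partner.example", "guest", days_ago(5)),
]


def audit(accounts, today: date = TODAY, disable_after: int = 60, delete_after: int = 90,
          secret_max_age: int = 90, guest_idle: int = 30) -> dict:
    """Bucket accounts by the action the page prescribes."""
    def age(when: Optional[date]) -> Optional[int]:
        return None if when is None else (today - when).days

    report = {key: [] for key in ("disable", "delete_review", "privileged_no_owner",
                                  "rotate_secret", "guest_review", "skipped_break_glass")}
    for a in accounts:
        if a.break_glass:
            report["skipped_break_glass"].append(a.name)   # verified by hand, never auto-disabled
            continue
        idle = age(a.last_sign_in)
        if idle is None or idle > delete_after:            # never signed in counts as dormant
            report["delete_review"].append(a.name)
        elif idle > disable_after:
            report["disable"].append(a.name)
        if a.roles and not a.owner:                        # privilege without a named human
            report["privileged_no_owner"].append(a.name)
        if a.kind == "service":
            secret_age = age(a.secret_created)
            if secret_age is None or secret_age > secret_max_age:
                report["rotate_secret"].append(a.name)
        if a.kind == "guest" and (idle is None or idle > guest_idle):
            report["guest_review"].append(a.name)
    return report


if __name__ == "__main__":
    for action, names in audit(DIRECTORY).items():
        print(f"{action:22s} {', '.join(names) or '-'}")
```

Note that svc-legacy lands in two buckets at once (never signed in, no recorded secret age); that combination is the classic forgotten integration account and is worth investigating before deletion rather than after.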
4. Zero Trust Identity Verification — "Never Trust, Always Verify"
Zero trust is not a product you buy. It is a set of principles: never trust any user or device by default, verify every access request continuously, and grant the minimum privilege required.
Identity-focused zero trust controls to implement now:
- Conditional access policies: Require compliant devices (managed, with up-to-date OS and endpoint protection) before granting access to corporate resources. Entra ID Conditional Access and Okta's Device Trust both support this.
- Risk-based authentication: Entra ID P2's Identity Protection uses machine learning to detect anomalous sign-in behaviour (impossible travel, unfamiliar properties, leaked credentials) and steps up authentication automatically.
- Continuous verification: Set the sign-in frequency (how often the identity provider re-checks the session) to 1 hour for sensitive applications and 8 hours for standard productivity apps, and require re-authentication for high-risk actions. In Entra ID this is the Conditional Access sign-in frequency control.
- Micro-segmented access: Use group-based access policies so marketing cannot reach infrastructure tools and developers cannot access finance systems.
Quick-Win Checklist: Identity Security Overhaul This Week
- Enable MFA for 100% of users — no exceptions
- Disable SMS and email as MFA methods; enforce authenticator app or FIDO2
- Order YubiKeys for all privileged users (admins, finance, executives)
- Configure SSO for your top 10 most-used SaaS applications
- Deploy a password manager company-wide
- Run a dormant account audit; disable accounts with no login in 60+ days
- Inventory and rotate all service account credentials
- Enable conditional access requiring compliant devices for corporate app access
- Set session token lifetimes to a maximum of 8 hours
- Document the audit — you will need it for Essential Eight and ISO 27001 evidence
FAQ
How much does a full identity security overhaul cost for a 50-person Australian business?
Expect roughly $7–$10 USD per user per month for the identity platform (Entra ID P1 or Okta), plus $4–$8 USD per user per month for a password manager, plus a one-time $55–$75 AUD per YubiKey (two per privileged user). For a 50-person team that is roughly $550–$900 USD per month in recurring licensing (more in AUD at current exchange rates), with roughly $1,000–$2,000 AUD in upfront hardware for around a dozen privileged users.
Is SMS-based MFA better than nothing?
Yes, but only marginally. SMS is vulnerable to SIM-swapping and real-time phishing proxies. If your provider supports it, move immediately to authenticator app-based MFA as a baseline, and plan your FIDO2 hardware key rollout within 30 days. NIST SP 800-63B classifies SMS and voice one-time codes as a restricted authenticator type, which means you must assess and accept the additional risk and offer users an alternative.
Do we need Entra ID P2, or is P1 sufficient?
Most SMBs can start with P1 ($6/user/month), which includes MFA, conditional access, and SSO. Upgrade to P2 ($9/user/month) when you need Privileged Identity Management, automated Access Reviews, and Identity Protection risk-based policies. If you are pursuing Essential Eight Maturity Level 2 or ISO 27001, P2 makes compliance evidence significantly easier.
How does this map to the ASD Essential Eight?
MFA enforcement is one of the eight Essential Eight strategies in its own right, and the higher maturity levels tighten what counts as acceptable MFA. SSO and IAM hygiene (named individual accounts, regular validation of privileged access) directly support "Restrict Administrative Privileges". Zero trust conditional access policies support multiple strategies simultaneously. The ACSC considers MFA "the most effective tool to protect your digital identity."
Conclusion
Identity security is not a future roadmap item — it is something you can meaningfully improve this week. Start with phishing-resistant MFA on every account, centralise authentication through SSO, clean up dormant and over-privileged accounts, and layer on zero trust conditional access policies. The tools are mature, affordable, and well-documented. The frameworks (Essential Eight, NIST SP 800-63-3, CIS Controls v8) give you clear targets to aim for.
Every day without phishing-resistant MFA is a day an attacker can log in as any employee who clicks the wrong link. Fix it now.
Visit consult.lil.business for a free cybersecurity assessment.
References
- NIST SP 800-63-3: Digital Identity Guidelines — The authoritative US federal standard for digital identity proofing, authentication, and federation, including AAL requirements for phishing-resistant authenticators.
- ASD Australian Cyber Security Centre — Essential Eight — The ACSC's prioritised mitigation strategies, with MFA as a core control and a three-level maturity model for progressive implementation.
- CIS Controls v8 — Center for Internet Security — Community-developed security benchmarks, including Control 5 (Account Management) and Control 6 (Access Control Management) with specific implementation groups for SMBs.
- Yubico — YubiKey for the Essential Eight — Mapping of FIDO2 hardware key capabilities to each Essential Eight maturity level, with deployment guidance for Australian organisations.
The FBI Just Closed a Giant Swap Meet for Stolen Passwords — And Your Business Passwords Might Have Been There
ELI10 Edition — explained like you're 10, no jargon required.
TL;DR
- The FBI and international partners just shut down a huge online marketplace called LeakBase where criminals bought and sold stolen passwords [1][2]
- 142,000 criminals were members. Hundreds of millions of stolen passwords were traded there [2]
- Your business passwords may have passed through places like this — most business owners never find out until something goes wrong
- Three simple fixes can dramatically reduce your risk: check your exposure, use a password manager, turn on MFA
Imagine a Giant Flea Market for Stolen Keys
Picture a massive flea market. Instead of vintage lamps and old records, everything for sale is stolen house keys. Keys to offices, filing cabinets, safe deposit boxes — thousands of them, sorted neatly by type.
That's basically what LeakBase was. Except instead of physical keys, the criminals sold stolen passwords and login details for businesses, bank accounts, and personal accounts — hundreds of millions of them [1][2].
This week, the FBI teamed up with police forces from 14 countries and shut the whole thing down. They seized everything: the website, the inventory, the records of who bought what, and the chat logs between criminals. The flea market is closed [2].
How Did Those Passwords Get There in the First Place?
Here's the part most people don't expect: your business doesn't have to get hacked directly for your passwords to end up somewhere like LeakBase.
All it takes is for one of the apps or websites your employees use to get hacked. Maybe it's a project management tool. Maybe it's an online accounting service. When that service gets breached, the criminals bundle the stolen usernames and passwords into tidy lists and sell them. The other big source is malware on an employee's computer that quietly copies every password saved in the browser, producing what's called a "stealer log" [3][4].
If an employee used the same password for that service as they do for your business email or your banking portal? Criminals now have the keys to those too.
Think of it like this: if a locksmith who made copies of your keys gets robbed, the thief now has copies of your keys — even though your office was never broken into.
What Does This Mean for Your Business?
The flea market is closed, but the stolen keys are still out there. Law enforcement has the records, which is good for future investigations. But it doesn't mean every stolen password evaporates overnight.
The way criminals use stolen passwords is methodical. They run automated software that tries thousands of stolen username/password combinations across popular business tools — email, cloud storage, accounting software — until something works. Security researchers call this "credential stuffing" [5].
According to Verizon's research, stolen passwords are involved in nearly half of all business data breaches [6]. It's one of the most common ways businesses get compromised, and it's also one of the easiest to prevent.
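As an added example (not this page's code), here is the kind of rule an identity provider or mail platform runs over its sign-in log to spot credential stuffing: one source address failing against many different usernames in a short window, and then succeeding. The log lines and addresses below are constructed for illustration.

```python
"""Added example: credential-stuffing detection over a constructed sign-in log.
Addresses are RFC 5737 documentation ranges; users are invented."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample. One address sprays five different users and then logs in as a sixth;
# another address is just one person mistyping their own password.
SAMPLE_LOG = """\
2026-06-15T09:00:01Z src=203.0.113.10 user=alice@example.com result=FAIL
2026-06-15T09:00:04Z src=203.0.113.10 user=bob@example.com result=FAIL
2026-06-15T09:00:07Z src=203.0.113.10 user=carol@example.com result=FAIL
2026-06-15T09:00:11Z src=203.0.113.10 user=dave@example.com result=FAIL
2026-06-15T09:00:15Z src=203.0.113.10 user=erin@example.com result=FAIL
2026-06-15T09:00:19Z src=203.0.113.10 user=frank@example.com result=SUCCESS
2026-06-15T09:00:22Z src=198.51.100.7 user=alice@example.com result=FAIL
2026-06-15T09:00:40Z src=198.51.100.7 user=alice@example.com result=FAIL
2026-06-15T09:00:58Z src=198.51.100.7 user=alice@example.com result=SUCCESS
"""

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str):
    """Parse the constructed format above into Events, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_failures=5):
    """Sliding window per source address. Alerts when one address fails against many
    different usernames, and again when that address subsequently succeeds (likely takeover)."""
    alerts = []
    recent = defaultdict(deque)   # ip -> events inside the window
    flagged = set()
    for ev in events:
        q = recent[ev.ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        failures = [e for e in q if not e.success]
        distinct = {e.user for e in failures}
        if ev.ip not in flagged and len(failures) >= min_failures and len(distinct) >= min_distinct_users:
            flagged.add(ev.ip)
            alerts.append({"kind": "credential_stuffing", "ip": ev.ip, "at": ev.ts,
                           "distinct_users": len(distinct), "failures": len(failures)})
        if ev.success and ev.ip in flagged:
            alerts.append({"kind": "success_after_spray", "ip": ev.ip, "user": ev.user, "at": ev.ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second address never trips the rule because it only ever tries one username. A real attacker spreads attempts across many addresses to stay under per-IP thresholds, so production detections also key on the tenant-wide failure rate and on successes from addresses or countries the user has never signed in from. The "success after spray" alert is the one to page on: with MFA in place it should be rare, and without MFA it is an account takeover.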
Three Things You Can Do Today (None of Them Are Complicated)
1. Check if your business email addresses have been in a breach. Go to haveibeenpwned.com — it's free. Type in your email address. It'll tell you if it appeared in any known data breaches, and its domain search lets you check every address on your company's domain in one go. If an address shows up, change that password everywhere it's used and switch on two-factor authentication [7].
2. Get a password manager. A password manager (like 1Password or Bitwarden) creates and remembers long, unique passwords for every account. Your employees only need to remember one strong master password. If a service gets breached, the damage stops there — the stolen password doesn't work anywhere else [8].
3. Turn on two-factor authentication (2FA/MFA) for your important accounts. This adds a second lock to your door. Even if criminals get your password, they still can't get in without your phone or your security key. Start with email, banking, and cloud storage — those are the most valuable targets [5].
These three steps cost almost nothing and take a few hours to set up. They address the exact attack method that LeakBase enabled.
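Step 1 checks email addresses; the matching check for passwords is worth automating, and here is an added example (not this page's code and not Troy Hunt's) using the Pwned Passwords "range" API that Have I Been Pwned runs, which needs no key. Only the first five characters of the password's SHA-1 hash ever leave your machine, so the service never learns the password. The response text below is constructed so the example runs offline; the real API call is included but not exercised.

```python
"""Added example: Pwned Passwords k-anonymity check. The range response embedded
below is constructed; the real service returns several hundred lines per prefix."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_prefix_suffix(password: str):
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_response: str, suffix: str) -> int:
    """Each response line is SUFFIX:COUNT. Return the count for our suffix, 0 if absent."""
    for line in range_response.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """The real call. Only the prefix is sent; Add-Padding makes every response the same
    size so an observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range=fetch_range_online) -> int:
    """Number of times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed stand-in for the response to /range/5BAA6. The middle line is the real
# suffix of SHA-1("password"); the count and the other lines are made up. Padding lines
# from the real service carry a count of 0, as in the last line here.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3AFE0B7D6C3C0D8E5A2B9C1D4E6F7A8B9:0
"""

if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_5BAA6
    for candidate in ("password", "a long unique passphrase nobody else uses"):
        n = check_password(candidate, offline)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times, do not use' if n else 'not in the constructed set'}")
```

Plug this into a sign-up or password-change form and refuse any password with a non-zero count; NIST SP 800-63B [8] asks for exactly that kind of check against known-breached passwords.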
Why This Is Actually Good News
It might feel like bad news — another story about stolen passwords and criminals. But the dismantlement of LeakBase is a genuine win for law enforcement and for businesses.
Operations like this don't just take down one marketplace. They give investigators access to full records of criminal activity — who was buying, who was selling, what was traded [2]. That intelligence feeds future prosecutions and disruptions.
The security community has better tools and monitoring than ever. The steps to protect your business credentials are well-understood, accessible, and cheap. The businesses that get hurt by credential theft are almost always the ones that didn't take the basic precautions.
You're reading this now. That puts you ahead.
Your Action List
- Go to haveibeenpwned.com and check your business email addresses (10 minutes)
- Set up a business password manager — 1Password Teams or Bitwarden Business are both solid options (2–4 hours)
- Enable MFA on email, banking, and cloud storage accounts (1–2 hours)
- Ask your team to do the same for personal accounts they use at work (send them this post)
If you want help building this out properly across your whole team, that's exactly what lilMONSTER does. Book a free consultation here.
FAQ
Is this hard to set up?
No. Have I Been Pwned is a simple website — you type in an email, it gives you a result. Password managers are designed for regular people to use. Most MFA setup is a 5-minute process that apps walk you through.
What if my email shows up in a breach?
Don't panic. Change the password for that account immediately, enable MFA if you haven't, and check whether you used that same password anywhere else. Change those too.
Are small businesses less of a target than big companies?
No — actually the opposite. Large enterprises have dedicated security teams watching for credential exposure. Most small businesses don't, which makes them attractive targets for automated attacks [6].
What does a password manager actually do?
It generates and stores a unique, random password for every website and app. If one service gets breached, the stolen password is useless everywhere else because you never reused it. It also flags if a site you use has been breached [8].
Is LeakBase gone for good?
The infrastructure is seized and the data is in law enforcement hands. But similar forums exist, and new ones emerge over time. That's why credential hygiene is an ongoing habit, not a one-time fix [2].
References
[1] The Hacker News, "FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials," The Hacker News, March 5, 2026. [Online]. Available: https://thehackernews.com/2026/03/fbi-and-europol-seize-leakbase-forum.html
[2] U.S. Department of Justice, "United States Leads Dismantlement of One of the World's Largest Hacker Forums," DOJ Office of Public Affairs, March 4, 2026. [Online]. Available: https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
[3] SpyCloud, "January 2026 Cybercrime Update," SpyCloud Blog, January 2026. [Online]. Available: https://spycloud.com/blog/january-2026-cybercrime-update/
[4] Flare.io, "Dark Web Forums Report," Flare Security, 2023. [Online]. Available: https://flare.io/learn/resources/blog/dark-web-forums
[5] CISA, "Phishing-Resistant MFA Fact Sheet," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] Troy Hunt, "Have I Been Pwned — About," haveibeenpwned.com, 2025. [Online]. Available: https://haveibeenpwned.com/About
[8] NIST, "Special Publication 800-63B: Digital Identity Guidelines," National Institute of Standards and Technology, 2024. [Online]. Available: https://pages.nist.gov/800-63-3/sp800-63b.html
Security doesn't have to be complicated or scary. It just has to be done. If you're not sure where to start or you'd like an expert to look at your current setup, lilMONSTER offers practical, no-jargon cybersecurity consultations for small businesses.