Lawsuit says Clorox hackers got passwords simply by asking

Bleach maker Clorox has sued information technology provider Cognizant over a devastating 2023 cyber attack, alleging that the hackers pulled off the intrusion simply by asking the tech company's staff for employees' passwords.

Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specialises in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

In a case filed in California state court, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit reviewed by Reuters.

"The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."

Cognizant did not immediately return a message seeking comment on the suit, which was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.

Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to, for example, by quizzing them on their employee identification number or their manager's name.

"I don't have a password, so I can't connect," the hacker said in one call. The agent replied: "Oh, ok. Ok. So let me provide the password to you, ok?"

The 2023 hack caused US$380 million (A$576 million) in damages, Clorox said in the suit.

Roughly US$50 million of this was tied to remedial costs, while the rest was tied to Clorox's inability to ship products to retailers in the wake of the hack.

Clorox said the clean-up was hampered by other failures by Cognizant's staff, including failure to deactivate certain accounts or properly restore data.