Commentary: A Look Back at 2024’s Top Non-Human Identity (NHI) Attacks

A Year of Growing Concerns

A look back at 2024’s top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

A Warning from the Past

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach. The breach stemmed from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise.

The Impact of the Attack

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential, which in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

A Dramatic Close to the Year

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors. The attackers gained access to "unclassified documents" after compromising the agency’s networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

A Warning for the Future

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well.

Prioritizing Emerging NHI Threats

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.