SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

Panaseer finds 'toxic combinations' drive 70% of major breaches

Thu, 30th Oct 2025

Research by Panaseer has found that 70% of major cybersecurity breaches in the past five years have resulted from toxic combinations, where overlapping risks compound to create significant vulnerabilities.

The Panaseer team carried out an analysis of 20 high-profile breaches, identifying that in 14 cases, multiple compounding risks were involved. The research included a detailed review of five major incidents involving AT&T, MGM Resorts, Okta, Uber and Colonial Pipeline.

Toxic combinations explained

According to Panaseer, toxic combinations occur when several seemingly minor risks interact. For example, an unpatched device in the hands of a privileged user who regularly clicks on suspicious links can become a serious pathway for attackers, far greater than the sum of individual risks.

The research found that just eight significant risk factors, when present in the right combination, were enough to create vulnerabilities that led to serious breaches. The consequences of these breaches included national emergencies, losses of billions in company valuations, reputational harm, and class action lawsuits.

Case studies of major breaches

In the 2024 breach at AT&T, attackers leveraged compromised credentials obtained via infostealer malware, exploited weak or missing multi-factor authentication (MFA), used reconnaissance tools undetected, and exfiltrated data at scale. The research notes:

"What looked like a chain of credential abuse, missing MFA and undetected reconnaissance became a textbook toxic combination. Together, these factors allowed attackers not only to enter AT&T's cloud environment but to quietly walk out with sensitive customer data - a breach that has translated into both reputational and financial damage. AT&T has since been ordered to pay customers $2,500 each if customers can prove they were impacted."

The breach at MGM Resorts in 2023 occurred through a combination of poor social engineering defences, undetected persistence and lateral movement, ransomware deployment, and large-scale data exfiltration. Attackers impersonated staff to gain administrator access, maintained unauthorised access, deployed ransomware crippling critical systems, and stole an estimated 6TB of data. The company dealt with customer data theft, operational disruption amounting to about USD $100 million in losses, and later paid a USD $45 million class action settlement.

Okta, an identity and access management provider, was breached in 2022 via a third-party compromise, undetected persistence, and misuse of internal tools. Attackers accessed a support agent's laptop through a third-party vendor, moved laterally using Remote Desktop Protocol over several days, and used support tools to view sensitive company and client information without detection. Although only 2.5% of customers were directly affected, Okta's market value dropped by over USD $2 billion following the incident.

In Uber's 2022 breach, attackers exploited a combination of compromised contractor credentials, weak credential hygiene, inadequate MFA, and social engineering. After purchasing stolen credentials, they found administrator credentials in scripts, conducted an MFA fatigue attack to bypass security, and obtained broad access to internal systems undetected. The breach was followed by financial losses, regulatory fines, a drop in share prices, and a GDPR fine of €290 million from Dutch authorities, which Uber is currently contesting.

The Colonial Pipeline attack in 2021 involved compromised, inactive VPN credentials lacking MFA protection, undetected access to large amounts of sensitive data, and rapid ransomware deployment. What could have been isolated issues resulted in a national emergency, halting fuel supply on the US East Coast and prompting a state of emergency declaration by the government.

Recognising and preventing toxic combinations

The research emphasises that such incidents often result from several overlapping weaknesses rather than a single point of failure. Seemingly trivial weaknesses, such as an inactive account or insufficient phishing training, become serious threats when combined with other factors.

Continuous monitoring and basic cybersecurity hygiene, such as enforcing MFA and retiring unused accounts, are highlighted as important steps. Still, identifying toxic combinations is not straightforward because each element appears low risk in isolation.

The report notes that organisations need more comprehensive, data-driven techniques to identify these dangerous patterns rather than relying solely on intuition. Platforms such as Panaseer's Cyber Control Management are designed to highlight areas where multiple risks intersect and pose elevated threats.
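To make the compound-risk idea from the "Toxic combinations explained" section and the data-driven identification described here concrete, the following is an added illustration, not Panaseer's code or metrics: it scans a constructed asset inventory for co-occurring low-severity signals and scores each match superlinearly, so a three-signal combination outranks three isolated findings. The asset records, signal names and rule definitions are all assumptions made up for the example.

```python
"""Toy compound-risk check: flags assets where several individually low-risk
signals co-occur, in the spirit of the 'toxic combinations' described above.
Asset records, signal names and rules are constructed for illustration only."""

# Constructed inventory: one record per asset or identity, with the low-risk
# signals observed on it. Each signal alone would rarely be prioritised.
ASSETS = [
    {"id": "laptop-017", "signals": {"unpatched", "privileged_user", "phish_clicker"}},
    {"id": "vpn-acct-svc", "signals": {"inactive_account", "no_mfa", "remote_access"}},
    {"id": "laptop-042", "signals": {"unpatched"}},
    {"id": "vendor-support-01", "signals": {"third_party_access", "no_mfa"}},
]

# Constructed rules loosely mirroring the case studies in the article: each
# value is the set of signals whose co-occurrence is treated as toxic.
TOXIC_RULES = {
    "patch+privilege+phishing": {"unpatched", "privileged_user", "phish_clicker"},
    "stale_remote_access_no_mfa": {"inactive_account", "no_mfa", "remote_access"},
    "third_party_no_mfa": {"third_party_access", "no_mfa"},
}


def additive_score(signals, weight=1.0):
    """Baseline: the naive 'sum of individual risks' view (one point per signal)."""
    return weight * len(signals)


def compound_score(signals, weight=1.0):
    """Compound view: risk grows with the square of the number of co-occurring
    signals, so overlapping weaknesses outrank the same count seen in isolation."""
    return weight * len(signals) ** 2


def find_toxic_combinations(assets, rules):
    """Return (asset_id, rule_name, compound_score) for every asset whose signal
    set contains all signals of a rule, highest score first (stable for ties)."""
    hits = []
    for asset in assets:
        for name, required in rules.items():
            if required <= asset["signals"]:
                hits.append((asset["id"], name, compound_score(required)))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    for asset_id, rule, score in find_toxic_combinations(ASSETS, TOXIC_RULES):
        print(f"{asset_id:18} {rule:28} compound={score:.0f}")
```

Note that laptop-042, carrying only an unpatched signal, produces no hit at all, which is the point: the same signal on laptop-017 is what makes that asset the top finding.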

"Organisations need the ability to see these patterns forming. That requires more than human intuition. It calls for data-driven analysis across millions of assets and signals. This is where platforms like Panaseer's Cyber Control Management (CCM) can help make the difference. Panaseer helps identify high-risk scenarios where multiple weaknesses in cybersecurity defences overlap. Panaseer's Compound Risk metrics instantly reveal areas with higher exploitability across multiple cyber domains, combined with business context, so you can focus on the most critical risks first."

The research demonstrates that for many organisations, the challenge lies not just in managing individual risks but in recognising and addressing the way those risks can interact to create vulnerabilities capable of causing severe harm.
