Hackers Aren’t Breaking In … They’re Logging In!
In May 2023, hackers didn’t break into Oregon’s DMV systems.
👉 https://www.oregon.gov/odot/dmv/pages/data_breach.aspx
They simply logged in, using a stolen key.
More than 3.5 million Oregonians, nearly everyone with a valid driver’s license or ID, had their names, birth dates, addresses, license numbers, and partial Social Security numbers exposed when attackers exploited a vulnerability in third-party file transfer software known as MOVEit.
It became one of the largest data breaches in Oregon’s history.
And while DMV offices stayed open, and no financial data was taken, the real lesson is this:
It wasn’t some advanced hack. It was a credentials-based attack.
At 10D Tech, we help small businesses identify these vulnerabilities through practical tools like multifactor authentication (MFA) setup, phishing training, and credential management policies before they’re exploited, because in most cases, the problem isn’t a missing firewall… it’s a login someone shouldn’t have.
The hackers used a flaw in how files were moved between systems, but once inside, they had access to everything they needed.
This is how today’s cybercriminals operate.
The New Cybercrime Playbook: Just Log In
Modern hackers aren’t wasting time smashing down firewalls. They go for the low-hanging fruit: your logins.
- They steal passwords.
- They trick employees with fake login pages.
- They overwhelm people with push notifications until someone hits “approve” out of frustration.
In fact, 67% of serious breaches in 2024 started with stolen credentials, not ransomware, not brute force, just a password that got into the wrong hands.
How Oregon Businesses Are Being Targeted
Here are the top tactics we’ve seen right here in Oregon:
Phishing scams: Fake emails and login pages that fool employees into entering passwords.
SIM swapping: Hackers take over your phone number and intercept 2FA codes.
MFA fatigue: Endless login prompts until someone clicks “yes” just to make it stop.
Vendor compromise: Attackers break in through your help desk, call center, or file transfer vendor … like the MOVEit breach.
4 Ways to Protect Your Business Now
You don’t have to overhaul your entire system, but you do need to be smart about who’s getting through the front door.
✅ 1. Use Strong MFA (Not Text Messages)
App-based MFA or hardware keys are much harder to bypass than SMS codes.
✅ 2. Train Your Team to Spot Scams
One phishing email is all it takes. Educate your team on how these attacks work and what to watch for.
✅ 3. Limit Access
Don’t give every employee access to everything. Compartmentalization protects the rest of your system if one account is compromised.
✅ 4. Move Toward Passwordless Login
Tools like fingerprint logins and security keys are more secure and easier to manage than constantly updating passwords.
Bottom Line: The DMV Breach Was a Wake-Up Call
The Oregon DMV breach didn’t happen because someone failed to lock the door.
It happened because someone handed over the key, likely without even realizing it.
If a state agency with full-time security staff can fall victim to this kind of breach, small businesses with fewer resources are even more vulnerable.
About 10D Tech
10D Tech provides managed IT and cybersecurity solutions to small and midsized businesses across Oregon. We deliver proactive, practical protections, from EDR to secure AI use to phishing training, with local support and no confusing jargon.
👉 Book your 15-minute cybersecurity assessment and let’s take a Closer Look at how to keep your business safe. https://www.10dtech.com/15min-assessment
