Medibank Breach: One Set of Credentials Exposed 9.7 Million Records

Attackers needed only a single set of valid credentials to reach the personal and medical data of 9.7 million current and former Medibank customers. They used those credentials to move laterally for weeks, locate high-value data stores, and stage ransomware before the company refused payment and portions of the stolen information were published.

The Verizon 2023 DBIR shows stolen credentials have been the top initial-access vector for five straight years. IBM’s 2023 Cost of a Data Breach Report places the average cost of such incidents at $4.45 million and notes that attackers typically retain a 277-day window inside an organization once valid credentials are obtained. In the Medibank case, no password cracking or novel exploit was required.

Credential Reuse and Extended Internal Access

The compromised account relied on a reusable password that remained valid across multiple systems. Once authenticated, the attackers could explore the environment, identify target repositories, and prepare the ransomware payload without generating obvious authentication failures. The same credentials satisfied every subsequent control, allowing weeks of undetected activity.

Traditional second factors such as SMS codes, TOTP apps, and push notifications offered no additional barrier once the first factor was known. Interception and real-time social engineering techniques allowed the attackers to satisfy every challenge as it appeared.

Device-Bound Public-Key Credentials Remove the Reusable Element

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It relies on device-bound credentials with no central credential database and requires same-device authentication without a second device. MFA 2.0 is prevention-focused: the attack cannot occur because there are no credentials available for an attacker to compromise or replay. It is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.

At registration a private key is generated and stored exclusively inside the secure enclave or TPM of the user’s device. Only the corresponding public key is registered with the service. Each authentication becomes a cryptographic challenge that proves possession of the private key without ever transmitting a reusable secret. Because the private key never leaves the device, no reusable secret exists at any stage (registration, device onboarding, authorization decisions, or decommissioning), which removes the initial-access vector exploited against Medibank.

Lifecycle Management Without Shared Secrets

Revoking access for a lost or replaced device requires only the removal of the registered public key. A replacement device enrolls a fresh key through the same registration process, leaving no window in which a stolen credential could be reused. No separate hardware token is needed; the private key resides in the secure hardware already present in standard laptops and phones.
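The registration, challenge-response and revocation flow described above, as an added example (not the page's or any vendor's code): a minimal authenticator and relying party in Go using Ed25519 from the standard library. The `Device` type stands in for the secure enclave or TPM and never exposes its private key; the `Server` holds only public keys and single-use challenges. The type and function names, the `rpID` binding in the signed message, and the 32-byte challenge size are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models the user's hardware: the private key is generated here and never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates a key pair and hands back only the public half for registration.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Device{priv: priv}, pub
}

// Sign answers a challenge; the relying-party ID in the signed bytes makes a signature for one origin useless at another.
func (d *Device) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(rpID+"|"), challenge...))
}

// Server stores only public keys and one-time challenges; nothing here is a reusable secret.
type Server struct{ rpID string; keys map[string]ed25519.PublicKey; pending map[string][]byte }
func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }
func (s *Server) Revoke(user string)                          { delete(s.keys, user) } // lost device: drop its key

// Challenge issues a fresh random nonce that exactly one verification may consume.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.pending[user] = c
	return c
}

// Authenticate verifies sig over the outstanding challenge and retires that challenge.
func (s *Server) Authenticate(user string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok { return errors.New("no registered key for user") }
	c, ok := s.pending[user]
	if !ok { return errors.New("no outstanding challenge") }
	delete(s.pending, user) // single use: a captured signature cannot be replayed
	if !ed25519.Verify(pub, append([]byte(s.rpID+"|"), c...), sig) { return errors.New("signature does not verify") }
	return nil
}
```

A captured signature fails against the next challenge, a signature made for a different relying-party ID fails, and revoking the public key invalidates the device without touching any shared secret.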

This model extends cryptographic protection across the full identity lifecycle rather than applying it only at login. The Medibank incident demonstrates that once valid reusable credentials are obtained, traditional controls provide limited resistance. Replacing those credentials with device-bound public-key material removes the reusable element that made the breach possible.