Stolen Admin Credentials Opened Months of Access to Telecom Metadata for 100 Million Users

Nation-state operators obtained initial entry to major U.S. telecommunications networks by replaying administrative credentials previously harvested by infostealer malware. These valid login pairs granted access to BeyondTrust remote support portals at AT&T and Verizon. From that authenticated position, attackers exploited unpatched software flaws to elevate privileges and maintain presence for weeks while retrieving call detail records and location metadata.

The operation required no zero-day exploits. Routine support sessions provided sufficient cover for sustained data extraction. IBM’s 2025 Cost of a Data Breach Report records an average breach cost of $4.44 million and a mean containment time of 241 days, figures that rise sharply for critical infrastructure where dwell time extends regulatory exposure.

Reusable Credentials as the Persistent Entry Point

The decisive advantage was that the portals accepted authentication from any client once the correct username and password were supplied. Because the credentials were not bound to specific hardware, attackers could present them directly from their own systems. Once inside, standard privilege-escalation paths converted ordinary sessions into persistent administrative control.

Traditional second-factor methods offered no additional protection after the primary credentials were obtained. An attacker who replayed the complete login sequence encountered the same workflow a legitimate administrator would follow. The absence of device binding meant the entire authentication flow remained replayable.

Device-Bound Cryptography Removes the Reusable Secret

Public-key cryptography replaces shared secrets with asymmetric key pairs generated and stored exclusively on the user’s hardware or secure enclave. Only the public key is registered with the identity provider. Each authentication consists of a cryptographic challenge that can be answered only by the private key, which never leaves the device and never traverses the network.

This model applies across registration, device onboarding, authorization, authentication, and decommissioning. MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It relies on device-bound credentials with no central credential database and requires no second device. Because no phishable material exists at any stage, the surfaces exploited in the Salt Typhoon operation are eliminated by design.
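The challenge-response flow described above, and the replay point made earlier about password-based logins, can be shown end to end with a small model. The following Go program is an added example written for this page; it is not code from the article, from BeyondTrust, or from any MFA product. It uses Ed25519 from the Go standard library, and the `Device`, `Portal`, `RunScenario` names, the credential ID `admin-laptop`, and the relying-party ID `support.example.net` are all constructed for illustration. The portal stores only public keys and single-use challenges, so a captured response cannot be presented twice and a copy of the portal's registry gives an attacker nothing to sign with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the user's hardware authenticator (example only). The private
// key is generated here and never exported; in production it would live in a
// secure enclave or TPM.
type Device struct {
	priv ed25519.PrivateKey
}

// NewDevice generates a fresh key pair on the device.
func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only material that ever leaves the device.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge. The signed message includes the relying-party ID so
// a response produced for one portal cannot be redirected to another.
func (d *Device) Sign(rpID string, challenge [32]byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge))
}

func signedMessage(rpID string, challenge [32]byte) []byte {
	return append([]byte(rpID+"\x00"), challenge[:]...)
}

// Portal models the identity provider (example only). It holds public keys and
// outstanding challenges; there is no password or OTP seed to steal.
type Portal struct {
	rpID     string
	registry map[string]ed25519.PublicKey // credential ID -> public key
	pending  map[string][32]byte          // credential ID -> single-use challenge
}

func NewPortal(rpID string) *Portal {
	return &Portal{rpID: rpID, registry: map[string]ed25519.PublicKey{}, pending: map[string][32]byte{}}
}

// Register enrols a credential by public key only.
func (p *Portal) Register(credID string, pub ed25519.PublicKey) { p.registry[credID] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one response.
func (p *Portal) Challenge(credID string) ([32]byte, error) {
	var c [32]byte
	if _, ok := p.registry[credID]; !ok {
		return c, errors.New("unknown credential")
	}
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	p.pending[credID] = c
	return c, nil
}

// Verify checks the response and consumes the challenge whether or not the
// signature is valid, so a captured response cannot be presented twice.
func (p *Portal) Verify(credID string, challenge [32]byte, sig []byte) error {
	pub, ok := p.registry[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	want, ok := p.pending[credID]
	delete(p.pending, credID)
	if !ok || want != challenge {
		return errors.New("no outstanding challenge for this response")
	}
	if !ed25519.Verify(pub, signedMessage(p.rpID, challenge), sig) {
		return errors.New("signature does not match registered device key")
	}
	return nil
}

// RunScenario walks through a legitimate login, a replay of the captured
// response, and an attempt made with only a copy of the portal's registry.
func RunScenario() (legitOK, replayRejected, registryDumpRejected bool) {
	portal := NewPortal("support.example.net") // constructed relying-party ID
	dev, err := NewDevice()
	if err != nil {
		return
	}
	portal.Register("admin-laptop", dev.PublicKey())

	// 1. Legitimate administrator: obtain challenge, sign on device, verify.
	c1, _ := portal.Challenge("admin-laptop")
	sig1 := dev.Sign(portal.rpID, c1)
	legitOK = portal.Verify("admin-laptop", c1, sig1) == nil

	// 2. A captured (c1, sig1) pair is replayed, then the stale signature is
	//    tried against a fresh challenge. Both must fail.
	replayOld := portal.Verify("admin-laptop", c1, sig1) != nil
	c2, _ := portal.Challenge("admin-laptop")
	replayNew := portal.Verify("admin-laptop", c2, sig1) != nil
	replayRejected = replayOld && replayNew

	// 3. Holding only the registry (public keys), a forger must sign with a
	//    key of their own, which the registered public key does not verify.
	forger, _ := NewDevice()
	c3, _ := portal.Challenge("admin-laptop")
	registryDumpRejected = portal.Verify("admin-laptop", c3, forger.Sign(portal.rpID, c3)) != nil
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("legitimate login: %v\nreplay rejected: %v\nregistry dump useless: %v\n", a, b, c)
}
```

Two design points carry the weight here. `Verify` deletes the pending challenge before checking the signature, so a response is consumed on first use regardless of outcome, which is what makes the captured login sequence from the earlier section non-replayable. The signed message also prefixes the relying-party ID, so a response obtained for one portal is not valid at another; a real WebAuthn/FIDO2 implementation additionally binds the origin and a signature counter, which this model omits.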

Third-Party and Vendor Access Without Extractable Secrets

The same binding principles apply to managed-service and vendor portals. Without shared passwords or extractable OTP seeds, credential theft no longer yields an authenticated session. Monitoring and anomaly detection can still record events, yet they operate after the fact. An architecture that removes stealable credentials ensures the events cannot occur in the first place.

Device-bound cryptographic authentication would have blocked the initial authenticated session required by Salt Typhoon. Without that foothold, the subsequent BeyondTrust vulnerabilities would have remained unreachable. Adding FIDO2 to existing MFA hardens only the login step; removing phishable factors across the full identity lifecycle prevents the credentials from existing in stealable form to begin with.