Exploitation of a critical Oracle vulnerability gave Clop operators an entry point into unpatched E-Business Suite servers at the University of Phoenix and Aflac. Once inside, the group extracted stored credentials from service accounts, administrative consoles, and database connections. The University of Phoenix alone lost records belonging to nearly 3.5 million individuals, while Aflac and other victims saw comparable volumes of personal and financial data leave the environment over several weeks.
The breach followed a repeatable pattern: the Oracle vulnerability created the entry point, but the volume of data removed depended entirely on reusable credentials that let attackers move laterally into administrative portals and connected identity systems.
Credential Harvesting After Initial Access
After the first exploit succeeded, Clop did not need additional zero-days. Harvested credentials from the compromised Oracle instances granted direct access to administrative interfaces and backend databases that held the majority of exposed records. Prior Clop operations showed the same dynamic: stolen secrets, not the original vulnerability, determined how far attackers could travel.
Why Reusable Credentials Enabled Large-Scale Exfiltration
Administrative and database accounts at most organizations still rely on authentication factors that, once captured, can be replayed. When an attacker extracts a password, session token, or one-time code, the attacker can authenticate exactly as the legitimate user would. Public-key cryptography removes this possibility because the private key never leaves the device and no reusable secret crosses the network.
MFA 2.0 applies this model across the entire identity lifecycle. It is phish-proof, passwordless authentication built on public-key cryptography (the same technology used in Apple Pay and Google Pay). MFA 2.0 uses device-bound credentials with no central credential database and performs same-device authentication without requiring a second device. It is prevention-focused: the attack cannot succeed because there are no credentials available to compromise. MFA 2.0 is not continuous authentication, behavioral monitoring, anomaly detection, session analysis, or risk-based authentication.
How Device-Bound Keys Would Have Limited the Incident
If administrative and database accounts had used device-bound public keys instead of reusable credentials, the material collected from the Oracle servers would have been unusable. Any session tokens tied to those keys would also have required the physical device for replay. The initial remote code execution would still have occurred, yet the subsequent expansion into large-scale data exfiltration would have been blocked.
Onboarding device-bound keys occurs once per device through a public-key exchange that creates and stores no passwords or shared secrets. Revoking a lost or decommissioned device simply removes the corresponding public key at the identity platform, leaving an attacker with nothing usable.
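As an added illustration of the model described above (why replayed secrets work against password-based accounts but not against device-bound keys, and how onboarding and revocation reduce to storing or deleting a public key), the following Go sketch is example code, not code from the original post or from any MFA 2.0 product. The identity platform keeps only enrolled public keys and single-use challenges; the device side is ed25519.Sign over the challenge with a private key that never leaves the device. Device IDs and the registry layout are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Registry is the identity platform's side: one public key per enrolled device plus the
// challenges it has issued but not yet consumed. Nothing stored here can be replayed.
type Registry struct {
	keys   map[string]ed25519.PublicKey // deviceID -> enrolled public key
	issued map[string]bool              // hex(nonce) -> still outstanding
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}
// Enroll is the one-time onboarding step: only the public key is stored.
func (r *Registry) Enroll(deviceID string, pub ed25519.PublicKey) { r.keys[deviceID] = pub }
// Revoke removes the public key; the device's private key is then useless here.
func (r *Registry) Revoke(deviceID string) { delete(r.keys, deviceID) }

// Challenge issues a fresh 32-byte random nonce that the device must sign.
func (r *Registry) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}
// Authenticate accepts a signature over an outstanding nonce from an enrolled device. The
// nonce is consumed on first use, so a captured (nonce, signature) pair fails when replayed.
func (r *Registry) Authenticate(deviceID string, nonce, sig []byte) error {
	pub, ok := r.keys[deviceID]
	if !ok {
		return errors.New("unknown or revoked device")
	}
	key := hex.EncodeToString(nonce)
	if !r.issued[key] {
		return errors.New("nonce not outstanding: replayed or forged")
	}
	delete(r.issued, key) // single use, consumed even if the signature turns out bad
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}
```

A captured password or token would replay unchanged against the account; here a captured nonce and signature is rejected on second use, and once Revoke has run even the device's own key no longer authenticates.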