
Clorox lawsuit says help-desk contractors handed over passwords in 2023 cyberattack

Editor's Note: Story updated 10:32 a.m. Eastern U.S. time with statement from Cognizant.

Cleaning product giant Clorox has filed a lawsuit against Cognizant, a company it hired to operate its IT services call-in help desk, accusing the contractor of being directly responsible for a 2023 cyberattack that cost hundreds of millions.

The case, filed on Tuesday in California Superior Court, alleges that contractors working for Clorox on behalf of Cognizant repeatedly handed over crucial login information that allowed hackers to breach the company’s systems and cause the disruption. Cognizant, which did not respond to requests for comment, is a large professional services company that helps companies introduce technology to business processes.

Clorox claimed Cognizant’s “failures and actions directly caused the August 2023 cyberattack and the significant disruptions” to the company’s business operations. 

Clorox said it suffered $380 million in damages from the attack and wants Cognizant to cover that figure as well as punitive damages. According to Clorox, its clearly defined password reset policies were repeatedly ignored by Cognizant help desk workers approached by the hackers. 

“Clorox entrusted Cognizant with the critical responsibility of safeguarding Clorox’s corporate systems — and Cognizant failed miserably,” said Mary Rose Alexander, outside counsel for The Clorox Company. 

“Cognizant didn’t just drop the ball. They handed over the keys to Clorox’s corporate network to a notorious cybercriminal group in reckless disregard for Clorox’s policies and long-established cybersecurity standards. It’s all captured on call recordings, and it’s indefensible.”

A spokesperson for Cognizant placed the blame on Clorox, telling Recorded Future News it was “shocking that a corporation the size of Clorox had such an inept internal cybersecurity system to mitigate this attack.”

“Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed,” the spokesperson said. “Cognizant did not manage cybersecurity for Clorox.”

In court documents, Clorox produces transcripts of phone calls between the hackers and the help desk — allegedly illustrating that the cybercriminals called more than once to ask for multiple passwords to be reset and never had to identify themselves or prove they worked for Clorox. 

In August 2023, Clorox was forced to take systems offline after a cyberattack and told federal regulators that the attack had disrupted business operations, forcing the company to implement workarounds to continue providing its products to customers.

The company reported months of operational issues and said the attack damaged portions of its IT infrastructure, causing “widescale disruption.” Clorox — which earns billions through its namesake cleaning product and several others like Pine-Sol, Burt’s Bees and more — had to revert to manual ordering and processing procedures after the attack.

The company could not process orders fast enough and its products were increasingly unavailable in stores, it said at the time.

In the six months after the attack, the company reported 6% lower sales volume due to a decrease in shipments. The company also had to hire consulting services, IT recovery firms, forensic experts and others to investigate and remediate the attack. Clorox claims it spent $49 million to fix the damage caused by the cyberattack and lost hundreds of millions of dollars in business. 

The company said in its most recent earnings report that it recently received insurance recoveries of $100 million related to the cyberattack.

Social engineering, step by step

Court documents filed by Clorox paint a damning picture of Cognizant employees, who had been running Clorox’s help desk for over a decade. The lawsuit also describes the kinds of social engineering tactics that experts say cybercriminals are increasingly using to gain access to systems. 

Clorox employees typically contacted Cognizant’s service desk when they needed to recover their password or reset devices attached to specific accounts, court documents said. 

Clorox said it provided Cognizant with guidance saying never to reset anyone’s credentials without properly verifying their identity first. But on August 11, 2023, cybercriminals called and asked for credentials to access Clorox’s network, and “Cognizant handed the credentials right over.”

“Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal — no authentication questions asked,” lawyers for Clorox claimed. “The cybercriminal then used those credentials, and others obtained that same day through similar calls to the Service Desk, to attack Clorox. The resulting cyberattack was debilitating. It paralyzed Clorox’s corporate network and crippled business operations.”

Clorox said its internal Service Desk manager held weekly meetings with the managers of the Cognizant team staffed on the service desk on rules, regulations and any potential updates. 

By January 2023, Clorox updated its guidelines, ordering help desk workers to use the company’s verification and self-reset password tool called MyID, the lawsuit said. If MyID was unavailable, employees were supposed to be asked to provide their manager’s name and account username. 

The hackers had requested a password reset for an employee’s Okta account, the lawsuit said. The service desk worker asked the threat actor to connect to Clorox’s virtual private network, but the hacker responded that they did not have their password for that either.

The service desk official agreed to reset both passwords “without any further questioning or identity verification, in direct violation of Clorox’s credential support procedures,” court documents said. 

The cybercriminal then told the service desk that their Microsoft multi-factor authentication was not working — something Clorox believes should have been a red flag. The agent simply reset the multi-factor authentication without identifying the caller. 

On the same day, the cybercriminal called the service desk again, asking for the same Microsoft MFA to be reset a second time, a request granted without any verification. In a third call that day, the cybercriminal asked for their Okta credentials to be reset a second time. The service desk agent again did this without verifying the person’s identity. 

The cybercriminal asked the service desk to then change the phone number associated with the employee's account for MFA through SMS text, yet another request granted by the agent. 

“At no point during any of the calls did the Agent verify that the caller was in fact Employee 1. At no point did the Agent follow Clorox’s credential support procedures — either the pre-2023 procedure or the January 2023 update — before changing the password for the cybercriminal,” the company’s lawyers said. 

“The Agent further reset Employee 1’s MFA credentials multiple times without any identity verification at all. And at no point did the Agent send the required emails to the employee or the employee’s manager to alert them of the password reset.”

The cybercriminal allegedly used the password resets to log into the network and gather information on Clorox, allowing them to then pivot to another employee who worked in IT security. 

The cybercriminal used the same tactics again, Clorox said, calling the service desk twice to get Okta MFA and Microsoft MFA passwords changed another time. 

That account gave the hacker privileged access to the Clorox network, the company said. Clorox claimed it discovered the intrusion after three hours and tried to contain it but was forced to effectively take all systems offline, pause manufacturing processes and rely on manual order processing. 

Significant parts of the lawsuit are redacted and Clorox never confirms whether it dealt with a ransomware attack. No cybercriminal operation has taken credit for the incident. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.