When you think about Clorox, what comes to mind? Cleanliness. Sterility. Trust. The last thing you’d expect is a cybersecurity scandal with a help desk allegedly handing out employee passwords to cybercriminals like candy on Halloween.
But here we are.
In a jaw-dropping development that should have every CIO and CISO in America re-reading their MSP contracts, Clorox has filed a lawsuit against Cognizant, one of the world’s largest IT services providers, accusing it of handing attackers the keys to the kingdom. According to a Reuters report, Clorox alleges that Cognizant’s IT help desk handed out passwords to hackers posing as employees, resulting in a major breach that disrupted the company for weeks and cost it hundreds of millions of dollars.
Let that sink in for a moment: The help desk gave away employee credentials to attackers. Not through a zero-day exploit. Not via a high-end phishing campaign or some sophisticated APT actor. They just… gave them out, because someone called and asked. Crazy, huh? I think so too.
The timeline is particularly damning. In August 2023, Clorox experienced a cyberattack that disrupted operations across its supply chain. The company struggled for weeks to recover, with some systems still not fully restored months later. In its financial disclosures, Clorox reported a staggering $356 million impact on earnings directly tied to the cyber incident.
Now, we know why — or at least, Clorox thinks it knows.
Their lawsuit, filed in federal court in California, alleges that Cognizant’s personnel were grossly negligent in verifying identity before resetting passwords. Worse, Clorox claims this wasn’t a one-time flub. They allege multiple instances where help desk agents gave away credentials without following basic security protocols, including not verifying who was calling, not escalating the request, and not logging these critical actions properly.
Cognizant, for its part, has denied wrongdoing and says it will fight the allegations vigorously. And let’s be clear: These are just allegations. We’re not in the courtroom. We don’t have subpoena power. We’ll wait and see how the legal battle unfolds.
But even if Clorox is only half right, the implications are enormous.
This isn’t just about Clorox and Cognizant. This is about the fragility of trust in IT outsourcing. It’s about the weakest link in the security chain — not the technology, but the human behind the keyboard or the headset.
Unfortunately, this is not an isolated incident. I was recently made aware of a case — names redacted to protect the embarrassed — where a company’s accounts payable department wired close to $1 million to cybercriminals, all because someone didn’t properly verify “new” bank account details sent in a spoofed email.
These kinds of social engineering attacks aren’t new. What is new is the scale, speed and realism with which they’re now executed, thanks to advancements in AI. Deepfakes, voice cloning, real-time manipulation of video and audio — all these things are being used to weaponize trust.
As Sam Altman recently warned, voice authentication — long considered a futuristic security enhancement — may already be obsolete. AI voice cloning is too easy, too accessible, and too good. If your bank or your company is relying on “voiceprint” alone to authenticate users, you might as well leave the front door wide open.
First and foremost, we need to re-establish the baseline of verification. That means multi-factor authentication, and not the kind that gets turned off “just for convenience.” It also means remembering that MFA is only as strong as the reset and re-enrollment path behind it: if a help desk agent can reset a password or re-enroll a second factor on the strength of a phone call, the attacker simply makes the phone call. That calls for clear policies and strict controls on how password resets, factor re-enrollment and sensitive transactions are handled: verify the caller through a channel on record, not one the caller supplies; escalate requests for privileged accounts; and log every reset so it can be reviewed. It also means regular training, simulations and red teaming, especially for help desks, finance teams and other high-risk human entry points.
Second, it’s time to re-evaluate your third-party risk posture. Outsourcing IT services doesn’t mean outsourcing responsibility. Companies must ensure their providers follow the same — or stronger — controls as their internal teams. If your MSP isn’t regularly audited, hasn’t updated their protocols, or can’t tell you how they verify user identity on a reset call, you’ve got a problem.
Third, let’s stop pretending that “common sense” is enough in cybersecurity. These days, it’s not about intelligence. It’s about discipline and design. Smart people fall for smart scams. That’s why the process must do the thinking. Follow the playbook. Build guardrails. Assume nothing.
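The three failure modes the lawsuit describes (no verification of the caller, no escalation, no logging) map directly onto controls a help desk workflow can enforce in code rather than leaving to an agent's judgement. The following is an added illustration, not Clorox's or Cognizant's process, of a reset gate that challenges the contact method on record instead of trusting facts the caller recites, escalates privileged accounts to a second approver, and writes an audit entry for every decision. The directory, the employee IDs, the `privileged` flag, the SMS outbox and the audit list are constructed stand-ins for real services; `legacy_reset` shows the weak knowledge-based pattern for contrast.

```python
"""Policy gate for help-desk password resets.

Added example, not Clorox's or Cognizant's process. The directory, the
`privileged` flag, the SMS outbox and the audit sink are constructed
stand-ins for real services.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hmac
import secrets


@dataclass
class Account:
    username: str
    employee_id: str
    phone_on_record: str        # held in the directory, never taken from the caller
    privileged: bool = False    # admin, finance, exec accounts need a second approver


@dataclass
class ResetRequest:
    username: str
    employee_id_stated: str = ""    # what the caller says; attackers learn this from OSINT
    otp_entered: str = ""
    approver: str = ""              # second person who signed off a privileged reset
    ticket: str = ""


def legacy_reset(directory, req):
    """The weak pattern: anyone who can recite a username and employee ID gets a reset.
    Nothing here proves the caller controls anything the real employee controls."""
    acct = directory.get(req.username)
    return acct is not None and acct.employee_id == req.employee_id_stated


class ResetGate:
    """Hardened flow: out-of-band challenge, escalation for privileged accounts, audit log."""

    def __init__(self, directory):
        self.directory = directory
        self.outbox = []            # stand-in for the SMS/push gateway: (destination, otp)
        self.audit = []             # stand-in for an append-only audit sink
        self._pending = {}          # username -> OTP awaiting confirmation

    def _log(self, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        self.audit.append(entry)
        return entry

    def start(self, req):
        """Issue a one-time code to the contact on record. The caller's stated
        employee ID or callback number is never used as proof of identity."""
        acct = self.directory.get(req.username)
        if acct is None:
            self._log(event="reset_denied", user=req.username, reason="unknown_user", ticket=req.ticket)
            return "DENIED"
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[req.username] = otp
        self.outbox.append((acct.phone_on_record, otp))
        self._log(event="otp_sent", user=req.username, to=acct.phone_on_record, ticket=req.ticket)
        return "CHALLENGED"

    def complete(self, req):
        """Decide the reset. The OTP is single use: a wrong guess or an escalation
        consumes it, so a privileged reset needs a fresh challenge once approval is attached."""
        acct = self.directory.get(req.username)
        expected = self._pending.pop(req.username, None)
        if acct is None or expected is None:
            self._log(event="reset_denied", user=req.username, reason="no_challenge", ticket=req.ticket)
            return "DENIED"
        if not hmac.compare_digest(expected.encode(), req.otp_entered.encode()):
            self._log(event="reset_denied", user=req.username, reason="bad_otp", ticket=req.ticket)
            return "DENIED"
        if acct.privileged and not req.approver:
            # Proof of possession alone is not enough for high-value accounts.
            self._log(event="reset_escalated", user=req.username, ticket=req.ticket)
            return "ESCALATED"
        self._log(event="reset_approved", user=req.username,
                  approver=req.approver or None, ticket=req.ticket)
        return "APPROVED"


def demo():
    """Walk both paths on a constructed directory and return the gate for inspection."""
    directory = {
        "jdoe": Account("jdoe", "E1234", "+15550100"),
        "admin.kt": Account("admin.kt", "E0009", "+15550199", privileged=True),
    }
    gate = ResetGate(directory)
    gate.start(ResetRequest("jdoe", ticket="T1"))
    gate.complete(ResetRequest("jdoe", otp_entered=gate.outbox[-1][1], ticket="T1"))
    gate.start(ResetRequest("admin.kt", ticket="T2"))
    gate.complete(ResetRequest("admin.kt", otp_entered=gate.outbox[-1][1], ticket="T2"))
    return gate


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The point of the design is that the agent never decides whether the caller "sounds right": the only inputs that matter are possession of a code delivered to a channel the directory already holds, and, for privileged accounts, a second human on the ticket. Every outcome, including denials, lands in the audit list so an investigator can later see which resets were attempted and by whom.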
Clorox’s brand is built around cleanliness and safety. This incident cuts to the core of their identity. But they’re not alone. This could happen to anyone. And if the allegations prove true, Clorox won’t just be setting a legal precedent — they’ll be sending a message to every vendor in the supply chain: You own your part of the security stack, or we’ll see you in court.
So maybe this lawsuit is the bleach we all need to disinfect some of the rot in the system.
Because at the end of the day, cybersecurity isn’t just a tech problem — it’s a trust problem. And as we’ve seen here, when that trust is breached, the consequences can be catastrophic.
Stay safe. Stay skeptical. And if your help desk is giving out passwords without checking IDs, maybe it’s time to clean house — before the lawyers show up.