Zero Day Logs Thu, 11 Jun 2026 20:17:45 -0400 https://www.zerodaylogs.com en-us © 2026 Zero Day Logs yes 8c7ba2d0-c8d0-5c02-af95-6b9e38756f34 ZDL episodic false Welcome to Zero Day Logs, the podcast that dissects the most consequential cybersecurity breaches of our time. We go beyond the headlines to reconstruct exactly how the world's most heavily defended networks are actually dismantled—focusing not just on the technical exploits, but the structural flaws, human errors, and critical executive decisions that determine who survives and who pays.


From billion-dollar hospitality empires brought to a standstill by a single, well-researched phone call to an IT help desk , to global identity gatekeepers compromised by contractor laptops and standard diagnostic files, each episode maps the attack path step-by-step. We break down the underlying enterprise architecture—explaining concepts like multi-factor authentication, federated identity, and zero-trust frameworks—so you understand the mechanics of the collapse.


Whether you are a security professional defending a network, or simply someone trying to understand how the digital infrastructure we all depend on actually fails, Zero Day Logs provides the unvarnished autopsy. We explore the uncomfortable reality of modern digital defense: that the weakest link is rarely a piece of software, but the human processes and vendor relationships where trust is extended and verification is skipped.


Find full technical breakdowns, attack timelines, and defensive configurations for every episode at zerodaylogs.com.

]]> Buzzsprout (https://www.buzzsprout.com) cybersecurity, data breach, hacking, SolarWinds, social engineering, zero trust, incident response, APT, nation-state, true crime, infosec, enterprise security ZDL https://storage.buzzsprout.com/v2d0j3b0yl3cottktsnalqvdec1v?.jpg Zero Day Logs https://www.zerodaylogs.com Yahoo: 3 Billion Accounts, Four Years Hidden Yahoo: 3 Billion Accounts, Four Years Hidden Three billion user accounts. Two separate breaches. Four FSB-directed operatives. And nearly two years of silence between what Yahoo's security team knew and what the public was told.

This episode traces the full operation from the spear phishing campaign that opened the door, through the forged authentication cookies that bypassed every login screen, to the SEC enforcement action that established a new category of regulatory risk: the failure to disclose a known breach.

Chapters:
0:00 — 3 Billion
1:47 — The Spear Phishing Campaign
3:26 — Inside Yahoo's Network
5:39 — The Stolen Database
7:28 — The Account Management Tool
9:14 — The Hybrid Model: State + Criminal
11:03 — The Silence
13:23 — The Disclosures
15:23 — The SEC Enforcement
17:14 — The Indictment
17:58 — Aftermath
18:20 — The Pattern

Sources: DOJ indictment (United States v. Dokuchaev et al.), SEC enforcement order (Altaba Inc.), Yahoo SEC filings, Verizon acquisition disclosures.

Full technical breakdown and free PDF summary at zerodaylogs.com.

]]> Three billion user accounts. Two separate breaches. Four FSB-directed operatives. And nearly two years of silence between what Yahoo's security team knew and what the public was told.

This episode traces the full operation from the spear phishing campaign that opened the door, through the forged authentication cookies that bypassed every login screen, to the SEC enforcement action that established a new category of regulatory risk: the failure to disclose a known breach.

Chapters:
0:00 — 3 Billion
1:47 — The Spear Phishing Campaign
3:26 — Inside Yahoo's Network
5:39 — The Stolen Database
7:28 — The Account Management Tool
9:14 — The Hybrid Model: State + Criminal
11:03 — The Silence
13:23 — The Disclosures
15:23 — The SEC Enforcement
17:14 — The Indictment
17:58 — Aftermath
18:20 — The Pattern

Sources: DOJ indictment (United States v. Dokuchaev et al.), SEC enforcement order (Altaba Inc.), Yahoo SEC filings, Verizon acquisition disclosures.

Full technical breakdown and free PDF summary at zerodaylogs.com.

]]> ZDL Buzzsprout-19300326 Fri, 05 Jun 2026 12:00:00 -0400 1210 1 8 full false Colonial Pipeline: From Legacy VPN to Bitcoin Seizure — The Complete Breakdown Colonial Pipeline: From Legacy VPN to Bitcoin Seizure — The Complete Breakdown One leaked password. No multi-factor authentication. Nine days undetected.

In May 2021, a compromised VPN credential — found on the dark web, tied to a former employee's account, protected by nothing more than a single password — gave DarkSide ransomware operators access to Colonial Pipeline's IT network. What followed: 100 gigabytes of stolen data, encrypted systems, a $4.4 million Bitcoin ransom, a six-day shutdown of 5,500 miles of fuel infrastructure, and a DOJ operation that clawed back 63.7 of the 75 Bitcoin using a method that remains partially redacted from the public record.

This episode traces the complete chain: the entry vector, the nine-day dwell time, the franchise model behind DarkSide, the IT/OT boundary decision that shut down physically intact infrastructure, the ransom payment calculus, and the regulatory reckoning that followed.

Primary sources: Senate testimony, CISA advisory, FBI seizure affidavit, GAO report.

Free PDF breakdown: https://zerodaylogs.com


00:00 — The Escalation
01:30 — Introduction
01:35 — What Is a VPN?
02:39 — The Forgotten Door
03:34 — One Password, No Second Factor
04:40 — DarkSide: Ransomware-as-a-Service
05:39 — Anatomy of the Attack
07:29 — 100 Gigabytes Out the Door
08:34 — Two Buildings, One Boundary
11:12 — Seventy Minutes
11:44 — The Shutdown Decision
13:08 — The $4.4 Million Question
14:02 — The Vault
15:10 — The DOJ Strikes Back
15:54 — Three Missing Controls
17:55 — Eleven Years Without an Update
18:21 — The Aftermath

]]> One leaked password. No multi-factor authentication. Nine days undetected.

In May 2021, a compromised VPN credential — found on the dark web, tied to a former employee's account, protected by nothing more than a single password — gave DarkSide ransomware operators access to Colonial Pipeline's IT network. What followed: 100 gigabytes of stolen data, encrypted systems, a $4.4 million Bitcoin ransom, a six-day shutdown of 5,500 miles of fuel infrastructure, and a DOJ operation that clawed back 63.7 of the 75 Bitcoin using a method that remains partially redacted from the public record.

This episode traces the complete chain: the entry vector, the nine-day dwell time, the franchise model behind DarkSide, the IT/OT boundary decision that shut down physically intact infrastructure, the ransom payment calculus, and the regulatory reckoning that followed.

Primary sources: Senate testimony, CISA advisory, FBI seizure affidavit, GAO report.

Free PDF breakdown: https://zerodaylogs.com


00:00 — The Escalation
01:30 — Introduction
01:35 — What Is a VPN?
02:39 — The Forgotten Door
03:34 — One Password, No Second Factor
04:40 — DarkSide: Ransomware-as-a-Service
05:39 — Anatomy of the Attack
07:29 — 100 Gigabytes Out the Door
08:34 — Two Buildings, One Boundary
11:12 — Seventy Minutes
11:44 — The Shutdown Decision
13:08 — The $4.4 Million Question
14:02 — The Vault
15:10 — The DOJ Strikes Back
15:54 — Three Missing Controls
17:55 — Eleven Years Without an Update
18:21 — The Aftermath

]]> ZDL Buzzsprout-19252040 Fri, 29 May 2026 05:00:00 -0400 1217 1 7 full false Target — Certified Compliant, Breached Eight Weeks Later Target — Certified Compliant, Breached Eight Weeks Later On September 20, 2013, Target Corporation was certified compliant with the Payment Card Industry Data Security Standard. Eight weeks later, malware was running on nearly every cash register in the company's 1,793 stores.

This episode traces the full attack path — from a stolen HVAC contractor password to 40 million compromised payment cards — and examines why every control that could have stopped the breach already existed in published security guidance years before it happened.

We cover: the Fazio Mechanical entry point, the network segmentation gap, how BlackPOS exploited the moment card data exists as plaintext in RAM, why FireEye's alerts went unacknowledged for 12 days, the exfiltration architecture that moved stolen data through three countries during peak shopping hours, and the compliance paradox at the center of it all.

Full technical breakdown: zerodaylogs.com

Primary sources: U.S. Senate Commerce Committee "Kill Chain" analysis, Target SEC filings, multistate AG settlement, NIST and PCI-DSS standards.

]]> On September 20, 2013, Target Corporation was certified compliant with the Payment Card Industry Data Security Standard. Eight weeks later, malware was running on nearly every cash register in the company's 1,793 stores.

This episode traces the full attack path — from a stolen HVAC contractor password to 40 million compromised payment cards — and examines why every control that could have stopped the breach already existed in published security guidance years before it happened.

We cover: the Fazio Mechanical entry point, the network segmentation gap, how BlackPOS exploited the moment card data exists as plaintext in RAM, why FireEye's alerts went unacknowledged for 12 days, the exfiltration architecture that moved stolen data through three countries during peak shopping hours, and the compliance paradox at the center of it all.

Full technical breakdown: zerodaylogs.com

Primary sources: U.S. Senate Commerce Committee "Kill Chain" analysis, Target SEC filings, multistate AG settlement, NIST and PCI-DSS standards.

]]> ZDL Buzzsprout-19198088 Fri, 22 May 2026 05:00:00 -0400 1642 1 6 full false How Equifax Lost 147 Million Social Security Numbers How Equifax Lost 147 Million Social Security Numbers A critical vulnerability was disclosed. A patch was released the same day. Equifax was warned directly. The patch was never applied. Two months later, attackers walked through the door — and spent seventy-six days inside a system holding 147 million Social Security numbers. Episode 5 covers the full 2017 Equifax breach — the Apache Struts vulnerability, the scanner that missed, the certificate that was blind for over a year, the breach response that made everything worse, and the PLA indictment that revealed what the stolen data was really for. 

0:00 — Introduction
0:42 — What Is Equifax
1:17 — The Data You Never Chose to Give
1:42 — Growth vs. Security
2:05 — ACIS: A 1970s System on the Public Internet
2:25 — CVE-2017-5638: The OGNL Injection
4:19 — The Missed Scan
5:37 — The Honour System
6:16 — CEO vs. Committee
6:37 — May 13th: The Door Opens
7:13 — No Walls: Lateral Movement
8:20 — The Harvest: 147 Million Records
9:31 — The Expired Certificate
10:45 — Found by Accident
11:09 — The Response Timeline
12:35 — The Response That Made Everything Worse
13:52 — Insider Trading
14:28 — Executive Departures
14:52 — The Settlement
15:34 — PLA Attribution
16:23 — The Intelligence Mosaic
17:05 — Entirely Preventable
17:47 — Closing

Full technical breakdown: zerodaylogs.com

]]> A critical vulnerability was disclosed. A patch was released the same day. Equifax was warned directly. The patch was never applied. Two months later, attackers walked through the door — and spent seventy-six days inside a system holding 147 million Social Security numbers. Episode 5 covers the full 2017 Equifax breach — the Apache Struts vulnerability, the scanner that missed, the certificate that was blind for over a year, the breach response that made everything worse, and the PLA indictment that revealed what the stolen data was really for. 

0:00 — Introduction
0:42 — What Is Equifax
1:17 — The Data You Never Chose to Give
1:42 — Growth vs. Security
2:05 — ACIS: A 1970s System on the Public Internet
2:25 — CVE-2017-5638: The OGNL Injection
4:19 — The Missed Scan
5:37 — The Honour System
6:16 — CEO vs. Committee
6:37 — May 13th: The Door Opens
7:13 — No Walls: Lateral Movement
8:20 — The Harvest: 147 Million Records
9:31 — The Expired Certificate
10:45 — Found by Accident
11:09 — The Response Timeline
12:35 — The Response That Made Everything Worse
13:52 — Insider Trading
14:28 — Executive Departures
14:52 — The Settlement
15:34 — PLA Attribution
16:23 — The Intelligence Mosaic
17:05 — Entirely Preventable
17:47 — Closing

Full technical breakdown: zerodaylogs.com

]]> ZDL Buzzsprout-19174054 Fri, 15 May 2026 05:00:00 -0400 1103 1 5 full false The Twitter/X Breach — July 2020 The Twitter/X Breach — July 2020 On July 15, 2020, the verified Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and Uber were hijacked simultaneously. Every account posted the same Bitcoin scam. The attacker was a 17-year-old in Tampa, Florida.

This episode reconstructs how a series of phone calls defeated Twitter's multi-factor authentication through a real-time credential relay, how a single admin tool called Agent Tools gave unrestricted access to every account on the platform, and how the attack escalated from stealing OG usernames to hijacking the accounts of world leaders. The New York Department of Financial Services investigated and found five specific security controls that would have prevented the breach — all of which existed, were documented, and were available. None were deployed.

Based on the NY DFS Report (October 14, 2020), United States v. Graham Ivan Clark, and Twitter's own incident disclosures.

 📄 Free technical breakdown PDF: zerodaylogs.com

0:00 — Introduction
0:50 — The Phone Call
2:33 — Real-Time Credential Relay
3:59 — Why MFA Failed
6:04 — Agent Tools: The God Mode Panel
7:06 — Inside the Admin System
9:23 — Three Phases of the Attack
12:22 — The Cascade: World Leaders Hijacked
14:34 — Twitter Breaks Its Own Platform
17:02 — The Damage Report
17:47 — The Deeper Harm: Private Messages
19:23 — Tracing the Attackers
21:44 — Arrests and Sentencing
24:38 — No CISO
25:16 — Five Missing Controls
28:44 — Why Security Controls Go Undeployed
29:01 — Should Platforms Be Stress Tested?
30:30 — What Twitter Changed After the Breach
31:39 — The Pattern Repeats: MGM 2023
32:33 — The Question That Remains

 #cybersecurity #twitter #databreach #infosec #zerodaylogs 

]]> On July 15, 2020, the verified Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and Uber were hijacked simultaneously. Every account posted the same Bitcoin scam. The attacker was a 17-year-old in Tampa, Florida.

This episode reconstructs how a series of phone calls defeated Twitter's multi-factor authentication through a real-time credential relay, how a single admin tool called Agent Tools gave unrestricted access to every account on the platform, and how the attack escalated from stealing OG usernames to hijacking the accounts of world leaders. The New York Department of Financial Services investigated and found five specific security controls that would have prevented the breach — all of which existed, were documented, and were available. None were deployed.

Based on the NY DFS Report (October 14, 2020), United States v. Graham Ivan Clark, and Twitter's own incident disclosures.

 📄 Free technical breakdown PDF: zerodaylogs.com

0:00 — Introduction
0:50 — The Phone Call
2:33 — Real-Time Credential Relay
3:59 — Why MFA Failed
6:04 — Agent Tools: The God Mode Panel
7:06 — Inside the Admin System
9:23 — Three Phases of the Attack
12:22 — The Cascade: World Leaders Hijacked
14:34 — Twitter Breaks Its Own Platform
17:02 — The Damage Report
17:47 — The Deeper Harm: Private Messages
19:23 — Tracing the Attackers
21:44 — Arrests and Sentencing
24:38 — No CISO
25:16 — Five Missing Controls
28:44 — Why Security Controls Go Undeployed
29:01 — Should Platforms Be Stress Tested?
30:30 — What Twitter Changed After the Breach
31:39 — The Pattern Repeats: MGM 2023
32:33 — The Question That Remains

 #cybersecurity #twitter #databreach #infosec #zerodaylogs 

]]> ZDL Buzzsprout-19138271 Tue, 12 May 2026 05:00:00 -0400 2039 1 4 full false SolarWinds: The Update That Wasn't SolarWinds: The Update That Wasn't In the spring of 2020, up to 18,000 organizations installed a software update from a trusted vendor. It was signed. It was verified. Every security check said it was clean. Every one of those checks was correct. What they couldn't verify was what was inside the package before the seal was applied.

This is the full story of SUNBURST — how Russia's SVR compromised SolarWinds' build pipeline, turned a routine software update into a backdoor, and spent nine months reading emails inside the U.S. Treasury, the Department of Homeland Security, the State Department, and dozens of Fortune 500 companies. How FireEye discovered it by investigating their own breach, burned their own toolkit to stop it, and exposed one of the largest intelligence operations in history — in a single day.

Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

____________________

CHAPTERS
00:00 Cold Open — In 2020, They Were Invited
00:41 The Routine Update
01:14 18,000 Organizations
02:07 What Orion Could See
03:58 Inside the Treasury
05:46 Why Every Security Scan Passed
09:16 The Build Pipeline
10:10 Code Signing: The Wax Seal
11:31 The Printing Press Analogy
12:16 Inside the Build Pipeline
14:51 Sunburst Activates
16:52 The DNS Covert Channel
19:36 100 Out of 18,000
19:57 Hands-On Access
25:54 Nine Months of Access
28:03 FireEye's Response
28:44 Pulling the Thread
29:53 December 13, 2020
34:09 Attribution and Sanctions
36:53 The solarwinds123 Password
39:18 The Three Missing Controls
42:32 Defense in Depth
43:08 The Cost of Remediation
48:49 Trust and Verification
54:24 Technical Breakdown + Resources
54:41 Next on Zero Day Logs















]]> In the spring of 2020, up to 18,000 organizations installed a software update from a trusted vendor. It was signed. It was verified. Every security check said it was clean. Every one of those checks was correct. What they couldn't verify was what was inside the package before the seal was applied.

This is the full story of SUNBURST — how Russia's SVR compromised SolarWinds' build pipeline, turned a routine software update into a backdoor, and spent nine months reading emails inside the U.S. Treasury, the Department of Homeland Security, the State Department, and dozens of Fortune 500 companies. How FireEye discovered it by investigating their own breach, burned their own toolkit to stop it, and exposed one of the largest intelligence operations in history — in a single day.

Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

____________________

CHAPTERS
00:00 Cold Open — In 2020, They Were Invited
00:41 The Routine Update
01:14 18,000 Organizations
02:07 What Orion Could See
03:58 Inside the Treasury
05:46 Why Every Security Scan Passed
09:16 The Build Pipeline
10:10 Code Signing: The Wax Seal
11:31 The Printing Press Analogy
12:16 Inside the Build Pipeline
14:51 Sunburst Activates
16:52 The DNS Covert Channel
19:36 100 Out of 18,000
19:57 Hands-On Access
25:54 Nine Months of Access
28:03 FireEye's Response
28:44 Pulling the Thread
29:53 December 13, 2020
34:09 Attribution and Sanctions
36:53 The solarwinds123 Password
39:18 The Three Missing Controls
42:32 Defense in Depth
43:08 The Cost of Remediation
48:49 Trust and Verification
54:24 Technical Breakdown + Resources
54:41 Next on Zero Day Logs















]]> ZDL Buzzsprout-19100802 Tue, 05 May 2026 05:00:00 -0400 3324 1 3 full false The Support Ticket That Opened Every Door The Support Ticket That Opened Every Door In 2022, a teenager posted screenshots from inside the company that controls the login page for 18,000 organisations — not by breaking through a firewall, but through a contractor's compromised laptop. Twenty months later, it happened again. This time through a diagnostic file uploaded to a support ticket.

This is the full story of both Okta breaches — how a contractor's laptop, a credential saved to a personal Google account via Chrome's password sync, and a file format most people have never heard of gave attackers a window into Cloudflare, 1Password, BeyondTrust, and thousands of others. And how one company was told something was wrong — and stayed silent for 18 days.

Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

____________________________

CHAPTERS

00:00 Cold Open — Screenshots on Telegram
03:52 The Invisible Gatekeeper
06:07 Lapsus$ — Not a Nation State
07:52 What Actually Happened in 2022
08:03 How Authentication Actually Works
11:43 The Contractor's Laptop
19:53 Twenty Months Later
23:13 The 2023 Breach
24:17 The HAR File — A Flight Data Recorder
25:03 Session Cookies and Stolen Wristbands
27:55 The November 29th Disclosure
30:03 Cloudflare, 1Password, BeyondTrust
34:15 The Supply Chain Problem
36:38 Zero Trust and Assume Breach
40:31 Eighteen Days of Silence
41:43 The Three Missing Controls
43:23 The Credential That Left the Building
47:06 What Changed After
48:20 The Chain of Trust
53:09 Outro
53:35 Next: SolarWinds

____________________________

SOURCES & FURTHER READING

- Okta Security Advisory — October 2023
- Okta Expanded Disclosure — November 29, 2023
- Okta Security Advisory — March 2022
- Cloudflare blog: "How Cloudflare mitigated yet another Okta compromise"
- 1Password Security Incident Report (2023)
- BeyondTrust Incident Disclosure (2023)
- CISA Identity Security Guidance
- Lapsus$ public reporting / Arion Kurtaj UK conviction (2023)

]]> In 2022, a teenager posted screenshots from inside the company that controls the login page for 18,000 organisations — not by breaking through a firewall, but through a contractor's compromised laptop. Twenty months later, it happened again. This time through a diagnostic file uploaded to a support ticket.

This is the full story of both Okta breaches — how a contractor's laptop, a credential saved to a personal Google account via Chrome's password sync, and a file format most people have never heard of gave attackers a window into Cloudflare, 1Password, BeyondTrust, and thousands of others. And how one company was told something was wrong — and stayed silent for 18 days.

Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

____________________________

CHAPTERS

00:00 Cold Open — Screenshots on Telegram
03:52 The Invisible Gatekeeper
06:07 Lapsus$ — Not a Nation State
07:52 What Actually Happened in 2022
08:03 How Authentication Actually Works
11:43 The Contractor's Laptop
19:53 Twenty Months Later
23:13 The 2023 Breach
24:17 The HAR File — A Flight Data Recorder
25:03 Session Cookies and Stolen Wristbands
27:55 The November 29th Disclosure
30:03 Cloudflare, 1Password, BeyondTrust
34:15 The Supply Chain Problem
36:38 Zero Trust and Assume Breach
40:31 Eighteen Days of Silence
41:43 The Three Missing Controls
43:23 The Credential That Left the Building
47:06 What Changed After
48:20 The Chain of Trust
53:09 Outro
53:35 Next: SolarWinds

____________________________

SOURCES & FURTHER READING

- Okta Security Advisory — October 2023
- Okta Expanded Disclosure — November 29, 2023
- Okta Security Advisory — March 2022
- Cloudflare blog: "How Cloudflare mitigated yet another Okta compromise"
- 1Password Security Incident Report (2023)
- BeyondTrust Incident Disclosure (2023)
- CISA Identity Security Guidance
- Lapsus$ public reporting / Arion Kurtaj UK conviction (2023)

]]> ZDL Buzzsprout-19031830 Tue, 28 Apr 2026 05:00:00 -0400 3271 1 2 full false How One Phone Call Cost MGM $100 Million How One Phone Call Cost MGM $100 Million In September 2023, one of the largest casino and hospitality companies on Earth was brought to a standstill — not by malware, not by a state-sponsored strike, but by a single phone call to an IT help desk.

This is the full story of how Scattered Spider exploited the gap between trust and verification — from a LinkedIn search to a rogue Identity Provider inside MGM's Azure AD tenant — and how a $100M containment decision brought the casino floor dark.

Zero Day Logs is an investigative audio documentary built entirely from the public record: SEC filings, court documents, government advisories, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CHAPTERS 

00:00 Cold Open — Las Vegas Goes Dark 

00:19 The Casino Floor Stops 

01:38 The Help Desk: Where It All Started 

03:42 OSINT — They Opened LinkedIn 

04:43 Vishing: The Phone Call 

05:47 Inside Okta — The MFA Reset 

06:12 How Multi-Factor Authentication Works 

09:49 Lateral Movement — Mapping the Network 

11:53 Federated Identity Explained 

16:10 SAML Assertion Forgery 

18:25 The ESXi Architecture 

20:08 MGM Pulls the Plug 

20:48 What One MFA Reset Actually Cost

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SOURCES & FURTHER READING

  • Okta Security Advisory (2023)
  • CISA Advisory AA23-320A
  • MGM SEC 8-K filing, September 2023
  • Microsoft DART case study
]]> In September 2023, one of the largest casino and hospitality companies on Earth was brought to a standstill — not by malware, not by a state-sponsored strike, but by a single phone call to an IT help desk.

This is the full story of how Scattered Spider exploited the gap between trust and verification — from a LinkedIn search to a rogue Identity Provider inside MGM's Azure AD tenant — and how a $100M containment decision brought the casino floor dark.

Zero Day Logs is an investigative audio documentary built entirely from the public record: SEC filings, court documents, government advisories, and verified forensic findings. Every breach. One episode. Real consequences.

Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CHAPTERS 

00:00 Cold Open — Las Vegas Goes Dark 

00:19 The Casino Floor Stops 

01:38 The Help Desk: Where It All Started 

03:42 OSINT — They Opened LinkedIn 

04:43 Vishing: The Phone Call 

05:47 Inside Okta — The MFA Reset 

06:12 How Multi-Factor Authentication Works 

09:49 Lateral Movement — Mapping the Network 

11:53 Federated Identity Explained 

16:10 SAML Assertion Forgery 

18:25 The ESXi Architecture 

20:08 MGM Pulls the Plug 

20:48 What One MFA Reset Actually Cost

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SOURCES & FURTHER READING

  • Okta Security Advisory (2023)
  • CISA Advisory AA23-320A
  • MGM SEC 8-K filing, September 2023
  • Microsoft DART case study
]]> ZDL Buzzsprout-18994368 Tue, 21 Apr 2026 05:00:00 -0400 2367 1 1 full false