When Aflac, one of the largest insurance providers in the United States, disclosed a cybersecurity incident this June, the language felt almost routine: “suspicious activity,” “no ransomware,” and “investigation ongoing.” But what lurked beneath the surface was anything but normal. 

Just days later, security researchers uncovered a trove of 16 billion login credentials leaked online, including credentials for platforms like Google, Apple, Facebook, Telegram, and even government portals. This wasn’t just old data recycled from past breaches. Most of these credentials were freshly harvested, collected via infostealer malware that grabs usernames, passwords, cookies, and session tokens directly from infected user devices.

Together, these two events paint a clear picture of the broken state of authentication in today’s enterprises and the urgent need to fix it. 

What Went Wrong: The Aflac Breach

On June 12, 2025, Aflac detected unusual activity on its U.S. network. Within hours, the company said it had contained the incident. No ransomware, no encryption of systems; but that didn’t mean no damage. Early findings suggest the attackers gained access via social engineering, a tactic as old as email itself but still alarmingly effective.

Worse, the potentially exposed data includes claims records, health information, Social Security numbers, and other sensitive personal details tied to customers, beneficiaries, and employees. 

Despite having cyber protocols in place, Aflac, like many large organizations, still relied on legacy Multi-Factor Authentication (MFA) methods such as SMS codes and push-based app approvals. These methods are now easily bypassed with phishing kits and session replay malware, as attackers proved. 

The Bigger Picture: 16 Billion Passwords Leaked

The Aflac incident is just one node in a sprawling threat landscape. The leak of 16 billion credentials this month underscores that the issue is not localized; it’s systemic.

The passwords were stolen largely through infostealer malware installed on users’ personal or work devices. Once active, these programs silently extract: 

  • Saved browser passwords 
  • Auto-filled credentials 
  • Session tokens (allowing login without password) 
  • Cookies and browser history 

What makes this data gold to attackers is its freshness: it was collected and aggregated in the past year, not pulled from decade-old breaches. Anyone with access to these databases now holds the keys to millions of accounts, many tied to corporate systems and cloud apps.

The Common Thread: Legacy MFA is No Longer Enough

If there’s one thing both stories tell us, it’s this: Legacy MFA is failing. 

Whether through: 

  • Intercepted SMS codes 
  • Spoofed authenticator app prompts 
  • Credential phishing sites 
  • Session relays that forward login tokens in real-time 

Attackers are now bypassing the tools we once trusted to stop them. In fact, these tools have become predictable, and predictability is exploitable. 

Gartner already predicted that by 2025, more than 50% of enterprises would move to passwordless authentication. What’s now clear is that the need is no longer merely strategic; it’s urgent.

Why Passwordless Alone Isn’t the Answer

Going passwordless is a great move, but not all passwordless authentication methods are truly secure. 

  • Phishing Still Works 
    Users can still be tricked into logging into fake sites, even without a password. 
  • Compromised Devices = Compromised Access 
    If the phone or device running the authentication app is infected, attackers can bypass controls. 
  • Session Hijacking Risks 
    Malware can intercept active sessions, giving bad actors access even after login. 

In other words, not all passwordless is created equal. 

What Actually Works: Phishing-Resistant MFA

Here’s the good news: phishing-resistant, modern authentication already exists and enterprises like yours can implement it today. 

At AuthX, we build authentication systems that are designed to be: 

  • Resilient against phishing and malware 
  • Tied to a specific domain and application origin 
  • Bound to a user’s physical device and biometric identity 

Using standards like FIDO2 and technologies like device-bound public key cryptography, our platform ensures that: 

  • Credentials can’t be reused or exported. 
  • Every authentication is validated against the correct origin. 
  • Access requires not just a device, but a live fingerprint or biometric match. 

Even if an attacker manages to trick an employee into clicking a phishing link, the authentication process will fail because AuthX won’t sign a challenge for the wrong domain or without biometric validation. 

This isn’t just a security win. It’s a user experience improvement, too. No more remembering dozens of passwords. No more approving dubious push prompts under pressure. 

The Real Cost of Doing Nothing

Aflac may not have lost control of its systems, but the reputational and regulatory consequences are still unfolding. For other organizations, the cost could be far worse: 

  • Regulatory fines under HIPAA, GDPR, or CCPA 
    Non-compliance can trigger multi-million-dollar penalties and prolonged audits. These laws require strict identity and data protections. 
  • Loss of customer trust 
    Once data is compromised, customers often don’t return. Rebuilding confidence can take years if it happens at all. 
  • Operational downtime 
    Even short disruptions stall business, impact revenue, and paralyze internal teams scrambling to respond. 
  • Massive remediation costs 
    Breaches trigger emergency spending: legal, forensic, IT, and PR; all at once, often unbudgeted. 

And those are just the visible impacts. The longer an organization waits to upgrade its identity security, the more brittle its infrastructure becomes. Every outdated login method is a potential doorway. 

It's Time to Close the Doors

If you’re still using: 

  • Username + Password logins 
  • MFA via SMS or email 
  • Push-to-approve apps 

You are exposed. Period. 

Modern attackers aren’t breaking in; they’re walking through the front door using compromised credentials and tricking your employees into letting them in. 

The Path Forward with AuthX

Here’s how AuthX helps you make the shift—securely, gradually, and at enterprise scale: 

  • Step 1: Assess and Map 

Identify all access points (web apps, internal portals, remote desktops, VPNs) and map out who uses what.

  • Step 2: Deploy FIDO2 and Biometrics 

Enable phishing-resistant logins using biometric authenticators, security keys, or mobile-based proximity login, all tied to FIDO2. 

  • Step 3: Enforce Domain-Bound Authentication 

Ensure credentials only work for authorized web origins, not lookalike domains or phishing pages.

  • Step 4: Monitor and Improve 

Use AuthX’s centralized dashboard to monitor adoption, enforce security policies, and continuously test for compliance and resilience. 

Don’t Wait for a Breach to Modernize Access

The Aflac breach and the 16 billion leaked credentials aren’t isolated events. They are symptoms of a global failure in how we protect access and identity. 

But they are also a turning point. 

The question now is not “Will we move beyond passwords?”; it’s “How quickly can we do it, and will our solution actually protect us?”

At AuthX, we’re helping forward-looking enterprises answer that question every day—with authentication that’s not just passwordless, but phishing-proof, biometric, and enterprise-ready. 

The attackers have evolved. It’s time your authentication did too. 

→ Ready to upgrade your identity security? 

Book a demo with AuthX today.