Clorox is Suing for $380M Over a Password. Seriously. WTF?
By Kevin Surace | 2 minute read
Cybersecurity Dive just reported that Clorox is suing Cognizant for $380 million after a cyberattack crippled operations. The alleged trigger? A hacker posed as an employee and convinced someone to hand over a password. That’s it. No advanced zero-day exploit. No AI-powered quantum hack. Just a social engineering phone call and a password—and now Clorox wants $380 million in damages.
WTF.
This isn’t 2001. We all know by now that passwords, and the phishable MFA layered on top of them (SMS codes, push approvals, typed-in authenticator codes), are the weakest link: anything a user can read out, type into the wrong page, or approve on request can be handed to an attacker. The fact that a multi-billion-dollar company’s operations can still be tanked by a simple impersonation scam is staggering.
But here’s the real kicker: this could have been completely avoided.
If Clorox had used Token BioStick or Token Ring, that hacker would have gotten absolutely nowhere. Here’s why:
- A password alone means nothing with Token. Even if the hacker had the correct credentials, Token requires a live fingerprint match before any login is approved.
- Device theft wouldn’t help either. Even if they physically stole the Token device, it’s useless without the authorized user’s fingerprint and proximity to the login device.
- No social engineering loophole. You can trick someone into giving you a password or approving a push notification, but you can’t trick Token into authenticating you. Every request is cryptographically bound to the real site and signed only with the right biometric present.
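To make the two properties in that list concrete, here is an added example (written for this page, not Token’s own code, and not a description of Token’s internals). It models a FIDO2/WebAuthn-style origin-bound challenge signature, which is an assumption about how “cryptographically bound to the real site” is achieved; an HMAC key stands in for the device’s per-site private key so the example runs on the Python standard library alone. The origins, password and challenge values are constructed for the demo. It contrasts a relayed password, which the server accepts no matter where it was typed, with a signed assertion, which the server rejects when the signature covers a phishing origin, when the attacker rewrites that origin, or when the device signs nothing because no fingerprint was presented.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the demo; these are not real Clorox or Cognizant hosts.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil"


def _sign(key: bytes, message: bytes) -> bytes:
    # HMAC stands in for the authenticator's private-key signature (assumption
    # for this example; a real token uses an asymmetric key pair).
    return hmac.new(key, message, hashlib.sha256).digest()


class Authenticator:
    """Model of a biometric hardware token: it signs only while the enrolled
    fingerprint is present, and the signature covers the origin the browser
    reports, so an assertion is bound to the site it was produced for."""

    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key
        self.fingerprint_present = False  # True only while the enrolled user touches the sensor

    def assert_login(self, reported_origin: str, challenge: str):
        if not self.fingerprint_present:
            return None  # stolen device, nobody's finger on it: nothing is signed
        client_data = json.dumps(
            {"origin": reported_origin, "challenge": challenge}, sort_keys=True
        ).encode()
        return {"client_data": client_data, "signature": _sign(self.credential_key, client_data)}


class RelyingParty:
    """The real site. Holds the user's password hash and the token's credential key."""

    def __init__(self, origin: str, credential_key: bytes, password: str):
        self.origin = origin
        self.credential_key = credential_key
        self.password_hash = hashlib.sha256(password.encode()).digest()
        self.pending = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_password(self, candidate: str) -> bool:
        # A password is the same secret wherever it was typed or spoken, so one
        # obtained by a phone call or a phishing page is accepted as-is.
        digest = hashlib.sha256(candidate.encode()).digest()
        return hmac.compare_digest(digest, self.password_hash)

    def verify_assertion(self, assertion) -> bool:
        if assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data["challenge"] not in self.pending:
            return False  # unknown or already-used challenge
        if data["origin"] != self.origin:
            return False  # signed for some other site: relayed assertion rejected
        expected = _sign(self.credential_key, assertion["client_data"])
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False  # client data altered after signing
        self.pending.discard(data["challenge"])  # single use
        return True


def run_scenarios() -> dict:
    """Run the four attack/legit cases and return which ones the site accepts."""
    key = secrets.token_bytes(32)
    rp = RelyingParty(REAL_ORIGIN, key, password="hunter2")  # constructed password
    token = Authenticator(key)
    results = {}

    # 1. Password handed over on a phone call and replayed by the attacker.
    results["password_relay"] = rp.verify_password("hunter2")

    # 2. Legitimate login: real origin, enrolled user's finger on the sensor.
    token.fingerprint_present = True
    results["legit"] = rp.verify_assertion(token.assert_login(REAL_ORIGIN, rp.new_challenge()))

    # 3. Phishing relay: attacker fetches a real challenge and proxies it to the
    #    victim, whose browser reports the phishing origin to the token.
    challenge = rp.new_challenge()
    relayed = token.assert_login(PHISH_ORIGIN, challenge)
    results["phish_relay"] = rp.verify_assertion(relayed)
    #    Attacker rewrites the origin field before forwarding: signature no longer matches.
    forged = dict(relayed)
    forged["client_data"] = relayed["client_data"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    results["phish_tampered"] = rp.verify_assertion(forged)

    # 4. Stolen device with no fingerprint presented.
    token.fingerprint_present = False
    results["stolen_device"] = rp.verify_assertion(token.assert_login(REAL_ORIGIN, rp.new_challenge()))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} accepted={accepted}")
```

Only the `legit` and `password_relay` cases come back `True`: the password check has no way to know where the secret was typed, while the signed assertion fails on the origin check, the signature check, or never exists at all. The challenge is also single-use, so a captured legitimate assertion cannot be replayed later.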
And yet, companies are still betting their entire operations on outdated authentication methods like passwords, SMS codes, and authenticator apps—the very methods attackers target because attacks against them work.
This lawsuit shouldn’t just be a wake-up call for Cognizant (and, to be fair, we don’t know what really happened here; they are innocent until proven otherwise). It’s a wake-up call for every enterprise still playing security roulette with legacy MFA. The technology to make this kind of social engineering attack impossible already exists.
It’s Token. Use it, and these $380 million “oops” moments simply don’t happen.
So ask yourself this: What’s cheaper, rolling out Token, or paying $380 million because someone believed a fake phone call?