Toxic Combinations: The Hidden Catalyst Behind 70 % of Today’s Major Breaches
- Cyber Jill
Large-scale breaches are rarely the result of a single dramatic failure; far more often they are the product of several smaller failures colliding. According to recent analysis by Panaseer, a specialist in continuous controls monitoring, the headline statistic is stark: 70% of major breaches stem from "toxic combinations" of overlapping cybersecurity risks.
Understanding the domino effect
The term toxic combination borrows from pharmacology: individually, each risk may seem manageable—but when they overlap on the same asset or pathway, their combined effect is vastly greater. Panaseer defines it as “a combination of control gaps relating to the same asset. Alone, each control gap is a small risk, but combined, they can be a major cause for concern.”
A classic scenario could be:
an un-patched laptop,
held by a user with privileged access,
lacking strong multi-factor authentication (MFA),
who then clicks a phishing link.
Individually, each item might raise a flag; together, they become a clear path into – and through – an organization’s critical systems.
The research looked at 20 major breaches over five years; in 14 of them, Panaseer found evidence that it was the compounding of multiple risks—not a singular catastrophic vulnerability—that enabled the intrusion and damage.
Cases in point: How the chains form
Several high-profile incidents illustrate how toxic combinations played out in practice:
At AT&T (2024), attackers used stolen credentials (from infostealer malware) plus missing two-factor authentication on a cloud database; then stealthy reconnaissance tools discovered high-value data sets, leading to exfiltration. A chain of weaknesses, not one glaring error.
At MGM Resorts International (2023), a social-engineering call tricked the help-desk, enabling admin access, followed by lateral movement, ransomware across thousands of VMs, and data theft—again, multiple failures stitched together.
At Okta (2022), a third-party vendor’s compromised laptop led to undetected RDP access, which then exposed support tools, user lists, and reset capabilities—fueled by long-standing monitoring gaps.
At Uber Technologies (2022), purchased contractor credentials, MFA-fatigue social engineering, hard-coded admin secrets, and undetected lateral movement together formed the breach chain.
At Colonial Pipeline Company (2021), the attackers logged in through a dormant VPN account that had no MFA; undetected data exfiltration was followed by rapid ransomware deployment, shutting down a pipeline that carries roughly half of the U.S. East Coast's fuel supply. Alone, a forgotten VPN account might seem minor; combined with the other gaps, it was catastrophic.
Why this matters now
Several broader trends amplify the threat:
Security teams increasingly recognize that "textbook single vulnerability" attacks are diminishing; adversaries build attack chains. According to Panaseer, 92% of security leaders agree that toxic combinations are a real concern.
The adoption of AI by attackers is shrinking "time to exploit"; the mismatch between traditional remediation windows (e.g., 30 days) and attacker speed is growing.
Major organizations still struggle with visibility: asset inventories, control coverage, compensating controls across domains. Without that visibility, the overlaps go undetected.
In short: A device might be patched, or an account might have MFA—but if the right combination of other weaknesses remains unchecked, the breach path opens.
The path forward: Breaking the chain
It’s one thing to recognize that malicious overlaps exist; it’s another to build capability to see them, prioritize them and fix them.
Panaseer argues for a shift beyond checklist compliance to compound risk metrics—that is, metrics that combine signals from across control domains (endpoints, patching, identity, cloud, privilege) and identify where they overlap on the same asset or path.
An executive from the field puts it plainly:
“Effective amplification is vital to ensure that signals of problems, even seemingly small ones, are transmitted within the context of toxic combinations. The system must also make sure these signals are received and acted upon.”
In practice, this means:
Retiring dormant accounts (e.g., VPN users) promptly;
Enforcing MFA universally;
Monitoring for link-click failures and phishing test results;
Avoiding hard-coded credentials or elevated access on devices without endpoint detection;
Building dashboards that show where multiple high-risk signals converge, not just where each signal lives in isolation.
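The compound-risk metric described above (signals from several control domains joined on the same asset, with the overlap driving the score) is easier to see in code than in prose. The following is an added example, not Panaseer's product or any code from the original article: it joins three constructed data sets (endpoint patch and EDR status, account privilege/MFA/last-login, and phishing-simulation results) on the user who owns each asset, derives the individual control gaps, and scores each account-plus-device path by the sum of gap weights multiplied by the number of distinct domains those gaps span. Every hostname, username, date, weight, SLA and the toxic threshold is an assumption chosen for illustration; the point is that no single gap can cross the threshold on its own, while the "unpatched laptop + privileged user + no MFA + phishing click" path and the "dormant VPN account + no MFA" path both do.

```python
"""Compound-risk scoring across control domains (added example, not Panaseer code)."""
from datetime import date

TODAY = date(2025, 1, 15)  # constructed "now" so the example is deterministic

# Constructed sample data; hostnames, usernames and dates are invented.
DEVICES = [  # unpatched_days = days a critical patch has been available but not applied
    {"host": "lt-0412", "owner": "a.smith", "unpatched_days": 45, "edr": True},
    {"host": "lt-0917", "owner": "b.jones", "unpatched_days": 0, "edr": True},
    {"host": "lt-1188", "owner": "c.wu", "unpatched_days": 12, "edr": False},
]
ACCOUNTS = [
    {"user": "a.smith", "privileged": True, "mfa": False, "last_login": date(2025, 1, 14)},
    {"user": "b.jones", "privileged": True, "mfa": True, "last_login": date(2025, 1, 13)},
    {"user": "c.wu", "privileged": False, "mfa": False, "last_login": date(2025, 1, 12)},
    {"user": "svc-vpn-legacy", "privileged": False, "mfa": False, "last_login": date(2024, 7, 1)},
]
PHISHING = [  # most recent simulation result per user
    {"user": "a.smith", "clicked": True},
    {"user": "b.jones", "clicked": True},
    {"user": "c.wu", "clicked": False},
]

# Each control gap belongs to one domain and carries a small weight on its own.
# Domains and weights are illustrative assumptions, not Panaseer's scoring.
GAPS = {  # gap: (domain, weight)
    "unpatched_endpoint": ("patching", 2),
    "no_edr": ("endpoint", 2),
    "privileged_account": ("privilege", 1),
    "mfa_missing": ("authentication", 3),
    "dormant_account": ("account_lifecycle", 3),
    "phish_clicked": ("awareness", 2),
}
PATCH_SLA_DAYS = 30    # assumed remediation window
DORMANT_DAYS = 90      # assumed inactivity before an account counts as dormant
TOXIC_THRESHOLD = 12   # assumed cut-off; tune to the estate's risk appetite


def device_gaps(dev):
    """Control gaps visible from the endpoint/patching domains."""
    gaps = set()
    if dev["unpatched_days"] > PATCH_SLA_DAYS:
        gaps.add("unpatched_endpoint")
    if not dev["edr"]:
        gaps.add("no_edr")
    return gaps


def account_gaps(acct, clicked, today=TODAY):
    """Control gaps visible from the identity, privilege and awareness domains."""
    gaps = set()
    if acct["privileged"]:
        gaps.add("privileged_account")
    if not acct["mfa"]:
        gaps.add("mfa_missing")
    if (today - acct["last_login"]).days > DORMANT_DAYS:
        gaps.add("dormant_account")
    if clicked:
        gaps.add("phish_clicked")
    return gaps


def compound_score(gaps):
    """Sum of gap weights multiplied by the number of distinct domains spanned.

    A lone gap scores at most its own weight; the multiplier only grows when
    gaps from different domains coincide on the same path.
    """
    domains = {GAPS[g][0] for g in gaps}
    return sum(GAPS[g][1] for g in gaps) * len(domains), domains


def build_paths(devices=DEVICES, accounts=ACCOUNTS, phishing=PHISHING, today=TODAY):
    """Join the three domains on the owning user and rank every account+device path."""
    clicked = {p["user"] for p in phishing if p["clicked"]}
    hosts_by_owner = {}
    for dev in devices:
        hosts_by_owner.setdefault(dev["owner"], []).append(dev)
    paths = []
    for acct in accounts:
        hosts = hosts_by_owner.get(acct["user"], [])
        gaps = account_gaps(acct, acct["user"] in clicked, today)
        for dev in hosts:
            gaps |= device_gaps(dev)  # overlap on the same asset/path
        score, domains = compound_score(gaps)
        paths.append({
            "user": acct["user"],
            "hosts": [d["host"] for d in hosts],
            "gaps": sorted(gaps),
            "domains": sorted(domains),
            "score": score,
            "toxic": score >= TOXIC_THRESHOLD,
        })
    return sorted(paths, key=lambda p: p["score"], reverse=True)


if __name__ == "__main__":
    for p in build_paths():
        flag = "TOXIC" if p["toxic"] else "watch"
        print(f"{flag:5} {p['score']:3} {p['user']:16} {', '.join(p['gaps'])}")
```

Run as-is, the privileged user on the unpatched laptop without MFA who clicked a phishing link ranks first, the dormant no-MFA VPN account second, and the two remaining paths stay below the threshold even though each carries a real gap. The same join is what a dashboard of "converging signals" has to perform; the part that usually fails in practice is not the arithmetic but having a reliable owner-to-device mapping and current control data from every domain to join on.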
Bottom line for CISOs & boards
The headline is blunt: Most catastrophic breaches can be traced to overlapping low- and moderate-level failures, not just the rare “zero-day” exploit. Trying to patch every single vulnerability isn’t enough if you can’t watch how they align.
Boards and cyber executives should ask:
Do we have visibility into cross-domain control gaps?
Can our tools show when “account with high privileges + device unpatched + recent phishing failure” coincide?
Is our remediation strategy still one-fault-at-a-time, or built for compound risk?
Do we monitor for “attack-path clusters” rather than lone failures?
Failing to treat the chain, not just the link, invites attackers to walk in through the cracks we assumed were benign.
For organizations facing tight budgets, the priority must shift: Not “patch everything now” but “which stacks of small issues, when combined, create the most likely attack path?” Because that’s where the damage lies.
As the breach landscape evolves, the data is clear: preventative controls must become smarter about intersections. While no single control guarantees safety, their orchestration—visibility, analytics and prioritization—may well define which companies survive the next high-profile breach.