Harrods and Marks & Spencer: Account Recovery Becomes a Major Source of Workforce Identity Breaches

Cybersecurity Alert: Account Recovery Workflows Become Prime Target for Identity Breaches

In 2025, a wave of cyberattacks targeting major U.K. retailers including Marks & Spencer, Harrods, and the Co-op Group exposed a critical vulnerability in identity security: account recovery workflows. Despite robust multi-factor authentication (MFA) and phishing-resistant controls at login, attackers bypassed protections by exploiting password resets, MFA re-enrollment, and help-desk recovery requests through social engineering.

The incidents revealed a systemic flaw: recovery processes are rarely treated as high-risk security events. Designed for speed and convenience, these workflows rely on outdated assumptions such as trust in human judgment, static knowledge-based questions, and unsecured communication channels that are easily manipulated by modern attackers. AI-driven impersonation, synthesized voices, and stolen credentials now allow threat actors to convincingly mimic legitimate users, making deception nearly undetectable for help-desk staff.

While MFA is widely adopted, its effectiveness collapses during recovery. Many organizations require minimal verification to reset MFA, allowing attackers to sidestep authentication entirely. The result? Breaches where MFA was technically "enabled" but functionally useless, as compromised recovery flows undermine downstream security controls.

The root issue lies in identity assurance being treated as disposable. Onboarding may involve rigorous verification, but recovery often reconstructs trust using weaker signals such as email links or scripted questions rather than referencing the original proofing process. This creates a paradox: the path to regaining access is easier than the path to maintaining it.

To counter this, experts argue recovery workflows must be designed for adversarial conditions. High-risk actions should trigger step-up verification, and self-service resets must preserve identity assurance rather than weaken it. Without these changes, attackers will continue to exploit recovery as the weakest link in identity security, bypassing strong authentication without ever directly attacking it.
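As an added, illustrative example (not code from the article, from Rankiteo, or from any of the retailers named), here is one way a recovery service could encode the two recommendations above: every recovery action carries a minimum assurance floor, recovery may never accept weaker evidence than onboarding used, and anything short of that bar triggers step-up verification and an audit event instead of a quiet reset. Verifier names, strength values, action floors and the sample scenario are assumptions.

```python
"""Recovery-flow assurance policy: decide whether a password reset, MFA
re-enrollment or help-desk recovery request has been verified strongly
enough, or whether it must trigger step-up verification and be logged as a
high-risk event.  Illustrative example only; not code from Rankiteo,
Marks & Spencer, Harrods or the Co-op Group.  Verifier names, strength
values and action floors are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# How much each verification method proves about the requester (assumed
# values; higher is stronger).  The weak ones are the signals the article
# describes attackers manipulating.
VERIFIER_STRENGTH = {
    "kba": 1,                     # static knowledge-based questions
    "email_link": 2,              # possession of a mailbox that is itself recoverable
    "sms_code": 2,                # defeated by SIM swap or message forwarding
    "helpdesk_voice": 2,          # a convincing voice on a call (voices can be synthesized)
    "existing_mfa_device": 3,     # a registered authenticator still in the user's hands
    "manager_video_callback": 4,  # out-of-band callback to a known number plus live video
    "id_document_liveness": 4,    # document check with liveness, comparable to onboarding
}
WEAK = 2  # anything at or below this level is a weak signal

# Minimum assurance each recovery action needs (assumed).  Replacing an
# authenticator or recovery address deserves onboarding-grade proofing,
# because every later login will trust the replacement.
ACTION_FLOOR = {
    "password_reset": 3,
    "mfa_reenrollment": 4,
    "recovery_email_change": 4,
}

@dataclass
class Account:
    user_id: str
    proofing_level: int  # assurance established when the identity was onboarded

@dataclass
class RecoveryRequest:
    user_id: str
    action: str
    channel: str  # "self_service" or "helpdesk"
    verifiers_passed: list[str]

@dataclass
class Decision:
    allow: bool
    achieved: int
    required: int
    step_up_options: list[str] = field(default_factory=list)
    risk_flags: list[str] = field(default_factory=list)

def achieved_assurance(verifiers: list[str]) -> int:
    """Assurance is the strongest single verifier, not a sum: stacking weak
    signals (KBA plus an email link) does not approach a document check."""
    return max((VERIFIER_STRENGTH.get(v, 0) for v in verifiers), default=0)

def evaluate(req: RecoveryRequest, account: Account) -> Decision:
    if req.action not in ACTION_FLOOR:
        raise ValueError(f"unknown recovery action: {req.action}")
    achieved = achieved_assurance(req.verifiers_passed)
    # Recovery must not rebuild trust from weaker evidence than onboarding used.
    required = max(ACTION_FLOOR[req.action], account.proofing_level)

    flags = []
    if req.channel == "helpdesk":
        flags.append("helpdesk_channel")  # human judgment in the loop: treat as high risk
    if req.action == "mfa_reenrollment":
        flags.append("authenticator_replacement")
    if achieved <= WEAK:
        flags.append("weak_verifiers_only")

    if achieved >= required:
        return Decision(True, achieved, required, risk_flags=flags)
    # Step-up: offer only verifiers strong enough on their own to reach the bar.
    options = [v for v, s in VERIFIER_STRENGTH.items()
               if s >= required and v not in req.verifiers_passed]
    return Decision(False, achieved, required, options, flags)

def audit_event(req: RecoveryRequest, d: Decision) -> dict:
    """Flat record for the SIEM so every recovery attempt, allowed or not,
    is visible as a security event rather than a routine ticket."""
    return {
        "event": "account_recovery",
        "user_id": req.user_id,
        "action": req.action,
        "channel": req.channel,
        "verifiers": sorted(req.verifiers_passed),
        "achieved": d.achieved,
        "required": d.required,
        "outcome": "allowed" if d.allow else "step_up_required",
        "risk_flags": d.risk_flags,
    }

if __name__ == "__main__":
    # Constructed scenario: a help-desk caller answers the KBA questions and
    # sounds right on the phone, then asks for MFA to be re-enrolled.
    acct = Account("u1", proofing_level=3)
    req = RecoveryRequest("u1", "mfa_reenrollment", "helpdesk", ["kba", "helpdesk_voice"])
    print(audit_event(req, evaluate(req, acct)))
```

The design choice worth noting is that `required` is the larger of the action floor and the onboarding proofing level, so a strongly proofed identity cannot be reset through a weaker path, and that weak signals are never summed: two manipulable channels together still count as one weak verifier, which is exactly the combination the help-desk attacks relied on.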

Source: https://www.technewsworld.com/story/account-recovery-becomes-a-major-source-of-workforce-identity-breaches-180219.html

Harrods cybersecurity rating report: https://www.rankiteo.com/company/harrods

Marks and Spencer cybersecurity rating report: https://www.rankiteo.com/company/marks-and-spencer

{
"id": "HARMAR1773319278",
"linkid": "harrods, marks-and-spencer",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Marks & Spencer',
                        'type': 'Retailer'},
                       {'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Harrods',
                        'type': 'Retailer'},
                       {'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Co-op Group',
                        'type': 'Retailer'}],
 'attack_vector': 'Social Engineering',
 'data_breach': {'personally_identifiable_information': 'Likely'},
 'date_detected': '2025',
 'description': 'In 2025, a wave of cyberattacks targeting major U.K. '
                'retailers including Marks & Spencer, Harrods, and the Co-op '
                'Group exposed a critical vulnerability in identity security: '
                'account recovery workflows. Attackers bypassed multi-factor '
                'authentication (MFA) and phishing-resistant controls by '
                'exploiting password resets, MFA re-enrollment, and help-desk '
                'recovery requests through social engineering. Recovery '
                'processes, designed for speed and convenience, relied on '
                'outdated assumptions like trust in human judgment, static '
                'knowledge-based questions, and unsecured communication '
                'channels, making them easily manipulated by modern attackers '
                'using AI-driven impersonation and synthesized voices.',
 'impact': {'brand_reputation_impact': 'High', 'identity_theft_risk': 'High'},
 'lessons_learned': 'Recovery workflows must be designed for adversarial '
                    'conditions. High-risk actions should trigger step-up '
                    'verification, and self-service resets must preserve '
                    'identity assurance rather than weaken it. Recovery '
                    'processes are rarely treated as high-risk security '
                    'events, creating a systemic flaw in identity security.',
 'post_incident_analysis': {'root_causes': '1. Recovery processes rely on '
                                           'outdated assumptions (e.g., trust '
                                           'in human judgment, static '
                                           'knowledge-based questions). 2. '
                                           'Identity assurance is treated as '
                                           'disposable during recovery. 3. MFA '
                                           'effectiveness collapses during '
                                           'recovery due to weak verification '
                                           'requirements.'},
 'recommendations': '1. Treat recovery workflows as high-risk security events. '
                    '2. Implement step-up verification for high-risk actions. '
                    '3. Preserve identity assurance during self-service '
                    'resets. 4. Redesign recovery processes to account for '
                    'modern adversarial tactics like AI-driven impersonation '
                    'and social engineering.',
 'title': 'Account Recovery Workflows Exploited in Identity Breaches Targeting '
          'U.K. Retailers',
 'type': 'Identity Breach',
 'vulnerability_exploited': 'Account recovery workflows (password resets, MFA '
                            're-enrollment, help-desk recovery requests)'}