Well, I figured, why not write this? I've been in IT for 10 years and in Infosec since 2019. I got into Infosec because I had dreams of being a hacker, but I'm not good at it, so I stuck with defending.
Here's a story about a breach I experienced at my last job; details have been changed to protect the identity of the company.
My last company was in telecom. I started in their NOC (Network Operations Center) and moved into Infosec. During my time in the NOC, I learned a lot, especially about how the company's VoIP product worked, which ended up being helpful for my story. I used to dive into the logs to figure out why a customer was having an issue. I was also really knowledgeable about the entire backend and how everything flowed. Eventually, I got promoted to the Infosec team because of this knowledge.
On Day 1, we were notified of a customer reporting that someone had logged into their account and was making calls to some number that racked up hella charges. We called them premium numbers, like the old 900 sex lines. The Infosec team was tasked with figuring out how this happened; which, in hindsight, was weird. But I dived into the logs and spent the next hour figuring out what had happened. I found an IP from Bangladesh that had logged into the account and had also logged into the admin account, creating a bunch of accounts to make calls to premium numbers.
The goal of the threat actor was to use these company accounts to call premium numbers they owned and rack up charges for profit. Pretty smart, tbh. The mistake they made was using their own IP and email addresses. My team and I started to investigate and discovered they had gained access to our Microsoft Office 365 account for one of the teams. They then scraped data from my company's SharePoint, which had user accounts and passwords that our professional service team had stored. The worst part was that a commonly used password was used for all these accounts.
The threat actor took this info and then spent the next three months logging into our customers' accounts, and they had literally thousands of them. The company login page was bad; it was never designed with security in mind. The threat actor was using Burp Community Edition in the simplest way possible, just to password spray the login page and find accounts they could access. Burp has a lot of uses, primarily for web application hacking. I've only scratched the surface of what the tool can do, but password spraying is amateur hour. Yet they were successful in gaining access to customer accounts and logging in.
At one point, my company had the Infosec team manually blocking IPs, which didn't do anything to slow them down since they started using a VPN provider. We added thousands of IPs to the list. Eventually, I started blocking the entire CIDR block of a VPN provider as soon as I saw it. This did affect some of our customers, but I argued they shouldn't be using our service behind a public VPN service as it would drastically affect call quality.
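The two patterns above, a spray that touches many accounts with one or two guesses each, and the need to act on whole networks rather than single IPs, are the kind of thing I was digging out of the logs by hand. This is an added example written for this post, not the company's tooling: it runs over a constructed login log (timestamp, source IP, username, result), flags sources whose shape looks like a spray rather than a brute force against one account, lists which accounts they actually got into, and rolls the flagged sources up to /24 networks so a block decision can be made per network. The log format and the thresholds are assumptions for the example.

```python
"""Password-spray triage over constructed login logs.

Added example, not code from the original post. Flags source IPs that
hit many distinct accounts with few attempts each, reports which
accounts they succeeded on, and groups flagged IPs by /24 so a block
can be applied per network. The log format below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample lines: timestamp, source ip, username, result.
# 203.0.113.10 and .11 spray one guess per account; 198.51.100.7 hammers
# a single account, which is a brute force, not a spray.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.10 alice FAIL
2024-01-01T10:00:02Z 203.0.113.10 bob FAIL
2024-01-01T10:00:03Z 203.0.113.10 carol FAIL
2024-01-01T10:00:04Z 203.0.113.10 dave FAIL
2024-01-01T10:00:05Z 203.0.113.10 erin SUCCESS
2024-01-01T10:00:06Z 203.0.113.11 frank FAIL
2024-01-01T10:00:07Z 203.0.113.11 grace FAIL
2024-01-01T10:00:08Z 203.0.113.11 heidi FAIL
2024-01-01T10:00:09Z 203.0.113.11 ivan FAIL
2024-01-01T10:01:00Z 198.51.100.7 alice FAIL
2024-01-01T10:01:05Z 198.51.100.7 alice FAIL
2024-01-01T10:01:09Z 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def find_spray_sources(events, min_users=3, max_attempts_per_user=2):
    """Return {ip: summary} for source IPs whose pattern looks like a spray.

    A spray is many distinct usernames from one source with only a
    guess or two per username. A source that retries the same account
    many times is a brute force and is deliberately not flagged here.
    Thresholds are assumed values for this example.
    """
    per_ip = defaultdict(lambda: {"users": defaultdict(int), "successes": set()})
    for e in events:
        per_ip[e["ip"]]["users"][e["user"]] += 1
        if e["ok"]:
            per_ip[e["ip"]]["successes"].add(e["user"])

    flagged = {}
    for ip, data in per_ip.items():
        users = data["users"]
        if len(users) >= min_users and max(users.values()) <= max_attempts_per_user:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": sum(users.values()),
                # accounts the sprayer actually logged into: reset these first
                "compromised": sorted(data["successes"]),
            }
    return flagged


def rollup_networks(ips, prefix=24):
    """Group IPs by containing network so a block can cover the whole range."""
    nets = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].append(ip)
    return dict(nets)


if __name__ == "__main__":
    hits = find_spray_sources(parse_log(SAMPLE_LOG))
    for ip, summary in hits.items():
        print(ip, summary)
    print(rollup_networks(hits))
```

On the sample data the two 203.0.113.x sources are flagged and land in one /24, while 198.51.100.7 is left alone because it only ever touched one account; that distinction matters because the response is different (a spray means a credential list is in play and every account it succeeded on needs a reset, not just the one that complained). Real logs would also carry a user agent and an ASN lookup, which is how a VPN provider's range shows up as a unit.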
So, I had been spending months trying to figure out who the hell this person was that made my life hell for the last six months. While I can't give you their name because I'm still under NDA at my last company, I can say for certain they were in Bangladesh. We had called him Muna because that's what his email contained, which just means "Man" in his language. But eventually, he slipped up, and I was able to find his personal Facebook. This guy had made so much money from his attacks; he had bought a Mercedes and was showing it off on his Facebook. He also enjoyed playing PUBG on his phone with his buddies located around the world, including the Philippines, which is an important detail. This person he played with in the Philippines happened to be an employee at my last company.
The employee had helped give him access to our company's O365 account and was working with him to make money off his employer. Unfortunately, we weren't able to get him arrested since the company never notified the authorities of what had happened, but they did shit can him. After that, all this stopped and I finally got to sleep. I still have some trauma from this even though it's been 3 years since I worked there; even typing this causes me some stress, but it's an interesting story.