Valid Credentials. Invalid Identity.

Snowflake: Valid Credentials. Invalid Identity.

When a cloud platform makes headlines for a breach, attention falls on the platform. Was there a vulnerability? Was encryption broken? Was access control misconfigured? In the Snowflake-related incidents, those questions are the wrong ones. Snowflake was not breached. The platform performed exactly as designed. What failed was identity.

Kevin Surace
2 minute read
OAuth Phishing Has Made MFA Irrelevant

OAuth phishing has fundamentally changed the identity attack surface. It does not defeat MFA — it renders MFA irrelevant. Classic phishing targets credentials. OAuth phishing targets authorization. Attackers trick users into granting access to a malicious application. The user never enters a password. No MFA prompt appears. The attacker receives a valid OAuth token and gains persistent access — entirely within the normal login flow.

Kevin Surace
1 minute read
Hospitality and Retail Breaches

Hospitality and Retail Breaches Prove MGM Was Not a One-Off

The MGM Resorts and Caesars breaches were not anomalies. They were demonstrations of a structural fact: identity that can be reset remotely will eventually be reset by someone who should not have access. What made those incidents significant was not the sophistication of the attack. It was its simplicity. Attackers did not exploit code vulnerabilities. They impersonated employees, contacted help desks, and had authentication reset. Legitimate access followed. Everything else — ransomware, data theft, operational disruption — was a consequence of that first failure.

Kevin Surace
2 minute read
New Shape of Identity Attacks

The Vercel Incident Shows the New Shape of Identity Attacks

The most important lesson in Vercel’s April 2026 security bulletin is not simply that internal systems were accessed. It is the likely path the attacker took to get there. According to Vercel, the incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker then used that access to take over the employee’s Vercel Google Workspace account, which in turn enabled access to some Vercel environments and non-sensitive environment variables.

Kevin Surace
2 minute read

Outsourced Support Desks Cannot Override Cryptographic Identity

Zero trust has a clear mandate: never trust, always verify. Most enterprises apply this principle to their networks, devices, and applications. They rarely apply it to the moment identity leaves their direct control. Outsourced support desks and business process outsourcing providers now handle identity verification for millions of employees and customers. These teams operate under SLAs built around speed and resolution. They rely on scripted questions, knowledge-based verification, and procedural checks. None of these methods produce cryptographic proof.

Kevin Surace
2 minute read
Defending the Right Layer: Identity

CISA Confirms It: Most Breaches No Longer Begin with Malware

For decades, breach response centered on a single question: how did the malware get in? That question is no longer the right one. Recent advisories from CISA confirm what security leaders already see in their incident reports. A significant and growing share of breaches involve no malware at all. Attackers authenticate with legitimate credentials. They operate as trusted users. Detection tools built to catch malicious binaries see nothing — because the attacker is not behaving like malware. They are behaving like an employee.

Kevin Surace
2 minute read
Biometric Authentication

ShinyHunters and CarGurus: They Logged In

According to recent reporting by The Register, the ShinyHunters group has been linked to a new breach involving CarGurus. The details are consistent with a pattern that security teams have been tracking for over a year. No exploit. No malware. No zero-day. The attacker authenticated. That distinction matters. It defines the entire problem — and the only category of solution that resolves it.

Kevin Surace
2 minute read
Cryptographic Biometric Identity Closes the Authentication Layer

Identity Is the Primary Attack Surface. The Data Confirms It

A new incident response report from Palo Alto Networks Unit 42 — drawn from 750 real-world cases — finds that identity-based techniques drove 65 percent of initial intrusions. Identity played a role in nearly 90 percent of all breaches, from initial access through lateral movement and data exfiltration. This is not a technology failure. It is an architecture failure. And it has a precise solution.

Kevin Surace
3 minute read

AI Can Harden Your Code. It Cannot Verify Your Identity.

Anthropic’s Claude Code Security addresses a real risk. The larger one remains unaddressed. Anthropic recently announced Claude Code Security—an AI system designed to identify vulnerabilities in code, surface potential zero-day exposures, and accelerate remediation before attackers can exploit them. It is a meaningful technical advance. If it performs as described, it will reduce the exploitable software attack surface across the enterprise. That matters. But it does not address the attack surface that is closing the majority of breaches in 2026. Stronger code does not stop an attacker who authenticates with stolen credentials. And that is the primary breach path enterprises face today.

Kevin Surace
3 minute read
Identity Has Become the Only Perimeter That Matters

The Red Queen Is Real: Identity Has Become the Only Perimeter That Matters

Attackers are accelerating. AI tooling has lowered the cost of sophisticated campaigns to near zero, while the scale of attacks has expanded across every phase of the attack chain — reconnaissance, initial access, lateral movement. The 2025 Tidal Cyber Threat Led Defense Report confirms what security leaders already understand: defenders no longer hold an inherent speed advantage. This is the Red Queen dynamic. Running harder sustains position. It does not advance it. But there is a more precise problem underneath the noise. Phishing and social engineering have changed structurally. Training-based defenses, however disciplined, are now insufficient by design. The architecture of the threat has shifted. The architecture of the response must follow.

Kevin Surace
3 minute read
The Authentication Architecture Problem

Wynn Resorts Breach: The Authentication Architecture Problem

Cybercriminals claiming affiliation with the ShinyHunters group have reportedly breached Wynn Resorts, demanding $1.5 million to prevent the release of stolen data. If accurate, the intrusion follows a pattern that has now repeated itself across hospitality, retail, insurance, and aviation. (Read the full article on Casino.org) The method is consistent. The attackers did not defeat network defenses. They authenticated.

Kevin Surace
2 minute read
Tycoon 2FA is down but the attack model is not

Tycoon 2FA Is Down. The Attack Model Is Not

Microsoft, Europol, Trend Micro, and a global coalition just disrupted Tycoon 2FA — one of the most prolific phishing-as-a-service platforms ever documented. That is a meaningful outcome. It is not safety. Tycoon 2FA is offline. The attack model that made it successful is not.

Kevin Surace
2 minute read