How did the Scattered Spider attack on Clorox occur?

The attack used trivial social engineering tactics. Scattered Spider hackers called Cognizant's service desk requesting employee credentials and received them without any identity verification. The attackers successfully compromised two Clorox employee accounts through a series of calls, obtaining passwords, resetting MFA credentials, and changing associated phone numbers for SMS authentication.

What was the total financial impact of the Clorox cyberattack?

The total financial impact reached approximately $380 million, broken down as $49 million in direct remediation costs (including third-party consulting services, IT recovery, forensic experts, and incremental operating expenses) and over $330 million in business interruption losses due to halted product shipments and manufacturing delays.

When did the Scattered Spider attack on Clorox occur?

The cyberattack on Clorox occurred in August 2023 and was attributed to the Scattered Spider cybercriminal gang, which used social engineering tactics to compromise the company's systems through Cognizant's help desk services.

What operational impact did the Clorox cyberattack have?

The attack damaged portions of Clorox's IT infrastructure, leading to widespread disruption of production capabilities and forcing the company to manually process orders. The impact extended well beyond the immediate attack period, with operational strain continuing into the fiscal second quarter as the company worked to rebuild retailer inventories.

What cybercriminal group was responsible for the Clorox attack?

The Scattered Spider gang claimed responsibility for the August 2023 cyberattack on Clorox. This group used social engineering tactics to compromise employee credentials through Cognizant's help desk services.

How many Clorox employee accounts were compromised?

The Scattered Spider attackers successfully compromised two Clorox employee accounts through a series of social engineering calls to Cognizant's service desk, obtaining passwords, resetting MFA credentials, and changing associated phone numbers for SMS authentication.

What were the direct remediation costs for Clorox?

Clorox incurred $49 million in direct remediation costs, which included third-party consulting services, IT recovery expenses, forensic experts, and incremental operating expenses related to responding to and recovering from the cyberattack.

What business disruptions did Clorox experience?

Clorox experienced over $330 million in business interruption losses due to halted product shipments and manufacturing delays. The company was forced to manually process orders and suffered widespread disruption of production capabilities, with operational strain continuing into the fiscal second quarter.

What was Cognizant's role in Clorox's IT operations?

According to Cognizant's response, they were hired by Clorox for a narrow scope of help desk services and maintain they did not manage cybersecurity for Clorox. Cognizant claims they were only contracted for limited help desk services, not broader IT security management.

Incident

Clorox sues Cognizant over 2023 cyberattack, blames IT provider for giving hackers passwords

Q: What evidence shows the security failure in the Clorox attack?

Court documents include a recorded call where a cybercriminal stated 'I don't have a password, so I can't connect,' and the Cognizant agent replied, 'Oh, ok. Ok. So let me provide the password to you ok?' The agent then provided a password beginning with 'Welcome...' without any identity verification whatsoever.

Q: How has Cognizant responded to Clorox's lawsuit?

Cognizant has pushed back against the allegations, stating: 'Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed.' The company maintains that it did not manage cybersecurity for Clorox and was only contracted for limited help desk services.

Q: What security procedures did Cognizant allegedly fail to follow?

According to Clorox's lawsuit, Cognizant failed to follow established credential support procedures that required proper authentication before resetting passwords or MFA credentials. The agents provided passwords and reset authentication factors without verifying the caller's identity.

published: July 23, 2025

Take action: Social engineering attacks help desk or support services are very dangerous. Helpdesk/support is under pressure to have a happy customer and close tickets very fast. This can be an excellent vector into a hacker pressuring helpdesk agents into bypassing control procedures. So train your teams, and educate your customer. Slower is better, because controls matter.

Learn More

The Clorox Company has filed a lawsuit against IT services provider Cognizant, alleging gross negligence that enabled a cyberattack in August 2023.

The attack was claimed by the Scattered Spider gang and resulted in $380 million in total damages. The court documents claim that Scattered Spider hackers used a trivial social engineering to gain access. They called Cognizant's service desk and requesting employee credentials, and received them without any identity verification.

Court documents quote the following:

"I don't have a password, so I can't connect," the cybercriminal stated in one recorded call. The Cognizant agent replied, "Oh, ok. Ok. So let me provide the password to you ok?" The agent then proceeded to provide a password beginning with "Welcome..." without any identity verification whatsoever.

The attackers successfully compromised two Clorox employee accounts through a series of calls, obtaining passwords, resetting MFA credentials and changing associated phone numbers for SMS authentication.

The total financial impact reached approximately $380 million, broken down as follows:

$49 million in direct remediation costs, including third-party consulting services, IT recovery, forensic experts, and incremental operating expenses
Over $330 million in business interruption losses due to halted product shipments and manufacturing delays

The attack damaged portions of Clorox's IT infrastructure, leading to widespread disruption of production capabilities and forcing the company to start manually processing orders. The impact extended well beyond the immediate attack period, with operational strain continuing into the fiscal second quarter as the company worked to rebuild retailer inventories.

Clorox claims that Cognizant failed to follow established credential support procedures that required proper authentication before resetting passwords or MFA credentials. Despite having comprehensive policies in place and repeatedly assuring Clorox that its agents were properly trained, Cognizant's service desk staff ignored basic security protocols multiple times during the attack.

Cognizant has pushed back against the allegations, stating in a response: "Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed." The company maintains that it did not manage cybersecurity for Clorox and was only contracted for limited help desk services.

Clorox sues Cognizant over 2023 cyberattack, blames IT provider for giving hackers passwords