Back in 2023, Clorox was one of several companies targeted by hacker group Scattered Spider. However, the eventual hack of their systems was allegedly easier than others — because the hackers just called, asked for their passwords and their security company gave them to them.

In a new lawsuit, Clorox alleges that IT provider Cognizant allowed their servers to be hacked after a hacker “called the Cognizant Service Desk, asked for credentials to access Clorox’s network and Cognizant handed the credentials right over.”

Partial call transcripts basically show this verbatim, with the hacker claiming they can’t get into the account, and the customer service worker handing over the crucial information without any additional verification.

For example, in one call, the hacker says, “I don’t have a password, so I can’t connect” — to which the agent replies, “Oh, okay. Okay. So let me provide the password to you okay?”

The hack caused $380 million in damages for Clorox — and, given this information, I think they might be able to use the legal system to get a fair bit of it back.