According to this story in The Register (the source material is reasonably enough in German), one of our German competitors has recently been forced to reset every single account password causing significant queues for service. Plus a significant amount of malware cleansing.
Reading between the lines, and making possibly unwarranted assumptions based on my knowledge of how attacks work, it seems likely that this incident came about because :-
- A significant malware outbreak occurred despite anti-virus protection (everyone has that these days) making a case for “next generation endpoint protection” (detecting malware by behaviour rather than signature).
- At least one infected workstation was used by someone with “domain admin” level privileges allowing access to the Active Directory database.
- And presumably some indication was found that the Active Directory database was “stolen” in theory allowing accounts with relatively weak passwords to be compromised.
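The second bullet is the one a defender can most readily turn into a check: if accounts with domain admin privileges never log on interactively to ordinary workstations, an infected workstation cannot hand over domain admin credentials. The script below is an added example, not code from the original post or from the company concerned; it flags interactive (console or RDP) logons by a privileged account on any host outside a small set of domain controllers and admin workstations. The account names, host names, and log lines are constructed for the example, and the key=value record format is a simplification of what a real Windows 4624 event carries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical tiering data for this example (constructed, not from the post).
PRIVILEGED_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}  # domain controllers plus one admin workstation
# Windows logon types that leave reusable credentials on the host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Type 3 (network) does not.
CACHING_LOGON_TYPES = {2, 10}

# Constructed, simplified logon records in key=value form (not real event log output).
SAMPLE_LOGONS = [
    "2024-03-01T08:02:11Z event=4624 account=CORP\\j.smith host=WS-0471 type=2",
    "2024-03-01T08:05:40Z event=4624 account=CORP\\da-alice host=DC01 type=10",
    "2024-03-01T09:17:03Z event=4624 account=CORP\\da-alice host=WS-0471 type=2",
    "2024-03-01T09:18:22Z event=4624 account=CORP\\da-bob host=FS02 type=3",
    "2024-03-01T10:41:55Z event=4624 account=CORP\\da-bob host=WS-0902 type=10",
]

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\d+) account=(?P<account>\S+) "
    r"host=(?P<host>\S+) type=(?P<type>\d+)$"
)


@dataclass(frozen=True)
class Logon:
    timestamp: str
    account: str
    host: str
    logon_type: int


def parse_logon(line: str) -> Optional[Logon]:
    """Parse one constructed record; ignore anything that is not a successful logon (4624)."""
    m = RECORD_RE.match(line.strip())
    if m is None or m.group("event") != "4624":
        return None
    return Logon(m.group("ts"), m.group("account"), m.group("host"), int(m.group("type")))


def is_tier_violation(logon: Logon) -> bool:
    """A privileged account logging on interactively to a non-tier-0 host exposes its credentials."""
    return (
        logon.account in PRIVILEGED_ACCOUNTS
        and logon.host not in TIER0_HOSTS
        and logon.logon_type in CACHING_LOGON_TYPES
    )


def find_violations(lines: List[str]) -> List[Logon]:
    """Return every logon record that breaks the tiering rule, in input order."""
    violations = []
    for line in lines:
        logon = parse_logon(line)
        if logon is not None and is_tier_violation(logon):
            violations.append(logon)
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOGONS):
        print(f"{v.timestamp} privileged account {v.account} logged on to {v.host} (type {v.logon_type})")
```

On the sample data only two records are flagged: da-alice's console logon to WS-0471 and da-bob's RDP session to WS-0902. The network logon (type 3) to FS02 is deliberately left alone, because a network logon does not leave a reusable credential on the file server; the point of the check is to catch exactly the situation in the second bullet, a privileged credential sitting on a workstation that malware can reach.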
Security is one of those tasks that can seem kind of like wasted time; until you look at events like this!