Insider Threats: What One Government Hack Teaches CTOs

Key Takeaways

- Stolen credentials enabled 25 unauthorized accesses to federal court systems over 3 months
- The average cost of credential-based breaches reached $4.45 million in 2023
- Basic security controls like MFA and session monitoring could have detected this attack on day one

According to [Ars Technica](https://arstechnica.com/tech-policy/2026/04/man-with-ihackedthegovernment-instagram-account-tells-judge-i-made-a-mistake/), a 25-year-old Tennessee man pleaded guilty to accessing US government systems including the Supreme Court's electronic filing system using stolen login credentials, then publicly posting screenshots of users' personal information on an Instagram account literally named @ihackedthegovernment.
The case sounds almost comical. A hacker who names his Instagram handle after his crime. A federal court system accessed 25 times over three months before anyone noticed. Screenshots of sensitive user data posted publicly for the world to see.
But if you're running a company in 2026, this case should keep you up at night. Because if the US Supreme Court can't detect unauthorized access for three months, what makes you confident your systems would catch it faster?
How Do Insider Threats Start With Stolen Credentials?
Nicholas Moore didn't exploit a zero-day vulnerability. He didn't write sophisticated malware. He simply used someone else's login credentials to walk through the front door of three federal systems: the Supreme Court's electronic filing system, AmeriCorps, and the Veterans Administration Health System.
The court filings don't specify how Moore obtained the credentials. That's the terrifying part for business leaders. Stolen credentials can come from phishing attacks, data breaches at other services where employees reused passwords, or even purchased on dark web marketplaces for a few dollars.
Once inside, Moore accessed everything the legitimate user could see: full names, email addresses, phone numbers, home addresses, dates of birth, and even private answers to security questions. Then he did something remarkably stupid. He posted screenshots publicly.
The Business Translation
Replace 'Supreme Court filing system' with 'your company's CRM' or 'your customer database.' A single set of stolen credentials gives an attacker the same access as your most trusted employees. They can export customer lists, download financial data, or steal intellectual property. Most won't be dumb enough to post about it on Instagram.
What Is the Real Cost of Credential-Based Breaches?
IBM's 2023 Cost of a Data Breach Report puts the average total cost at $4.45 million per incident. Breaches involving stolen or compromised credentials took the longest to identify and contain, averaging 328 days. That's nearly a year of an attacker having access to your systems.

The Moore case demonstrates why these attacks take so long to catch. From August to October 2023, he accessed the Supreme Court's system repeatedly. The filing system presumably logged every access. But nobody was watching those logs in real time. Nobody had alerts configured for unusual login patterns. Nobody noticed when a user suddenly started accessing the system from Tennessee instead of their usual location.
For small and mid-sized businesses, these numbers aren't just statistics. A breach costing even a fraction of $4.45 million can mean layoffs, lost customers, or bankruptcy. And the reputational damage often exceeds the direct costs.
Why Didn't Basic Security Controls Stop This Attack?
This is where the case becomes instructive for CTOs. Moore's attack wasn't sophisticated. It relied entirely on one thing: a valid username and password. Modern security practices have multiple layers specifically designed to stop this exact scenario.
| Security Control | Would It Have Helped? | Implementation Complexity |
|---|---|---|
| Multi-factor authentication (MFA) | Yes - would have required a second factor Moore didn't have | Low - most identity providers include this |
| Login anomaly detection | Yes - would have flagged logins from new locations | Medium - requires SIEM or dedicated tools |
| Session monitoring | Yes - the repeated access pattern was unusual | Medium - needs baseline behavior analysis |
| Credential monitoring services | Maybe - depends on whether the credentials appeared in a public dump | Low - subscription services available |
| Regular access reviews | Yes - could have identified unauthorized access in the logs | Low - process change, minimal tooling |
Every control on this list is available today. Most cost less than a junior engineer's monthly salary to implement. The Supreme Court's filing system apparently lacked several of them. Does your company?
What Should CTOs Audit This Week?
The Moore case offers a practical checklist. If you can't confidently answer 'yes' to these questions, you have the same vulnerabilities that let a 25-year-old with an Instagram account breach federal systems.
- Is MFA enabled on every external-facing system? Not just email. Your CRM, your cloud console, your code repositories, your customer databases.
- Do you have alerts for impossible travel? If an employee logs in from New York at 9 AM and Tennessee at 9:30 AM, does anyone get notified?
- Are you monitoring for credential dumps? Services like Have I Been Pwned or enterprise solutions scan for your domain's credentials appearing in breaches.
- When did you last review access logs? Not automated scans. Human review of who accessed what, looking for patterns that don't make sense.
- Do terminated employees still have access? The average company takes 7+ days to fully deprovision former employees. That's 7 days of vulnerability.
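The impossible-travel, new-location and stale-account questions in the checklist above are all checks you can run over an authentication log. The following is an added example, not code from the article or from any of the identity providers it names: three small checks over a constructed set of login events (the accounts, coordinates, location baseline and termination date are all made up), with a generous 900 km/h speed limit standing in for "no human could have travelled that fast between these two logins".

```python
"""Login-anomaly checks over a constructed authentication log.

Added example, not code from the article or from any vendor it names. It
implements three of the checklist questions: impossible travel between
consecutive logins, a first-ever login location for an account, and
successful logins by an account that should already have been
deprovisioned. The events, the per-user location baseline and the
termination dates below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Anything faster than a commercial flight between two logins is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (assumes a spherical Earth)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive successful logins by one user that would require travelling faster than max_kmh."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            continue
        prev = last.get(e.user)
        if prev is not None and prev.city != e.city:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((e.user, prev.city, e.city, round(speed)))
        last[e.user] = e
    return alerts


def new_location_logins(events, baseline):
    """Successful logins from a city not in the user's baseline (and not seen earlier in this batch)."""
    seen = {user: set(cities) for user, cities in baseline.items()}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.success and e.city not in seen.setdefault(e.user, set()):
            alerts.append((e.user, e.city, e.ts.isoformat()))
            seen[e.user].add(e.city)
    return alerts


def deprovisioned_still_active(events, terminated):
    """Successful logins by accounts whose termination date (from HR) is at or before the login time."""
    return [(e.user, e.ts.isoformat()) for e in sorted(events, key=lambda ev: ev.ts)
            if e.success and e.user in terminated and e.ts >= terminated[e.user]]


# Constructed sample data: three accounts, one morning of logins.
NEW_YORK = ("New York", 40.7128, -74.0060)
NASHVILLE = ("Nashville", 36.1627, -86.7816)
CHICAGO = ("Chicago", 41.8781, -87.6298)

SAMPLE_EVENTS = [
    LoginEvent("bob", datetime(2023, 9, 4, 8, 50), *CHICAGO, True),
    LoginEvent("alice", datetime(2023, 9, 4, 9, 0), *NEW_YORK, True),
    LoginEvent("alice", datetime(2023, 9, 4, 9, 30), *NASHVILLE, True),   # 30 min later, ~1,200 km away
    LoginEvent("bob", datetime(2023, 9, 4, 10, 0), *NASHVILLE, False),    # failed attempt: ignored by the checks
    LoginEvent("carol", datetime(2023, 9, 4, 11, 0), *CHICAGO, True),     # carol left the company last week
]
KNOWN_LOCATIONS = {"alice": ["New York"], "bob": ["Chicago"], "carol": ["Chicago"]}
TERMINATED = {"carol": datetime(2023, 8, 31)}


def run_checks(events=SAMPLE_EVENTS, baseline=KNOWN_LOCATIONS, terminated=TERMINATED):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "impossible_travel": impossible_travel(events),
        "new_location": new_location_logins(events, baseline),
        "deprovisioned_active": deprovisioned_still_active(events, terminated),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings)
```

Run as-is, the script reports alice's New York to Nashville jump (roughly 2,400 km/h), Nashville as a new location for alice, and carol's login four days after her termination date. In a real deployment the events come from your identity provider's audit log and the baseline from the last 90 days of that same log; the point is that each check is a few lines once the log is actually being read.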
The uncomfortable truth is that most organizations know they should do these things. They just haven't prioritized them until after a breach. Moore's case is a reminder that 'nobody would target us' isn't a security strategy.
How Should Enterprises Handle the Human Factor?
The sentencing details reveal something important. The government described Moore as 'a vulnerable young man with long-term disabilities' who 'took responsibility for his actions.' He received one year of probation. No prison time. No fine.
This matters for enterprise security because it illustrates that threats don't always come from sophisticated criminal organizations or nation-state actors. Sometimes they come from individuals who stumble onto credentials and make impulsive decisions. Your security architecture can't assume attackers will behave rationally or hide their tracks.
“I made a mistake. I am truly sorry. I respect laws, and I want to be a good citizen.”
— Nicholas Moore, defendant, at his sentencing hearing
Moore's public bragging actually helped investigators. Most credential thieves aren't this cooperative. They access systems quietly, exfiltrate data gradually, and cover their tracks. The techniques that caught Moore, primarily his own Instagram posts, won't catch professional attackers. Your monitoring has to be better than relying on criminals to announce themselves.
What Does This Mean for Compliance and Insurance?
If you're pursuing SOC 2 compliance, seeking cyber insurance, or working with enterprise clients who audit your security, the Moore case highlights exactly what auditors look for. Access control and authentication failures are among the most common findings in security assessments.
Cyber insurance premiums have increased 50-100% over the past two years for many businesses. Insurers now routinely require MFA, endpoint detection, and backup verification before issuing policies. A credential-based breach where basic controls were missing may void coverage entirely.
For startups seeking enterprise clients, demonstrating strong identity and access management isn't optional. Your first Fortune 500 customer will send a security questionnaire. 'We don't have MFA on our database admin console' is an answer that loses deals.
Immediate Action Items for Business Leaders
- Schedule a 30-minute meeting with your IT lead to confirm MFA status on all critical systems
- Request a report showing login locations and times for privileged accounts over the past 90 days
- Ask whether your company monitors public credential dumps for employee email addresses
- Review your incident response plan. If you detected unauthorized access tomorrow, do you know who to call?
- Budget for a penetration test if you haven't had one in 12+ months
None of these actions require major investment. They require prioritization. The difference between the Supreme Court's three-month detection time and catching an intruder on day one is often just configuration changes and monitoring that already exists but isn't enabled.
Logicity's Take
At Logicity, we build AI-powered tools and web applications for clients across industries, and security is baked into every project from day one. What struck us about the Moore case isn't the hack itself. It's how preventable it was.

We've implemented MFA, session monitoring, and access logging for clients using standard tools like Auth0, Clerk, and Supabase. These aren't enterprise-only features anymore. A Next.js app with Supabase auth can have better credential security than the Supreme Court's filing system apparently did in 2023.

For Indian startups and SMBs, the lesson is clear: security isn't a luxury for later-stage companies. It's table stakes. When we audit client systems, credential management is always the first thing we check. If you're building a product that handles any user data, authentication security should be in your MVP scope, not your 'someday' backlog. The tools exist. The knowledge exists. The only gap is prioritization.
Frequently Asked Questions
How much does implementing MFA cost for a small business?
Most identity providers include MFA at no additional cost. Google Workspace, Microsoft 365, and services like Auth0 offer MFA in their base tiers. The primary cost is implementation time, typically 2-8 hours of IT work depending on your systems. For a company with 50 employees, budget $500-2,000 for full rollout including training.
Can stolen credentials be detected before they're used?
Yes. Services like Have I Been Pwned (free for individuals) and enterprise tools from CrowdStrike, SpyCloud, and others monitor credential dumps and dark web marketplaces. When your domain's credentials appear, you get alerts. This gives you time to force password resets before attackers use the stolen data.
What's the ROI of credential security investments?
With average breach costs at $4.45 million and credential-based attacks being the most common vector, even a 10% reduction in breach probability justifies significant investment. For a mid-sized business, $50,000 in security improvements that prevent one breach delivers 80x+ return. Most improvements cost far less.
How quickly should we detect unauthorized access?
Industry benchmarks suggest detecting intrusions within 24-72 hours significantly reduces damage. The Moore case showed 3 months of undetected access. Best-in-class organizations with mature security operations centers detect anomalies within hours. For most businesses, targeting detection within one week is a realistic first goal.
Is this relevant if we're not a government target?
Absolutely. Most credential attacks are opportunistic, not targeted. Attackers buy bulk credentials from breaches and test them across thousands of services automatically. Your company doesn't need to be specifically targeted. It just needs to have an employee who reused a password.
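The opportunistic pattern described in this answer, one source testing a pile of leaked credentials against many accounts, has a recognisable shape in a login-attempt log. The following is an added example, not code from the article: it flags source addresses that hit many distinct usernames in a short window with mostly failures, and then lists the accounts that nevertheless logged in successfully from such a source, which are exactly the reused passwords that need a forced reset. The attempts, addresses (documentation ranges) and thresholds are all constructed.

```python
"""Credential-stuffing detection over a constructed login-attempt log.

Added example, not from the article. Attackers testing bulk leaked
credentials show up on the defender's side as one source address trying
many distinct usernames in a short window with mostly failures, and any
success from such a source is an account whose password was reused.
Attempts, source addresses (documentation ranges) and thresholds are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # sliding window per source address
MIN_DISTINCT_USERS = 5              # a person mistyping hits one or two accounts, not five
MIN_FAILURE_RATIO = 0.8             # stuffing is mostly failures because most leaked passwords are stale


def stuffing_sources(attempts, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                     min_fail_ratio=MIN_FAILURE_RATIO):
    """Return (ip, distinct_users, attempts, failure_ratio) for each source whose
    busiest qualifying window looks like credential stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(attempts):
        by_ip[ip].append((ts, user, ok))
    flagged = []
    for ip, rows in by_ip.items():
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window start forward
                start += 1
            win = rows[start:end + 1]
            users = {user for _, user, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            ratio = failures / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best[1]:
                    best = (ip, len(users), len(win), round(ratio, 2))
        if best is not None:
            flagged.append(best)
    return flagged


def compromised_accounts(attempts, flagged_ips):
    """Accounts that logged in successfully from a flagged source: these need a forced password reset."""
    return sorted({user for _, ip, user, ok in attempts if ok and ip in flagged_ips})


# Constructed sample: one automated source sweeps six accounts in 100 seconds (one password still
# works), while a real user on another address mistypes twice and then succeeds.
T = datetime(2023, 9, 4, 2, 0, 0)
SAMPLE_ATTEMPTS = [
    (T, "203.0.113.7", "alice", False),
    (T + timedelta(seconds=20), "203.0.113.7", "bob", True),
    (T + timedelta(seconds=40), "203.0.113.7", "carol", False),
    (T + timedelta(seconds=60), "203.0.113.7", "dave", False),
    (T + timedelta(seconds=80), "203.0.113.7", "erin", False),
    (T + timedelta(seconds=100), "203.0.113.7", "frank", False),
    (datetime(2023, 9, 4, 8, 58), "198.51.100.4", "alice", False),
    (datetime(2023, 9, 4, 8, 59), "198.51.100.4", "alice", False),
    (datetime(2023, 9, 4, 9, 0), "198.51.100.4", "alice", True),
]


def triage(attempts=SAMPLE_ATTEMPTS):
    """Flag stuffing sources and list the accounts to reset."""
    flagged = stuffing_sources(attempts)
    return flagged, compromised_accounts(attempts, {row[0] for row in flagged})


if __name__ == "__main__":
    print(triage())
```

On the sample data the automated source is flagged (six accounts, six attempts, 83% failures) and bob is listed for a reset, while the legitimate user who mistyped twice is not. The thresholds are deliberately conservative starting points; tune them against a week of your own log before wiring the output to an alert.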
Need Help Implementing This?
Logicity helps startups and SMBs build secure applications from the ground up. From authentication architecture to security audits, we bring enterprise-grade practices to growing companies. If you're unsure whether your systems would catch a credential-based attack, let's talk.
Source: Ars Technica
Manaal Khan
Tech & Innovation Writer