
Volume 338, Issue 2 · IT News · Humor

To Gain Root Access At This Company, All An Intruder Had To Do Was Ask Nicely

The Register, Thursday, May 14th, 2026

A pentester gained root access by social engineering IT staff who prioritized being helpful over security procedures.

During a penetration test, security consultant Brandon Dixon successfully compromised a company's network by calling IT support, impersonating the head of security, and requesting a password reset without proper verification. The IT staff failed to follow security protocols, accepting his claim despite failed challenge questions and directly entering his suggested password over the phone rather than sending a reset link.

Dixon also shared a related story about a pharmaceutical company where competitors called employees impersonating coworkers to extract information about upcoming drugs. The common lesson from both incidents is that humans' desire to be helpful and please authority figures often overrides security best practices, highlighting the critical importance of maintaining strict verification procedures regardless of who is requesting access.
