UPDATED 10:00 EDT / DECEMBER 24 2014

Flaw in single server opened door to record bank cyber-heist

A single misconfigured server has been identified as the attack vector in the historic breach that saw still-unidentified culprits steal information belonging to 83 million JPMorgan Chase & Co. customers over the summer, according to The New York Times. The revelation brings to light the challenges of fully protecting sprawling corporate networks.

The banking giant’s $250 million cyber defense budget – which may soon double as a result of the incident – apparently wasn’t enough to compensate for one small crack in the wall that hackers used to slip inside.

Unnamed insiders who spoke with the Times revealed that JPMorgan Chase’s IT department apparently neglected to secure the machine used in the attack with two-factor authentication, a security technique commonly used in financial services that requires a user to enter a second set of log-in credentials or respond to a challenge before gaining access.

That allowed the hackers to gain access using an employee's stolen credentials. From there, they penetrated 93 other internal servers and made off with contact information belonging to some 76 million households and seven million small businesses.

The bank only became suspicious several months after the fact when a low-key consultancy called Hold Security uncovered a stash of roughly a billion illicitly-obtained usernames and passwords in late July that had been pilfered by a gang of Russian hackers. The trove included a certificate for the website that JPMorgan Chase uses to organize its annual employee sporting event, which led to a review of internal infrastructure.

Sure enough, the Wall Street giant discovered that the same hackers who compromised the public-facing sporting portal also gained access to its sensitive back-end systems. The attackers were caught before they could put their hands on any critical financial data, but by that time, tens of millions of customer contact records had already been compromised. It was the largest cyberheist to hit an American bank to date.

The revelation comes just a few weeks after Alibaba Group Holding Ltd. had a close brush with an equally simple but potentially just as disastrous vulnerability that could have exposed tens of millions of users on its business-to-consumer wholesale marketplace to account theft. Luckily, however, the e-commerce giant received a well-timed warning from a pair of security researchers and issued a patch before the black hat community caught on. The two incidents provide a powerful lesson in the importance of not cutting corners on security, especially when it comes to the seemingly most trivial details.
