One Cognizant Call — Now a $380 Million Bill


You’d think a company known for disinfecting just about everything would be better at cleaning up cyber messes. 

But in August 2023, Clorox found itself knee-deep in a digital disaster that had nothing to do with bleach and everything to do with a hacker group called Scattered Spider.

And now, two years later, that little hack has snowballed into a $380 million lawsuit, with Clorox pointing the finger squarely at its IT vendor—Cognizant.

In August 2023, someone called Clorox’s IT help desk and asked for a password reset.

The help desk agent wasn’t sitting inside Clorox headquarters.

They worked for Cognizant — one of the world’s largest IT services companies, hired to manage Clorox’s technical support.

The caller claimed to be a Clorox employee locked out of their account. The request sounded routine. Urgent, but normal.

According to Clorox, that single phone call may have opened the door to a cyberattack that would cripple operations, disrupt supply chains across America, and trigger a massive $380 million lawsuit against Cognizant.

What happened next would expose one of the most dangerous truths in modern cybersecurity:

Hackers don’t always break in.

Sometimes, they just ask.

Wait, What Even Happened?

Timeline

| Date | Event |
| --- | --- |
| August 2023 | A cyberattack, later attributed to the “Scattered Spider” group, breaches The Clorox Company’s IT infrastructure. The attack disrupts production and order processing, leading to product shortages. |
| September 2023 | Clorox publicly discloses the cyberattack and its significant impact on operations. The company’s stock price is negatively affected. |
| July 2025 | The Clorox Company files a lawsuit against Cognizant in the Superior Court of California for Alameda County. The suit seeks $380 million in damages, citing breach of contract, negligence, and other claims. |

Let’s rewind. In August 2023, Clorox’s IT systems got hit hard by a cyberattack that shut down production, delayed orders, and left shelves unusually bare. The fallout wasn’t just operational—stock prices took a nosedive, and customers were left wondering why they couldn’t find their usual bottle of disinfecting wipes.

But it wasn’t some highly sophisticated, ultra-stealthy cyber breach. No, Clorox claims the whole thing started with a phone call. That’s right. A simple, unverified phone call to Cognizant’s help desk.

According to allegations, someone impersonating a Clorox employee called Cognizant’s service team and, without much resistance, obtained credentials—aka passwords—that opened the door for hackers to stroll right in. 

No need for breaking through firewalls or cracking encryption. Just a bit of good ol’ social engineering. It’s almost insultingly simple.

Who Are These Scattered Spiders Anyway?

If the name sounds like a Marvel villain offshoot, you’re not far off. Scattered Spider, also known as UNC3944, is a cybercrime group that’s oddly young (mostly teens and early 20s) and shockingly effective. 

They’re not your average hoodie-wearing, basement-dwelling hackers. These folks are smooth talkers.

Instead of breaking in, they often talk their way in. Social engineering is their specialty—convincing people to hand over the digital keys to the kingdom.

They’ve gone after big names like MGM Resorts, Caesars Entertainment, and even financial giants like Visa and PNC.

From Bleach to Breach: Clorox’s Fallout

Clorox’s reputation wasn’t just built on its cleaning products—it was cemented by trust. During the 1918 Spanish Flu pandemic, Clorox was one of the few brands households relied on for safety. 

That legacy took a hit when the cyberattack forced the company to shut down some of its operations, triggering significant supply chain disruptions.

By September 2023, Clorox had to publicly admit the severity of the attack. The impact? A 24% decline in sales for that quarter, coupled with customer trust taking a hit harder than a disinfectant commercial gone wrong.

Cue the Lawsuit: $380 Million, Please

Fast forward to July 2025. Clorox filed a lawsuit in California against Cognizant, claiming breach of contract, gross negligence, and more. They want $380 million in damages—chump change for some, but a major statement from a company that just wants to ensure this kind of slip doesn’t happen again.

Their argument? That Cognizant didn’t just fail to protect their data—they handed it over. Allegedly. It’s the difference between a burglar picking your lock and someone handing over the key because the burglar asked nicely.

Cognizant’s Side of the Story

As of now, Cognizant has kept things pretty tight-lipped. A spokesperson told the Financial Times that the company intends to “vigorously defend itself” against what they claim are “meritless allegations.” In corporate-speak, that’s basically “don’t believe everything you hear.”

But let’s be real: whether it was gross negligence or just a rare lapse in protocol, this case is shining a harsh light on how fragile digital security still is, even in billion-dollar organizations.

Let’s Talk About the Real Issue Here

The problem isn’t just passwords or protocols—it’s people.

Cybersecurity isn’t only about software updates and encrypted tunnels. It’s about training. It’s about skepticism. It’s about that help desk employee feeling empowered (and educated) enough to say, “Hold on, I need to verify your identity first.”

Because the truth is, hackers will always exist. The question is, will we keep letting them in because someone picked up the phone and believed a friendly voice?

The Verdict

This isn’t just a tech story—it’s a cautionary tale for every company, big or small. The biggest breaches aren’t always because of some genius hacker in a dark room. 

Sometimes, it’s because someone didn’t ask enough questions during a customer support call.

So whether you’re a Fortune 500 or a startup in a garage, remember: all it takes is one weak link, one misstep, one unverified call—and suddenly, you’re staring down a $380 million fallout.

