<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The Sharp End]]></title><description><![CDATA[Adversarial thinking. From the front line.]]></description><link>https://sharpend.saiz.com</link><image><url>https://substackcdn.com/image/fetch/$s_!C0Zw!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec35fd29-5620-466b-af09-86660a60e019_572x572.png</url><title>The Sharp End</title><link>https://sharpend.saiz.com</link></image><generator>Substack</generator><lastBuildDate>Sat, 02 May 2026 03:22:12 GMT</lastBuildDate><atom:link href="https://sharpend.saiz.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Jerome Saiz]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[jeromesaiz@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[jeromesaiz@substack.com]]></itunes:email><itunes:name><![CDATA[Jerome Saiz]]></itunes:name></itunes:owner><itunes:author><![CDATA[Jerome Saiz]]></itunes:author><googleplay:owner><![CDATA[jeromesaiz@substack.com]]></googleplay:owner><googleplay:email><![CDATA[jeromesaiz@substack.com]]></googleplay:email><googleplay:author><![CDATA[Jerome Saiz]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Cyber crisis exercises: doing things in the right order]]></title><description><![CDATA[&#8230;or why you need to learn to walk before you try to climb]]></description><link>https://sharpend.saiz.com/p/cyber-crisis-exercises-doing-things</link><guid isPermaLink="false">https://sharpend.saiz.com/p/cyber-crisis-exercises-doing-things</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Sat, 14 Mar 
2026 15:35:20 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!0v4w!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1b6f80c5-7f06-4223-910b-fbe9dc0c3ca7_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!0v4w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1b6f80c5-7f06-4223-910b-fbe9dc0c3ca7_1536x1024.png" width="1456" height="971" alt=""></figure></div><p>At this point, nobody seriously argues that cyber crisis training is optional.</p><p>There is, of course, one very effective alternative: going through the real thing. I would not recommend it. Across the 50+ major crises I have handled in my career, the lesson has always been the same: a real cyber crisis is a very efficient teacher, but a painfully expensive one. You learn a great deal, at a cost most organisations would rather not pay.</p><p>So yes, organisations need to exercise. 
But they should not all exercise in the same way, and certainly not at the same level from day one.</p><p>One of the recurring mistakes in this field is to think of a cyber crisis exercise as a single format: a big event, a dramatic scenario, a room full of people reacting under pressure. In reality, there is a progression. The right format depends on the organisation&#8217;s maturity, on what it is actually trying to test, and on how much strain it is willing to put on the machine.</p><p>Done properly, an exercise programme becomes more demanding over time. It also becomes more useful.</p><h2>Before any exercise, there has to be a framework</h2><p>This sounds obvious, but it is often skipped: before testing how an organisation handles a cyber crisis, you need a procedure worth testing.</p><p>If the crisis process does not exist, or exists only in fragments, the exercise will not reveal much beyond the fact that the organisation is unprepared. That is not always a useless finding, but it is an expensive and frustrating way to arrive at it. 
People usually come out of that kind of session feeling they have been judged against rules that were never clearly set in the first place.</p><p>That reaction is understandable. An exercise is not supposed to be a trap.</p><p>There is another issue here. Cyber crises are close enough to &#8220;traditional&#8221; crisis management to create false confidence, but different enough to make direct transposition risky. Existing (non-cyber) crisis governance, risk structures, escalation routines, and executive habits remain very useful. But they still need to be reviewed through a cyber lens before exercise design begins.</p><h2>Level 0: the activation test</h2><p>This is not the most glamorous format, but it is one of the most useful.</p><p>An activation test is simple in principle: you trigger the crisis mechanism in a controlled way and observe whether the right people mobilise, whether the alerting chain works, whether escalation is smooth, and whether the practical setup holds together.</p><p>There is barely a scenario. That is not the point. The test stops once the organisation is operational and in a position to manage whatever event is thrown at it.</p><p>What it tells you is whether the foundations are sound. Can the key people be reached quickly, at any hour? Do they know what is expected of them? Is the crisis room ready, physically or virtually? Does the process start cleanly, or does it begin in confusion? I have seen activation tests reveal that the CEO's emergency number had not been updated in three years.</p><p>Because it is light and quick to run, this is the format that most deserves to be repeated. It does not answer every question, but it answers an important one: can the organisation even get on its feet when something serious begins?</p><h2>Level 1: the tabletop</h2><p>This is the format most people know, and for good reason. 
A tabletop is light, fast, and easy to organise, at least compared to what comes next!</p><p>A group of participants (usually the people who would form the decision-making crisis cell) is brought together and presented with an evolving scenario. They discuss what they would do, how they would prioritise, what decisions they would take, and what difficulties they face due to the degraded conditions.</p><p>It is less realistic than what comes later, but that is not necessarily a weakness. A tabletop is often the best place to start because it acts as an excellent brainstorm session.</p><p>Used well, it is an excellent format for awareness, alignment, and collective reflection. It does not fully validate the crisis plan. It will not tell you much about logistics, and it only partly tests the more complex mechanisms of crisis management. But it does something else that matters a great deal: it helps people understand one another.</p><p>In a good tabletop, legal starts to see what operations is struggling with. IT realises how quickly uncertainty becomes a communications problem. Executives get a better feel for the friction between caution, speed, and incomplete information. That shared understanding is often more valuable than people expect.</p><p>To be frank, this is also the format many clients ask for most often today. They are right to do so. Even without the more formal validation benefits, the discussion itself is already a win. In some organisations, that benefit alone makes the exercise worthwhile.</p><h2>Level 2: the live exercise</h2><p>This is usually what people have in mind when they hear the term <em>crisis exercise</em>.</p><p>The participants start at their desks, in the middle of an apparently normal working day. Then the first inputs arrive: emails, calls, messages, requests, alerts. 
Everything is clearly marked as part of an exercise, but the experience is designed to create enough realism and enough pressure to force real coordination.</p><p>This is where the exercise starts to come alive. You can introduce media pressure through mock news flashes, outside scrutiny through simulated regulator contact, commercial pressure through simulated customers and partners, and physical-world consequences through fabricated but plausible impacts. A well-run live exercise can feel surprisingly close to the rhythm of a genuine event.</p><p>Participants are expected to act, not just discuss. They alert, escalate, communicate, activate crisis structures, move to the relevant rooms or calls, respond to external pressure, and keep advancing through the ambiguity as the situation evolves.</p><p>From this point on, the organisation is no longer merely talking about crisis response. It is beginning to test whether it can actually execute it.</p><p>That is why preparation matters. A live exercise only has real value if the participants have a process they can rely on &#8212; something reviewed, adapted, and properly communicated beforehand. Otherwise the organisation ends up improvising its own structure under exercise conditions, which is usually noisy but not especially enlightening (I once saw a single 57-person Slack channel used for crisis coordination during an exercise. Needless to say, it did not work well...)</p><p>This format also demands more support around the players: a facilitation team, a dedicated control room, working comms, and enough observers to capture what happened accurately. There is no proper debrief and improvement plan without a good set of observers.</p><p>The main limitation is technical. 
In most live exercises, actions on the real information system are avoided, or kept strictly read-only.</p><p>Which is why the final step exists.</p><h2>Level 3: the simulation</h2><p>This is where things become epic.</p><p>A simulation takes the organisational mechanics of a live exercise and adds the element that changes the nature of the whole event: a replica of the information system in an isolated environment.</p><p>Once that exists, the exercise stops being only organisational. It becomes technical as well. Participants are no longer reacting solely to scripted reporting or facilitation prompts. They are dealing with technical activity unfolding in a controlled environment, and they must connect that activity to business decisions in real time.</p><p>This can include an actual Red Team operating against the replica, forcing defenders to detect, investigate, contain, and recommend responses while the rest of the organisation deals with degraded services, uncertain impacts, and business consequences.</p><p>That coordination is the real value of the format. Cyber crises are difficult not only because the technical problem is hard, but because the technical and organisational timelines rarely move at the same pace. The simulation is one of the few ways to work on that tension seriously.</p><p>It is also the closest thing to a real cyber crisis that an organisation can experience without suffering one. Not identical, of course. You never fully reproduce the stress, the fog, or the emotional charge of a real incident (and believe me, these are absolutely <em>major</em> factors). But you get much closer.</p><p>Unsurprisingly, this is also the most demanding format in every sense: time, preparation, internal involvement, and of course budget. Some simulations run for several days and involve very large numbers of participants. They can be extremely valuable. 
They are just not where most organisations should begin.</p><h2>On surprise exercises</h2><p>At some point, the same question usually comes up: should the exercise be announced?</p><p>The instinct behind the surprise exercise is easy to understand. Real crises do not arrive politely. So why announce the rehearsal?</p><p>Because in practice, surprise does not always mean realism.</p><p>An unannounced exercise can fail for very mundane reasons: the wrong day, the wrong people absent, not enough bandwidth, not enough willingness to engage, not enough room to distinguish simulation from distraction. When that happens, the result is often disappointing, and occasionally counterproductive.</p><p>That does not mean surprise exercises are pointless. They can be very useful in mature organisations, especially when the goal is narrow: testing alternates in key roles, for example, or seeing how mobilisation works under less comfortable conditions. But they tend to work best when the organisation already knows how to handle the more structured formats.</p><p>Even then, it is wiser to relax the surprise factor slightly and to make sure strong senior backing has been secured first. Pro tip: CEOs are often game for this kind of idea and love springing it on their C-suite during the holiday season...</p><p>There is, however, a line that should usually not be crossed: the disguised exercise, where the event is not only unannounced but not even identified as an exercise. In most cases, that is a bad idea.</p><p>A clean separation between the exercise world and the real world is one of the basic rules of proper crisis exercise design. Once that boundary starts to blur, you create the possibility of escalation outside the intended perimeter. 
All it takes is one participant taking the situation too literally and triggering real-world action with customers, authorities, partners, or the media.</p><p>At that point, you may find yourself managing an actual crisis caused by the exercise itself.</p><p>There are more creative ways to work once an organisation is truly mature. That is true in cyber crisis management as it is anywhere else. But most organisations still have plenty to gain from simply building their exercise programme in the right sequence, with clear goals and no unnecessary theatrics.</p><p>Start where you are. Build the sequence. Save the theatrics for when you can afford them.</p>]]></content:encoded></item><item><title><![CDATA[Military OPSEC: Coincidence or Deliberate Signal? 
]]></title><description><![CDATA[And How to Apply the Same Thinking in Your Organization...]]></description><link>https://sharpend.saiz.com/p/military-opsec-coincidence-or-deliberate</link><guid isPermaLink="false">https://sharpend.saiz.com/p/military-opsec-coincidence-or-deliberate</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Mon, 16 Feb 2026 17:06:52 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!vbz1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9cb46795-eb21-4aed-8b85-c31617befb04_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!vbz1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9cb46795-eb21-4aed-8b85-c31617befb04_1536x1024.png" width="1456" height="971" alt=""></figure></div><p>Three years ago, I was taking part in a major French military exercise as a civilian contractor. 
Among the many participating nations was a contingent of U.S. service members.</p><p>One day at lunch, while waiting in line, I overheard a group of young soldiers speaking English. The shoulder patch made their U.S. affiliation unmistakable. Having lived and studied in the United States, I&#8217;ve always enjoyed interacting with Americans. So, naturally, I greeted them and asked where they were from to start a casual conversation.</p><p>The response was immediate, guarded and unambiguous: they clearly had been briefed about the risk of foreign elicitation attempts and would not disclose anything. The fact that I was one of the few people dressed in civilian clothing amid a sea of uniforms probably didn&#8217;t help my case either.</p><p>Recognizing what had just happened, I didn&#8217;t press the matter and went back to my smartphone. The exchange seemed trivial at the time, and I quickly forgot about it.</p><h2>Until that evening&#8230;</h2><p>Back at my hotel, I noticed that my LinkedIn profile had been viewed by an intelligence analyst from a U.S. National Guard unit.</p><p>I was genuinely stunned. 
If this wasn&#8217;t coincidence&#8212;and it absolutely could have been&#8212;it would imply several things:</p><ul><li><p>The soldiers had been properly briefed on elicitation risks (entirely expected).</p></li><li><p>They were able to identify me in real time (perhaps via a discreet photo taken later, while I was having lunch).</p></li><li><p>The information was reported and processed within just a few hours.</p></li><li><p>The analyst&#8217;s deliberate visit to my LinkedIn profile from his own public account may have been a subtle message. The classic &#8220;we see you.&#8221;</p></li></ul><p><strong>If that interpretation is correct, it&#8217;s impressive.</strong></p><p>Of course, Occam&#8217;s razor strongly suggests a far simpler explanation: random chance. Ian Fleming captured this ambiguity well: <em>&#8220;Once is happenstance. Twice is coincidence. Three times is enemy action.&#8221;</em> So, realistically, there was probably nothing extraordinary about it.</p><div><hr></div><h2>What Does This Mean for Organizations?</h2><p>Regardless of the true explanation, the episode led me to reflect on a more practical question:</p><p>How could a comparable level of awareness and responsiveness be implemented within corporate environments, particularly during the Reconnaissance tactic of the MITRE ATT&amp;CK framework: a phase that is notoriously difficult to detect and counter?</p><p>This is not about encouraging employees to photograph every stranger who asks questions about their role. That would raise obvious legal and privacy concerns. 
But still, it does raise legitimate questions:</p><ul><li><p>Do exposed or sensitive roles within your organization receive specific awareness training on social engineering and elicitation tactics?</p></li><li><p>Is there a low-friction mechanism for reporting unusual interactions or behaviors?</p></li><li><p>Do you have the analytical capability to validate and correlate weak signals (for example, through Threat Intelligence and OSINT practices)?</p></li></ul><p>Pushing the idea further, a four-part approach emerges:</p><h3><strong>1. Targeted Awareness</strong></h3><p>High-exposure roles&#8212;executives, R&amp;D, procurement, executive assistants&#8212;benefit from tailored briefings. The goal is to recognize patterns such as the &#8220;vendor&#8221; asking unusually detailed questions, the &#8220;journalist&#8221; probing into supply chains, or the LinkedIn contact displaying excessive curiosity about internal initiatives.</p><h3><strong>2. Frictionless Reporting Channels</strong></h3><p>The mechanism matters less than the usability: a dedicated email alias, an intranet button, a lightweight form. The key requirement is speed and simplicity. Employees must be able to flag something suspicious in seconds, without the burden of formal reporting.</p><h3><strong>3. Analysis and Correlation Capability</strong></h3><p>This is where Threat Intelligence functions become critical. An isolated report rarely means anything. Multiple reports involving related teams or projects begin to form a pattern. OSINT techniques then help assess credibility: does the individual exist? Is the digital footprint coherent? Are there inconsistencies?</p><h3><strong>4. Feedback Loops</strong></h3><p>Closing the loop reinforces the security culture. 
Even minimal responses&#8212;&#8220;Thank you, reviewed, no issue detected&#8221; or &#8220;Good catch, this warranted attention&#8221;&#8212;strengthen awareness and encourage future reporting behaviors.</p><div><hr></div><p>What do you think?<br>Is this already a thing where you work? If not, what prevents it?</p>]]></content:encoded></item><item><title><![CDATA[Why is cyber crisis coordination so hard? ]]></title><description><![CDATA[... 
and why crisis coordinators are such a rare bunch?]]></description><link>https://sharpend.saiz.com/p/why-is-cyber-crisis-coordination</link><guid isPermaLink="false">https://sharpend.saiz.com/p/why-is-cyber-crisis-coordination</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Mon, 02 Feb 2026 13:45:45 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!uyy-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05703787-a0a6-4e11-a0c7-88336123aaea_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!uyy-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05703787-a0a6-4e11-a0c7-88336123aaea_1536x1024.png" width="1456" height="971" alt=""></figure></div><p>&#8220;<em>What exactly do you DO here?</em>&#8221; a CISO asked me 48 hours into a crisis.</p><p>Fair question. 
I&#8217;d been in every meeting, written half the comms, coordinated with external teams, and somehow still hadn&#8217;t &#8216;fixed&#8217; anything within his area of responsibility.</p><p>After managing dozens of crises since 2019, I&#8217;ve learned the crisis lead role is invisible when it works&#8212;and catastrophic when it doesn&#8217;t.</p><p>But, then again, what exactly do I do here?</p><p>Here&#8217;s what that role actually entails, depending on the victim organization&#8217;s maturity in crisis-management capabilities.</p><div><hr></div><h2>Coordination and governance</h2><ul><li><p>Ensure cross-functional coordination between all stakeholders (CIO, CISO, business units, executive management, external service providers)</p></li><li><p>Ensure the proper functioning of crisis cells (decision-making and technical)</p></li><li><p>Verify that crisis cells are effectively staffed and operational, and raise alerts in case of failure</p></li><li><p>Define (if not already in place) and enforce the cadence of crisis meetings (frequency, duration, attendees)</p></li><li><p>Maintain alignment between the decision-making cell and the technical cell throughout the 
crisis</p></li></ul><h2>Advisory role and interface with executive management</h2><ul><li><p>Provide executives with the information required to make informed decisions</p></li><li><p>Clarify technical, legal, and communication-related risks</p></li><li><p>Help translate technical issues into business language for the executive committee</p></li><li><p>Advise management on strategic trade-offs (restart priorities, resource allocation)</p></li><li><p>Frame discussions around a potential ransom payment (in ransomware incidents) using factual, objective elements</p></li><li><p>Contribute to drafting (or, in many cases, directly writing) internal and external communications</p></li></ul><h2>Operational sequencing and steering</h2><ul><li><p>Contribute, when requested, to defining the sequencing of actions based on how the situation evolves</p></li><li><p>Ensure consistency between isolation and remediation actions</p></li><li><p>Validate prerequisites for a phased restart of information systems (a known initial compromise date, available indicators of compromise)</p></li><li><p>Track the progress of incident response and forensic investigation teams</p></li><li><p>Coordinate the transition from emergency response to reconstruction</p></li></ul><h2>Documentation and traceability</h2><ul><li><p>Ensure proper logging and incident diaries are maintained within each crisis cell</p></li><li><p>Advise teams on traceability of checks performed on systems prior to restart</p></li></ul><h2>Coordination with external parties</h2><ul><li><p>Coordinate interactions with external incident response teams (CERT/CSIRT)</p></li><li><p>Organize technical communications with interconnected customers and partners</p></li><li><p>Help standardize and scale the reassurance process toward third parties (technical commitments, evidence of controls)</p></li><li><p>Facilitate interactions with authorities when required (national cybersecurity agencies, law enforcement)</p></li></ul><h2>Remediation and security 
advisory</h2><ul><li><p>Advise, when appropriate, on the deployment of emergency cybersecurity solutions (EDR, monitoring)</p></li><li><p>Validate conditions for the progressive reopening of Internet access</p></li><li><p>Ensure hardening measures are integrated into the reconstruction plan</p></li><li><p>Support the definition of criteria for pre-restart control checkpoints</p></li></ul><h2>Human and logistical management</h2><ul><li><p>Alert management to the risk of burnout among key personnel</p></li><li><p>Monitor team cohesion and morale throughout the crisis and raise alerts if degradation could jeopardize crisis operations</p></li></ul><h2>Preparing for crisis exit</h2><ul><li><p>Define objective exit criteria with the decision-making cell</p></li><li><p>Prepare the handover to internal teams for the return to normal operations</p></li><li><p>Contribute to organizing the post-incident review</p></li><li><p>Identify security initiatives to be launched after the crisis</p></li></ul><div><hr></div><p>Of course, every crisis and every organization is different, so the balance across these areas can vary. Some internal functions may fully take over certain tasks from the crisis lead&#8212;but he or she must still maintain visibility over them, either to contribute directly or to enrich collective decision-making.</p><p>Today, this role is better understood, yet remains just as difficult to staff (internally and externally). It is often split across several people, particularly when it is staffed in-house. But this inevitably increases the coordination burden&#8212;which is then frequently outsourced.</p><p>After another crisis ended, a CTO confessed: &#8220;<em>I wasn&#8217;t convinced we needed you. But I get it now. 
You were the glue</em>.&#8221;</p><p>That&#8217;s the crisis lead role: the glue nobody sees until everything falls apart without it.</p>]]></content:encoded></item><item><title><![CDATA[Managing Crises Means Failing Fast and Failing Often]]></title><description><![CDATA[&#8230;and in a controlled way.]]></description><link>https://sharpend.saiz.com/p/managing-crises-means-failing-fast</link><guid isPermaLink="false">https://sharpend.saiz.com/p/managing-crises-means-failing-fast</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Fri, 23 Jan 2026 22:15:45 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cwdS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9725ac4-bb68-4e8d-8ad7-e0078d2ae36f_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!cwdS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9725ac4-bb68-4e8d-8ad7-e0078d2ae36f_1536x1024.png" width="1456" height="971" alt=""></figure></div><p>I've sat in 50+ crisis rooms during major ransomware incidents. The organizations that recovered fastest weren't the ones with the best playbooks. They were the ones willing to fail fast, kill bad ideas, and try something else.</p><p>Here's why crisis management is closer to startup mode than anyone admits...</p><p>Crises are, by definition, &#8220;out-of-framework&#8221; events. They push us beyond the boundaries of contingency plans. For if there were a plan that could simply be followed to resolve the situation, then strictly speaking we wouldn&#8217;t be in a crisis. </p><p>An organization that activates a contingency plan is not, in my view, in crisis: it may be operating in a degraded mode, for sure. But it is relying on an existing plan and well-defined steps and resources to return to normal. In that context, the framework still holds&#8212;and it is obviously not desirable to &#8220;fail fast and often.&#8221;</p><p>Contingency measures must be applied, and they must work. If they don&#8217;t, then the real problem lies elsewhere.</p><p>A situation becomes a crisis when there is no plan&#8212;or when contingency measures fail. And in such circumstances, clinging to the framework can be dangerous. </p><p>A framework limits options; it defines a territory shaped by the pre-crisis state: a state designed for day-to-day operations and long-term stability. Above all, it is a state whose mission is to drive the organization toward its usual objectives&#8230; which are not necessarily the objectives that matter during a crisis.</p><h2>Crisis Organization Is Not Day-to-Day Organization</h2><p>That is precisely why crisis organization rarely mirrors day-to-day organization. 
Managing a crisis ultimately means switching into &#8220;startup mode&#8221;: tapping into the creativity and energy of highly motivated teams operating closely within a very flat structure&#8212;namely the crisis cell.</p><p>It also means rapidly and efficiently surfacing ideas from the field, and above all maintaining a short feedback loop between observation, orientation, decision, and action (the OODA loop formulated by USAF Colonel John Boyd). These are things that, in normal operations, either don&#8217;t work or require an unsustainable level of energy and micromanagement once an organization reaches a certain size.</p><p>Most importantly, startup mode makes it possible to test things&#8212;lots of things. Not solutions meant to be permanent, but initiatives that, when they work, help move the organization one step closer to exiting the crisis, or at least keep it afloat long enough to try something else.</p><p>This inevitably involves making mistakes. Errors in judgment or assessment are unavoidable when you have to move forward with partial information and a rapidly evolving situation. These mistakes must be identified quickly (thanks to a short OODA loop) and discarded just as quickly, to make room for a better approach. Crisis time is constrained; there is no room for unnecessary wandering. Wasting time on doomed approaches can be fatal.</p><p>The goal of crisis management, in my view, is therefore to create the conditions that enable this way of working: allowing rapid, blame-free failure so that good ideas can emerge through iteration. Putting safeguards in place to limit the impact of failed initiatives, while knowing how to capitalize on those that succeed. 
And ultimately, discovering the path out of the crisis&#8212;a path that was not written in advance, that will inevitably be unique, and whose every step must be documented to feed the final lessons-learned process.</p><h2>A Startup Mindset&#8212;But a Responsible One</h2><p>This does not mean doing just anything. Startup mode, yes&#8212;but a responsible startup. An organization cannot simply disregard its legal and contractual obligations because it is in crisis (national public crises are, of course, a different matter). Some things can be renegotiated, but broadly speaking, an organization has very few &#8220;jokers&#8221; when dealing with third parties&#8212;unless it relies on their understanding, which actually does happen more often than one might think (I even saw competitors ready to help a major pig breeder brought to a complete standstill by ransomware).</p><p>It is therefore essential that the crisis organization is also capable of ensuring compliance with these obligations, so as not to add a second crisis on top of the first.</p><p> Poor decisions can worsen the situation, open a new legal front or trigger a secondary public communications crisis. This is a delicate balancing act: between formalism and openness to all proposals, between controlled chaos and the discipline of proper logging and traceability. In short, it&#8217;s a profession in its own right.</p><h2>Above All, a Matter of Culture</h2><p>Let me be clear: I am not suggesting that crisis management consists of trying everything at random until something finally works. What I want to emphasize is the importance of agility and humility in steering a crisis&#8212;and the need to foster a culture of initiative rather than blame (I will probably write about my worst crises someday&#8230; including toxic corporate cultures and a lot of blame being thrown around).</p><p>Rapid iteration, killing bad ideas, and keeping only the good ones is only possible within a very specific culture. 
One where failure is not stigmatized (far from the infamous &#8220;career-limiting moves&#8221; so dear to the most suffocating organizations), and where everyone&#8212;because they are professionals whose expertise is respected&#8212;can speak up and make proposals before the crisis cell&#8217;s director decides. Crisis time is not the time for blame: neither for the origin of the crisis nor for exit strategies that fail. </p><p>Under these conditions, the crisis cell may fail often. But it will fail safely, within a controlled framework&#8212;and that is precisely what will allow it to uncover the path out of the crisis.</p><p>What about your own experience? Have you ever been in a crisis where blame was flying around and failure was stigmatized&#8212;where trying things and failing was discouraged? How did it go?</p>]]></content:encoded></item><item><title><![CDATA[When Passwords Are Cooked Properly]]></title><description><![CDATA[A story of salt and pepper&#8212;to understand the next major breach, and why the cryptography legends I interviewed are urging us to move beyond passwords.]]></description><link>https://sharpend.saiz.com/p/when-passwords-are-cooked-properly</link><guid isPermaLink="false">https://sharpend.saiz.com/p/when-passwords-are-cooked-properly</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Fri, 23 Jan 2026 21:14:28 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ME3w!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F221d8086-8f7c-4e9e-a8c6-fcc22c38fb1d_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!ME3w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F221d8086-8f7c-4e9e-a8c6-fcc22c38fb1d_1536x1024.png" width="1456" height="971" alt=""></figure></div><p>The seemingly endless stream of announcements about multi-million-user account breaches is a good opportunity to revisit industry best practices: how do serious web services and applications actually protect your passwords?</p><p>Answer: they cook them.</p><p>In this article, we&#8217;ll step behind the counter and see what really happens in the kitchen of a well-run online service. How does a careful developer&#8212;our digital chef&#8212;go about protecting users&#8217; passwords?</p><p>Over 15 years as a tech journalist, I interviewed some of the people who built these foundations. 
Including Bruce Schneier and two of the creators of the RSA algorithm (Rivest, Shamir, Adleman).</p><p>Here&#8217;s what they got right about password protection&#8212;and why all three now argue passwords should be killed entirely.</p><p>Before stepping into the kitchen, it&#8217;s worth revisiting the problem the chef is trying to solve. The developer doesn&#8217;t know you, has never met you, yet still needs to reliably recognize you when you return to the service.</p><p>The simplest way to do this is to ask you, during registration, to choose a secret (your password), which they store carefully&#8212;usually in a database accessible to the web application. From that point on, anyone claiming to be you must provide the same secret. The developer simply compares what you enter with what they have on file. If they match, you&#8217;re in; if not, try again.</p><p>An attentive reader will notice that this implies all user passwords are stored in a database fully accessible to the web application. 
That&#8217;s unavoidable with traditional password-based authentication: the application must be able to receive your password and compare it against a stored value&#8212;which is precisely why the industry has been searching for better alternatives for quite some time (biometrics, certificates, physical tokens, passkeys...)</p><p>But let&#8217;s get back to passwords. So how do you prevent an attacker from simply reading the database directly and walking away with every password?</p><blockquote><p>Short answer: it&#8217;s hard.</p></blockquote><p>Of course, there are well-known basic protections. The database itself is password-protected and typically not exposed directly to the internet&#8212;only the web application is allowed to query it, ideally through an account that can do nothing beyond what the application actually needs. A conscientious developer will also design the application so attackers can&#8217;t trick it into dumping the user table (classic SQL injection, for instance). Beyond that, there are more advanced measures to protect the infrastructure itself&#8212;and even to restrict what people with database access can do.</p><p>But a realistic developer assumes that, sooner or later, the password database will fall into attackers&#8217; hands. The real goal is then to make life as difficult as possible for anyone who steals it.</p><div><hr></div><h3>Chop Finely</h3><p>The first technique is to <em>hash</em> passwords. Not with a butcher&#8217;s knife, but with a mathematical function known as a <em>hash function</em>.</p><p>Starting from a readable password, a hash function produces a fixed-length sequence of letters and numbers that bears no visible relation to the input. The same input always gives the same output, and the function is designed to be one-way: there is no practical way to run it backwards. For example, the word <em>&#8220;Casimir&#8221;</em> (a very poor password, by the way) becomes:</p><pre><code><code>8a7b9eadc09b43afa96ce42c5febdca94ea8ac04
</code></code></pre><p>when run through the (now deprecated) SHA-1 algorithm (just one hash function among many).</p><p>Important point: this is <em>not</em> encryption. Anyone can compute the hash of &#8220;Casimir&#8221;; no secret key is required, and there is no key that turns the hash back into the word. Hash algorithms are public and you can easily try them yourself online (with a throwaway word, never a password you actually use).</p><p>So what&#8217;s the point of hashing passwords?</p><p>It prevents attackers from immediately reading them in the stolen database.</p><p>In normal use, when you log in, you enter your password in plain text (&#8220;<em>Casimir</em>&#8221;). The web application hashes it and compares the result with the hash stored in the database. The password itself is never stored in clear text; the application handles the clear-text value only for the instant it takes to hash it (which is also why the login form must be served over TLS).</p><p>This process is invisible to users, but for attackers it makes things much harder. If all they have is the hash <code>8a7b9eadc09b43afa96ce42c5febdca94ea8ac04</code>, and they want to know that the actual password is &#8220;Casimir,&#8221; they must guess candidate passwords, hash each one, and compare the results to the stolen hashes. Done properly, this can take quite a long time.</p><p>At this point, it should be obvious why choosing common dictionary words as passwords is a bad idea. To save time, attackers long ago automated dictionary attacks: they hash every word from dictionaries (in multiple languages) and from previously leaked password lists, and automatically check whether any of those hashes appear in the stolen database. When they find a match, they&#8217;ve cracked a password and can log in. </p><p>Worse, general-purpose functions like SHA-1 were built to be fast, and a single modern GPU computes billions of them per second. To slow attackers down, security specialists, and especially mathematicians, whom we should thank for not giving up during high-school math, designed dedicated <em>password hashing functions</em> (bcrypt, scrypt, and more recently Argon2) that deliberately take a noticeable, tunable amount of time to compute. We&#8217;re talking milliseconds, but the difference matters.</p><p>The idea is simple: when a legitimate user logs in, the web application has all the time it needs to compute a single hash. 
Adding a few extra milliseconds doesn&#8217;t matter to the real human who is trying to log in. But the attacker pays those milliseconds for every guess against every stolen hash, and when hundreds of millions of hashes are stolen, they add up. Potentially to years of computation.</p><p>That&#8217;s time during which the victim organization can notify users and force password resets. Every passing hour reduces the number of valid passwords left to crack&#8212;and therefore the value of the stolen data.</p><p>Today, the state of the art is to use functions like Argon2id, which is <em>memory-hard</em>: each hash needs a configurable amount of RAM as well as time, which blunts the advantage attackers get from GPUs and custom hardware. Its parameters can be tuned so that large-scale hash computation becomes prohibitively expensive (the OWASP Password Storage Cheat Sheet keeps a current set of recommended values).</p><div><hr></div><h3>Pre-Cooked Meals: Rainbow Tables</h3><p>Attackers, of course, didn&#8217;t stop there. Since they can&#8217;t take months or years to compute hashes after a breach, they took a shortcut: pre-computing hashes for the most common passwords, once and for all. We are talking millions of them.</p><p>These pre-computed datasets are popularly known as <em>rainbow tables</em> (strictly speaking, a rainbow table is a compressed form of such a lookup table, a time-memory trade-off, but the effect is the same). When attackers obtain a new password database, comparison becomes instant: they simply look up matches in their tables. This only works because a plain hash function is deterministic: every service that hashes &#8220;Casimir&#8221; with SHA-1 stores the very same value.</p><p>Now you can see why choosing &#8220;123456&#8221; (or &#8220;Casimir&#8221;) is such a terrible idea. Those passwords have been sitting in rainbow tables for years. They&#8217;re the first to fall.</p><div><hr></div><h3>Add Salt&#8212;Generously</h3><p>Defenders responded quickly. To prevent attackers from relying on pre-computed hashes, systems now add a random value to each password <em>before</em> hashing it. This value is unique per user and is combined with the password in plain text prior to hashing.</p><p>So even though you enter &#8220;Casimir&#8221; into the password field, what actually gets hashed behind the scenes might look like (the UUID and the <code>::</code> separator are just an illustration):</p><pre><code><code>494301c9-2e9c-48ef-965e-2a74ac373dc9::Casimir
</code></code></pre><p>That extra value is called the <em>salt</em>.</p><p>Each user gets a unique salt. It doesn&#8217;t need to be secret and can be stored openly in the database next to the password hash. It must, however, come from a cryptographically secure random generator (not a timestamp, not the username), and 16 bytes is the usual minimum. With bcrypt, scrypt or Argon2id you never glue the pieces together yourself: the library generates the salt and encodes it into the stored hash string along with the algorithm and its parameters.</p><p>The salt does two things. First, attackers are extremely unlikely to already have rainbow tables computed for every dictionary word combined with <em>your specific salt</em> and then again for every other user&#8217;s in that database. So they&#8217;re forced to start from scratch and compute hashes in real time for each password. Goodbye, rainbow tables. Second, two users who picked the same password no longer share the same hash, so cracking one account tells the attacker nothing about the other.</p><div><hr></div><h3>Add Pepper for Extra Bite</h3><p>At this point, we&#8217;re already following good practice: passwords hashed with a strong algorithm like Argon2id and salted per user give attackers a serious headache. But defenders still have one last ace up their sleeve: <em>pepper</em>.</p><p>Pepper is the opposite of salt. It&#8217;s a single value shared by all passwords (unlike salt), but this time it <em>must remain secret</em> (unlike salt). It&#8217;s stored outside the database: ideally in a secrets manager or an HSM, at the very least in an environment variable or configuration file that never goes into source control.</p><p>Pepper is applied much like salt: it&#8217;s mixed into the password (together with its salt) before hashing. A common construction is to run the password through an HMAC keyed with the pepper and feed the result to the salted password hash; simply prepending the pepper works too, but the HMAC avoids length-related corner cases in some algorithms (bcrypt, for instance, only looks at the first 72 bytes of its input). One caveat: a pepper cannot be rotated like an ordinary key, because a stored hash cannot be recomputed without the original password. Plan the rotation path (typically re-hashing at each user&#8217;s next successful login) before you deploy one.</p><p>Why bother?</p><p>Because in many breaches, attackers only access the database. Either they can&#8217;t fully compromise the servers and infrastructure (for example, they exploited an SQL injection and were only able to dump the database&#8217;s content), or they&#8217;re short on time, can&#8217;t audit the code to locate the pepper and thus grab the easiest target before moving on: the database.</p><p>By adding a secret value outside the database, you dramatically increase the attacker&#8217;s workload. 
You&#8217;ve effectively strengthened every password by increasing its length and complexity with a value they don&#8217;t have&#8212;unless they also gain deeper access to the system, such as the application source code, configuration files or the secret store.</p><div><hr></div><h3>How Bad Is the Breach?</h3><p>Hopefully, you can now better judge the severity of the next mega-breach you read about:</p><ul><li><p><strong>&#8220;Passwords were stored in clear text&#8221;</strong> &#8594; disaster (and arguably professional malpractice)</p></li><li><p><strong>&#8220;Passwords were hashed with MD5 or SHA-1 and not salted&#8221;</strong> &#8594; almost as bad: common passwords fall to precomputed tables instantly, and the rest to GPUs at billions of guesses per second</p></li><li><p><strong>&#8220;Passwords were hashed with bcrypt, scrypt or Argon2id, salted (and peppered for bonus points)&#8221;</strong> &#8594; relax for now&#8230; They&#8217;re still out there, waiting for someone to crack them one day. A long, unique password will very likely never be cracked; a weak or reused one still will be. At least you&#8217;ve got time to change them</p></li></ul><p>So, bon app&#233;tit&#8230; and now that you understand everything that can go wrong with passwords and how much of it is out of your control, try to move away from them whenever and wherever you can.</p><div class="pullquote"><p>In a future article, I'll explore why the RSA creators, pure cryptography legends, believe passwords are fundamentally broken, and why we're still using them anyway. 
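</p><p>The three steps above (hash, then salt, then pepper), as an added example that is not part of the original article and not the author&#8217;s code: a short Python script written for this page, showing why a fast, unsalted hash falls to a precomputed table in a single lookup while a salted and peppered store forces the attacker to recompute every guess for every account. The user names, passwords and word list are constructed for the demo, the function names are the example&#8217;s own, and PBKDF2-HMAC-SHA256 from Python&#8217;s standard library stands in for Argon2id, which needs the third-party argon2-cffi package.</p>

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: three accounts, two of which
# share a password that sits in every attacker's common-password list.
USERS = {"alice": "Casimir", "bob": "123456", "carol": "Casimir"}

# A tiny stand-in for an attacker's precomputed table (real ones hold millions).
COMMON_PASSWORDS = ["123456", "password", "Casimir", "qwerty", "letmein"]


# --- The careless kitchen: one fast, unsalted SHA-1 per password --------------
def store_unsalted_sha1(users):
    """Return {user: hex SHA-1 of password}, the way weak systems did it."""
    return {name: hashlib.sha1(pw.encode()).hexdigest() for name, pw in users.items()}


def precomputed_table(wordlist):
    """Hash every candidate once, up front: this is what makes a lookup instant."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_with_table(stolen, table):
    """One dictionary lookup per stolen hash; identical passwords fall together."""
    return {name: table[h] for name, h in stolen.items() if h in table}


# --- The careful kitchen: per-user salt, secret pepper, deliberately slow KDF --
# Assumption: PBKDF2-HMAC-SHA256 from the standard library stands in for
# Argon2id, which the article recommends but which needs argon2-cffi.
ITERATIONS = 100_000  # the tunable work factor


def hash_password(password, salt, pepper):
    """Pepper first (HMAC keyed with the secret), then the salted, slow KDF."""
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def store_salted_peppered(users, pepper):
    """Return {user: (salt, hash)}; the salt is random per user and stored openly."""
    records = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)  # CSPRNG, never a timestamp or username
        records[name] = (salt, hash_password(pw, salt, pepper))
    return records


def verify(record, password, pepper):
    """Login check. compare_digest keeps the comparison constant-time."""
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt, pepper))


def crack_salted(stolen, wordlist, pepper_guess):
    """What an attacker holding only the table rows can do: no lookup table is
    possible, every candidate is re-hashed per user with that user's salt, and
    without the real pepper even the right word never verifies."""
    found = {}
    for name, record in stolen.items():
        for w in wordlist:
            if verify(record, w, pepper_guess):
                found[name] = w
                break
    return found


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted SHA-1, cracked instantly:",
          crack_with_table(store_unsalted_sha1(USERS), table))

    pepper = secrets.token_bytes(32)  # lives in a secrets manager, not in the database
    db = store_salted_peppered(USERS, pepper)
    print("alice and carol share a password but not a hash:",
          db["alice"][1] != db["carol"][1])
    print("database only, no pepper:", crack_salted(db, COMMON_PASSWORDS, b"wrong"))
    print("database plus pepper, still one slow hash per guess per user:",
          crack_salted(db, COMMON_PASSWORDS, pepper))
```

<p>Run it as a script to see both kitchens side by side. In production, call a maintained library (argon2-cffi or bcrypt) rather than the raw KDF, but the shape of the login check stays exactly this: fetch the salt, recompute, compare in constant time. 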
</p></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://sharpend.saiz.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Subscribe for free to be sure to read it when it publishes!</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p>]]></content:encoded></item><item><title><![CDATA[A closer look at retirement frauds]]></title><description><![CDATA[... and 5 steps to identify fraud websites]]></description><link>https://sharpend.saiz.com/p/a-closer-look-at-retirement-frauds</link><guid isPermaLink="false">https://sharpend.saiz.com/p/a-closer-look-at-retirement-frauds</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Mon, 19 Jan 2026 21:02:09 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!dhm2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dhm2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!dhm2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dhm2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2581702,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://sharpend.saiz.com/i/185106591?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dhm2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dhm2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0e8ea505-b7c9-413b-bf4c-7d35d8abd951_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" 
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>French national television invited me to expose AI-generated fraud sites targeting retirees. The 3-minute segment couldn't cover everything I found. Here's the full investigation.</p><h3>What&#8217;s this all about?</h3><p>For several months now, we&#8217;ve been seeing a rise in fake news websites put together very crudely. They all follow a very similar template and publish alarmist articles about pensions: loss of contribution quarters, supposed legislation leading to reduced benefits, and so on. And when it&#8217;s not pensions, it&#8217;s gardening&#8230;</p><p>In short, someone is clearly targeting seniors. But why?</p><h3>AI-generated sites and content</h3><p>Everything is fake, obviously. In fact, these sites don&#8217;t even really try to hide it. On one of them, the following notice appears at the top of every article:</p><blockquote><p>&#8220;<em><strong>Our site is based on entirely fictional facts generated by artificial intelligence. No content should be interpreted as real or factual</strong></em><strong>.</strong>&#8221;</p></blockquote><p>An interesting detail: this disclaimer is displayed as an image, not as text. As a result, search engines don&#8217;t index it, and it doesn&#8217;t appear in search results. The goal is clearly to mislead readers who land on these articles coming from a search engine.</p><h3>Where&#8217;s the scam?</h3><p>The goal of the sites we identified is merely to generate large amounts of web traffic in order to earn advertising revenue. In that sense, it&#8217;s not strictly a scam, but rather disinformation: false information knowingly spread as such. 
It&#8217;s rather petty and not really worth investigating per se.</p><p>Visitors to these sites are therefore not directly at financial risk. Only their gullibility is exploited to generate ad revenue. That&#8217;s the lesser evil&#8212;but as we&#8217;ll see, it could easily go much further.</p><h3>How it works</h3><p>On the sites we analyzed, everything is fake: the articles, obviously, but also the &#8220;journalists,&#8221; their bios, and even their photos. After all, generative AI can do all of that, so why not use it?</p><p><strong>Step one</strong> is to generate the most alarming articles possible on topics that matter to the target audience (here, retirees, who are often more vulnerable to digital disinformation).</p><p><strong>Step two</strong> is to distribute this content as widely as possible so that it reaches the target audience. The aim is to get it shared as much as possible&#8212;which explains the deliberately inflammatory themes. </p><p>To reach retirees, Facebook groups are the obvious channel. And indeed, a simple Google search such as <code>site:facebook.com scammydomain.com</code> shows that these articles are very frequently shared by users. 
And these users then express outrage in the comments, and go on sharing the false information themselves. And the cycle continues.</p><p>The operators behind these sites are actually quite good at SEO. I looked into one of them before my evening news segment, and it ranks first on Google for the query &#8220;pension seniors news&#8221;.</p><h3>Who&#8217;s behind this?</h3><p>Potentially anyone. All it takes is an account with an online ad network to start cashing in. In that sense, it&#8217;s similar&#8212;ethically speaking&#8212;to the so-called &#8220;toxic content&#8221; monetized on YouTube.</p><p>I looked into one of these sites before yesterday&#8217;s broadcast, and it turns out to be operated by a small digital marketing company in a small French town.</p><p>That immediately explains the site&#8217;s strong search rankings.</p><p>Incidentally, I&#8217;m not surprised to find this kind of professional behind such practices. For those just joining and not yet familiar with my deep affection for digital marketing agencies, feel free to check my <a href="https://sharpend.saiz.com/p/how-lead-sellers-harm-your-business">previous article</a>, where I describe their harmful&#8212;and often dangerous&#8212;spam-related practices.</p><p>The domain name itself, registered only 46 days ago, appears to have previously belonged to an asbestos removal company in eastern France, whose last Facebook post dates back five years. It smells like a re-registered expired domain, picked up in the hope of inheriting its previously &#8220;clean&#8221; reputation with search engines.</p><h3>Is it illegal?</h3><p>Apparently not&#8212;and that&#8217;s precisely why it&#8217;s so easy to trace the site back to its operator (and, with a bit of entry-level OSINT, to some of their clients as well).</p><p>To cover themselves, the site owner makes a point of stating at the top of each article that everything is fake. It&#8217;s clever. 
Beyond that, when you compare this to legitimate satire websites, which are in the business of publishing fake news, there are actually fewer differences than one might hope.</p><p>We&#8217;re likely in a grey area. The approach is clearly unethical, but not obviously illegal (I&#8217;m not a lawyer&#8212;if any legal professionals are reading, I&#8217;d welcome your take in the comments).</p><h3>How to identify these sites</h3><p>It&#8217;s fairly straightforward. The domain names are usually ridiculous, completely unknown, and the headlines are almost always alarmist, exploiting the classic scammer biases: urgency, fear of missing out, and&#8212;when targeting retirees&#8212;the fear of seeing their pension reduced.</p><p>Since their purpose is to maximize ad revenue, these sites are also easy to spot by the sheer volume of advertising compared to a legitimate editorial site. There&#8217;s a lot of it.</p><p>These sites also tend to be short-lived. The one I investigated had existed for only 46 days. Another similar one: 39 days. Once again, I strongly recommend checking the creation date of sites before trusting them. Tools like <a href="https://www.whatsmydns.net/domain-age">https://www.whatsmydns.net/domain-age</a> are often very revealing.</p><p>Legal notices can also be a useful indicator. If they&#8217;re missing, that&#8217;s obviously a bad sign. In this case, it&#8217;s even more amusing: they are present, but list nothing except the hosting provider (which, of course, has nothing to do with the scheme&#8212;but from the scammer&#8217;s point of view it at least provides an address to display).</p><p>The rest is almost comical:</p><ul><li><p>The site publisher? Simply &#8220;an independent, passionate editorial team.&#8221;</p></li><li><p>The person responsible for publication? 
You get a description of what a publishing director is, their role and responsibilities&#8212;but no name, obviously.</p></li></ul><p>At this point, I&#8217;m inclined to blame it on AI hallucination rather than an intentional attempt at concealment, since the company behind the site is actually very easy to identify.</p><h3>Why it could get worse</h3><p>In this case, we&#8217;re &#8220;only&#8221; dealing with disinformation designed to attract traffic and generate advertising revenue. Ultimately, the real damage is done to social cohesion: these sites quietly fuel distrust, pessimism, and sometimes even hatred, contributing to divisions within society. They become useful idiots for genuinely malicious disinformation operations run from abroad (see the <a href="https://en.wikipedia.org/wiki/Doppelganger_(disinformation_campaign)">Doppelg&#228;nger campaign</a>).</p><p>Here at least, the visitors themselves aren&#8217;t directly at risk.</p><p>However, as soon as you combine elderly people and money, the next step is unfortunately rather easy to predict.</p><p>While the sites discussed here don&#8217;t go that far, foreign-based criminal gangs certainly do. Every day, on dedicated forums and mailing lists, I see pleas for help from victims&#8212;or their families&#8212;who have lost a lifetime of savings after being persuaded to invest in a so-called &#8220;revolutionary&#8221; investment platform.</p><p>This is a massive transfer of wealth. Losses regularly reach several hundred thousand euros or dollars per victim. Some have even taken out loans to &#8220;invest more.&#8221; They&#8217;re left destitute, burdened with debt, often having lost their homes and torn their families apart.</p><p>You can clearly see how these fake news sites&#8212;relatively harmless in this specific case&#8212;could quickly become extremely dangerous bait in the wrong hands.</p><p>That&#8217;s why it&#8217;s vital to educate seniors on how to spot this kind of online deception. 
And that&#8217;s why I was genuinely pleased that a national TV news program took the time to shed light on this practice, even if only for a few minutes.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!iL01!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iL01!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 424w, https://substackcdn.com/image/fetch/$s_!iL01!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 848w, https://substackcdn.com/image/fetch/$s_!iL01!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 1272w, https://substackcdn.com/image/fetch/$s_!iL01!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iL01!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png" width="466" height="538" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:538,&quot;width&quot;:466,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:596607,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://sharpend.saiz.com/i/185106591?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iL01!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 424w, https://substackcdn.com/image/fetch/$s_!iL01!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 848w, https://substackcdn.com/image/fetch/$s_!iL01!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 1272w, https://substackcdn.com/image/fetch/$s_!iL01!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba7cbd90-95ef-4b6c-b974-0ce087b57ccf_466x538.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3>Now, how to avoid financial scams?</h3><p>I go into much more detail on these mechanisms during presentations for my clients, but in summary:</p><ul><li><p>Any unsolicited offer of investment help (coaching, mentoring, &#8220;trading signals&#8221; to copy, &#8220;investor clubs&#8221;) is almost certainly a scam&#8212;especially if it quickly moves to instant messaging platforms like WhatsApp or Telegram groups (where the victim is often alone, surrounded by bots creating the illusion that everyone is making money).</p></li><li><p>Dozens of fake trading platforms are created every day, particularly in crypto. They&#8217;re extremely convincing and appear fully functional&#8212;except that everything is fake. On-screen &#8220;profits&#8221; are virtual, and any money sent is lost the moment it&#8217;s transferred. 
Scammers use every possible tactic to funnel victims to these platforms: fake romances, fake advice on public forums, hijacked social media accounts posing as real friends, and so on. It&#8217;s therefore essential to invest only on well-established, reputable platforms&#8212;and to know how to identify them.</p></li><li><p>For victims who have already been scammed, any offer claiming to help recover lost funds is invariably another scam designed to extract additional fees.</p></li></ul><h3>The basics of verification</h3><ul><li><p>Check which carrier operates the contact phone number. &#8220;Exotic&#8221; or virtual operators are automatically suspicious.</p></li><li><p>How long has the website existed? Check via <a href="https://www.whatsmydns.net/domain-age">https://www.whatsmydns.net/domain-age</a>. A domain that&#8217;s only weeks or months old is suspicious&#8212;especially if it was registered for just one year, the bare minimum.</p></li><li><p>Legal notices: do they clearly identify the individuals and the company behind the site and service? And is it really them? Finally, does the bank account (IBAN) used for transfers match the legal information? Any discrepancy is of course a major red flag (special mention for &#8220;investment firms&#8221; using a personal bank account).</p></li><li><p>Google. A simple search often turns up victim testimonials&#8212;or, as I recently saw during an engagement, reveals that the company is outright blacklisted by the national financial markets regulator. It doesn&#8217;t get much more red-flagged than that.</p></li><li><p>One last trick: copy a few sentences from the site and search for them verbatim on Google, in quotation marks. If the same text appears on multiple other sites under different names&#8230; that&#8217;s suspicious to say the least.</p></li></ul><p>In my professional work, I&#8217;ve traced back operations of this kind and these methods have helped expose hostile campaigns. 
They could just as easily have prevented them&#8212;if the victims had used them. And honestly, it&#8217;s not that complicated.</p><p>And this is everything I wish I could have crammed into that short TV slot the other night but could not!</p>]]></content:encoded></item><item><title><![CDATA[How Lead Sellers Harm Your Business]]></title><description><![CDATA[TL;DR: If you buy email address lists for sales outreach, you are probably being taken for a ride.]]></description><link>https://sharpend.saiz.com/p/how-lead-sellers-harm-your-business</link><guid isPermaLink="false">https://sharpend.saiz.com/p/how-lead-sellers-harm-your-business</guid><dc:creator><![CDATA[Jerome Saiz]]></dc:creator><pubDate>Mon, 19 Jan 2026 19:24:43 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!j1pW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff57b75fd-8dba-4fb7-8e2b-2c3db7ae81c1_1280x607.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!j1pW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff57b75fd-8dba-4fb7-8e2b-2c3db7ae81c1_1280x607.png" width="1280" height="607" alt=""></figure></div><p>For once, I won&#8217;t be talking about cybersecurity, but about reputational risk.</p><p>Receiving a spam email promoting a local company led me to try to trace the origins of this rigged market that claims to sell &#8220;<em>qualified</em>&#8221; and &#8220;<em>legal</em>&#8221; email addresses.</p><p>What I uncovered were concealment practices that go as far as abusing one client&#8217;s trust to serve another. And this is in Europe, where a privacy law such as GDPR is supposed to be in full swing.</p><div><hr></div><h2>One spam too many</h2><p>It all started with yet another spam email, this time advertising a software solution. Let&#8217;s call it <strong>ACME.com</strong>. 
The email was unsolicited (and thus landed straight in my spam folder).</p><p>I don&#8217;t know this company, I&#8217;ve never interacted with it, and I&#8217;ve never asked to receive information from it. This is therefore a clear case of illegal collection of my email address. The company would in fact be unable to prove my &#8220;opt-in&#8221; (I&#8217;ll come back in a future article to how scammers obtain such email addresses illegitimately).</p><p>Still, since the company is local, I decide to unsubscribe. Naively, I assume that such a company doing email outreach, even if illegally at first, must at least comply with the famous GDPR when it comes to unsubscribe requests.</p><p>And while looking at the unsubscribe link (old habits die hard), I discover that it points to a very respectable national industrial group specializing in industrial cleaning, including dry ice blasting. Let&#8217;s call it <strong>Group-clean.com</strong>.</p><p>Dry ice blasting might be useful to some people&#8217;s email databases, but as things stand, I struggle to see the connection between these two companies. I struggle even more to imagine a perfectly legitimate industrial group, with nothing to do with digital marketing, lending its domain to spammers. At this point, I am also tempted to rule out a domain compromise for the sake of Occam&#8217;s razor. I&#8217;m therefore very curious to understand what <strong>Group-clean.com</strong> is doing in this spam setup.</p><div><hr></div><h2>A m&#233;nage &#224; trois&#8230;</h2><p>By following the unsubscribe link, I discover that it points to a well-known email marketing platform. Let&#8217;s call it <strong>TheEmailer.com</strong>.</p><p>These perfectly legitimate platforms do not provide email lists; they allow their customers to send bulk emails using their own lists. And <strong>TheEmailer.com</strong>&#8217;s terms and conditions are very clear: customers may only use email addresses collected in compliance with GDPR. In particular, the recipient must have explicitly agreed to be contacted, and must know what they are agreeing to be contacted about.</p><p>Clearly, the email I received is in blatant violation of the platform&#8217;s terms of use.</p><p>The question remains: who sent it?</p><p>And that&#8217;s where we tumble down the rabbit hole.</p><p>Thanks to the magic of LinkedIn, I reach out to everyone involved to try to understand how this m&#233;nage &#224; trois works: <strong>ACME.com</strong>, <strong>Group-clean.com</strong>, and <strong>TheEmailer.com</strong>. </p><p>And everyone appears genuinely surprised&#8230;</p><div><hr></div><h2>&#8230;then four</h2><p><strong>ACME.com</strong> seems shocked&#8212;borderline outraged&#8212;to be labeled a spammer. 
Their head of marketing tells me they use their own tool for email campaigns, that they do not do cold spamming, and that I&#8217;m not even in their database.</p><p>More importantly, they don&#8217;t know the salesperson who supposedly signed the email&#8212;despite it clearly being sent in their name.</p><p>That&#8217;s when I notice that although the signature displayed <strong>ACME.com</strong>, the email was actually sent from the domain <strong>ACME-software.com</strong>. A small but very real difference.</p><p>A quick WHOIS lookup later, a fourth player enters the picture: a Paris-based marketing agency promising &#8220;high value-added leads&#8221; on its website. Let&#8217;s call it <strong>MegaLeads.fr</strong>.</p><p>They registered the <strong>ACME-software.com</strong> domain less than two weeks ago. I then look at the mobile number shown in the spam signature. It turns out to be with an MVNO, and a quick OSINT search yields nothing. Most likely a temporary number, used only for spam campaigns.</p><p>I inform <strong>ACME.com</strong>&#8217;s head of marketing, who tells me she has never heard of <strong>MegaLeads.fr</strong>.</p><p>Not believing in the concept of the benevolent spammer, I start imagining a scenario where someone at <strong>ACME.com</strong> decided to launch a campaign on their own, without informing marketing. That would explain the use of <strong>ACME-software.com</strong>: since the agency cannot send emails from the main domain without proof of ownership (email platforms require this), it&#8217;s easier to impersonate the client by registering a similar domain under their own control (yes, criminals do exactly this for phishing campaigns).</p><p>In short, we already knew about shadow IT. 
Welcome to shadow marketing.</p><div><hr></div><h2>The magic of social networks</h2><p>We&#8217;ve made progress, but I still need to understand what <strong>Group-clean.com</strong> is doing in this mess.</p><p>That&#8217;s when I&#8217;m contacted privately by someone who clearly knows the territory. They suggest I check whether <strong>Group-clean.com</strong> might also be a client of <strong>MegaLeads.fr</strong>, just in case.</p><p>One quick Google dork later, I have my answer: <strong>Group-clean.com</strong> does indeed appear to be a <strong>MegaLeads.fr</strong> client. I suggest my contact consider a career in Cyber Threat Intelligence. He simply replies: &#8220;<em>When you see enough shit, you can smell it from far away.</em>&#8221; Good enough.</p><p>LinkedIn comes to the rescue once again. Through a mutual contact, I finally manage to speak with the CEO of <strong>Group-clean.com</strong>. He confirms having worked with <strong>MegaLeads.fr</strong>, but to his knowledge only for SEO. Which should not involve creating such a subdomain in his company&#8217;s name&#8212;let alone using it as an unsubscribe link in another company&#8217;s spam campaign.</p><p>Unsurprisingly, he is furious.</p><div><hr></div><h2>MegaLeads&#8217; response to its client</h2><p>Meanwhile, <strong>ACME.com</strong>&#8217;s head of marketing is conducting her own investigation. She learns that a newly hired sales manager took it upon herself&#8212;without informing marketing&#8212;to order a campaign from <strong>MegaLeads.fr</strong>. When contacted, <strong>MegaLeads.fr</strong> acknowledged a &#8220;<em>cache error</em>&#8221; that supposedly caused the wrong domain to be used for the unsubscribe link (my LinkedIn contact, for his part, had previously bet on &#8220;<em>an intern&#8217;s mistake, sorry</em>&#8221;. Close enough to give him the win).</p><p>We will obviously never know the full truth. Human error is entirely possible. 
However, when I reviewed the spam emails I&#8217;ve received from <strong>MegaLeads.fr</strong> over the past six months, I found several similar &#8220;<em>cache errors</em>&#8221;:</p><ul><li><p>Two domains registered by <strong>MegaLeads.fr</strong> itself (one about cyber resilience, one about TLS certificates) used as unsubscribe links for mobile app development studios. Completely unrelated. Likely an attempt at concealment&#8212;but at least the unsubscribe domain is under <strong>MegaLeads.fr</strong>&#8217;s control.</p></li><li><p>Two sister companies whose domains are swapped between the spam sender and the unsubscribe link. Still deceptive, but at least it stays in the family.</p></li><li><p>A deactivated domain (for rugged laptop sales) registered by the Cayman Islands branch of an Israeli company selling IT asset management solutions. This improbable domain is used as the unsubscribe link for spam promoting a French corporate expense management company. I assume they are unaware of this little arrangement.</p></li><li><p>The domain of a company reselling the HubSpot CRM, used as the unsubscribe link in spam for a French generalist consulting firm. I&#8217;d bet the former doesn&#8217;t know either.</p></li></ul><p>That&#8217;s a lot of cache errors.</p><div><hr></div><h2>How to protect yourself</h2><p>First and foremost, understand that a qualified lead can only come from a content campaign (white paper, study, etc.) or from an event the user attended and explicitly agreed that you could contact them. 
And they expect you to contact them about the specific topic that led them to give you their email address in the first place.</p><p>I&#8217;m not a GDPR expert, but even the famous checkbox saying &#8220;<em>I agree to receive information from our business partners</em>&#8221; doesn&#8217;t really meet the requirements in this context.</p><p>So agencies that sell &#8220;<em>high value-added leads</em>&#8221; without being able to clearly explain where they come from are, in reality, selling hot air.</p><p>An agency that sells genuinely qualified leads will support you in creating high-value content or organizing events, and will orchestrate the whole thing (there&#8217;s plenty to do). In other words, it helps you talk about <em>you</em> to your prospects, and then collects their consent. That&#8217;s a real profession.</p><p>How can anyone seriously imagine that some generic agency can magically provide you with entire lists of contacts who are dying to hear from you? It doesn&#8217;t exist. It&#8217;s called spam. These contacts didn&#8217;t ask for anything, don&#8217;t know you, and when they receive your email, many will at best ignore you&#8212;and at worst, actively dislike you.</p><p>And if, on top of that, you end up in <strong>Group-clean.com</strong>&#8217;s position, you find yourself unwillingly associated with a spam campaign that has nothing to do with you, simply because a few months earlier you picked the wrong horse for a basic SEO engagement.</p><p>Worse still: by associating your domain name with a spam campaign, the agency risks lowering its trust score, which can eventually cause problems for your employees. Legitimate emails may land in spam more often&#8212;or be rejected outright.</p><p>In short, rather than dreaming of &#8220;magically&#8221; buying prospects, it&#8217;s far better to roll up your sleeves and build a real, solid content marketing strategy, and to participate in relevant events. 
That&#8217;s the only way to generate qualified leads. Real ones.</p>]]></content:encoded></item></channel></rss>