ThinkableWhat is this?

Cryptography & Security

The Unlocked Door Nobody Noticed: How Most Hacks Actually Happen

The most dangerous hacker in the room is usually holding a phone and pretending to be from IT.

The Idea

Popular culture has handed us a specific image of hacking: a lone genius in a dark room, furiously typing code until some fortress of a system surrenders. The reality is far less cinematic — and far more unsettling. The majority of successful cyberattacks don't break through walls. They walk through doors that were already open, or that someone was tricked into opening. There are broadly three ways into a system. The first is exploiting a vulnerability — a bug or flaw in software that lets an attacker do something the system's designers never intended, like read memory it shouldn't expose, or execute commands it shouldn't accept. These flaws are real and serious, but finding and exploiting them at scale is genuinely hard. The second route is credential theft — getting hold of a valid username and password. This is far more common. Passwords get reused across services, leaked in data breaches, guessed from weak patterns, or captured by phishing. Once an attacker has legitimate credentials, they're not breaking in — they're logging in. The third, and arguably most effective, is social engineering: manipulating people rather than machines. A convincing email, a spoofed phone call, a fake login page — these exploit the most persistently exploitable vulnerability of all, which is human trust. What ties all three together is the concept of attack surface — the total number of possible entry points into a system. Every piece of software, every employee, every device connected to a network expands that surface. Security is less about building higher walls and more about understanding just how many doors you've left in them.

In the World

In 2011, security firm RSA — whose tokens were used by defence contractors, banks, and government agencies worldwide to authenticate employees — was breached. The attackers didn't overpower RSA's defences. They sent a single phishing email with the subject line '2011 Recruitment Plan' to a small group of employees. One person opened the attached Excel file. That file contained a zero-day exploit — a vulnerability unknown to the software's makers — hidden inside a Flash object. It ran silently, installed malware, and gave the attackers a foothold inside RSA's network. From there, they moved laterally — quietly navigating from machine to machine, escalating their access privileges — until they reached the crown jewels: the seed values that underpinned RSA's SecurID tokens, the very devices companies were using to secure their own systems. Months later, Lockheed Martin, a major US defence contractor, was targeted using the stolen RSA data. The whole chain began with one person, one email, one click. Not a supercomputer cracking encryption. Not an elite team dismantling firewalls. A plausible-looking spreadsheet in someone's inbox on an ordinary Tuesday. This pattern — patient reconnaissance, a small human-level entry point, then methodical escalation — is sometimes called an Advanced Persistent Threat, or APT. The 'advanced' part is often less about technical wizardry than about sustained discipline and the willingness to wait.

Why It Matters

Understanding how hacking actually works changes what you pay attention to. The instinct is to think of security as a technical problem, something for the IT department to solve with better software. But when the most common attack vector is a convincing email or a reused password, security becomes everyone's problem — a behavioural challenge as much as a technical one. This is why the security community has shifted so much attention toward concepts like zero-trust architecture — the idea that no user or device should be automatically trusted, even inside a network — and toward the relentless practice of phishing simulation, where organisations test their own employees with fake attacks before real ones arrive. For you personally, the insight is this: your own attack surface is probably larger than you think. Every service you've signed up for, every password you've reused, every time you've clicked 'log in with Google' is a thread someone could pull. The strongest encryption in the world doesn't help if your password is the same one that leaked in a 2019 forum breach. Knowing where attackers actually go looking is the first step toward not being the unlocked door they walk through.

A Question to Ponder

If the biggest vulnerability in most security systems is human behaviour rather than technical flaws, what does that imply about how we should think about trust — in institutions, in software, and in each other?

Get a new one of these every morning.

Start learning with Thinkable
One topic like this, every day.Start free