Zero Day Logs

Welcome to Zero Day Logs, the podcast that dissects the most consequential cybersecurity breaches of our time. We go beyond the headlines to reconstruct exactly how the world's most heavily defended networks are actually dismantled—focusing not just on the technical exploits, but the structural flaws, human errors, and critical executive decisions that determine who survives and who pays. From billion-dollar hospitality empires brought to a standstill by a single, well-researched phone call to an IT help desk, to global identity gatekeepers compromised by contractor laptops and standard diagnostic files, each episode maps the attack path step-by-step. We break down the underlying enterprise architecture—explaining concepts like multi-factor authentication, federated identity, and zero-trust frameworks—so you understand the mechanics of the collapse. Whether you are a security professional defending a network, or simply someone trying to understand how the digital infrastructure we all depend on actually fails, Zero Day Logs provides the unvarnished autopsy. We explore the uncomfortable reality of modern digital defense: that the weakest link is rarely a piece of software, but the human processes and vendor relationships where trust is extended and verification is skipped. Find full technical breakdowns, attack timelines, and defensive configurations for every episode at zerodaylogs.com.

Episodes

  1. May 29

    Colonial Pipeline: From Legacy VPN to Bitcoin Seizure — The Complete Breakdown

    One leaked password. No multi-factor authentication. Nine days undetected. In May 2021, a compromised VPN credential — found on the dark web, tied to a former employee's account, protected by nothing more than a single password — gave DarkSide ransomware operators access to Colonial Pipeline's IT network. What followed: 100 gigabytes of stolen data, encrypted systems, a $4.4 million Bitcoin ransom, a six-day shutdown of 5,500 miles of fuel infrastructure, and a DOJ operation that clawed back 63.7 of the 75 Bitcoin using a method that remains partially redacted from the public record. This episode traces the complete chain: the entry vector, the nine-day dwell time, the franchise model behind DarkSide, the IT/OT boundary decision that shut down physically intact infrastructure, the ransom payment calculus, and the regulatory reckoning that followed.

    Primary sources: Senate testimony, CISA advisory, FBI seizure affidavit, GAO report. Free PDF breakdown: https://zerodaylogs.com

    CHAPTERS
    00:00 — The Escalation
    01:30 — Introduction
    01:35 — What Is a VPN?
    02:39 — The Forgotten Door
    03:34 — One Password, No Second Factor
    04:40 — DarkSide: Ransomware-as-a-Service
    05:39 — Anatomy of the Attack
    07:29 — 100 Gigabytes Out the Door
    08:34 — Two Buildings, One Boundary
    11:12 — Seventy Minutes
    11:44 — The Shutdown Decision
    13:08 — The $4.4 Million Question
    14:02 — The Vault
    15:10 — The DOJ Strikes Back
    15:54 — Three Missing Controls
    17:55 — Eleven Years Without an Update
    18:21 — The Aftermath

    20 min
  2. May 12

    The Twitter/X Breach — July 2020

    On July 15, 2020, the verified Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and Uber were hijacked simultaneously. Every account posted the same Bitcoin scam. The attacker was a 17-year-old in Tampa, Florida. This episode reconstructs how a series of phone calls defeated Twitter's multi-factor authentication through a real-time credential relay, how a single admin tool called Agent Tools gave unrestricted access to every account on the platform, and how the attack escalated from stealing OG usernames to hijacking the accounts of world leaders. The New York Department of Financial Services investigated and found five specific security controls that would have prevented the breach — all of which existed, were documented, and were available. None were deployed. Based on the NY DFS Report (October 14, 2020), United States v. Graham Ivan Clark, and Twitter's own incident disclosures.

    📄 Free technical breakdown PDF: zerodaylogs.com

    CHAPTERS
    0:00 — Introduction
    0:50 — The Phone Call
    2:33 — Real-Time Credential Relay
    3:59 — Why MFA Failed
    6:04 — Agent Tools: The God Mode Panel
    7:06 — Inside the Admin System
    9:23 — Three Phases of the Attack
    12:22 — The Cascade: World Leaders Hijacked
    14:34 — Twitter Breaks Its Own Platform
    17:02 — The Damage Report
    17:47 — The Deeper Harm: Private Messages
    19:23 — Tracing the Attackers
    21:44 — Arrests and Sentencing
    24:38 — No CISO
    25:16 — Five Missing Controls
    28:44 — Why Security Controls Go Undeployed
    29:01 — Should Platforms Be Stress Tested?
    30:30 — What Twitter Changed After the Breach
    31:39 — The Pattern Repeats: MGM 2023
    32:33 — The Question That Remains

    #cybersecurity #twitter #databreach #infosec #zerodaylogs

    34 min
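The "real-time credential relay" in the episode above works because a one-time code is valid for whoever submits it inside its time window, while an origin-bound credential is only valid for the site the browser was actually on. The following added example (not code from the podcast or from Twitter) models both designs as small functions: RFC 6238 TOTP with a server-side drift window, and a simplified WebAuthn-style assertion in which the authenticator signs the browser's origin along with the server challenge. The lookalike origin, the device key, the shared secret and the five-second relay delay are constructed for the demonstration; real WebAuthn uses a public-key signature over clientDataJSON, and HMAC stands in for it here.

```python
"""Credential relay against TOTP versus an origin-bound credential.

Added example, not from the podcast or Twitter. The attacker talks the victim
into reading out a code (or into logging in on a lookalike page) and forwards
it to the real site within seconds.
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, digits=6, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, window=1, digits=6):
    """Server side: accept the code for the current step and +/- `window`
    steps to tolerate clock drift. Nothing ties the code to who typed it."""
    counter = int(unix_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def relay_totp(secret, victim_time, relay_delay=5):
    """Victim reads the code from their app at victim_time; the attacker
    submits it to the real site relay_delay seconds later (constructed)."""
    code_read_to_attacker = totp(secret, victim_time)
    return verify_totp(secret, code_read_to_attacker, victim_time + relay_delay)


# Origin-bound credential (simplified WebAuthn-style assertion).
REAL_ORIGIN = "https://twitter.com"
PHISH_ORIGIN = "https://twitter-login.example"   # constructed lookalike origin


def sign_assertion(key, challenge, browser_origin):
    """Authenticator signs the server challenge together with the origin the
    browser reports; the user cannot override that origin."""
    msg = challenge + b"|" + browser_origin.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_assertion(key, challenge, assertion, expected_origin=REAL_ORIGIN):
    """Relying party recomputes with the origin it expects; an assertion made
    for any other origin cannot verify."""
    msg = challenge + b"|" + expected_origin.encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relay_origin_bound(key, challenge):
    """Attacker forwards the real site's challenge to the victim, whose
    browser is on the phishing origin, then relays the assertion back."""
    assertion = sign_assertion(key, challenge, PHISH_ORIGIN)
    return verify_assertion(key, challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("TOTP relay accepted:", relay_totp(secret, 1_700_000_000))
    print("Origin-bound relay accepted:", relay_origin_bound(b"device-key", b"challenge-1"))
```

The drift window in `verify_totp` is the usual server tolerance and is not the flaw; the flaw is that the code carries no information about where it was entered. The origin check in `verify_assertion` is what FIDO2 security keys give you and what a phone call cannot relay.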
  3. May 5

    SolarWinds: The Update That Wasn't

    In the spring of 2020, up to 18,000 organizations installed a software update from a trusted vendor. It was signed. It was verified. Every security check said it was clean. Every one of those checks was correct. What they couldn't verify was what was inside the package before the seal was applied. This is the full story of SUNBURST — how Russia's SVR compromised SolarWinds' build pipeline, turned a routine software update into a backdoor, and spent nine months reading emails inside the U.S. Treasury, the Department of Homeland Security, the State Department, and dozens of Fortune 500 companies. How FireEye discovered it by investigating their own breach, burned their own toolkit to stop it, and exposed one of the largest intelligence operations in history — in a single day.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences. Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    ____________________
    CHAPTERS
    00:00 Cold Open — In 2020, They Were Invited
    00:41 The Routine Update
    01:14 18,000 Organizations
    02:07 What Orion Could See
    03:58 Inside the Treasury
    05:46 Why Every Security Scan Passed
    09:16 The Build Pipeline
    10:10 Code Signing: The Wax Seal
    11:31 The Printing Press Analogy
    12:16 Inside the Build Pipeline
    14:51 Sunburst Activates
    16:52 The DNS Covert Channel
    19:36 100 Out of 18,000
    19:57 Hands-On Access
    25:54 Nine Months of Access
    28:03 FireEye's Response
    28:44 Pulling the Thread
    29:53 December 13, 2020
    34:09 Attribution and Sanctions
    36:53 The solarwinds123 Password
    39:18 The Three Missing Controls
    42:32 Defense in Depth
    43:08 The Cost of Remediation
    48:49 Trust and Verification
    54:24 Technical Breakdown + Resources
    54:41 Next on Zero Day Logs

    55 min
  4. Apr 28

    The Support Ticket That Opened Every Door

    In 2022, a teenager posted screenshots from inside the company that controls the login page for 18,000 organisations — not by breaking through a firewall, but through a contractor's compromised laptop. Twenty months later, it happened again. This time through a diagnostic file uploaded to a support ticket. This is the full story of both Okta breaches — how a contractor's laptop, a credential saved to a personal Google account via Chrome's password sync, and a file format most people have never heard of gave attackers a window into Cloudflare, 1Password, BeyondTrust, and thousands of others. And how one company was told something was wrong — and stayed silent for 18 days.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences. Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    ____________________________
    CHAPTERS
    00:00 Cold Open — Screenshots on Telegram
    03:52 The Invisible Gatekeeper
    06:07 Lapsus$ — Not a Nation State
    07:52 What Actually Happened in 2022
    08:03 How Authentication Actually Works
    11:43 The Contractor's Laptop
    19:53 Twenty Months Later
    23:13 The 2023 Breach
    24:17 The HAR File — A Flight Data Recorder
    25:03 Session Cookies and Stolen Wristbands
    27:55 The November 29th Disclosure
    30:03 Cloudflare, 1Password, BeyondTrust
    34:15 The Supply Chain Problem
    36:38 Zero Trust and Assume Breach
    40:31 Eighteen Days of Silence
    41:43 The Three Missing Controls
    43:23 The Credential That Left the Building
    47:06 What Changed After
    48:20 The Chain of Trust
    53:09 Outro
    53:35 Next: SolarWinds

    ____________________________
    SOURCES & FURTHER READING
    - Okta Security Advisory — October 2023
    - Okta Expanded Disclosure — November 29, 2023
    - Okta Security Advisory — March 2022
    - Cloudflare blog: "How Cloudflare mitigated yet another Okta compromise"
    - 1Password Security Incident Report (2023)
    - BeyondTrust Incident Disclosure (2023)
    - CISA Identity Security Guidance
    - Lapsus$ public reporting / Arion Kurtaj UK conviction (2023)

    55 min
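The "diagnostic file" in the episode above is a HAR (HTTP Archive): a JSON recording of every request and response the browser made, including Cookie, Set-Cookie and Authorization headers, so an unredacted one hands live session tokens to whoever can read the support ticket. The following added example (not code from Okta, the affected customers or the podcast) scrubs those values before the file leaves the machine and reports what it removed. The set of sensitive header names and the sample HAR are assumptions constructed for the demonstration; extend SENSITIVE_HEADERS for whatever your stack uses.

```python
"""Strip session material from a HAR file before attaching it to a support ticket.

Added example, not the vendor's tooling. Works on the HAR 1.2 structure:
log.entries[].request/response, each carrying a "headers" list and a parsed
"cookies" list of {"name": ..., "value": ...} objects.
"""
import copy
import json

# Assumption: these header names carry session or API credentials in a typical
# SaaS session. Add any custom auth headers your applications use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key", "x-csrf-token"}
REDACTED = "[REDACTED]"


def _scrub_message(msg, where, entry_idx, findings):
    for header in msg.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            findings.append((entry_idx, where, "header", header["name"]))
            header["value"] = REDACTED
    # Browsers also emit every cookie a second time, already parsed; scrub those too,
    # otherwise the session id survives in a place a header-only regex never looks.
    for cookie in msg.get("cookies", []):
        findings.append((entry_idx, where, "cookie", cookie.get("name", "")))
        cookie["value"] = REDACTED


def sanitize_har(har):
    """Return (sanitized deep copy, findings). Each finding is
    (entry index, 'request' | 'response', 'header' | 'cookie', name)."""
    clean = copy.deepcopy(har)
    findings = []
    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        _scrub_message(entry.get("request", {}), "request", i, findings)
        _scrub_message(entry.get("response", {}), "response", i, findings)
    return clean, findings


def sanitize_har_text(text):
    """JSON text in, sanitized JSON text out, plus the findings list."""
    clean, findings = sanitize_har(json.loads(text))
    return json.dumps(clean, indent=2), findings


# Constructed sample HAR: one authenticated API call whose request carries a
# session cookie and an API token, and whose response sets a fresh cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.okta.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=102aBcDeFgHiJkL; DT=xyz"},
                        {"name": "Authorization", "value": "SSWS 00aBcDeFgHiJkLmNoPq"},
                    ],
                    "cookies": [
                        {"name": "sid", "value": "102aBcDeFgHiJkL"},
                        {"name": "DT", "value": "xyz"},
                    ],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=new-session; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "new-session"}],
                },
            }
        ],
    }
}

if __name__ == "__main__":
    clean, findings = sanitize_har(SAMPLE_HAR)
    for f in findings:
        print("redacted entry %d %s %s %s" % f)
    print(json.dumps(clean, indent=2))
```

Sanitizing the file is the sender-side control; the receiver-side control the episode's "stolen wristbands" chapter points at is short-lived, device-bound sessions, so that a token in a months-old ticket is worthless even if it was never redacted.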
  5. Apr 21

    How One Phone Call Cost MGM $100 Million

    In September 2023, one of the largest casino and hospitality companies on Earth was brought to a standstill — not by malware, not by a state-sponsored strike, but by a single phone call to an IT help desk. This is the full story of how Scattered Spider exploited the gap between trust and verification — from a LinkedIn search to a rogue Identity Provider inside MGM's Azure AD tenant — and how a $100M containment decision took the casino floor dark.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: SEC filings, court documents, government advisories, and verified forensic findings. Every breach. One episode. Real consequences. Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    CHAPTERS
    00:00 Cold Open — Las Vegas Goes Dark
    00:19 The Casino Floor Stops
    01:38 The Help Desk: Where It All Started
    03:42 OSINT — They Opened LinkedIn
    04:43 Vishing: The Phone Call
    05:47 Inside Okta — The MFA Reset
    06:12 How Multi-Factor Authentication Works
    09:49 Lateral Movement — Mapping the Network
    11:53 Federated Identity Explained
    16:10 SAML Assertion Forgery
    18:25 The ESXi Architecture
    20:08 MGM Pulls the Plug
    20:48 What One MFA Reset Actually Cost

    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
    SOURCES & FURTHER READING
    - Okta Security Advisory (2023)
    - CISA Advisory AA23-320A
    - MGM SEC 8-K filing, September 2023
    - Microsoft DART case study

    39 min
