RC RANDOM CHAOS

Trust Without Validation

A breach isn't caused by a flaw in code—it's the result of systems trusting credentials indefinitely without re-evaluation.


The LAPD system accepted a credential set harvested from a prior, unrelated breach and issued an active session with access to internal document repositories containing sensitive operational data. Authentication completed normally. The credential matched a stored record. The record held a privileged role. The role permitted document access. Each step executed as designed. The system then maintained that session — and the access rights attached to it — without re-evaluating whether the identity presenting the credential still had legitimate standing to use it.

The trust model the system was built on treated authentication as a terminal event. A credential verified at login established identity for the lifetime of that session, and explicit administrative revocation was the only mechanism by which that identity could be invalidated. The model assumed that credential ownership was stable — that the account presenting a token was the account to which it had been originally issued. It assumed that compromise, when it occurred, would propagate through administrative channels fast enough to prevent reuse. Multi-factor authentication was not enforced on the affected privileged accounts. The system had no integration with external credential intelligence feeds, no mechanism to cross-reference known breach datasets, and no behavioral baseline against which anomalous session activity could be flagged. Access control was a function of identity state: if the account held the right role, access was granted, regardless of when that role was assigned, whether the session originated from a recognized device, or whether the usage pattern was consistent with prior behavior.

What changed was not attacker capability. Credential stuffing — the automated testing of breach-derived credential pairs against live authentication endpoints — is not a novel technique. What changed was the persistence of trust in an identity whose provenance had been invalidated in a different system, months earlier, without that invalidation propagating to any system the LAPD operated. The original environment where the credentials were stolen had cycled past the incident. The LAPD’s authentication layer had received no signal. The accounts remained active, their session parameters unchanged, their access scopes intact.

The mechanism is not credential theft. It is the absence of any re-evaluation loop between initial authentication and ongoing access. Once authenticated, the identity moved laterally across internal systems — traversing permission structures that had been defined for legitimate users and remained intact for compromised ones. The attacker did not escalate privilege; they traversed it. Role membership was not reviewed against current risk signals. Step-up authentication was not triggered by access to sensitive document stores. The system resolved trust through a chain of references: the credential matched a record, the record held a role, the role permitted access, the access was granted. Each step was a lookup against a stored state. None of them was a verification of current legitimacy.

This is the operational shape of lateral movement when trust is inherited rather than validated: the attacker does not need to break anything. They move through the permission structure as it exists, using an identity the system has already accepted. The control surface is not the authentication event — it is every subsequent access decision made on the assumption that authentication was sufficient and permanent. Credential stuffing gets the attacker through the door; inherited trust keeps the door open.
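The contrast drawn above, between an access decision that is a chain of lookups against stored state and one that re-examines current legitimacy, can be made concrete. The following is an added illustration written for this page, not code from the systems described; the account table, role map, device registry, breach-corpus hashes and freshness windows are all constructed assumptions. `static_authorize` implements the credential-to-role-to-permission chain as the post describes it; `reevaluating_authorize` runs the same chain but also checks credential provenance against a breach corpus, bounds session age, recognizes the device, and demands fresh MFA for sensitive stores on every request.

```python
"""Static role lookup versus per-request trust re-evaluation (illustrative).

Added example for this page. All data below is constructed: no real
accounts, credentials, devices or breach records.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# --- constructed policy state (assumptions, not from any real system) ---
ROLE_BY_ACCOUNT: Dict[str, str] = {"analyst01": "records_admin", "clerk07": "viewer"}
ROLE_PERMITS: Dict[str, Set[str]] = {
    "records_admin": {"doc_repo", "case_files"},
    "viewer": {"doc_repo"},
}
SENSITIVE_RESOURCES: Set[str] = {"case_files"}
KNOWN_DEVICES: Dict[str, Set[str]] = {"analyst01": {"dev-a1"}, "clerk07": {"dev-c7"}}


def credential_fingerprint(username: str, secret: str) -> str:
    """Hash the pair so the policy engine never handles or stores plaintext."""
    return hashlib.sha256(f"{username}:{secret}".encode()).hexdigest()


# A constructed "breach corpus": fingerprints of pairs known to be exposed elsewhere.
BREACHED_FINGERPRINTS: Set[str] = {credential_fingerprint("analyst01", "Winter2023!")}


@dataclass
class Session:
    account: str
    credential_fp: str           # fingerprint of the pair used at login
    device_id: str
    issued_at: datetime
    mfa_verified_at: Optional[datetime] = None


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up_required: bool = False


def static_authorize(session: Session, resource: str) -> Decision:
    """The model the post describes: credential -> record -> role -> permission.
    Every step is a lookup against stored state; nothing about the present is asked."""
    role = ROLE_BY_ACCOUNT.get(session.account)
    if role is None:
        return Decision(False, "unknown account")
    if resource in ROLE_PERMITS.get(role, set()):
        return Decision(True, f"role {role} permits {resource}")
    return Decision(False, f"role {role} does not permit {resource}")


def reevaluating_authorize(
    session: Session,
    resource: str,
    now: datetime,
    max_session_age: timedelta = timedelta(hours=8),
    mfa_freshness: timedelta = timedelta(minutes=15),
) -> Decision:
    """Same chain, plus signals re-checked on every access, not only at login."""
    base = static_authorize(session, resource)
    if not base.allow:
        return base
    # 1. Provenance: has this credential pair surfaced in a breach corpus since issue?
    if session.credential_fp in BREACHED_FINGERPRINTS:
        return Decision(False, "credential present in breach corpus; session invalidated")
    # 2. Trust decays: a session older than the bound must re-authenticate.
    if now - session.issued_at > max_session_age:
        return Decision(False, "session exceeded maximum age; re-authenticate")
    mfa_fresh = (session.mfa_verified_at is not None
                 and now - session.mfa_verified_at <= mfa_freshness)
    # 3. Step-up: sensitive stores require recent MFA regardless of role.
    if resource in SENSITIVE_RESOURCES and not mfa_fresh:
        return Decision(False, "sensitive resource requires fresh MFA", step_up_required=True)
    # 4. Context: an unrecognized device on an otherwise valid session also requires step-up.
    if session.device_id not in KNOWN_DEVICES.get(session.account, set()) and not mfa_fresh:
        return Decision(False, "unrecognized device requires step-up", step_up_required=True)
    return Decision(True, f"{base.reason}; provenance, age, device and MFA checks passed")


def demo() -> Dict[str, Decision]:
    """Run both models over three constructed sessions and return the decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Replayed pair from the constructed breach corpus, unknown device, no MFA.
    stuffed = Session("analyst01", credential_fingerprint("analyst01", "Winter2023!"),
                      "dev-zz", now - timedelta(minutes=5))
    # Legitimate holder: known device, MFA five minutes ago.
    legit = Session("analyst01", credential_fingerprint("analyst01", "rotated-secret"),
                    "dev-a1", now - timedelta(hours=1), mfa_verified_at=now - timedelta(minutes=5))
    # Same legitimate holder, but MFA is an hour old: sensitive access should step up.
    stale_mfa = Session("analyst01", credential_fingerprint("analyst01", "rotated-secret"),
                        "dev-a1", now - timedelta(hours=1), mfa_verified_at=now - timedelta(hours=1))
    return {
        "stuffed_static": static_authorize(stuffed, "case_files"),
        "stuffed_reeval": reevaluating_authorize(stuffed, "case_files", now),
        "legit_reeval": reevaluating_authorize(legit, "case_files", now),
        "stale_mfa_reeval": reevaluating_authorize(stale_mfa, "case_files", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} allow={decision.allow!s:5} step_up={decision.step_up_required!s:5} {decision.reason}")
```

The point the run makes is the one the post makes: the replayed credential passes `static_authorize` cleanly, because every lookup in the chain succeeds, and is refused by `reevaluating_authorize` before any role is consulted for effect. The legitimate holder with fresh MFA is allowed, and the same holder with stale MFA is steered into step-up rather than denied outright, which is the distinction between a continuously validated condition and a permanent state.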

This failure mode is not bounded to identity systems. Software supply chains accept signed packages without verifying whether the signing key has been rotated since the prior release or exposed in an intervening breach. Network segments grant access to a source IP without confirming whether the host at that address has been compromised since it was last enumerated. In each case, an artifact — a credential, a signature, a role assignment — functions as a proxy for current trustworthiness. The proxy is consulted; the underlying claim is not re-examined. The system acts on what it knows rather than what it can verify about the present state of the thing it trusts.

Systems resolve trust once and reuse the result. The LAPD breach is the predictable output of a design that treats authorization as a permanent state rather than a continuously validated condition. The credential worked. The login succeeded. The session was issued. Each of those events was correct. What was absent was any mechanism to ask whether correct was still appropriate — whether this identity, presenting this credential, in this context, at this time, should still be trusted. Trust was established at enrollment and never revisited. The attacker did not break the system. The system handed them access, and then kept handing it to them, document by document, for as long as the session ran.
