Stolen Employee Credentials Used in Vodafone Attack

The second factor became useless. The door opened.
How attackers bypassed Vodafone's two-factor authentication by cloning an employee's SIM card.

In early 2022, Portugal's largest telecommunications provider fell not to an elaborate technical assault, but to the oldest vulnerability in digital security: a human being with access. RTP's investigation revealed that attackers stole a single employee's credentials and cloned their SIM card to defeat two-factor authentication — a method so straightforward it reframes the entire question of what it means to defend a modern network. The breach is less a story about hackers than about the persistent fragility of trust placed in ordinary points of entry.

  • A major telecommunications network serving millions was brought down not by elite hacking tools, but by a stolen username, a password, and a cloned SIM card.
  • Two-factor authentication — widely regarded as a reliable second line of defense — was rendered useless the moment attackers duplicated the employee's physical device and intercepted login codes.
  • RTP journalists went beyond the breach itself, speaking directly with prominent ransomware operators and Portuguese business owners who quietly paid ransoms to recover their systems.
  • A shadow economy emerges from the reporting: companies are targeted, data is held hostage, and many organizations calculate that paying is cheaper than the reputational and operational cost of refusal.
  • The investigation, broadcast on A Prova dos Factos weeks after the attack, landed a warning that the immediate crisis had obscured — the conditions that enabled the breach remain fully intact.

The cyberattack that knocked Vodafone's services offline across Portugal in early 2022 did not demand extraordinary technical skill. It demanded something more accessible and more dangerous: the login credentials of one employee, and the knowledge of how to clone a mobile SIM card.

RTP's investigation reconstructed the method with clarity. Attackers acquired a Vodafone employee's username and password — the reporting does not detail how — but credentials alone were insufficient. The network was protected by two-factor authentication, a second layer designed to stop intruders even when valid login details are compromised. The attackers neutralized this by cloning the employee's SIM, allowing them to intercept the one-time codes generated during login. The second lock opened. The breach proceeded.

What the investigation underlines is not the ingenuity of the attack but its banality. Employee credentials are the most common entry point into major organizations — easier to steal than to crack, and devastatingly effective once obtained. The attacker needs no genius. They need access and patience.

RTP's reporting extended into the ecosystem surrounding such attacks. Journalists spoke with some of the most active figures in the ransomware world, as well as Portuguese business owners who had paid — sometimes significantly — to recover encrypted systems and prevent data exposure. The picture that emerges is one of brutal market logic: companies are compromised, leverage is applied, and many choose payment over the alternative.

Broadcast on A Prova dos Factos on a Friday evening, the investigation arrived after the Vodafone story had already receded from the headlines. But the vulnerability it exposed had not receded at all. Across Portugal and beyond, employees continue to hold credentials that can be stolen, and SIM cards that can be cloned — ordinary people standing at the threshold of systems that depend entirely on their protection.

The Vodafone attack that disrupted service across Portugal in early 2022 did not require sophisticated zero-day exploits or months of patient reconnaissance. It required something simpler and more damaging: the stolen credentials of a single employee, and the technical skill to clone a mobile SIM card.

RTP's investigation established the mechanics of the breach with precision. Attackers obtained a Vodafone employee's login credentials—username and password—through means the reporting does not specify. But credentials alone are not enough to penetrate a modern network. The company had layered its defenses with two-factor authentication, a second lock that should have stopped intruders even if they possessed valid login information. The attackers circumvented this by cloning the employee's SIM card. With a duplicate of the legitimate device, they could intercept the one-time codes sent during login attempts. The second factor became useless. The door opened.
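The bypass described in this paragraph (and in the shorter summary earlier on the page) rests on one property: an SMS one-time code is delivered to whoever currently holds the subscriber's SIM identity, not to a particular device. The Python model below is an added example, not code from RTP's reporting or from Vodafone's systems. The carrier, the user record, the three-day SIM-change threshold and the timestamps are constructed assumptions, and the "recent SIM change" signal stands in for the SIM-swap status lookup that some carriers expose to service providers. It contrasts an SMS login with no SIM-change check, the same login with the check, and a device-bound TOTP (RFC 6238) that holding the phone number does not yield.

```python
"""
Added example, not from RTP's reporting or Vodafone's systems: a toy model of
an SMS one-time-code login versus a device-bound TOTP login (RFC 6238), with a
defensive gate that refuses SMS codes when the carrier reports that the
subscriber's SIM registration changed recently. Carrier, user, threshold and
timestamps are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


@dataclass
class Carrier:
    """Constructed carrier: a number delivers to whichever handset holds its SIM identity."""
    route: dict = field(default_factory=dict)          # number -> handset id
    registered_at: dict = field(default_factory=dict)  # number -> time current SIM registered

    def register(self, number: str, handset: str, now: int) -> None:
        self.route[number] = handset
        self.registered_at[number] = now

    def deliver_sms(self, number: str, text: str) -> tuple:
        # The code goes to the SIM that holds the number, not to a particular phone.
        return self.route[number], text

    def sim_changed_within(self, number: str, seconds: int, now: int) -> bool:
        # Stand-in for a carrier SIM-swap status lookup (assumed signal).
        return now - self.registered_at[number] < seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, now // step)


@dataclass
class AuthServer:
    carrier: Carrier
    users: dict                       # username -> {"password", "phone", "totp_secret"}
    sim_change_gate: bool = True      # refuse SMS codes after a recent SIM change
    max_sim_age: int = 3 * 24 * 3600  # constructed threshold: 3 days
    pending: dict = field(default_factory=dict)

    def start_sms_login(self, user: str, password: str) -> tuple:
        """Password check, then an SMS code; returns (handset that received it, code)."""
        if self.users[user]["password"] != password:
            return None, None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return self.carrier.deliver_sms(self.users[user]["phone"], code)

    def finish_sms_login(self, user: str, code: str, now: int) -> str:
        phone = self.users[user]["phone"]
        if self.sim_change_gate and self.carrier.sim_changed_within(phone, self.max_sim_age, now):
            return "denied: recent SIM change, SMS factor not trusted"
        return "ok" if self.pending.pop(user, None) == code else "denied: bad code"

    def totp_login(self, user: str, password: str, code: str, now: int) -> str:
        u = self.users[user]
        if u["password"] != password:
            return "denied: bad password"
        # The TOTP secret lives on the enrolled device, not at the phone number.
        return "ok" if hmac.compare_digest(totp(u["totp_secret"], now), code) else "denied: bad code"


def simulate() -> dict:
    """Walk through the attack shape the article describes and the possible outcomes."""
    carrier = Carrier()
    carrier.register("+351900000001", "employee-phone", now=0)
    users = {"employee": {"password": "hunter2", "phone": "+351900000001",
                          "totp_secret": b"12345678901234567890"}}  # RFC 6238 test secret
    results = {}

    # Constructed timestamp: the attacker already holds the password and now the SIM identity.
    t = 1234567830
    carrier.register("+351900000001", "attacker-handset", now=t)

    ungated = AuthServer(carrier, users, sim_change_gate=False)
    handset, code = ungated.start_sms_login("employee", "hunter2")
    results["sms_lands_on"] = handset
    results["sms_ungated"] = ungated.finish_sms_login("employee", code, now=t + 60)

    gated = AuthServer(carrier, users, sim_change_gate=True)
    handset, code = gated.start_sms_login("employee", "hunter2")
    results["sms_gated"] = gated.finish_sms_login("employee", code, now=t + 60)

    # TOTP: holding the number yields nothing; the code needs the device-held secret.
    results["totp_attacker_guess"] = gated.totp_login("employee", "hunter2", "000000", now=t + 60)
    employee_code = totp(users["employee"]["totp_secret"], t + 60)
    results["totp_employee"] = gated.totp_login("employee", "hunter2", employee_code, now=t + 60)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The interesting line is the one in `deliver_sms`: the server never learns which handset received the code, which is why an SMS factor inherits the carrier's weaknesses. The gate only narrows the window; the durable fix is the last branch, a factor bound to a secret the attacker cannot obtain by taking over the number.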

What makes this attack notable is not its technical sophistication but its ordinariness. Employee credentials are the most common entry point for breaches at major organizations. They are easier to steal than to crack—a phishing email, a compromised personal device, a data leak from an unrelated service. And once obtained, they are remarkably effective. The attacker does not need to be a genius. They need access and patience.

RTP's reporting went beyond the mechanics of the Vodafone breach. The investigation ventured into the darker corners of the internet, where the people who conduct these attacks operate and communicate. Journalists spoke with some of the world's most active hackers, the ones who orchestrate ransomware campaigns and sell stolen data. They also interviewed Portuguese business owners who had paid ransoms—sometimes substantial sums—after their networks were compromised. These conversations reveal a market that functions with brutal efficiency. Companies are attacked, data is encrypted or threatened with release, and many choose to pay rather than face the alternative: exposure of customer information, operational shutdown, reputational damage.

The Vodafone case sits at the intersection of two realities. First, the technical reality: modern security is only as strong as its weakest link, and that link is often human. An employee's credentials, obtained through social engineering or theft, can grant an attacker access that no firewall or encryption can prevent. Second, the economic reality: once inside a major network, attackers have leverage. They can extract data, encrypt systems, and demand payment. Many organizations, facing the prospect of exposure or extended downtime, decide that paying is the rational choice.

The investigation aired on RTP's program A Prova dos Factos—The Proof of Facts—on a Friday evening following the main news broadcast. By that time, the Vodafone attack was already weeks old, its immediate impact fading from headlines. But the underlying vulnerability it exposed remained. Somewhere in Portugal, and across the world, other employees were using passwords that could be guessed or stolen. Other SIM cards could be cloned. Other networks waited to be breached by attackers who understood that the most direct path to a company's secrets often runs through an ordinary person with access.

The attack was carried out using an employee's login and password, with the attackers cloning the employee's SIM card to bypass two-factor authentication
— RTP investigation findings
The Hearth Conversation
Another angle on the story
Inventor

How did the attackers actually get the employee's login credentials in the first place?

Model

The reporting doesn't specify the method—it could have been phishing, a compromised personal device, or credentials leaked from another service entirely. The investigation focused on how they used the credentials once obtained, not necessarily how they acquired them.

Inventor

And the SIM cloning—that's the part that defeats two-factor authentication?

Model

Exactly. Two-factor authentication is supposed to require something you know (your password) and something you have (your phone). By cloning the SIM, the attacker had both. When the system sent a one-time code to the employee's number, it went to the attacker's cloned card instead.

Inventor

So the second layer of security became irrelevant?

Model

Completely. It's like having a deadbolt on your door when someone has already copied your key and your house number.

Inventor

Why did RTP talk to hackers and ransom-paying companies?

Model

To show that this isn't an isolated incident. The Vodafone breach is one example of a much larger ecosystem where attackers operate openly, sell stolen data, and companies regularly decide that paying is cheaper than the alternative.

Inventor

What does that tell us about how vulnerable major companies really are?

Model

That their defenses are only as strong as the people inside them. And that once you're inside, you have enormous leverage.

Want the full story? Read the original at RTP ↗