Every organization has a human attack surface. Most have no idea how big it is. Using basic scraping methods against public social media platforms, we built a graph database that disambiguates profiles across platforms and resolves fragmented online identities into confirmed employees. The graph maps organizational hierarchies, team structures, reporting relationships, and personal details. This talk covers the architecture, the data sources, and how the disambiguation engine works at scale, then shows what an entire organization looks like when you query it through the lens of someone building a target list.
Armed with intelligence from the graph, we deployed an AI voice agent to call a Fortune 100 help desk. The agent passed identity verification, convinced the analyst to initiate a password reset, and achieved account takeover without any technical exploitation. We'll play the distorted call recording and break down exactly where the verification process fell apart.
Help desks were designed for a world where the caller was human and the information they had was hard to get. Neither of those things is true anymore. We'll cover practical steps security teams can take to harden their help desks, reduce their human attack surface, and prepare for a threat model where the attacker already knows everything about your employees before they ever pick up the phone.
