Clorox accuses IT provider in lawsuit of giving hackers employee passwords


Cognizant's logo is pictured on a smartphone in this illustration taken, December 4, 2021. REUTERS/Dado Ruvic/Illustration/File Photo

WASHINGTON (Reuters) - Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.

Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."

Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.

"Clorox has tried to blame us for these failures, but the reality is that Clorox hired Cognizant for a narrow scope of help desk services which Cognizant reasonably performed," Cognizant said.

The suit was not immediately visible on the public docket of the Superior Court of Alameda County. Clorox provided Reuters with a receipt for the lawsuit from the court.

Three partial transcripts included in the lawsuit allegedly show conversations between the hacker and Cognizant support staff in which the intruder asks to have passwords reset and the support staff complies without verifying who they are talking to, for example by quizzing them on their employee identification number or their manager's name.

"I don't have a password, so I can't connect," the hacker says in one call. The agent replies, "Oh, OK. OK. So let me provide the password to you OK?"

The apparent ease with which the hackers got what they wanted wasn't necessarily an indication that they weren't skilled, said Maxie Reynolds, a security expert who has specialized in social engineering and is not a party to the case.

"They just tried what typically works," she said.

Reynolds said the full transcripts were needed to offer a fair evaluation of what happened in 2023 but said that, "if all they had to do was call and ask straight out, that’s not social engineering and it is negligence/non-fulfillment of duty."

The 2023 hack at Clorox caused $380 million in damages, the suit said, about $50 million of which was tied to remedial costs and the rest attributable to Clorox's inability to ship products to retailers in the wake of the hack.

Clorox said the clean-up was hampered by other failures by Cognizant's staff, including failure to de-activate certain accounts or properly restore data.

(Reporting by Raphael Satter; Editing by Chris Reese, Daniel Wallis and Christian Schmollinger)
