< ciso
brief />
Tag Banner

All news with #account takeover tag

191 articles

Vishing campaign abuses Entra passkey enrollment

🔔 A threat actor is using voice-based fake security calls to trick Microsoft 365 users into enrolling a malicious Entra passkey. The attacker directs victims to realistic phishing pages that mimic the Microsoft enrollment flow and uses an operator-controlled PHP kit to capture credentials and MFA responses in real time. Okta attributes the campaign to O-UNC-066, linked to the extortion group Pink, which targets multiple industries and quickly exfiltrates data after account takeover.
read more →

Verification Step Emerges as New ATO Attack Surface

🛡️ Passkeys and passwordless flows are reducing credential stuffing, but attackers now target identity verification and recovery paths such as magic links, step-up flows, and re-enrollment. Generative AI has made impersonation and synthetic media widespread, increasing fraudulent verification attempts. Defenders must adopt biometric liveness, risk-based re-verification, intent binding, and network-effect signals to stay ahead as regulations and threats evolve.
read more →

Critical Writer AI flaw let attackers hijack sessions

🔒 Cybersecurity researchers disclosed a critical session isolation vulnerability in Writer, an enterprise generative AI platform, that allowed cross-tenant account takeover via a one-click exploit named WriteOut. An attacker could create an agent, share its live preview link, and when a logged-in user opened the link their session cookie would be forwarded into the attacker’s sandbox and exfiltrated. Writer has patched the issue by isolating session cookies and preventing them from being forwarded into sandbox previews.
read more →

ConsentFix and ClickFix: Microsoft 365 hijacks

🔒 Modern phishing variants like ClickFix and the newer ConsentFix convert routine user actions into account takeover opportunities. Attackers trick victims into executing keyboard shortcuts or dragging callback links, which hands over OAuth tokens and session access to Microsoft 365 services without passwords or MFA bypass. The technique relies on familiar workflows and readily available tooling, with public sharing of blueprints lowering the barrier to entry.
read more →

Alleged Scattered Spider member extradited to U.S.

🔎 A 19-year-old dual US-Estonian citizen, Peter Stokes, was extradited from Finland to the United States to face charges alleging membership in the Scattered Spider hacking collective. He is accused of participating in multiple intrusions and extortion schemes, including a March 2023 breach and a May 2025 attack on a multibillion-dollar retailer that led to over $2 million in losses. Stokes faces charges of fraud, conspiracy, and computer intrusion and has appeared in federal court in Chicago.
read more →

Why attackers target your email inbox aggressively

📧 Email accounts act as hubs for identity verification, password resets and long-term records, making them prime targets for cybercriminals. Attackers use phishing, account takeover, forwarding rules and abused tokens to maintain access, intercept codes and harvest sensitive information. Corporate inbox breaches can lead to data theft, ransomware or expensive fraud, while sophisticated tools like GenAI increase phishing success rates. Regularly review security settings, use MFA or passkeys, and remain vigilant to reduce risk.
read more →

DraftKings hacker 'Snoopy' sentenced to 18 months

🔒 A 21-year-old known as "Snoopy" was sentenced to 18 months in prison after pleading guilty to conspiracy to commit computer intrusion for his role in the November 2022 DraftKings account takeover. The attacker and co-conspirators compromised roughly 60,000 user accounts, added payment methods to 1,600 accounts, and stole $600,000. Authorities linked the scheme to online marketplaces and seller shops that trafficked access to stolen accounts.
read more →

JaredFromSubway MEV bot suffers $15M crypto theft

🔒 The JaredFromSubway Ethereum MEV bot lost $15 million after an attacker fed it fake pools and tokens to manipulate its opportunity detection and gain ERC-20 approvals. Blockaid detected the drain and JaredFromSubway confirmed the attacker deployed deceptive contracts that tricked the bot into issuing allowances to attacker-controlled helper contracts. The attacker used staged, benign-looking transactions to validate the bot’s routines, later exploiting open approvals via transferFrom to withdraw WETH, USDC, and USDT.
read more →

Search-Your-Target Market for Stolen Credentials

🔎 Flare analyzed 470 underground forum posts from January 2025 to June 2026 revealing a growing service layer that lets buyers query massive infostealer-derived credential collections for specific companies, platforms, domains, geographies, or account types. These sellers act as brokers, offering search, deduplication, formatting, and targeted delivery of credentials from databases claiming billions of records. Buyer feedback highlights gaps in quality, freshness, and validity, while the market partially overlaps with Initial Access Brokers and amplifies account takeover risks.
read more →

EvilTokens phishing abuses OAuth device code flow

🛡️ EvilTokens is a phishing-as-a-service kit that compromises Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow, tricking victims into authorizing attacker sessions via legitimate Microsoft login pages. Active since at least February 2026, the toolkit has been used in large account takeover and BEC campaigns, leveraging reconnaissance and decoy lures to obtain access and refresh tokens. Because victims complete real authentication — including 2FA — the attacks bypass traditional red flags like fake login pages. Organizations are advised to restrict device code flow, monitor unusual token activity, and update security awareness to address these modern phishing tactics.
read more →

French government’s Tchap messaging breach disclosed

🔒 The French government’s secure messaging platform, Tchap, was breached after an intruder took over a user account, according to DINUM. The agency blocked the compromised access and is investigating the extent of exposed information. While encryption was not broken, public chat rooms are unencrypted and the intruder reportedly accessed thousands of messages and files. DINUM reminded users that public rooms are visible to any account and should not contain sensitive content.
read more →

Rising Multi‑Layered Identity Crime Affects More Victims

🔍 The Identity Theft Resource Center's 2026 Trends in Identity Report, based on over 6,000 reports from April 1, 2025 to March 31, 2026, shows nearly 26% of victims experienced two or more concurrent identity incidents. Unauthorized device/PC access rose sharply to 27% of compromises and is now the primary threat for adults aged 35–64. Account takeovers made up 50% of misuse cases, while recovery rates dropped significantly when financial loss occurred. Experts warn that compromised devices enable broader attacks and call for testing and automation to improve incident response.
read more →

French government messaging platform breached by hijack

🔐 DINUM warned that a hijacked user account was used to breach Tchap, the French government's encrypted messaging platform. Developed with ANSSI in 2018 on the Matrix protocol, Tchap serves the French public sector and has grown rapidly since its mandated adoption in August 2025. DINUM and CNIL were alerted after ANSSI detected the intrusion and the compromised account was promptly blocked while investigations continue. A threat actor claimed responsibility and shared samples, alleging large-scale data and message exfiltration.
read more →

Ukraine’s resilience lessons for cybersecurity planning

🛡️ Dmytro Kuleba, Ukraine’s foreign minister from 2020–2024, told Infosecurity Europe that pre-planning and contingency-driven resilience underpinned Ukraine’s survival after the 2022 full-scale invasion. He described a December 2023 attack that knocked KyivStar offline via a single compromised employee account, and praised rapid recovery and hardened defences thereafter. Kuleba advised organisations to rehearse crisis responses, understand systems intimately, and build instinctive survival practices. He warned that even benign third-party CRM tools can be weaponised for targeted intelligence, urging technological sovereignty and strict data security.
read more →

Meta AI support flaw led to large Instagram account hijacks

🔒 Meta disclosed that a vulnerability in its AI-assisted High Touch Support (HTS) tool allowed threat actors to reset passwords and hijack over 20,000 Instagram accounts. Attackers exploited HTS by submitting email addresses not verified against target accounts, obtaining reset links for accounts without 2FA. Meta disabled the HTS system, invalidated generated reset links, secured impacted accounts, and required affected users to reset passwords and re-authenticate. The company said it will fix the verification check and review similar recovery flows across its platforms.
read more →

Attackers Exfiltrate Exchange Executive Mailbox

📧 Symantec and Carbon Black disclosed that unknown attackers maintained quiet access to a senior executive's Outlook mailbox at a major global stock exchange for at least five months, repeatedly copying messages and routing them through Dropbox and OneDrive to blend with normal cloud activity. The intruders used a mailbox stealer built on Aspose, ran binaries impersonating legitimate updaters and OneDrive, and staged additional backdoors before access likely ended in March 2026. Indicators point to espionage-focused credential theft and tunneling tooling rather than a financially motivated campaign.
read more →

Weedhack campaign targets Minecraft players via YouTube

🛡️ McAfee Labs reports a MaaS campaign called Weedhack that has been active since January 2026, using SEO poisoning and YouTube videos to trick Minecraft users into downloading malicious JAR files. The malware chain begins with a trojanized client and leverages the Ethereum blockchain for C2 resolution, ultimately delivering remote access and information-stealing payloads. The service is offered free and as a paid tier, enabling widespread abuse, account theft, and cyberbullying against younger victims.
read more →

When AI Support Workflows Become an Authorization Risk

🔒 Reporting suggests attackers used Meta’s AI support chatbot to change recovery emails on high-profile Instagram accounts, leading to notable takeovers. The core issue isn’t just prompt injection or a model jailbreak but that the AI operated within a sensitive account recovery workflow with insufficient independent verification. Organizations must treat AI-driven support actions as part of the security boundary and constrain authority, permissions, and verification around such agents.
read more →

AI Support Bot Exploit Lets Attackers Hijack Instagram

🔒 A wave of account takeovers targeted high-profile Instagram profiles after attackers shared instructions for tricking Meta’s AI support assistant into relinking accounts to attacker-controlled email addresses. The technique, circulated on Telegram on May 31, reportedly involved using a VPN to appear from the target’s locale, initiating a password reset, and persuading the AI bot to add a new email. Meta acknowledged a brief compromise of a dormant Obama White House account and pushed an emergency patch while asserting no backend database was breached. Experts warn AI-driven support flows introduce new attack surface and recommend strong MFA such as passkeys or security keys to mitigate risk.
read more →

Romanian sentenced for hacking Oregon government network

🔒 A Romanian national was sentenced to 56 months in federal prison after pleading guilty to aggravated identity theft and unauthorized access to an Oregon state government computer network. The 46-year-old, known online as "inthematrixl," also sold access and stolen personal data from other U.S. victims, causing at least $250,000 in losses. Authorities coordinated internationally to arrest and extradite him, and the court ordered forfeiture of cryptocurrency and supervised release.
read more →