
All news with #account takeover tag

169 articles · page 5 of 9

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Six Okta Security Settings You May Have Overlooked

🔐 Identity providers like Okta are central to modern SaaS security, and subtle configuration gaps can create serious exposure. This article highlights six fundamental settings—password policies, phishing‑resistant MFA, ThreatInsight, admin session ASN binding, session lifetimes, and behavior rules—that reduce the risk of account takeovers and session hijacking. Complementing these controls with continuous monitoring from Nudge Security helps detect drift and remediate misconfigurations before they’re exploited.

Appsmith authentication flaw enables account takeovers

🔒 A critical authentication vulnerability (CVE-2026-22794) in the Appsmith low-code platform allowed attackers to manipulate password reset links by supplying a malicious HTTP Origin header, causing reset tokens to be redirected to attacker-controlled infrastructure. Exploitation can lead to full account takeover, including administrator access. The flaw affects Appsmith 1.92 and earlier and was corrected in 1.93; internet scans identified 1,666 publicly accessible instances.

PcComponentes denies 16M breach, cites credential stuffing

🔒 PcComponentes says it found no evidence of unauthorized access after investigating claims that a threat actor leaked a 16.3 million‑record customer dataset, but confirmed its platform was targeted in a credential stuffing campaign. The actor posted a 500,000‑record sample and offered the remainder for sale. The company asserts no payment details or passwords are stored and that only a small number of accounts showed exposure of personal data. PcComponentes has deployed CAPTCHA, mandated two‑factor authentication and invalidated active sessions.

Old Habits Die Hard: 2025’s Most Common Passwords Worldwide

🔐 Two 2025 analyses by NordPass and Comparitech show that simple numeric strings like '123456' continue to dominate leaked password lists worldwide. Across 44 countries, 25% of the top 1,000 passwords are purely numeric, while predictable entries such as 'admin', '12345678' and '12345' remain widespread, including in the US and UK. Security advice is clear: change weak or reused passwords, use a reputable password manager, and enable two‑factor authentication or passkeys to reduce account takeover risk. Organizations should combine technical controls with user training to mitigate large‑scale exposure.

Hacker Pleads Guilty After Leaking Supreme Court Data

🔓 Nicholas Moore, 24, pleaded guilty to hacking the U.S. Supreme Court's restricted electronic filing system and breaching AmeriCorps and VA accounts. Prosecutors say Moore used stolen credentials to access the Court's system at least 25 times between August and October 2023, sometimes logging in multiple times per day, and posted screenshots and victims' data to an Instagram account, @ihackedthegovernment. He also accessed an AmeriCorps account seven times and a VA My HealtheVet account five times, viewing sensitive personal and health information. Moore admitted to one count of computer fraud.

Malicious Google Chrome Extensions Hijack Workday and NetSuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, NetSuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploaded them to a command-and-control server, and revisited targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.

Malicious Chrome extensions hijack enterprise sessions

🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.

Chrome Extensions Impersonating Workday and NetSuite

⚠ Security researchers uncovered five malicious Chrome extensions that impersonate HR and ERP platforms, including Workday and NetSuite, to harvest authentication tokens and facilitate session takeovers. The add-ons exfiltrate cookies to attacker-controlled APIs, manipulate DOM content to block administrative pages, and can inject stolen cookies to hijack sessions. Most were removed from the Chrome Web Store but remain available on third-party download sites; affected users should remove the extensions, reset credentials, and audit for unauthorized access.

Account Compromise Soars 389% in 2025: eSentire Report

🔐 eSentire's 2025 Year in Review (published 15 Jan 2026) documents a 389% year‑over‑year surge in account compromises, which accounted for 55% of observed attacks. Credential access comprised 75% of malicious activity, with Microsoft 365 accounts heavily targeted and two‑thirds of compromises used for account takeovers. Phishing‑as‑a‑service (PhaaS) kits — including Tycoon2FA, FlowerStorm and EvilProxy — fueled many Business Email Compromise operations, while malware represented 25% of threats, down slightly from 2024.

When Your Personal Data Appears on the Dark Web - What to Do

🔒 If you learn your personal or financial data is on the dark web, act quickly: cybercriminals use stolen PII, credentials, session cookies and payment details to commit account takeover, identity theft and fraud. Immediately change compromised passwords, enable MFA (prefer authenticator apps or hardware keys), sign out of all devices, scan for infostealer malware and contact your bank to freeze or reissue cards. For longer-term protection, freeze credit, tighten privacy settings, use email aliasing and a password manager, and enroll in monitoring services such as HaveIBeenPwned.

Apex Legends players hit by in-match character hijacks

🎮 Players of Apex Legends faced in-match disruptions over the weekend as external actors reportedly took control of characters, forced disconnects, and changed player nicknames. Respawn acknowledged "an active security incident" but said initial investigation found no evidence of an RCE or malware infection. The publisher reported the issue was resolved within hours and suggested cheating tools were involved while the investigation continues.

Credential stuffing: risks and protection advice today

🔐 Credential stuffing exploits reused login credentials harvested from breaches or captured by infostealer malware, automating login attempts with them across many services. Attackers increasingly use bots, IP rotation and AI-assisted scripts to mimic human behavior and evade basic defenses, enabling stealthier and larger-scale attacks. Because it uses valid credentials, it often bypasses alarms that detect brute-force failures. Protect yourself with a password manager, enable 2FA/MFA, and monitor for exposed credentials.

Open WebUI Direct Connections flaw risks account takeover

⚠️ A high-severity vulnerability (CVE-2025-64496) affecting Open WebUI versions 0.6.34 and earlier can enable account takeover when the Direct Connections feature is enabled. A malicious OpenAI-compatible model server can send a crafted server-sent events message that executes JavaScript in a connected user's browser and steals authentication tokens from localStorage. Open WebUI 0.6.35 and later block the malicious execute events; administrators should upgrade immediately, restrict Direct Connections to trusted endpoints, and strengthen authentication and sandboxing.

Former Coinbase Support Agent Arrested in India After Breach

🔒 A former Coinbase customer support agent was arrested in Hyderabad after investigators linked the individual to a scheme that helped hackers access a company database earlier this year. Coinbase CEO Brian Armstrong said additional arrests are expected. The incident, tied to outsourced agents at TaskUs, affected about 69,500 customers and involved a $20 million ransom demand.

Massive Rainbow Six Siege breach grants billions of credits

🚨 Ubisoft's Rainbow Six Siege suffered an in‑game abuse incident that allowed attackers to ban and unban players, display fake ban messages, and grant approximately 2 billion R6 Credits and Renown to accounts worldwide. Ubisoft confirmed the issue at 9:10 AM Saturday, intentionally shut down Siege and its Marketplace while teams investigated, and said transactions since 11:00 UTC will be rolled back. The company stated players will not be punished for spending the granted credits.

DoJ Seizes Domain That Enabled $14.6M Account Takeovers

🔒 The U.S. Department of Justice announced it seized the domain web3adspanels.org and an associated database used as a backend panel to store and manipulate illegally harvested bank login credentials. Authorities say the group delivered fraudulent search ads that redirected victims to counterfeit banking sites containing malicious code that harvested credentials. The scheme affected 19 U.S. victims, causing attempted losses of about $28 million and actual losses of approximately $14.6 million.

Attackers Abuse Microsoft OAuth Device Codes for Hijacks

🔒 Cybercriminals and state-sponsored actors are increasingly abusing OAuth device authorization to hijack enterprise Microsoft 365 accounts, often bypassing multifactor protections. Proofpoint reports campaigns have surged since September 2025 and shifted from targeted voice-phishing to scalable email-based social engineering. Attackers prompt victims to enter short-lived device codes on Microsoft’s verification page, validating tokens and granting access. Tools such as SquarePhish2 and Graphish automate the flow and lower the skill barrier for large-scale attacks.

Microsoft 365 OAuth Device Code Phishing Wave Expands

🔒 Multiple threat actors are exploiting the OAuth device code flow to compromise Microsoft 365 accounts by tricking users into entering device codes on legitimate Microsoft device login pages. Victims thereby authorize attacker-controlled applications and grant persistent access, with no credential theft or direct MFA bypass required. Proofpoint reports a significant volume increase since September and attributes activity to financially motivated groups such as TA2723 and a suspected Russia-aligned actor tracked as UNK_AcademicFlare. The campaigns use phishing kits like SquarePhish and Graphish and employ lures such as salary bonuses and spoofed OneDrive links. Organizations should enforce Microsoft Entra Conditional Access and implement sign-in origin policies to mitigate these attacks.

GhostPairing attack allows remote WhatsApp account linking

⚠️ Researchers at Gen Digital have identified a social-engineering technique dubbed GhostPairing that lets attackers add themselves as a trusted device to a victim’s WhatsApp account without passwords. By sending a malicious message that prompts the user to verify their phone number, attackers forward the generated pairing code and the user inadvertently approves the session. Once linked, the attacker can read and send messages in real time and propagate the scam to the victim’s contacts. Users should check Linked Devices and enable two-step verification.