ciso brief

All news with #credential stuffing tag

71 articles · page 2 of 4

Phishing campaign uses fake LastPass support email threads

🔒 LastPass warns of a targeted phishing campaign that spoofs support email threads to trick users into revealing vault credentials. The messages impersonate a LastPass representative by abusing the display name and use subject lines that mimic forwarded internal conversations about changing an account's primary email. Recipients are urged to click links such as “report suspicious activity” that lead to a fake login page on the domain "verify-lastpass[.]com". LastPass says its systems were not compromised and reminds users never to disclose their master password and to report suspicious messages to abuse@lastpass.com.

Compromised cPanel Access Fuels Cybercrime Markets

🔐 Flare researchers found compromised cPanel credentials traded widely across cybercrime communities, observing over 200,000 posts in a seven-day sample that reveal a highly commoditized, templated marketplace. Sellers advertise tiered pricing and bulk discounts (e.g., bundles of 100–1,000 accounts), and buyers use the panels to host phishing kits, create SMTP accounts, deploy backdoors, and exfiltrate data. Because the access uses valid credentials, abuse often bypasses traditional defenses; organizations should enable MFA, enforce strong unique passwords, restrict admin logins by source IP, and monitor file integrity and outbound SMTP.

Phishing Campaign Steals Credentials from Freight Firms

📧 A financially motivated threat group dubbed Diesel Vortex has run an extensive phishing campaign since September 2025 targeting freight and logistics operators across the U.S. and Europe, using roughly 52 domains to harvest credentials. Researchers at Have I Been Squatted and partner Ctrl-Alt-Intel discovered exposed repositories and Telegram webhook logs revealing the group's tooling, communications, and an internal mind map describing a call-center style operation. The campaign stole 1,649 unique credential pairs and employed sophisticated evasion — Cyrillic homoglyphs, a nine-stage cloaking chain, voice phishing, Telegram infiltration, and pixel-perfect clones — before coordinated takedowns disrupted the infrastructure.

ShinyHunters Claims Breach of Dutch Telecom Odido

🔒 The ShinyHunters extortion gang claims it stole millions of user records from Dutch telecom Odido, adding the company to its dark‑web leak site and asserting nearly 21 million records were taken. Odido disclosed the incident on February 12, reporting that attackers accessed its customer contact system on February 7 and that exposed fields vary by customer. The carrier said no Mijn Odido passwords, call records, location data, billing data, or identity scans were exposed; ShinyHunters, however, alleges internal corporate data and plaintext passwords were also taken. Odido reported the breach to the Dutch Data Protection Authority, blocked the attackers' access, and engaged external cybersecurity specialists while investigations continue.

Snail Mail Phishing Targets Trezor and Ledger Users

📬 Cybercriminals are mailing phishing letters impersonating Trezor and Ledger to trick hardware wallet owners into surrendering recovery phrases. The letters pressure recipients with deadlines for an Authentication Check or Transaction Check and instruct them to scan QR codes that lead to cloned setup pages. Those pages prompt entry of 24-, 20- or 12-word seed phrases, which are then sent to attacker-controlled servers, allowing funds to be stolen. Never share your recovery phrase; manufacturers will never ask for it.

Two Connecticut Men Indicted in $3M Online Gambling Fraud

🎰 Two Connecticut residents, Amitoj Kapoor and Siddharth Lillaney, were federally indicted on 45 counts alleging a wide-ranging identity theft and gambling fraud scheme that generated about $3 million in illicit profits. Prosecutors say the men bought PII for roughly 3,000 victims on darknet markets and Telegram, used background-check services to pass verifications, and opened fraudulent accounts on FanDuel, DraftKings and BetMGM. Winnings were routed through virtual stored-value cards and then moved into accounts controlled by the defendants. Both were released on $300,000 bonds; the charges remain allegations.

Massive Data Leak Exposes 149M Login Credentials Worldwide

🔒 Cybersecurity researcher Jeremiah Fowler uncovered a publicly accessible database containing 149 million login credentials, including usernames, plaintext passwords and direct login URLs. Affected accounts span major tech and streaming providers, with about 48 million Gmail entries, 17 million Facebook and 6.5 million Instagram records. Fowler attributes the collection to keyloggers and infostealer malware and warns the dataset enables automated credential-stuffing, targeted fraud and convincing phishing campaigns.

PcComponentes denies hacker claim of 16M customer breach

🔒 PcComponentes has denied claims by a threat actor using the alias 'daghetiaw' to have stolen personal data for 16.3 million people. Security platform Hackrisk.io reported the claim and a shared 500,000-line sample, while PcComponentes says there was no unauthorized access to its databases. The retailer attributes the activity to credential stuffing, stresses that raw payment card data were not stored, and says it has implemented measures to strengthen account protection.

PcComponentes denies 16M breach, cites credential stuffing

🔒 PcComponentes says it found no evidence of unauthorized access after investigating claims that a threat actor leaked a 16.3 million‑record customer dataset, but confirmed its platform was targeted in a credential stuffing campaign. The actor posted a 500,000‑record sample and offered the remainder for sale. The company asserts no payment details or passwords are stored and that only a small number of accounts showed exposure of personal data. PcComponentes has deployed CAPTCHA, mandated two‑factor authentication and invalidated active sessions.

Peruvian Loan Scam Harvests Card Details and PINs at Scale

🔒 A large-scale phishing campaign in Peru has used polished fake loan applications to collect valid card numbers, online banking passwords and 6-digit PINs, according to Group-IB. Active since 2024, the operation leverages targeted social media ads and roughly 370 domains, including 16 impersonating a major Peruvian bank. The flow deliberately breaks facial verification so victims are steered toward card entry, and card numbers are filtered with the Luhn check to ensure usability. Group-IB urges stronger customer education, multi-factor authentication and cross-industry intelligence sharing to counter the threat.
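The Luhn check the article mentions is a mod-10 checksum on the card number, not proof that a card exists. As an added example (not code from Group-IB or the campaign), the following implements the check, the matching check-digit computation, and the filter step the operators applied to their harvest; the same filter is what a DLP rule uses to cut false positives when hunting card data in leaked files. The sample text is constructed and uses the public gateway test numbers plus one deliberately corrupted copy.

```python
import re

# Constructed sample text: public test card numbers (the 4111... and 5555...
# values published by payment gateways for integration tests), one copy with
# a wrong last digit, and a phone number that must not be picked up.
SAMPLE_TEXT = (
    "nombre: J. Perez; tarjeta: 4111111111111111 venc 12/27; "
    "tarjeta: 4111 1111 1111 1112; tel: 987654321; "
    "tarjeta: 5555555555554444; clave: 482913"
)


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right. The check digit (index 0) is taken as is; every
    # second digit after it is doubled, and a doubled value above 9 has 9
    # subtracted (the same as summing its two digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit Luhn-valid."""
    digits = [int(c) for c in payload if c.isdigit()]
    total = 0
    # With the check digit not yet appended, the rightmost payload digit
    # sits in a doubled position.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def filter_candidates(text: str) -> list:
    """Extract card-like digit runs from free text and keep the Luhn-valid ones.

    Separators are stripped before the check, so "4111 1111 ..." and
    "4111-1111-..." are treated the same as the bare digit string.
    """
    keep = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            keep.append(digits)
    return keep


if __name__ == "__main__":
    print(filter_candidates(SAMPLE_TEXT))
    payload = "411111111111111"
    check = luhn_check_digit(payload)
    print(check, luhn_valid(payload + str(check)))
```

Because the checksum is public, a Luhn-valid number only says the digits were not mistyped; the campaign still needs the bank's authorization to learn whether a number is live, which is why monitoring for bursts of small authorization attempts is the stronger signal on the issuer side.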

Old Habits Die Hard: 2025’s Most Common Passwords Worldwide

🔐 Two 2025 analyses by NordPass and Comparitech show that simple numeric strings like '123456' continue to dominate leaked password lists worldwide. Across 44 countries, 25% of the top 1,000 passwords are purely numeric, while predictable entries such as 'admin', '12345678' and '12345' remain widespread, including in the US and UK. Security advice is clear: change weak or reused passwords, use a reputable password manager, and enable two‑factor authentication or passkeys to reduce account takeover risk. Organizations should combine technical controls with user training to mitigate large‑scale exposure.

Illinois Man Charged for Phishing Snapchat Accounts

🔒 U.S. prosecutors charged an Illinois man with running a phishing operation that targeted nearly 600 women’s Snapchat accounts between May 2020 and February 2021. Kyle Svara allegedly used social engineering to collect emails, phone numbers, and usernames, then impersonated Snap representatives to request access codes and harvest credentials, ultimately accessing at least 59 accounts and downloading private images. He is accused of advertising hacking services on Reddit, directing accomplices to encrypted channels such as Kik, and selling or trading stolen content. Svara faces federal counts including aggravated identity theft, wire fraud, computer fraud, and making false statements related to child pornography, and is scheduled to appear in Boston federal court on February 4.

Credential stuffing: risks and protection advice today

🔐 Credential stuffing takes username and password pairs reused across sites, harvested from breaches or captured by infostealer malware, and replays them in automated login attempts against many services. Attackers increasingly use bots, IP rotation and AI-assisted scripts to mimic human behavior and evade basic defenses, enabling stealthier and larger-scale attacks. Because each attempt uses a different, often valid credential pair rather than many guesses against one account, the activity typically stays under per-account lockout and brute-force failure thresholds. Protect yourself with a password manager so every site gets a unique password, enable 2FA/MFA, and monitor for exposed credentials.
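The detection gap described above is visible in authentication logs once you aggregate per source rather than per account. As an added example (not code from the article or any vendor), the script below runs over a constructed log in an assumed "timestamp ip user outcome" format: one source spraying a single guess at many accounts, one source hammering a single account, and one ordinary login. The thresholds are illustrative assumptions; the point is that per-account failure counting sees at most one failure for the stuffing source while the per-source view flags it, and that the successes inside that burst are the accounts to invalidate.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 sends one guess per account (stuffing), 198.51.100.4 hammers
# one account (brute force), 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z 203.0.113.7 alice FAIL
2026-02-10T09:00:01Z 203.0.113.7 bob FAIL
2026-02-10T09:00:02Z 203.0.113.7 carol OK
2026-02-10T09:00:02Z 203.0.113.7 dave FAIL
2026-02-10T09:00:03Z 203.0.113.7 erin FAIL
2026-02-10T09:00:03Z 203.0.113.7 frank OK
2026-02-10T09:00:04Z 203.0.113.7 grace FAIL
2026-02-10T09:00:04Z 203.0.113.7 heidi FAIL
2026-02-10T09:00:05Z 203.0.113.7 ivan FAIL
2026-02-10T09:00:05Z 203.0.113.7 judy FAIL
2026-02-10T09:01:00Z 198.51.100.4 admin FAIL
2026-02-10T09:01:01Z 198.51.100.4 admin FAIL
2026-02-10T09:01:02Z 198.51.100.4 admin FAIL
2026-02-10T09:01:03Z 198.51.100.4 admin FAIL
2026-02-10T09:01:04Z 198.51.100.4 admin FAIL
2026-02-10T09:01:05Z 198.51.100.4 admin FAIL
2026-02-10T09:02:00Z 192.0.2.9 mallory OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: List[str] = field(default_factory=list)
    per_user_failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


def parse(log: str) -> Iterator[Tuple[str, str, str, bool]]:
    """Yield (timestamp, ip, user, success) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        yield ts, ip, user, outcome == "OK"


def aggregate(log: str) -> Dict[str, SourceStats]:
    """Roll the log up per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _, ip, user, ok in parse(log):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
            s.per_user_failures[user] += 1
    return stats


def classify_sources(log: str, min_attempts: int = 10, min_distinct_users: int = 8,
                     min_fail_rate: float = 0.6, lockout_threshold: int = 5) -> Dict[str, str]:
    """Label each source IP; thresholds are assumed values for the demo.

    Stuffing: many attempts spread over many distinct accounts, mostly failing.
    Brute force: repeated failures concentrated on one or two accounts, which is
    what a classic per-account lockout catches.
    """
    labels: Dict[str, str] = {}
    for ip, s in aggregate(log).items():
        fail_rate = s.failures / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_distinct_users
                and fail_rate >= min_fail_rate):
            labels[ip] = "credential_stuffing"
        elif len(s.users) <= 2 and s.failures >= lockout_threshold:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def compromised_accounts(log: str) -> List[str]:
    """Accounts that logged in successfully from a source flagged as stuffing;
    these need session revocation and a forced password reset."""
    labels = classify_sources(log)
    stats = aggregate(log)
    return sorted({u for ip, s in stats.items()
                   if labels[ip] == "credential_stuffing" for u in s.successes})


def max_failures_per_account(log: str, ip: str) -> int:
    """Largest failure count any single account saw from this source, i.e.
    what a per-account lockout counter would observe."""
    s = aggregate(log).get(ip)
    return max(s.per_user_failures.values(), default=0) if s else 0


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
    print("compromised:", compromised_accounts(SAMPLE_LOG))
    print("stuffing source max per-account failures:",
          max_failures_per_account(SAMPLE_LOG, "203.0.113.7"))
```

In production the per-source key should be a tuple of IP, ASN and device or TLS fingerprint, since the article notes attackers rotate IPs; the per-IP version here is the minimum that separates the two patterns.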

Cloud file-sharing breaches selling corporate data

🔐 A threat actor known as Zestix is offering corporate data reportedly stolen from dozens of companies after breaching ShareFile, Nextcloud, and OwnCloud instances. Hudson Rock links initial access to credentials harvested by infostealers such as RedLine, Lumma, and Vidar, often delivered via malvertising or ClickFix campaigns. Many affected accounts lacked multi-factor authentication, enabling unauthorized access and large-scale data exfiltration.

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.

LastPass 2022 Breach Enabled Years-Long Crypto Drains

🔐 TRM Labs says encrypted vault backups stolen in the 2022 LastPass breach have been incrementally cracked by attackers exploiting weak master passwords, resulting in cryptocurrency drains as recently as late 2025. The firm traces over $35 million in siphoned assets, much of it laundered through CoinJoin and Russian-linked exchanges. TRM highlights how demixing and operational analysis linked activity to Russia-associated infrastructure and warns users who did not rotate credentials remain at risk.
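An attacker holding an encrypted vault blob faces no server, no rate limit and no lockout; the only cost is the key-derivation work per guess, multiplied by how many guesses the master password forces. As an added example (not LastPass code, and not its real vault format), the following builds a stand-in vault from PBKDF2-HMAC-SHA256 with an assumed salt and iteration count, then runs an offline dictionary attack over a constructed wordlist. The 100,100 figure is LastPass's default iteration count at the time of the 2022 breach; 600,000 is the current OWASP minimum for PBKDF2-SHA256. The cost estimator at the end is where the two levers meet: raising iterations buys a linear factor, while a longer random master password multiplies the keyspace.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Iteration counts: 100,100 was LastPass's PBKDF2 default at the time of the
# 2022 breach; 600,000 is the current OWASP minimum for PBKDF2-HMAC-SHA256.
ITER_LEGACY = 100_100
ITER_CURRENT = 600_000

# Constructed mini wordlist; a real attacker feeds billions of leaked passwords.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "Summer2022!", "dragon"]


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output, as used for vault-style key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Stand-in for a stolen vault blob: salt, iteration count and a key verifier.

    Real formats differ; this keeps only what an offline attack needs, which is
    any value that lets the attacker test a derived key without the server.
    """
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "verifier": derive_key(master_password, salt, iterations)}


def dictionary_attack(vault: Dict[str, object], wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline attack: the attacker holds the blob, so nothing throttles this loop.

    Returns (recovered password or None, number of guesses spent).
    """
    salt, iters, verifier = vault["salt"], vault["iterations"], vault["verifier"]
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(derive_key(guess, salt, iters), verifier):
            return guess, n
    return None, len(wordlist)


def seconds_to_exhaust(keyspace: int, iterations: int, sha256_per_second: float) -> float:
    """Rough time to try every candidate on hardware doing sha256_per_second
    HMAC-SHA256 operations. PBKDF2 cost is linear in the iteration count."""
    return keyspace * iterations / sha256_per_second


if __name__ == "__main__":
    weak = make_vault("Summer2022!", ITER_LEGACY)
    t0 = time.perf_counter()
    print(dictionary_attack(weak, WORDLIST))
    per_guess = (time.perf_counter() - t0) / len(WORDLIST)
    print(f"{per_guess * 1000:.1f} ms per guess on this CPU at {ITER_LEGACY} iterations")
    # Same wordlist against a random master password: nothing to find.
    strong = make_vault("9g!Vq2#Lx7Rd", ITER_CURRENT)
    print(dictionary_attack(strong, WORDLIST))
    # Assumed 1e9 HMAC-SHA256/s for a GPU rig: a million-word list at the
    # current iteration count still falls in minutes, so entropy, not
    # iterations alone, is what protects a vault that has already been stolen.
    print(seconds_to_exhaust(10**6, ITER_CURRENT, 1e9), "s for 1M candidates")
```

The demo prints its own timing rather than asserting on it; the estimator is the part to reason with, since wall-clock numbers depend entirely on the attacker's hardware. Rotating the credentials stored inside a stolen vault, as TRM advises, is the only remedy once the blob is out, because no change to the master password or iteration count reaches the copy the attacker already has.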

SEC Charges Crypto Firms Over $14M Investment Scam

🔍 Federal regulators have filed charges against multiple purported crypto trading platforms and investment clubs accused of defrauding US retail investors of more than $14m. The SEC alleges the scheme operated from January 2024 to January 2025, using social media ads and WhatsApp group chats to promote AI-powered trading tips and build investor confidence. Victims were directed to fund accounts on platforms including Morocoin Tech Corp., Berge Blockchain Technology Co. Ltd. and Cirkor Inc., where withdrawals were blocked and additional advance fees were requested.

Coordinated Fake Job Ads Target MENA Remote Workers

🔍 Group-IB has uncovered a coordinated campaign of professionally produced fake job ads targeting MENA remote workers, exploiting the region's shift to remote roles. Ads on Facebook, Instagram and TikTok impersonate banks, e-commerce platforms and government bodies, then move conversations to WhatsApp and Telegram to harvest personal and financial data. Scammers promise quick earnings, use localized language and currencies, and reuse scripts and fake sites to scale and evade detection. Individuals are advised to verify employers, avoid sharing sensitive information and report suspicious listings.

FBI Seizes Domain Hosting Stolen US Bank Credentials

🔒 The FBI has seized the domain web3adspanels.org and the backend database used to host thousands of stolen U.S. bank login credentials collected via phishing ads on Google and Bing. Authorities report confirmed financial losses of about $14.6 million and attempted losses near $28 million, affecting at least 19 victims including two companies in the Northern District of Georgia. The seizure, conducted with help from Estonian and other international partners, removed a server that was active as recently as November; no arrests have been announced.

Cybercriminals Recruiting Insiders in Finance, Telecom, Tech

🔒 Cyber criminals are increasingly recruiting insiders at banks, telecoms, and tech firms to obtain network and cloud access. Darknet adverts offer payouts ranging from $3,000 to $15,000 for account credentials or direct access, and threat actors target crypto exchanges, banks, and major cloud providers. Effective prevention requires employee education, enforced access controls, and active darknet monitoring.