< ciso
brief />
Tag Banner

All news with #token theft tag

49 articles · page 3 of 3

Microsoft Entra ID Flaw Could Allow Tenant-Wide Hijack

🔒 A critical token validation flaw in Microsoft Entra ID could permit full tenant compromise by abusing undocumented, unsigned actor tokens issued by a legacy Access Control Service. Researcher Dirk-jan Mollema showed that when paired with a vulnerability in the deprecated Azure AD Graph API (CVE-2025-55241) those tokens could impersonate any user — including Global Administrators — across tenants without leaving tenant logs. Microsoft confirmed a fix after the July report and later patched the CVE.
read more →

Entra ID Actor Token Flaw Lets Attackers Impersonate Admins

🔒 Researchers disclosed a max-severity vulnerability in Microsoft Entra ID that allowed attackers to request and reuse internal Actor tokens to impersonate any user, including Global Administrators, across tenants. The issue stemmed from a legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant impersonation without triggering MFA, Conditional Access, or audit logs. Microsoft patched the flaw, tracked as CVE-2025-55241, and rolled a global fix but experts warn that lack of historical visibility leaves uncertainty about past exploitation.
read more →

PyPI Invalidates Tokens Stolen in GhostAction Attack

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.
read more →

Webinar: Securing the Modern Web Edge from Browser Threats

🔒 On September 29 at 12:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring browser security experts from Push Security to examine how modern web browsers have become a primary enterprise attack surface. The session will cover malicious and shadow extensions, session token theft, OAuth abuse, and emerging ClickFix and FileFix techniques, plus mitigation strategies. Attendees will learn practical detection and response approaches to protect SaaS sessions, restore visibility at the web edge, and close gaps missed by traditional endpoint and identity controls.
read more →

Token Management Risks in the Third-Party Supply Chain

🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.
read more →

How Cybercriminals Bypass Logins Using Stolen Credentials

🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.
read more →

Salesloft token theft exposes wide-ranging integrations

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.
read more →

Salesloft Drift Supply-Chain Attacks Also Hit Google

🔒 Google and security vendors say the Salesloft Drift supply-chain campaign is broader than initially reported. Threat actors tracked as UNC6395 harvested OAuth tokens from the Salesloft Drift integration with Salesforce and also accessed a very small number of Google Workspace accounts. Organizations should treat any tokens connected to Drift as potentially compromised, revoke and rotate credentials, review third-party integrations, and investigate connected systems for signs of unauthorized access.
read more →

postMessage Risks: Token Exposure and Trust Boundaries

🔒 MSRC presents a deep dive into misconfigured postMessage handlers across Microsoft services and the systemic risk posed by overly permissive trust models. The report, authored by Jhilakshi Sharma on August 25, 2025, documents token exfiltration, XSS, and cross-tenant impact in real-world case studies including Bing Travel, web.kusto.windows.net, and Teams apps. It summarizes mitigations such as removing vulnerable packages, tightening Teams app manifests, enforcing strict origin checks for postMessage, and applying CSP constraints to reduce attack surface.
read more →