Last updated: July 5, 2026 at 9:01 AM UTC
Tag: account-takeover (7 articles)

FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts

The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account; because the key remains valid afterward, the access persists. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.

Check
High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
Affected
Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
Fix
Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.

Exposed database leaks 24 billion stolen credentials from infostealer logs

Cybernews researchers found an unprotected Elasticsearch database holding 24 billion records and over 8 terabytes of data, most of it infostealer logs: stolen usernames, passwords, and the services they unlock. The collection also pulls from Telegram channels and older breach dumps. Oddly, it included thousands of records tracking CVE vulnerabilities, breach news articles, and social-media posts about cyber incidents, with content as recent as 2026, suggesting the owner is actively curating and refreshing the stash with new leaks. The researchers could not determine how many records are duplicates, how old the data is, or who owns it.

Check
Check whether your email or domains appear in breach-tracking services, watch for credential-stuffing and account-takeover attempts, and look for infostealer infections on endpoints that could feed such collections.
Affected
Anyone whose credentials were captured by infostealer malware or exposed in past breaches; reused passwords are especially dangerous given the dataset's scale and the attacker's apparent effort to keep it current.
Fix
Reset reused passwords from clean devices, adopt a password manager with unique passwords, enable phishing-resistant MFA everywhere, and run endpoint scans to find and remove infostealer infections at the source.

French government messenger Tchap breached, hitting 73,000 public servants

France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.

Check
Review what your organization shares in unencrypted public or group chat channels, and scan scripts and config files for hardcoded credentials like the LDAP secret exposed in this breach.
Affected
Around 73,000 French public-sector Tchap accounts; data posted in unencrypted public chat rooms was exposed, while end-to-end-encrypted private conversations were not. The entry point was one hijacked account.
Fix
Enforce phishing-resistant MFA so single accounts cannot be hijacked, remove hardcoded credentials from scripts, treat public chat rooms as non-confidential, and monitor for bulk data access across collaboration platforms.

Instagram AI recovery flaw let attackers hijack 20,000 accounts

Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.

Check
Confirm two-factor authentication is enabled on your Instagram and other Meta accounts, and review login activity and linked email addresses for unauthorized changes since mid-April.
Affected
Instagram accounts (about 20,225 confirmed), particularly high-value or verified accounts without two-factor authentication, that could be reset through the flawed High Touch Support recovery tool.
Fix
Turn on two-factor authentication, review and remove unrecognized linked emails and active sessions, and reset your password. Meta has secured affected accounts and is patching the recovery flow.

Hackers social-engineer Meta's new AI account-recovery bot to hijack high-value Instagram handles; MFA-enabled accounts were unaffected

Krebs on Security reports that attackers social-engineered Meta's newly deployed conversational AI account-recovery assistant to hijack high-value, short Instagram handles allegedly worth over half a million dollars. Meta had rolled out the AI layer to reduce friction in common recovery workflows - relinking emails, triggering password resets, verifying ownership - that previously required weeks of back-and-forth with automated ticketing. Just as human support staff can be tricked into granting unauthorized access, the AI assistant proved equally eager to help and vulnerable to manipulation. Meta pushed an emergency patch over the weekend and says no back-end database was breached. Critically, the exploit failed against any account with MFA enabled.

Check
For high-value social accounts, enable phishing-resistant MFA (passkey or security key) now. Review whether any platforms you depend on use AI bots for sensitive account-recovery workflows.
Affected
High-value Instagram accounts without MFA. More broadly, any platform deploying AI chatbots for account recovery creates a social-engineerable attack surface, just like human support staff.
Fix
Enable the strongest MFA available - even SMS codes blocked this exploit. Treat AI-driven account-recovery flows as a new attack surface and require step-up verification for high-value account changes.

Google Chrome rolls out Device Bound Session Credentials to all users, binding cookies to TPM/Secure Enclave against theft

Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the hardware security chip - the TPM on Windows or the Secure Enclave on macOS. Because the key pair is generated inside the security chip and the private key never leaves it, stolen cookies become useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is only effective on sites that adopt the DBSC server-side protocol.

Check
Confirm managed Chrome fleets are updated to the DBSC-capable release. For your own web properties, evaluate adopting the server-side DBSC protocol to bind user sessions to device hardware.
Affected
Organizations relying on session cookies without device binding remain exposed to infostealer-driven account takeover that bypasses MFA. DBSC only protects sessions where both browser and server support it.
Fix
Roll out DBSC-capable Chrome via policy. Implement the DBSC server-side protocol on high-value web apps. Pair with phishing-resistant MFA and short session lifetimes for defense in depth.

Russia behind Signal phishing campaign that compromised Bundestag President Julia Klöckner - 300+ German officials affected

Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.

Check
Brief executives, board members, and political staff who use Signal that anyone messaging them claiming to be 'Signal support' is hostile - Signal never asks for codes by message.
Affected
Signal users in any role attractive to a state intelligence service: politicians, military, diplomats, defense contractors, investigative journalists, NGOs working on Russia or Ukraine, and the executives and assistants of all of the above. The attack works by tricking users into sharing codes - it does not exploit a Signal flaw.
Fix
Train high-risk staff that Signal will never ask for verification codes via message. Enable Signal's Registration Lock PIN. Periodically check Linked Devices and remove anything unfamiliar. Add detection for Signal phishing pages on perimeter URL filters and add Signal account-takeover scenarios to your tabletop catalogue.