The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.
Cybernews researchers found an unprotected Elasticsearch database holding 24 billion records and over 8 terabytes of data, most of it infostealer logs: stolen usernames, passwords, and the services they unlock. The collection also pulls from Telegram channels and older breach dumps. Oddly, it included thousands of records tracking CVE vulnerabilities, breach news articles, and social-media posts about cyber incidents, with content as recent as 2026, suggesting the owner is actively curating and refreshing the stash with new leaks. The researchers could not determine how many records are duplicates, how old the data is, or who owns it.
France's government messaging platform Tchap, the in-house, Matrix-based app that civil servants are required to use instead of WhatsApp or Signal, was breached after a threat actor hijacked a single user account, no software exploit needed. The cyber agency ANSSI detected it on June 7. Officials say data tied to about 73,000 accounts, roughly 9 percent of users, was exposed: the attacker scraped everything shared in public chat rooms, which are not encrypted, while private end-to-end conversations stayed protected. The haul includes over 13.5GB of documents and media plus hardcoded LDAP credentials leaked in a PowerShell script. Entry was via the education ministry's server.
Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.
Krebs on Security reports that attackers social-engineered Meta's newly deployed conversational AI account-recovery assistant to hijack high-value, short Instagram handles allegedly worth over half a million dollars. Meta had rolled out the AI layer to reduce friction in common recovery workflows - relinking emails, triggering password resets, verifying ownership - that previously required weeks of back-and-forth with automated ticketing. Just as human support staff can be tricked into granting unauthorized access, the AI assistant proved equally eager to help and vulnerable to manipulation. Meta pushed an emergency patch over the weekend and says no back-end database was breached. Critically, the exploit failed against any account with MFA enabled.
Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the hardware security chip - the TPM on Windows or the Secure Enclave on macOS. Because the key pair is generated inside the security chip and the private key never leaves it, stolen cookies become useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is most effective where sites adopt the DBSC server-side protocol.
Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.