Signal Encounters Social Engineering Waves, Not Encryption Breaches

Signal users in Germany targeted by Russian hackers using social engineering to take over accounts. No encryption was broken. Learn how to protect yourself.

#SignalHack, #SocialEngineering, #CyberSecurity, #RussiaHacking, #AccountTakeover

https://newsletter.tf/signal-account-takeover-social-engineering-russia/

Around 300 Signal accounts were targeted by Russian hackers, a significant number aiming to bypass security.

#SignalHack, #SocialEngineering, #CyberSecurity, #RussiaHacking, #AccountTakeover
https://newsletter.tf/signal-account-takeover-social-engineering-russia/


Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week.

Research blog: https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover?utm_source=twitter&utm_medium=social_organic

The technique abuses legitimate enterprise resources for account takeovers. It involves social engineering to trick a target into authorizing a malicious app on their enterprise email accounts.

It was first observed around 2020 but has grown in popularity over recent years due to the publication of criminal device code phishing tools and on-demand code generation.

Successful attacks can lead to:

• Full account takeover
• Theft of sensitive information
• Fraud and business email compromise
• Lateral movement within a compromised environment
• Ransomware

Our new research blog explores why adoption of this technique has surged over the past year, shows real campaign examples, and offers defense recommendations.

#socialengineering #accounttakeover #BEC #fraud

🚀 New Talk Confirmed for BSides Luxembourg 2026!

Leaky API Keys, Log Tampering, and Account Takeover – Aleksa Zatezalo

Modern cloud systems are highly secure in isolation, but real-world risk emerges at the seams — where services integrate. This talk explores how seemingly minor misconfigurations in logging pipelines, API integrations, and third-party services can quietly escalate into high-impact security breaches.

Through three real-world inspired vulnerability scenarios, the session demonstrates how leaked API keys from client-side logs, misconfigured S3 uploads, and insecure integrations (such as Supabase and financial data pipelines) can be chained into account takeover paths. The focus is on understanding the underlying anti-patterns rather than isolated bugs.

Attendees will leave with a structured framework to identify these cross-service weaknesses and practical remediation strategies that go beyond patching symptoms — targeting the architectural root causes that enable entire classes of exploitation.

Aleksa Zatezalo is a security engineer and software developer with experience in cloud security consulting, offensive security tooling, and contributions to Metasploit. He currently works at Praetorian and is OSCP-certified, pursuing OSCE3, with a strong focus on applied offensive security research.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://pretalx.com/bsidesluxembourg-2026/schedule/

📱 Want an easy way to follow the schedule?
Use Hacker Tracker: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #CloudSecurity #APIKeys #AccountTakeover #DevSecOps #CyberSecurity

One does not simply exfiltrate a reset token using an email array.

And yet, Frodo (Matei "Mal" Bădănoiu) and Samwise (Raul Bledea) from Pentest-Tools.com did exactly that in FuelCMS.

Know someone's email? That's enough. Slip your address alongside theirs in a “forgot password” request and the token lands in your inbox. Their account is yours. You shall not (safely) parse!🧙

Chain it with PTT-2025-026 and you're looking at a 9.8 Critical unauthenticated RCE. One array to rule them all! 💍

Full PoC here: https://pentest-tools.com/research

#offensivesecurity #vulnerabilityresearch #infosec #accounttakeover
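The "email array" bug above is a parameter-type problem: the reset flow accepts a list where it should accept one string, and then addresses the mail to what the client sent instead of what the account stores. The following is an added illustration written for this page, not Pentest-Tools.com's PoC or FuelCMS source: a hypothetical vulnerable handler next to a fixed one, with a constructed account store and an in-memory outbox so it runs offline.

```python
import secrets
from typing import Any

# Constructed account store keyed by the address on record (sample data, not FuelCMS).
ACCOUNTS = {
    "alice@example.com": {"id": 1, "email": "alice@example.com"},
}

# Constructed outbox so the example needs no mail server.
OUTBOX: list[tuple[str, str]] = []


def send_mail(to: str, body: str) -> None:
    OUTBOX.append((to, body))


def issue_reset_token() -> str:
    # Single-use, unguessable token; persisting and expiring it is the caller's job.
    return secrets.token_urlsafe(32)


def vulnerable_forgot_password(form: dict[str, Any]) -> list[str]:
    """Hypothetical vulnerable handler. Like PHP's $_POST, the form parser hands
    `email[]=...` through as a list, and the handler addresses the reset mail to
    every element. Returns the recipients that were mailed."""
    emails = form.get("email")
    if isinstance(emails, str):
        emails = [emails]
    if not emails:
        return []
    account = ACCOUNTS.get(emails[0])  # the lookup uses only the first address ...
    if account is None:
        return []
    token = issue_reset_token()
    for addr in emails:                 # ... but the token goes to all of them
        send_mail(addr, f"reset token: {token}")
    return list(emails)


def hardened_forgot_password(form: dict[str, Any]) -> list[str]:
    """Fixed handler: the field must be exactly one string, and the mail is sent
    to the address stored on the account, never to the value the client supplied."""
    email = form.get("email")
    if not isinstance(email, str):
        return []  # arrays, nested objects, None: rejected outright
    account = ACCOUNTS.get(email.strip().lower())
    if account is None:
        return []  # same outward response as success, so the form cannot enumerate accounts
    token = issue_reset_token()
    send_mail(account["email"], f"reset token: {token}")
    return [account["email"]]
```

Two controls do the work: the `isinstance(email, str)` check refuses the list shape outright, and the recipient is taken from the stored record rather than the request, so even a framework that silently coerces arrays cannot redirect the token. Rate limiting the endpoint per account and per source is the usual third control and is outside this snippet.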

How I Found a Critical IDOR Leading to Account Takeover in Two EdTech Platforms
The vulnerability was an Insecure Direct Object Reference (IDOR) in two EdTech platforms, allowing account takeover through user profile manipulation. The flaw resulted from improper input validation, leading to user profiles being accessible via URL parameters. By constructing carefully crafted URLs containing other users' IDs, the researcher accessed their profiles without proper authentication. The attack vector involved using Burp Suite's Intruder tool to automate IDOR requests, sending payloads with incremental user IDs. The mechanism revolved around the application trusting the provided IDs without verifying their ownership or performing proper authorization checks. This IDOR flaw enabled the researcher to impersonate other users, potentially causing serious account takeovers. The researcher did not disclose specific bounty amounts or program responses. Proper mitigation requires implementing strict input validation and enforcing proper access control checks. Key lesson: Always validate user inputs and enforce proper access control to prevent unauthorized data access. #BugBounty #Cybersecurity #WebSecurity #IDOR #AccountTakeover #InputValidation

https://medium.com/@impyhacker/how-i-found-a-critical-idor-leading-to-account-takeover-in-two-edtech-platforms-44439a66ceb3?source=rss------bug_bounty-5
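The summary above names the root cause (the application trusts the ID in the URL without checking ownership) and the fix (an authorization check). As an added example that is not code from the write-up or from either platform, here is a minimal profile endpoint in both forms, with constructed sample profiles and a regression check that sweeps a range of IDs the way the described Intruder run did and counts how many other users' profiles come back; a correctly authorized handler returns zero.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    """Identity established server-side at login (hypothetical shape)."""
    user_id: int
    role: str = "student"


# Constructed sample data, not from either platform in the write-up.
PROFILES = {
    101: {"name": "Alice", "email": "alice@example.com"},
    102: {"name": "Bob", "email": "bob@example.com"},
    103: {"name": "Carol", "email": "carol@example.com"},
}


class Forbidden(Exception):
    """Caller is authenticated (or not) but not authorized for this object."""


def vulnerable_get_profile(session: Optional[Session], user_id: int) -> dict:
    """Hypothetical vulnerable handler: it verifies that *someone* is logged in,
    then returns whichever profile the URL parameter names."""
    if session is None:
        raise Forbidden("login required")
    return PROFILES[user_id]


def hardened_get_profile(session: Optional[Session], user_id: int) -> dict:
    """Same endpoint with an ownership check: the identifier taken from the
    request is compared against the identity the session already proves."""
    if session is None:
        raise Forbidden("login required")
    # Authorize before looking the object up, so a 403 does not reveal which IDs exist.
    if user_id != session.user_id and session.role != "admin":
        raise Forbidden(f"profile {user_id} is not owned by user {session.user_id}")
    return PROFILES[user_id]


Handler = Callable[[Optional[Session], int], dict]


def foreign_profiles_readable(handler: Handler, session: Session, candidate_ids: range) -> int:
    """Regression check for the fix: count profiles belonging to other users
    that `handler` returns to `session` across a sweep of candidate IDs."""
    leaked = 0
    for uid in candidate_ids:
        if uid == session.user_id:
            continue
        try:
            handler(session, uid)
        except (Forbidden, KeyError):
            continue
        leaked += 1
    return leaked
```

The ordering inside `hardened_get_profile` matters: the ownership comparison runs before the dictionary lookup, so a non-owner gets the same refusal whether or not the ID exists. The sweep helper is meant to live in the application's test suite, where it fails the build if an endpoint ever regresses to the unchecked form.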


XSS Bypass to Zero Click Account Takeover in AI Chatbot
This vulnerability involves an XSS attack that leads to a zero-click account takeover in an AI chatbot. The application failed to sanitize user input when rendering messages, allowing the injection of malicious JavaScript. By exploiting this flaw, the attacker crafted a payload that overwrote the account token (JSESSIONID) with a malicious cookie, thereby gaining access to the victim's account without clicking any links or performing any further actions. The chatbot did not enforce any Content Security Policy (CSP), making it vulnerable to such attacks. The researcher received a $5,000 bounty for discovering and reporting this critical vulnerability. To prevent similar attacks, enforce strict CSP policies, validate user input, and ensure proper input sanitization. Key lesson: Never trust user input blindly, especially in critical areas like session tokens. #BugBounty #Cybersecurity #WebSecurity #XSS #AccountTakeover

https://infosecwriteups.com/xss-bypass-to-zero-click-account-takeover-in-ai-chatbot-a19acee8266f?source=rss------bug_bounty-5
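The summary lists three controls for this class of bug: escape user input when rendering it, ship a Content Security Policy, and protect the session cookie. As an added example (not the write-up's code or the chatbot's) the snippet below shows each in a small server-side helper, using only the Python standard library; the cookie name and the CSP directives are choices made for this example.

```python
import html
import secrets
from http.cookies import SimpleCookie


def render_message(user_text: str) -> str:
    """Escape a chat message before interpolating it into HTML so any tags or
    event handlers in it are rendered as inert text. quote=True also neutralizes
    quotes, which matters if the same value ever lands in an attribute."""
    return f'<div class="msg">{html.escape(user_text, quote=True)}</div>'


def new_nonce() -> str:
    # Fresh per response; the same value must be placed on every legitimate <script>.
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> dict[str, str]:
    """Nonce-based CSP: only scripts carrying this response's nonce execute, so an
    injected <script> or inline handler is blocked even where escaping is missed."""
    csp = (
        f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )
    return {
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(token: str) -> str:
    """Set-Cookie value for the session. HttpOnly keeps the cookie out of reach of
    document.cookie (scripts can neither read nor overwrite it), Secure and the
    __Host- prefix pin it to HTTPS, host-only and Path=/, SameSite limits
    cross-site sends."""
    jar = SimpleCookie()
    name = "__Host-SESSION"  # example cookie name, not the chatbot's JSESSIONID
    jar[name] = token
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def respond(user_text: str, session_token: str) -> tuple[str, dict[str, str]]:
    """Assemble body and headers for one chat message the way a handler would."""
    nonce = new_nonce()
    headers = security_headers(nonce)
    headers["Set-Cookie"] = session_cookie(session_token)
    return render_message(user_text), headers
```

Escaping fixes the injection point the write-up describes; the CSP and cookie flags are defence in depth for the next injection point nobody has found yet. Regenerating the session token at login (so a token planted before authentication is never promoted to a logged-in session) completes the picture and is a one-line change in most frameworks.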


Operational Summary:
Jurisdiction: Poland / Germany
Target Platform: Facebook
Impact: 100,000+ credentials seized
Suspects Charged: 11
Alleged Crimes: 400+

Tactics Observed:
• Fake news portal infrastructure
• Credential harvesting via spoofed login forms
• Account takeover operations
• Fraud leveraging payment systems (BLIK referenced)
• Money laundering

Strategic lesson:
Phishing + credential reuse + weak authentication continues to scale across borders.

Mitigation priorities:
• Phishing-resistant MFA
• FIDO2 / hardware keys
• Domain monitoring & takedown speed
• User education + anomaly detection

Source: https://the420.in/poland-cybercrime-bureau-facebook-phishing-100k-logins-germany-case/

Follow @technadu for threat intelligence updates.

Add your technical mitigation strategies below.

#Infosec #ThreatIntel #Phishing #AccountTakeover #FacebookSecurity #FraudPrevention #MFA #Cybercrime #SecurityOperations #EUCyber #TechNadu

“Starkiller” phishing service proxies real login pages and relays MFA in real time.
Targets include brands like Microsoft and Google.

Result:
Passwords captured.
MFA intercepted.
Session cookies stolen.
Reported by Abnormal AI.

Phishing is evolving into enterprise-grade tooling.

Source: https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

Are passkeys the only sustainable defense?
Follow @technadu for independent cybersecurity reporting.

Join the discussion below.

#CyberSecurity #Phishing #MFA #AccountTakeover #ZeroTrust #Infosec #DigitalIdentity #ThreatIntel