In 2026 stolen credentials and unmanaged machine identities drive breaches—small buys, phone scams, and weak IAM make identity the real perimeter; prioritize inventory, least privilege, and stronger auth.
A 149M-credential breach shows why encryption alone isn’t enough. Infostealer malware bypasses cloud security by stealing passwords at the endpoint—where encryption offers no protection.
Security researchers from LayerX discovered 16 malicious Chrome extensions created by the same threat actor designed to intercept users' interaction with ChatGPT chatbots and steal their account credentials, the latest instance in a growing trend.
The U.S. Department of Justice has announced a major disruption of a bank account takeover fraud operation that led to more than $28 million in unauthorized bank transfers from victims across the United States. Federal authorities seized a web domain and its supporting database that played a central role in helping criminals steal bank login details and drain victim accounts.
The seized domain, web3adspanels.org, was used as a backend control panel to store and manage stolen login credentials. According to investigators, the domain supported an organized scheme that targeted Americans through advanced impersonation scams and phishing advertisements designed to look like legitimate bank services.
How the Bank Account Takeover Fraud Worked
Court documents reveal that the criminal group relied heavily on fraudulent search engine advertisements. These phishing advertisements appeared on popular platforms such as Google and Bing and closely mimicked sponsored ads from real financial institutions.
Image source: https://www.justice.gov/
When users clicked on these fraudulent search ads, they believed they were visiting their bank’s official website. In reality, they were redirected to fake bank websites controlled by the attackers. Once victims entered their usernames and passwords, malicious software embedded in the fake pages captured those details in real time.
The stolen login credentials were then used to access legitimate bank accounts. From there, the criminals initiated unauthorized bank transfers, effectively draining funds before victims realized their accounts had been compromised.
Investigators confirmed that the seized domain continued hosting stolen credentials and backend infrastructure as recently as November 2025.
Financial Impact and Victims Identified
So far, the FBI has identified at least 19 confirmed victims across multiple U.S. states. This includes two businesses located in the Northern District of Georgia. The scheme resulted in attempted losses of approximately $28 million, with actual confirmed losses reaching around $14.6 million.
The server linked to the seized domain contained thousands of stolen login credentials, suggesting that the total number of affected individuals and organizations could be significantly higher. Authorities believe the web domain seizure has cut off the criminals’ ability to access and exploit this sensitive data.
Rising Threat Highlighted by FBI IC3 Data
Since January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to bank account takeover fraud. Reported losses from these incidents now exceed $262 million nationwide.
In response, the FBI has issued public warnings urging individuals and businesses to remain vigilant. Recommended steps include closely monitoring financial accounts, using saved bookmarks instead of search engine links to access banking websites, and staying alert for impersonation scams and phishing attempts.
International Cooperation and Ongoing Investigation
The investigation is being led by the FBI Atlanta Field Office, with prosecutors from the U.S. Attorney’s Office for the Northern District of Georgia and the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS). International partners played a critical role, including law enforcement agencies from Estonia and Georgia.
Estonian authorities preserved and collected key evidence from servers hosting the phishing pages and stolen login credentials. The Department of Justice’s Office of International Affairs also provided substantial assistance, highlighting the importance of cross-border cooperation in tackling cybercrime.
Since 2020, CCIPS has secured convictions against more than 180 cybercriminals and obtained court orders returning over $350 million to victims. Officials say the seizure of web3adspanels.org represents another important step in disrupting global cyber fraud networks and protecting victims from future financial harm.
Google has released an update for its Chrome browser that includes 13 security fixes, four of which are classified as high severity. One of these was found in Chrome’s Digital Credentials feature–a tool that lets you share verified information from your digital wallet with websites so you can prove who you are across devices.
Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.
That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting the browser as updates usually fix exactly this kind of risk.
How to update Chrome
The latest version number is 143.0.7499.40/.41 for Windows and macOS, and 143.0.7499.40 for Linux. So, if your Chrome is on version 143.0.7499.40 or later, it’s protected from these vulnerabilities.
The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.
To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.
One of the vulnerabilities was found in the Digital Credentials feature and is tracked as CVE-2025-13633. As usual Google is keeping the details sparse until most users have updated. The description says:
Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
That sounds complicated so let’s break it down.
Use after free (UAF) is a specific type of software vulnerability where a program keeps using a pointer to a block of memory after that block has been freed. Because the allocator can hand the same block to someone else in the meantime, the stale pointer may now read or write data the attacker controls. That can lead to crashes or, in some cases, let an attacker run their own code.
The renderer process is the part of modern browsers like Chrome that turns HTML, CSS, and JavaScript into the visible webpage you see in a tab. It’s sandboxed for safety, separate from the browser’s main “browser process” that manages tabs, URLs, and network requests. So, for HTML pages, this is essentially the browser’s webpage display engine.
The heap is an area of memory that the program hands out at runtime: when code needs a block of some size, it asks the allocator for one, and when it is done it frees the block so the allocator can reuse it. Heap corruption means an attacker has managed to damage or overwrite the allocator's bookkeeping or a neighboring object, which is the usual stepping stone from a UAF to code execution.
A “remote attacker who had compromised the renderer” means the attacker would already need a foothold (for example, via a malicious browser extension) and then lure you to a site containing specially crafted HTML code.
So, my guess is that this vulnerability could be abused by a malicious extension to steal the information handled through Digital Credentials. The attacker could access information normally requiring a passkey, making it a tempting target for anyone trying to steal sensitive information.
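To make the freed-then-reallocated pattern behind a UAF concrete, here is an added example in C. It is not Chrome code and not a reproduction of CVE-2025-13633; it uses a toy four-slot allocator (a constructed stand-in for a real heap) so the sequence is deterministic. The handle type, the generation counter and the string contents are all assumptions for illustration; the generation check is a simplified lifetime check, not a description of how Chrome mitigates this class of bug.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4
#define SLOT_SIZE 16

/* Toy fixed-slot heap (constructed for this example, not Chrome's allocator). */
static char     slab[SLOTS][SLOT_SIZE];
static int      in_use[SLOTS];
static unsigned generation[SLOTS];   /* bumped every time a slot is freed */

/* What a caller holds: the slot plus the generation it was allocated in. */
typedef struct { int slot; unsigned gen; } handle_t;

handle_t heap_alloc(const char *data) {
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(slab[i], 0, SLOT_SIZE);
            strncpy(slab[i], data, SLOT_SIZE - 1);
            return (handle_t){ i, generation[i] };
        }
    }
    return (handle_t){ -1, 0 };
}

/* Like free(): the slot becomes reusable. The bytes are not scrubbed. */
void heap_free(handle_t h) {
    in_use[h.slot] = 0;
    generation[h.slot]++;
}

/* Raw-pointer semantics: no lifetime check at all. */
const char *read_unchecked(handle_t h) {
    return slab[h.slot];
}

/* Checked access: refuse if the slot was freed (and possibly reused) since
 * this handle was issued. */
const char *read_checked(handle_t h) {
    if (h.slot < 0 || !in_use[h.slot] || generation[h.slot] != h.gen)
        return NULL;
    return slab[h.slot];
}

/* The UAF shape: an object is freed, attacker-controlled data is allocated
 * into the same slot, and the stale reference now reads the attacker's bytes. */
const char *uaf_unchecked(void) {
    memset(in_use, 0, sizeof in_use);
    handle_t victim = heap_alloc("wallet-cred");     /* constructed sample data */
    heap_free(victim);                                /* object's lifetime ends */
    handle_t attacker = heap_alloc("attacker-data"); /* lands in the same slot */
    (void)attacker;
    return read_unchecked(victim);                    /* stale handle reads "attacker-data" */
}

/* Same sequence through the checked accessor: the stale handle is rejected. */
const char *uaf_checked(void) {
    memset(in_use, 0, sizeof in_use);
    handle_t victim = heap_alloc("wallet-cred");
    heap_free(victim);
    handle_t attacker = heap_alloc("attacker-data");
    (void)attacker;
    return read_checked(victim);                      /* NULL: generation mismatch */
}

int main(void) {
    printf("unchecked read after free: %s\n", uaf_unchecked());
    const char *c = uaf_checked();
    printf("checked read after free:   %s\n", c ? c : "(stale reference rejected)");
    return 0;
}
```

The unchecked path is exactly why a compromised renderer is a useful starting point: if it can trigger the free and then control what gets allocated into the hole, the code still holding the old reference operates on attacker-chosen bytes. Real allocators and browsers use far more elaborate defenses than a generation counter, but the principle of refusing to dereference a reference whose object is gone is the same.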
Some of the fixes also apply to other Chromium browsers, so if you use Brave, Edge, or Opera, for example, you should keep an eye out for updates there too.
Platforms that developers use to format their input unintentionally share “thousands” of secrets, according to new research.
Researchers from watchTowr captured a dataset of more than 80,000 saved pieces of JSON from code formatting tools JSONFormatter and CodeBeautify and parsed the dataset to discover “thousands of secrets” such as Active Directory and AWS credentials, authentication and API keys, and more.
In typical watchTowr snark, the researchers noted, “it went exactly as badly as you might expect.”
Code Formatting Tools Create Shareable Links
In a post titled, “Stop Putting Your Passwords Into Random Websites,” the researchers noted that users of the code formatting tools can create “a semi-permanent, shareable link to whatever you just formatted.”
“[I]t is fairly apparent that the word ‘SAVE’ and being given a shareable link was not enough to help most users understand that, indeed yes, the content is saved and the URL is shareable - enabling anyone to recover your data when armed with the URL,” the researchers wrote.
Those links follow common, intuitive formats, they said, and JSONformatter and CodeBeautify also have “Recent Links” pages that allow a random user to browse all saved content and associated links, along with the titles, descriptions, and dates.
“This makes extraction trivial - because we can behave like a real user using legitimate functionality,” the researchers said. “For every provided link on a Recent Links page, we extracted the id value, and requested the contents from the /service/getDataFromID endpoint to transform it into the raw content we’re really after.”
Data Shared by Code Formatting Tools
Among the sensitive data found by the researchers were credentials for Docker Hub, JFrog, Grafana and Amazon RDS for a “Data-lake-as-a-service” provider.
A cybersecurity company “had actually pasted a bunch of encrypted credentials for a very sensitive configuration file ... to this random website on the Internet.”
A financial services company had uploaded sensitive “know your customer” (KYC) data.
A consultancy leaked GitHub tokens, hardcoded credentials, and URLs pointed at delivery-related files on GitHub. In the process of uploading an entire configuration file for a tool, “a GitHub token was disclosed that, based on the configuration file, we infer (guess) had permissions to read/write to files and folders on the main consultancy organization’s account.”
An MSSP employee uploaded an onboarding email “complete with Active Directory credentials ... they also included a second set: credentials for the MSSP’s largest, most heavily advertised client - a U.S. bank.”
A “major financial exchange” leaked production AWS credentials “directly associated with Splunk SOAR automation at a major international stock exchange.”
“[W]e realised we’d found a Splunk SOAR playbook export,” the researchers said. “Embedded in that export were credentials to an S3 bucket containing detection logic and automation logs - essentially the brain powering parts of an incident-response pipeline.
“This was not your average organization, but a truly tier-0 target in-scope of the most motivated and determined threat actors, who would absolutely capitalize on being able to leverage any ability to blind or damage security automation. We promptly disclosed them to the affected stock exchange for remediation.”
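The finds above (AWS keys, GitHub tokens, connection strings with embedded passwords, configuration exports) are all things a simple scanner can catch before a blob ever reaches a paste site. The following is an added example, not watchTowr's tooling and not the extraction script the post describes: it runs a format-specific regex pass and a structural pass over a JSON document and reports what looks like a secret. The sample document is constructed; the AWS key pair in it is the example pair AWS publishes in its own documentation, and every other value is made up.

```python
import json
import math
import re

# Prefix patterns for credential types with a documented, recognisable format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "url_embedded_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
# JSON keys whose string values deserve a look even when the value has no telltale prefix.
SENSITIVE_KEY = re.compile(r"passw(?:or)?d|secret|token|api[_-]?key|access[_-]?key", re.I)

# Constructed sample resembling a tool config/export; AKIA...EXAMPLE is AWS's published example key.
SAMPLE = json.dumps({
    "name": "soar-export",
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "github": {"token": "ghp_0123456789abcdefghijABCDEFGHIJ012345"},
    "rds_url": "postgres://app:Sup3rS3cret@db.internal.example:5432/prod",
    "region": "us-east-1",
    "retries": 3,
})


def shannon_entropy(s: str) -> float:
    """Bits per character: random 40-char secrets sit around 4-5, English words nearer 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    """Never echo the full secret into a report; a prefix and length is enough to triage."""
    return f"{s[:4]}...({len(s)} chars)"


def walk(obj, path="$"):
    """Yield (json_path, leaf_value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def scan(text: str) -> list:
    findings, seen = [], set()
    # Pass 1: pattern match over the raw text, so it works even if the blob is not valid JSON.
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            seen.add(m.group(0))
            findings.append({"type": name, "path": None, "preview": redact(m.group(0))})
    # Pass 2: walk the parsed JSON and flag string values under suspicious keys.
    try:
        doc = json.loads(text)
    except ValueError:
        return findings
    for path, val in walk(doc):
        key = path.rsplit(".", 1)[-1]
        if isinstance(val, str) and val and SENSITIVE_KEY.search(key) and val not in seen:
            seen.add(val)
            findings.append({
                "type": "sensitive_key_value",
                "path": path,
                "entropy": round(shannon_entropy(val), 2),
                "preview": redact(val),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

On the sample this reports the access key ID, the GitHub token and the credential-bearing connection string from the pattern pass, and the AWS secret key (no fixed prefix, but a high-entropy value under a key named `aws_secret_access_key`) from the structural pass. The same two passes are what a pre-commit hook or a clipboard guard would run; the point of the entropy figure is to separate a real secret from a placeholder like `changeme` sitting under the same key.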
Researchers Set Up Test Credentials
To make sure that they weren’t the only ones accessing the data, watchTowr set up test credentials with a 24-hour expiry.
“[I]f the credentials were used after the 24-hour expiry, it would indicate that someone had stored the upload from the ‘Recent Links’ page before expiry and used it after it had technically expired,” they said. Sure enough, someone started poking around the test datasets a day after the link had expired and the “saved” content was removed.
watchTowr told The Cyber Express that if a user chooses to “save” their content, it remains accessible for the duration they configured. "And because most users never set a short — or any — expiry period, that data often sat exposed far longer than they realized," watchTowr said. "Once the configured window passed, the links did technically expire and should no longer have been reachable. But the core issue is that the vast majority of users left content saved indefinitely, creating long-tail exposure that attackers could easily abuse."
The researchers concluded: “We’re not alone - someone else is already scraping these sources for credentials, and actively testing them.”
Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people’s credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening.
I feel like this kind of thing is happening everywhere, with everything. As we move more of our personal and professional lives online, we enable criminals to subvert the very systems we rely on.