News

Esta semana trajo varios incidentes importantes, y todos apuntan en la misma dirección. La escala del compromiso de credenciales sigue batiendo récords. FortiBleed: 86.000 dispositivos en 194 países. La filtración de Elasticsearch: 24 mil millones de registros de decenas de fuentes. HIBP añadió 124 millones de contraseñas robadas por infostealers en el momento de uso. Estos datos ya están en circulación.

• Dos métodos de ataque recibieron confirmación concreta esta semana. Los atacantes cada vez más evitan las contraseñas por completo: la brecha de Klue comenzó con una cuenta de servicio olvidada y terminó con tokens OAuth robados — sin introducir ninguna contraseña en ningún momento.
• Los agentes de IA se han convertido en un vector de ataque independiente: un repositorio de prueba de código envenenado permitió a un atacante exfiltrar credenciales de AWS desde la estación de trabajo de un desarrollador en 111 segundos, sin generar alertas en el endpoint.
• La presión regulatoria avanza en dos frentes. En Europa, el Consejo de Europa y la plataforma gubernamental francesa Tchap fueron vulnerados, la autoridad italiana Garante multó a una empresa por almacenar contraseñas en texto plano, y se publicaron nuevas plantillas de notificación de incidentes del EDPB y NIS2 — todo en una sola semana.
• En EE. UU., el presidente Trump firmó dos órdenes ejecutivas estableciendo plazos federales estrictos para la migración a criptografía poscuántica, señalando que la ventana de preparación es más corta de lo que la mayoría de las organizaciones habían asumido.

Este resumen cubre los 14 eventos más significativos del 15 al 22 de junio de 2026.

EE. UU. establece plazos federales para la migración a criptografía poscuántica (PQC)

El 22 de junio de 2026, el presidente Trump firmó dos órdenes ejecutivas sobre tecnología cuántica. La orden ejecutiva «Securing the Nation Against Advanced Cryptographic Attacks» requiere que las agencias federales designen un responsable de migración PQC, transicionen los activos de alto valor a criptografía poscuántica para 2030 y completen la migración total para 2031.

Una segunda orden dirige el desarrollo de un ordenador cuántico tolerante a fallos para 2028. Ambas órdenes citan los ataques «harvest now, decrypt later» como el principal factor de amenaza — adversarios recopilando datos cifrados hoy para descifrarlos en el futuro. Barron's informa que algunos analistas sitúan la capacidad viable de descifrado cuántico tan pronto como 2029.

Por qué es importante: Los plazos federales de 2030-2031 no permanecerán dentro del gobierno. Los contratos de adquisición y la regulación sectorial específica tienden a seguir el precedente federal, por lo que cualquier organización que interactúe con infraestructura gubernamental u opere en una industria regulada debería tratar esto como una señal temprana. El punto de partida práctico es saber qué se tiene: qué sistemas dependen de RSA o ECC, dónde residen realmente las claves criptográficas y los certificados, y quién los controla.

Fuente: Reuters / White House — 22 jun 2026

FortiBleed: Más de 86.000 credenciales de dispositivos Fortinet comprometidas en 194 países

Una campaña de robo de credenciales a gran escala ha compilado una base de datos verificada de más de 86.644 credenciales funcionales para firewalls FortiGate de Fortinet y dispositivos SSL VPN expuestos a internet — aproximadamente el 50% de todos esos dispositivos expuestos a internet. La campaña incluyó interceptación de autenticación SSL VPN, descifrado de hashes en un clúster de 45 GPU y pivoteo en Active Directory.

Los atacantes ejecutaron aproximadamente 1.160 millones de intentos de credenciales contra más de 320.000 objetivos FortiGate. CISA emitió un aviso urgente el 18 de junio de 2026, requiriendo que las organizaciones terminen las sesiones activas, restablezcan todas las credenciales, habiliten MFA resistente al phishing y apliquen hash de contraseñas PBKDF2 para cuentas de administrador. Huntress confirmó que 845 organizaciones asociadas fueron directamente afectadas.

Por qué es importante: Las organizaciones que parchearon las vulnerabilidades de Fortinet pero nunca rotaron las credenciales permanecen completamente expuestas. Este es el evento de seguridad de credenciales definitorio de la semana. Cualquier organización con infraestructura Fortinet expuesta a internet debería tratar esto como un incidente activo que requiere rotación inmediata de credenciales — no como una tarea de mantenimiento programada.

Fuente: SecurityWeek — 19 jun 2026

24 mil millones de credenciales robadas expuestas en una filtración colosal de Elasticsearch

Investigadores de Cybernews descubrieron un clúster de Elasticsearch públicamente accesible que contenía 24 mil millones de registros de credenciales robadas en 8,3 terabytes de datos, extraídos de 36 fuentes distintas incluyendo registros de malware infostealer, canales de cibercrimen en Telegram y compilaciones de brechas. Más de 1.700 millones de registros se originaron en canales de Telegram.

Críticamente, el clúster también contenía aproximadamente 9.500 registros CVE vinculados a repositorios activos de GitHub — evidencia de que el operador estaba construyendo un pipeline de priorización de ataques para cruzar referencias de vulnerabilidades explotables con credenciales robadas disponibles. La base de datos ha sido desconectada, pero las credenciales permanecen en circulación activa.

Por qué es importante: El pipeline de ataque enriquecido con CVE cambia el cálculo de riesgo: rotar credenciales después de una brecha puede ser demasiado tarde si un atacante ya sabe qué servicios sin parchear desbloquean. Los registros frescos de infostealer también contienen cookies de sesión activas que evitan el MFA por completo. Las credenciales únicas por servicio siguen siendo la defensa estructural principal.

Fuente: Cybernews — 17 jun 2026

124 millones de contraseñas únicas de infostealer añadidas a Have I Been Pwned

El 15 de junio de 2026, Have I Been Pwned (HIBP) incorporó 56,3 millones de direcciones de correo electrónico únicas y 124 millones de contraseñas únicas provenientes de registros de malware infostealer. A diferencia de los datos de brechas tradicionales, estas credenciales fueron robadas directamente de los dispositivos de las víctimas en el momento de uso — lo que significa que son actuales y no han sido rotadas. El conjunto de datos ahora es consultable a través de la API de Pwned Passwords, que está integrada en numerosos gestores de contraseñas empresariales y plataformas de identidad.

Por qué es importante: Las organizaciones que utilizan gestores de contraseñas con integración HIBP ahora verán alertas para un grupo sustancialmente mayor de credenciales en riesgo. El peligro aquí es la frescura: los empleados que no han cambiado sus contraseñas desde que su dispositivo fue infectado permanecen completamente expuestos. Este es un impulso directo para ejecutar una auditoría de credenciales comprometidas en toda su organización.

Fuente: Have I Been Pwned — 15 jun 2026

Ataque a la cadena de suministro SaaS de Klue: Tokens OAuth robados, datos CRM exfiltrados de múltiples proveedores de seguridad

Un nuevo grupo de extorsión llamado Icarus (activo desde abril de 2026) obtuvo acceso inicial a la plataforma de inteligencia de mercado Klue a través de una credencial heredada comprometida asociada con una cuenta de servicio de integración abandonada. Los atacantes luego robaron tokens OAuth utilizados por los clientes de Klue para conectarse a Salesforce y Gong, y ejecutaron scripts automatizados contra la REST API de Salesforce durante hasta 24 horas de extracción masiva de datos CRM.

Las víctimas confirmadas incluyen Huntress, Recorded Future, Tanium, Gong, Sprout Social, Jamf e Insurity. Salesforce deshabilitó la integración de Klue.

Por qué es importante: Una credencial de cuenta de servicio heredada olvidada fue el vector de acceso inicial. Una vez dentro, el atacante no necesitó contraseñas ni códigos MFA — el token OAuth robado era la identidad desde la perspectiva de Salesforce. El ataque se ejecutó sin ser detectado durante 24 horas. Las credenciales de cuentas de servicio y las integraciones OAuth de terceros merecen la misma disciplina de monitoreo que las cuentas de empleados.

Fuente: The Hacker News — 19 jun 2026

Más de 1.230 claves API y tokens JWT codificados encontrados en archivos de instrucciones de agentes IA en más de 7.000 repositorios públicos

Mitiga Labs escaneó más de 50.000 archivos de instrucciones de IA (reglas de Cursor, CLAUDE.md, configuraciones MCP, archivos de cerebro de agentes) en más de 7.000 repositorios públicos de GitHub y encontró más de 1.230 claves API y tokens JWT codificados en servicios que incluyen Anthropic Claude, OpenAI GPT-5, Google Gemini, Databricks, Supabase, Vercel y Google Cloud Storage.

Por separado, GitGuardian informó que 28,65 millones de secretos fueron filtrados en GitHub público en 2025 (un aumento interanual del 34%) con filtraciones de servicios de IA aumentando un 81%.

Por qué es importante: Los archivos de configuración de agentes de IA se están convirtiendo en un vector principal para la exposición de credenciales codificadas. Estos archivos son frecuentemente creados por usuarios sin conciencia de seguridad — product managers, investigadores, fundadores — que no aplican las prácticas estándar de higiene de secretos. Las políticas de escaneo de secretos de la mayoría de las organizaciones aún no cubren archivos de instrucciones, configuraciones MCP y archivos de contexto de agentes. Deberían hacerlo.

Fuente: Mitiga Labs — 15 jun 2026

Una prueba de código envenenada causa que un agente IA robe credenciales de AWS en menos de 2 minutos

Mitiga documentó un ataque del mundo real en el que un repositorio falso de evaluación de código para llevar a casa contenía instrucciones ocultas en archivos .cursor/rules, README.md y CLAUDE.md. Cuando un desarrollador abrió el repositorio en Cursor con la ejecución automática habilitada, el agente de codificación IA ejecutó de forma autónoma cat ~/.aws/credentials, aws sts get-caller-identity, cat ~/.kube/config, terraform state list y un grep de secretos — luego exfiltró todos los datos recopilados a un endpoint controlado por el atacante a través de una llamada de herramienta MCP envenenada. Toda la cadena se completó en 1 minuto y 51 segundos. No se instaló malware; no se generaron alertas en el endpoint.

Por qué es importante: Las credenciales de nube de larga duración almacenadas en estaciones de trabajo de desarrolladores son ahora un objetivo principal para ataques mediados por agentes IA. Cada acción fue realizada por una herramienta legítima usando comandos legítimos — ningún control de endpoint se activó. La mitigación principal es reemplazar las credenciales de larga duración con tokens OIDC de corta duración y autenticación federada.

Fuente: Mitiga Labs — 19 jun 2026

ShinyHunters reclama la brecha del Consejo de Europa: 297 GB de registros de RRHH, nóminas y médicos expuestos

El colectivo hacker ShinyHunters reclamó la responsabilidad de una brecha en el Consejo de Europa, alegando el robo de 297 GB de datos que comprenden más de 429.000 archivos — incluyendo 409.000 nóminas que cubren más de 10.000 empleados durante 15 años, 14.000 CVs, 3.700 expedientes de personal y registros sensibles incluyendo direcciones domiciliarias, salarios, datos bancarios, información fiscal y registros médicos. A fecha del 21 de junio de 2026, ShinyHunters publicó los datos de forma permanente después de que el Consejo de Europa no respondiera a las demandas de rescate.

Por qué es importante: Los registros expuestos crean vectores efectivos de spear-phishing contra una institución sensible. ShinyHunters ahora ha reclamado la Comisión Europea (marzo de 2026), el Consejo de Europa (junio de 2026) y la teleco holandesa Odido (febrero de 2026) en un solo año. Los equipos de seguridad europeos deberían tratar esto como una campaña de ataque sostenida, no como incidentes aislados.

Fuente: Cybernews — 15 jun 2026

La plataforma de mensajería gubernamental francesa Tchap vulnerada: 73.467 cuentas de funcionarios comprometidas

La plataforma soberana de mensajería gubernamental de Francia, Tchap (utilizada por más de 825.000 empleados gubernamentales), fue vulnerada el 7 de junio de 2026 por un actor de amenazas autodenominado «misere». DINUM confirmó que 73.467 cuentas gubernamentales fueron afectadas, con datos expuestos que incluyen nombres, direcciones de correo electrónico y entidades gubernamentales afiliadas.

El actor de amenazas además afirma haber robado 13,5 GB de archivos incluyendo más de 643.000 mensajes. Se cree que el vector de ataque involucra el secuestro de cuentas, posiblemente a través de credenciales obtenidas de registros de stealer.

Por qué es importante: La brecha ilustra cómo el compromiso de credenciales (potencialmente a través de registros de stealer) puede ser utilizado como arma contra la infraestructura de comunicación gubernamental soberana a escala. Los expertos en seguridad señalaron que el ataque puede no haber requerido zero-days: la extracción de datos basada en API utilizando credenciales legítimas es suficiente para esta escala de exfiltración. Bajo NIS2, los servicios digitales gubernamentales están clasificados como entidades esenciales, lo que activa la notificación obligatoria de incidentes a ANSSI.

Fuente: SecurityWeek — 15 jun 2026

Velvet Ant (nexo con China) instala puertas traseras en módulos PAM de Linux y OpenSSH para robo de credenciales durante una década

El equipo de respuesta a incidentes de Sygnia descubrió la Operación Highland, una campaña de espionaje de casi una década por el actor de amenazas Velvet Ant vinculado a China. Activo desde al menos 2016-2017, el grupo modificó los Módulos de Autenticación Conectables (PAM) de Linux — específicamente pam_unix.so — para aceptar una contraseña de puerta trasera codificada, recolectar credenciales de intentos de autenticación legítimos y suprimir todo el registro de actividad del atacante. Se encontraron nueve instancias del módulo PAM con puerta trasera en los hosts comprometidos. El grupo también instaló puertas traseras en binarios de OpenSSH para mantener acceso persistente.

Por qué es importante: Este ataque no robó contraseñas — subvirtió la capa de autenticación en sí. Al modificar los módulos PAM, Velvet Ant podía autenticarse como cualquier usuario y recolectar cada contraseña introducida en los hosts comprometidos. Las contraseñas fuertes no ofrecen protección cuando la pila de autenticación está comprometida. Los operadores de infraestructura crítica en energía, manufactura y defensa enfrentan riesgos directamente análogos.

Fuente: CyberSecurityNews / Sygnia — 15 jun 2026

La autoridad italiana Garante multa a una consultora con 85.000 € por almacenar contraseñas en texto plano tras una brecha de 61.000 usuarios

La autoridad de protección de datos de Italia, la Garante, impuso una multa de 85.000 € a una consultora tras una brecha de datos que expuso datos personales de más de 61.000 usuarios. La Garante encontró que ciertas contraseñas estaban almacenadas en texto plano o protegidas con algoritmos criptográficos obsoletos, y que las credenciales de sistemas no utilizados se habían conservado más allá de su período necesario. Los individuos afectados fueron notificados aproximadamente dos meses después del descubrimiento — y solo después de que se emitiera una orden correctiva.

Por qué es importante: La Garante citó explícitamente el almacenamiento de contraseñas en texto plano y la criptografía obsoleta como las principales infracciones del RGPD. Esto establece un precedente claro de aplicación: el Artículo 32 requiere hash moderno de contraseñas, y retener credenciales para sistemas fuera de servicio viola el principio de limitación del almacenamiento. Las organizaciones de la UE deberían auditar sus implementaciones de almacenamiento de contraseñas contra esta decisión.

Fuente: Gibson Dunn Europe Data Protection — 15 jun 2026

El EDPB adopta una plantilla armonizada de notificación de brechas de datos para toda la UE bajo el RGPD

El Comité Europeo de Protección de Datos (EDPB) ha adoptado una plantilla estandarizada para las notificaciones de brechas de datos personales bajo el Artículo 33 del RGPD, abierta a consulta pública hasta el 5 de agosto de 2026. La plantilla proporciona a las organizaciones de toda la UE un único formulario estructurado para informar brechas de datos personales a las autoridades de supervisión, reemplazando los formatos nacionales actualmente fragmentados.

Por qué es importante: La plantilla armonizada afecta directamente cómo las organizaciones informan incidentes de exposición de credenciales bajo el Artículo 33 del RGPD, requiriendo divulgación estructurada de tipos de datos comprometidos, individuos afectados y consecuencias probables. Los equipos de cumplimiento y legales deberían revisar el borrador antes de la fecha límite de consulta del 5 de agosto.

Fuente: LexisNexis UK/EU Risk & Compliance — 18 jun 2026

ANSSI dejará de certificar productos de seguridad sin cifrado resistente a la computación cuántica a partir de 2027

La agencia nacional de ciberseguridad de Francia, ANSSI, anunció que dejará de certificar productos de seguridad (incluyendo gestores de contraseñas, VPNs y soluciones de autenticación) que no incorporen criptografía resistente a la computación cuántica (poscuántica) a partir de 2027.

El anuncio acompaña a la estrategia cibernética nacional más amplia de Francia, que incluye una inversión gubernamental de 200 millones de euros en infraestructura de ciberseguridad y herramientas de criptografía poscuántica.

Por qué es importante: Los gestores de contraseñas y bóvedas de credenciales dependen de primitivas criptográficas teóricamente vulnerables a ataques de computación cuántica. El requisito de certificación de ANSSI exige algoritmos poscuánticos para la aprobación del gobierno francés, convirtiendo a Francia en el primer estado miembro de la UE en establecer una fecha límite estricta. El marco de ANSSI es ampliamente referenciado en toda Europa y se espera que influya en el Esquema Europeo de Certificación de Ciberseguridad de ENISA.

Fuente: Reuters — 16 jun 2026

Gartner identifica tres cambios en la gestión de secretos que los equipos de seguridad no pueden ignorar

Gartner identifica tres cambios estratégicos en la gestión de secretos:

1. Gestión de acceso de cargas de trabajo — pasar de secretos estáticos a emisión de credenciales dinámicas y justo a tiempo para cargas de trabajo.
2. Arquitectura sin secretos — eliminar completamente los secretos de larga duración en favor del acceso basado en identidad usando SPIFFE/SPIRE.
3. Gobernanza multi-bóveda — gestionar secretos de forma consistente a través de múltiples plataformas de bóvedas a medida que las organizaciones acumulan almacenes de secretos dispares en HashiCorp Vault, AWS Secrets Manager, Azure Key Vault y otros.

Por qué es importante: Estos tres cambios mapean directamente a los modos de fallo expuestos esta semana. FortiBleed demuestra el riesgo de credenciales estáticas nunca rotadas (Cambio 1). La brecha OAuth de Klue demuestra el riesgo de credenciales heredadas de larga duración (Cambio 2). La deriva de credenciales a través de entornos multi-nube es el problema que aborda el Cambio 3. Este marco proporciona a los líderes de seguridad y TI una forma estructurada de evaluar su madurez actual en gestión de secretos frente a los incidentes de la semana.

Fuente: Akeyless Blog (citando investigación de Gartner) — 17 jun 2026

Resumen de esta semana

El patrón a través de los incidentes de esta semana es lo suficientemente consistente como para nombrarlo: credenciales estáticas, cuentas de servicio olvidadas y tokens de larga duración son los puntos de entrada que los atacantes están explotando activamente.

La aplicación regulatoria está alcanzando. La multa de 85.000 € de la Garante italiana por almacenamiento de contraseñas en texto plano, los plazos federales de PQC de EE. UU. y el límite de certificación de ANSSI para 2027 añaden una dimensión prospectiva: los fundamentos criptográficos del almacenamiento de credenciales están bajo un plazo estricto.

Tres acciones se derivan directamente de los eventos de esta semana:

• Primero, audite las cuentas de servicio e integraciones OAuth de terceros — el ataque de Klue comenzó con una olvidada.
• Segundo, ejecute una verificación de credenciales comprometidas contra el conjunto de datos de HIBP ahora expandido con 124 millones de contraseñas provenientes de infostealers.
• Tercero, revise cómo viven los secretos en las estaciones de trabajo de los desarrolladores. Las credenciales de nube de larga duración son ahora un objetivo explícito de agentes IA.

Las credenciales fuera de cualquier sistema gestionado son la raíz común — claves API codificadas, credenciales de VPN no rotadas, contraseñas en texto plano en servicios fuera de servicio. Passwork proporciona a los equipos de TI y seguridad visibilidad centralizada sobre las contraseñas corporativas y los secretos técnicos, con registros de acceso, seguimiento de rotación y alertas de credenciales comprometidas integrados. Comience con lo que puede controlar

Ciclo de vida de rotación de secretos: Desde la creación hasta la revocación

La rotación de secretos falla cuando se trata como una tarea programada en lugar de un ciclo de vida. Esta guía cubre las siete etapas — desde la creación y propiedad hasta la rotación segura, revocación de emergencia y evidencia de auditoría.

Passwork BlogAlex Muntyan

10 fallos de seguridad en el trabajo remoto (y cómo solucionarlos)

10 fallos de seguridad en el trabajo remoto — y el único principio detrás de todos ellos: la seguridad se rompe donde el camino seguro tiene más fricción que el inseguro. Casos reales, soluciones realistas, una línea base de 5 capas contra la que su equipo puede auditar.

Passwork BlogAlex Muntyan

Controles de acceso NIS2 para la seguridad de la cadena de suministro

El 48% de las brechas ahora involucran a terceros. El Artículo 21 de NIS2 convierte la gobernanza del acceso de proveedores en una obligación legal. Aquí se explica cómo mapear el acceso de proveedores, aplicar MFA y privilegio mínimo, y mantener la evidencia de auditoría que demuestre que sus controles funcionan.

Passwork BlogAlex Muntyan

Diese Woche brachte mehrere schwerwiegende Vorfälle, und alle weisen in dieselbe Richtung. Das Ausmaß der Credential-Kompromittierung bricht weiterhin Rekorde. FortiBleed: 86.000 Geräte in 194 Ländern. Das Elasticsearch-Leck: 24 Milliarden Datensätze aus Dutzenden von Quellen. HIBP fügte 124 Millionen Passwörter hinzu, die von Infostealern zum Zeitpunkt der Nutzung gestohlen wurden. Diese Daten sind bereits im Umlauf.

• Zwei Angriffsmethoden erhielten diese Woche konkrete Bestätigung. Angreifer umgehen Passwörter zunehmend vollständig: Der Klue-Breach begann mit einem vergessenen Dienstkonto und endete mit gestohlenen OAuth-Tokens — ohne dass an irgendeinem Punkt ein Passwort eingegeben wurde.
• KI-Agenten sind zu einem eigenständigen Angriffsvektor geworden: Ein vergiftetes Coding-Test-Repository ermöglichte es einem Angreifer, AWS-Credentials von der Workstation eines Entwicklers in 111 Sekunden zu exfiltrieren, ohne dass Endpoint-Alerts ausgelöst wurden.
• Der regulatorische Druck bewegt sich an zwei Fronten. In Europa wurden der Europarat und die französische Regierungsplattform Tchap kompromittiert, die italienische Garante verhängte eine Geldstrafe gegen ein Unternehmen wegen Speicherung von Passwörtern im Klartext, und neue EDPB- sowie NIS2-Meldepflichtvorlagen wurden veröffentlicht — alles innerhalb einer einzigen Woche.
• In den USA unterzeichnete Präsident Trump zwei Executive Orders, die verbindliche Bundesfristen für die Migration zur Post-Quanten-Kryptographie festlegen. Dies signalisiert, dass das Zeitfenster zur Vorbereitung kürzer ist, als die meisten Organisationen angenommen haben.

Dieser Digest behandelt die 14 bedeutendsten Ereignisse vom 15. bis 22. Juni 2026.

USA setzen Bundesfristen für die Migration zur Post-Quanten-Kryptographie (PQC)

Am 22. Juni 2026 unterzeichnete Präsident Trump zwei Executive Orders zur Quantentechnologie. Die EO „Securing the Nation Against Advanced Cryptographic Attacks" verpflichtet Bundesbehörden, einen PQC-Migrationsverantwortlichen zu benennen, hochwertige Vermögenswerte bis 2030 auf Post-Quanten-Kryptographie umzustellen und die vollständige Migration bis 2031 abzuschließen.

Eine zweite Anordnung weist die Entwicklung eines fehlertoleranten Quantencomputers bis 2028 an. Beide Anordnungen nennen „Harvest Now, Decrypt Later"-Angriffe als primären Bedrohungstreiber — Angreifer sammeln heute verschlüsselte Daten für eine zukünftige Entschlüsselung. Barron's berichtet, dass einige Analysten eine funktionsfähige Quantenentschlüsselungsfähigkeit bereits für 2029 prognostizieren.

Warum es wichtig ist: Die Bundesfristen 2030–2031 werden nicht innerhalb der Regierung bleiben. Beschaffungsverträge und branchenspezifische Regulierungen folgen typischerweise dem Bundesvorbild, daher sollte jede Organisation, die mit Regierungsinfrastruktur zu tun hat oder in einer regulierten Branche tätig ist, dies als frühes Signal betrachten. Der praktische Ausgangspunkt ist zu wissen, was man hat: Welche Systeme von RSA oder ECC abhängen, wo sich kryptographische Schlüssel und Zertifikate tatsächlich befinden und wer sie kontrolliert.

Quelle: Reuters / White House — 22. Jun 2026

FortiBleed: Über 86.000 Fortinet-Geräte-Credentials in 194 Ländern kompromittiert

Eine groß angelegte Credential-Diebstahl-Kampagne hat eine verifizierte Datenbank mit über 86.644 funktionierenden Credentials für internetfähige Fortinet FortiGate Firewalls und SSL-VPN-Appliances zusammengestellt — etwa 50 % aller solcher dem Internet ausgesetzten Geräte. Die Kampagne umfasste das Abfangen von SSL-VPN-Authentifizierung, Hash-Cracking auf einem 45-GPU-Cluster und Active-Directory-Pivoting.

Angreifer führten ungefähr 1,16 Milliarden Credential-Versuche gegen über 320.000 FortiGate-Ziele durch. CISA gab am 18. Juni 2026 eine dringende Warnung heraus, die Organisationen verpflichtet, aktive Sitzungen zu beenden, alle Credentials zurückzusetzen, Phishing-resistente MFA zu aktivieren und PBKDF2-Passwort-Hashing für Admin-Accounts anzuwenden. Huntress bestätigte, dass 845 Partnerorganisationen direkt betroffen waren.

Warum es wichtig ist: Organisationen, die Fortinet-Schwachstellen gepatcht, aber ihre Credentials nie rotiert haben, bleiben vollständig exponiert. Dies ist das entscheidende Credential-Sicherheitsereignis der Woche. Jede Organisation mit internetfähiger Fortinet-Infrastruktur sollte dies als aktiven Vorfall behandeln, der eine sofortige Credential-Rotation erfordert — nicht als geplante Wartungsaufgabe.

Quelle: SecurityWeek — 19. Jun 2026

24 Milliarden gestohlene Credentials durch massives Elasticsearch-Leck exponiert

Cybernews-Forscher entdeckten einen öffentlich zugänglichen Elasticsearch-Cluster mit 24 Milliarden gestohlenen Credential-Datensätzen über 8,3 Terabyte an Daten, die aus 36 verschiedenen Quellen stammten, darunter Infostealer-Malware-Logs, Telegram-Cybercrime-Kanäle und Breach-Sammlungen. Mehr als 1,7 Milliarden Datensätze stammten von Telegram-Kanälen.

Kritisch ist, dass der Cluster auch ungefähr 9.500 CVE-Datensätze enthielt, die mit aktiven GitHub-Repositories verknüpft waren — ein Beweis dafür, dass der Betreiber eine Angriffs-Priorisierungspipeline aufbaute, um ausnutzbare Schwachstellen mit verfügbaren gestohlenen Credentials abzugleichen. Die Datenbank wurde offline genommen, aber die Credentials befinden sich weiterhin im aktiven Umlauf.

Warum es wichtig ist: Die CVE-angereicherte Angriffspipeline verändert die Risikokalkulation: Die Rotation von Credentials nach einem Breach kann zu spät sein, wenn ein Angreifer bereits weiß, welche ungepatchten Dienste sie entsperren. Frische Infostealer-Logs enthalten auch aktive Session-Cookies, die MFA vollständig umgehen. Einzigartige Credentials pro Dienst bleiben die primäre strukturelle Verteidigung.

Quelle: Cybernews — 17. Jun 2026

124 Millionen einzigartige Infostealer-Passwörter zu Have I Been Pwned hinzugefügt

Am 15. Juni 2026 nahm Have I Been Pwned (HIBP) 56,3 Millionen einzigartige E-Mail-Adressen und 124 Millionen einzigartige Passwörter auf, die aus Infostealer-Malware-Logs stammen. Anders als traditionelle Breach-Daten wurden diese Credentials direkt von den Geräten der Opfer zum Zeitpunkt der Nutzung gestohlen — was bedeutet, dass sie aktuell und nicht rotiert sind. Der Datensatz ist jetzt über die Pwned Passwords API durchsuchbar, die in zahlreiche Unternehmens-Passwort-Manager und Identitätsplattformen integriert ist.

Warum es wichtig ist: Organisationen, die Passwort-Manager mit HIBP-Integration verwenden, werden nun Warnungen für einen wesentlich größeren Pool gefährdeter Credentials anzeigen. Die Gefahr hier ist die Aktualität: Mitarbeiter, die ihre Passwörter seit der Infektion ihres Geräts nicht geändert haben, bleiben vollständig exponiert. Dies ist ein direkter Anlass, ein Audit kompromittierter Credentials in Ihrer gesamten Organisation durchzuführen.

Quelle: Have I Been Pwned — 15. Jun 2026

Klue-SaaS-Supply-Chain-Angriff: OAuth-Tokens gestohlen, CRM-Daten von mehreren Sicherheitsanbietern exfiltriert

Eine neue Erpressergruppe namens Icarus (aktiv seit April 2026) verschaffte sich über ein kompromittiertes Legacy-Credential, das mit einem aufgegebenen Integrations-Dienstkonto verknüpft war, Erstzugang zur Market-Intelligence-Plattform Klue. Die Angreifer stahlen dann OAuth-Tokens, die von Klues Kunden zur Verbindung mit Salesforce und Gong verwendet wurden, und führten automatisierte Skripte gegen die Salesforce REST API für bis zu 24 Stunden Massen-CRM-Datenextraktion aus.

Bestätigte Opfer sind Huntress, Recorded Future, Tanium, Gong, Sprout Social, Jamf und Insurity. Salesforce deaktivierte die Klue-Integration.

Warum es wichtig ist: Ein vergessenes Legacy-Dienstkonto-Credential war der initiale Zugangsvektor. Einmal eingedrungen, benötigte der Angreifer keine Passwörter und keine MFA-Codes — das gestohlene OAuth-Token war aus Salesforce-Perspektive die Identität. Der Angriff lief 24 Stunden unentdeckt. Dienstkonto-Credentials und OAuth-Integrationen von Drittanbietern verdienen dieselbe Überwachungsdisziplin wie Mitarbeiterkonten.

Quelle: The Hacker News — 19. Jun 2026

Über 1.230 hartcodierte API-Schlüssel und JWT-Tokens in KI-Agenten-Anweisungsdateien in über 7.000 öffentlichen Repos gefunden

Mitiga Labs scannte über 50.000 KI-Anweisungsdateien (Cursor-Regeln, CLAUDE.md, MCP-Configs, Agent-Brain-Dateien) in über 7.000 öffentlichen GitHub-Repositories und fand über 1.230 hartcodierte API-Schlüssel und JWT-Tokens für Dienste wie Anthropic Claude, OpenAI GPT-5, Google Gemini, Databricks, Supabase, Vercel und Google Cloud Storage.

Separat berichtete GitGuardian, dass 28,65 Millionen Secrets 2025 auf öffentlichem GitHub geleakt wurden (ein Anstieg von 34 % im Jahresvergleich), wobei Leaks von KI-Diensten um 81 % zunahmen.

Warum es wichtig ist: KI-Agenten-Konfigurationsdateien werden zu einem primären Vektor für die Exponierung hartcodierter Credentials. Diese Dateien werden häufig von Benutzern ohne Sicherheitsbewusstsein erstellt — Produktmanager, Forscher, Gründer — die keine standardmäßigen Secrets-Hygienepraktiken anwenden. Die Secrets-Scanning-Richtlinien der meisten Organisationen decken Anweisungsdateien, MCP-Configs und Agent-Kontextdateien noch nicht ab. Das sollten sie.

Quelle: Mitiga Labs — 15. Jun 2026

Vergifteter Coding-Test veranlasst KI-Agenten, AWS-Credentials in unter 2 Minuten zu stehlen

Mitiga dokumentierte einen realen Angriff, bei dem ein gefälschtes Take-Home-Coding-Assessment-Repository versteckte Anweisungen in .cursor/rules-, README.md- und CLAUDE.md-Dateien enthielt. Als ein Entwickler das Repository in Cursor mit aktiviertem Auto-Run öffnete, führte der KI-Coding-Agent autonom cat ~/.aws/credentials, aws sts get-caller-identity, cat ~/.kube/config, terraform state list und einen Grep nach Secrets aus — und exfiltrierte dann alle gesammelten Daten über einen vergifteten MCP-Tool-Aufruf zu einem vom Angreifer kontrollierten Endpunkt. Die gesamte Kette wurde in 1 Minute 51 Sekunden abgeschlossen. Es wurde keine Malware installiert; es wurden keine Endpoint-Alerts generiert.

Warum es wichtig ist: Langlebige Cloud-Credentials, die auf Entwickler-Workstations gespeichert sind, sind jetzt ein primäres Ziel für KI-Agenten-vermittelte Angriffe. Jede Aktion wurde von einem legitimen Tool mit legitimen Befehlen durchgeführt — keine Endpoint-Kontrollen wurden ausgelöst. Die primäre Gegenmaßnahme ist das Ersetzen langlebiger Credentials durch kurzlebige OIDC-Tokens und föderierte Authentifizierung.

Quelle: Mitiga Labs — 19. Jun 2026

ShinyHunters beansprucht Europarat-Breach: 297 GB an HR-, Gehalts- und Medizindaten exponiert

Das Hackerkollektiv ShinyHunters übernahm die Verantwortung für einen Breach des Europarats und behauptete, 297 GB an Daten mit über 429.000 Dateien gestohlen zu haben — darunter 409.000 Gehaltsabrechnungen für über 10.000 Mitarbeiter über 15 Jahre, 14.000 Lebensläufe, 3.700 Personalakten und sensible Datensätze einschließlich Privatadressen, Gehälter, Bankdaten, Steuerinformationen und Krankenakten. Zum 21. Juni 2026 veröffentlichte ShinyHunters die Daten dauerhaft, nachdem der Europarat nicht auf Lösegeldforderungen reagiert hatte.

Warum es wichtig ist: Die exponierten Datensätze schaffen effektive Spear-Phishing-Vektoren gegen eine sensible Institution. ShinyHunters hat nun innerhalb eines einzigen Jahres die Europäische Kommission (März 2026), den Europarat (Juni 2026) und den niederländischen Telekommunikationsanbieter Odido (Februar 2026) für sich beansprucht. Europäische Sicherheitsteams sollten dies als eine anhaltende gezielte Kampagne betrachten, nicht als isolierte Vorfälle.

Quelle: Cybernews — 15. Jun 2026

Frankreichs Tchap-Regierungs-Messaging-Plattform gehackt: 73.467 Beamtenkonten kompromittiert

Frankreichs souveräne Regierungs-Messaging-Plattform Tchap (genutzt von über 825.000 Regierungsangestellten) wurde am 7. Juni 2026 von einem Bedrohungsakteur namens „misere" gehackt. DINUM bestätigte, dass 73.467 Regierungskonten betroffen waren, wobei die exponierten Daten Namen, E-Mail-Adressen und zugehörige Regierungsstellen umfassten.

Der Bedrohungsakteur behauptet zusätzlich, 13,5 GB an Dateien einschließlich über 643.000 Nachrichten gestohlen zu haben. Der Angriffsvektor soll Account-Hijacking beinhalten, möglicherweise über Infostealer-gestützte Credentials.

Warum es wichtig ist: Der Breach illustriert, wie Credential-Kompromittierung (möglicherweise über Stealer-Logs) gegen souveräne Regierungs-Kommunikationsinfrastruktur in großem Maßstab als Waffe eingesetzt werden kann. Sicherheitsexperten stellten fest, dass der Angriff möglicherweise keine Zero-Days erforderte: API-basierte Datenextraktion mit legitimen Credentials reicht für dieses Ausmaß an Exfiltration aus. Unter NIS2 werden digitale Regierungsdienste als wesentliche Einrichtungen klassifiziert, was eine obligatorische Vorfallsmeldung an ANSSI auslöst.

Quelle: SecurityWeek — 15. Jun 2026

Velvet Ant (China-Nexus) installiert Backdoors in Linux-PAM-Modulen und OpenSSH für jahrzehntelangen Credential-Diebstahl

Das Incident-Response-Team von Sygnia deckte Operation Highland auf, eine fast zehn Jahre andauernde Spionagekampagne des mit China verbundenen Bedrohungsakteurs Velvet Ant. Seit mindestens 2016–2017 aktiv, modifizierte die Gruppe Linux Pluggable Authentication Modules (PAM) — insbesondere pam_unix.so — um ein hartcodiertes Backdoor-Passwort zu akzeptieren, Credentials aus legitimen Authentifizierungsversuchen zu sammeln und jegliche Protokollierung von Angreiferaktivitäten zu unterdrücken. Neun Instanzen des mit Backdoor versehenen PAM-Moduls wurden auf kompromittierten Hosts gefunden. Die Gruppe installierte auch Backdoors in OpenSSH-Binärdateien, um persistenten Zugang aufrechtzuerhalten.

Warum es wichtig ist: Dieser Angriff stahl keine Passwörter — er unterwanderte die Authentifizierungsschicht selbst. Durch die Modifizierung von PAM-Modulen konnte Velvet Ant sich als beliebiger Benutzer authentifizieren und jedes auf kompromittierten Hosts eingegebene Passwort abgreifen. Starke Passwörter bieten keinen Schutz, wenn der Authentifizierungs-Stack kompromittiert ist. Betreiber kritischer Infrastrukturen in den Bereichen Energie, Fertigung und Verteidigung stehen vor direkt analogen Risiken.

Quelle: CyberSecurityNews / Sygnia — 15. Jun 2026

Italienische Garante verhängt Geldstrafe von 85.000 € gegen Beratungsfirma wegen Speicherung von Passwörtern im Klartext nach 61.000-Benutzer-Breach

Italiens Datenschutzbehörde, die Garante, verhängte eine Geldstrafe von 85.000 € gegen eine Beratungsfirma nach einem Datenschutzvorfall, bei dem personenbezogene Daten von mehr als 61.000 Benutzern exponiert wurden. Die Garante stellte fest, dass bestimmte Passwörter im Klartext gespeichert oder mit veralteten kryptographischen Algorithmen geschützt waren und dass Credentials für nicht mehr genutzte Systeme über ihre notwendige Aufbewahrungsdauer hinaus gespeichert worden waren. Betroffene Personen wurden etwa zwei Monate nach der Entdeckung benachrichtigt — und erst nach Erlass einer Korrekturanordnung.

Warum es wichtig ist: Die Garante nannte ausdrücklich die Speicherung von Passwörtern im Klartext und veraltete Kryptographie als primäre DSGVO-Verstöße. Dies etabliert einen klaren Durchsetzungspräzedenzfall: Artikel 32 erfordert modernes Passwort-Hashing, und das Aufbewahren von Credentials für stillgelegte Systeme verstößt gegen das Grundprinzip der Speicherbegrenzung. EU-Organisationen sollten ihre Implementierungen zur Passwortspeicherung anhand dieser Entscheidung überprüfen.

Quelle: Gibson Dunn Europe Data Protection — 15. Jun 2026

EDPB verabschiedet harmonisierte EU-weite Vorlage für Datenschutzverletzungsmeldungen gemäß DSGVO

Der Europäische Datenschutzausschuss (EDPB) hat eine standardisierte Vorlage für Meldungen von Verletzungen des Schutzes personenbezogener Daten gemäß DSGVO Artikel 33 verabschiedet, die bis zum 5. August 2026 zur öffentlichen Konsultation steht. Die Vorlage bietet Organisationen in der gesamten EU ein einheitliches strukturiertes Formular zur Meldung von Verletzungen des Schutzes personenbezogener Daten an Aufsichtsbehörden und ersetzt die derzeit fragmentierten nationalen Formate.

Warum es wichtig ist: Die harmonisierte Vorlage wirkt sich direkt darauf aus, wie Organisationen Credential-Expositionsvorfälle gemäß DSGVO Artikel 33 melden. Sie erfordert eine strukturierte Offenlegung der kompromittierten Datentypen, betroffenen Personen und wahrscheinlichen Folgen. Compliance- und Rechtsteams sollten den Entwurf vor Ablauf der Konsultationsfrist am 5. August prüfen.

Quelle: LexisNexis UK/EU Risk & Compliance — 18. Jun 2026

ANSSI wird ab 2027 keine Sicherheitsprodukte mehr ohne quantenresistente Verschlüsselung zertifizieren

Frankreichs nationale Cybersicherheitsbehörde ANSSI kündigte an, dass sie ab 2027 keine Sicherheitsprodukte (einschließlich Passwort-Manager, VPNs und Authentifizierungslösungen) mehr zertifizieren wird, die keine quantenresistente (Post-Quanten) Kryptographie integrieren.

Die Ankündigung begleitet Frankreichs breitere nationale Cyber-Strategie, die eine staatliche Investition von 200 Millionen Euro in Cybersicherheitsinfrastruktur und Post-Quanten-Kryptographie-Tools umfasst.

Warum es wichtig ist: Passwort-Manager und Credential-Tresore basieren auf kryptographischen Primitiven, die theoretisch anfällig für Quantencomputing-Angriffe sind. ANSSIs Zertifizierungsanforderung schreibt Post-Quanten-Algorithmen für die französische Regierungszulassung vor, womit Frankreich der erste EU-Mitgliedstaat ist, der eine harte Frist setzt. Das ANSSI-Rahmenwerk wird in ganz Europa weithin referenziert und wird voraussichtlich das Europäische Cybersicherheits-Zertifizierungsschema der ENISA beeinflussen.

Quelle: Reuters — 16. Jun 2026

Gartner identifiziert drei Veränderungen im Secrets-Management, die Sicherheitsteams nicht ignorieren können

Gartner identifiziert drei strategische Veränderungen im Secrets-Management:

1. Workload Access Management — der Wechsel von statischen Secrets zu dynamischer, Just-in-Time-Credential-Ausgabe für Workloads.
2. Secretless Architecture — die vollständige Eliminierung langlebiger Secrets zugunsten von identitätsbasiertem Zugriff mittels SPIFFE/SPIRE.
3. Multi-Vault Governance — konsistentes Management von Secrets über mehrere Tresor-Plattformen hinweg, da Organisationen unterschiedliche Secrets-Speicher über HashiCorp Vault, AWS Secrets Manager, Azure Key Vault und andere ansammeln.

Warum es wichtig ist: Diese drei Veränderungen korrespondieren direkt mit den diese Woche aufgedeckten Fehlermodi. FortiBleed demonstriert das Risiko statischer, nie rotierter Credentials (Veränderung 1). Der Klue-OAuth-Breach demonstriert das Risiko langlebiger Legacy-Credentials (Veränderung 2). Credential-Drift über Multi-Cloud-Umgebungen ist das Problem, das Veränderung 3 adressiert. Dieses Rahmenwerk gibt Sicherheits- und IT-Führungskräften eine strukturierte Möglichkeit, ihre aktuelle Secrets-Management-Reife anhand der Vorfälle dieser Woche zu bewerten.

Quelle: Akeyless Blog (unter Berufung auf Gartner-Forschung) — 17. Jun 2026

Zusammenfassung dieser Woche

Das Muster über die Vorfälle dieser Woche hinweg ist konsistent genug, um es zu benennen: Statische Credentials, vergessene Dienstkonten und langlebige Tokens sind die Einstiegspunkte, die Angreifer aktiv ausnutzen.

Die regulatorische Durchsetzung holt auf. Die Geldstrafe von 85.000 € der italienischen Garante für Klartext-Passwortspeicherung, die US-Bundesfristen für PQC und ANSSIs Zertifizierungsfrist 2027 fügen eine zukunftsorientierte Dimension hinzu: Die kryptographischen Grundlagen der Credential-Speicherung selbst stehen unter einer harten Frist.

Drei Maßnahmen ergeben sich direkt aus den Ereignissen dieser Woche:

• Erstens: Prüfen Sie Dienstkonten und OAuth-Integrationen von Drittanbietern — der Klue-Angriff begann mit einem vergessenen Konto.
• Zweitens: Führen Sie eine Prüfung kompromittierter Credentials gegen den HIBP-Datensatz durch, der jetzt um 124 Millionen Infostealer-gestützte Passwörter erweitert wurde.
• Drittens: Überprüfen Sie, wie Secrets auf Entwickler-Workstations gespeichert werden. Langlebige Cloud-Credentials sind jetzt ein explizites KI-Agenten-Ziel.

Credentials außerhalb jedes verwalteten Systems sind die gemeinsame Wurzel — hartcodierte API-Schlüssel, nicht rotierte VPN-Credentials, Klartext-Passwörter in stillgelegten Diensten. Passwork bietet IT- und Sicherheitsteams zentrale Transparenz über Unternehmenspasswörter und technische Secrets, mit integrierten Zugriffsprotokollen, Rotations-Tracking und Warnungen zu kompromittierten Credentials. Beginnen Sie mit dem, was Sie kontrollieren können

Secrets-Rotations-Lebenszyklus: Von der Erstellung bis zum Widerruf

Secret-Rotation scheitert, wenn sie als geplante Aufgabe statt als Lebenszyklus behandelt wird. Dieser Leitfaden behandelt alle sieben Phasen — von der Erstellung und Eigentümerschaft bis zur sicheren Rotation, Notfall-Widerruf und Audit-Nachweisen.

Passwork BlogAlex Muntyan

10 Sicherheitsfehler bei Remote-Arbeit (und wie man sie behebt)

10 Sicherheitsfehler bei Remote-Arbeit — und das eine Prinzip hinter allen: Sicherheit bricht dort zusammen, wo der sichere Weg mehr Reibung hat als der unsichere. Echte Fälle, realistische Lösungen, eine 5-Schichten-Baseline, gegen die Ihr Team prüfen kann.

Passwork BlogAlex Muntyan

NIS2-Zugriffskontrollen für Supply-Chain-Sicherheit

48 % der Breaches betreffen mittlerweile Drittparteien. NIS2 Artikel 21 macht Lieferanten-Zugangs-Governance zur rechtlichen Pflicht. So kartieren Sie Lieferantenzugang, setzen MFA und Least Privilege durch und bewahren die Audit-Nachweise auf, die belegen, dass Ihre Kontrollen funktionieren.

Passwork BlogAlex Muntyan

This week brought several major incidents, and all of them point in the same direction. The scale of credential compromise keeps breaking records. FortiBleed: 86,000 devices across 194 countries. The Elasticsearch leak: 24 billion records from dozens of sources. HIBP added 124 million passwords stolen by infostealers at the moment of use. This data is already in circulation.

• Two attack methods received concrete confirmation this week. Attackers are increasingly bypassing passwords altogether: the Klue breach started with a forgotten service account and ended with stolen OAuth tokens — no password entered at any point. 
• AI agents have become an independent attack vector: a poisoned coding test repository allowed an attacker to exfiltrate AWS credentials from a developer's workstation in 111 seconds, with no endpoint alerts generated.
• Regulatory pressure is moving on two fronts. In Europe, the Council of Europe and French government platform Tchap were breached, the Italian Garante fined a firm for storing passwords in cleartext, and new EDPB and NIS2 incident reporting templates dropped — all within a single week. 
• In the U.S., President Trump signed two executive orders setting hard federal deadlines for post-quantum cryptography migration, signaling that the window for preparation is shorter than most organizations have assumed.

This digest covers the 14 most significant events from 15 to 22 June 2026.

U.S. sets federal deadlines for post-quantum cryptography (PQC) migration

On 22 June 2026, President Trump signed two executive orders on quantum technology. EO "Securing the Nation Against Advanced Cryptographic Attacks" requires federal agencies to designate a PQC migration lead, transition high-value assets to post-quantum cryptography by 2030, and complete full migration by 2031.

A second order directs development of a fault-tolerant quantum computer by 2028. Both orders cite "harvest now, decrypt later" attacks as the primary threat driver — adversaries collecting encrypted data today for future decryption. Barron's reports that some analysts put viable quantum decryption capability as early as 2029.

Why it matters: The 2030–2031 federal deadlines will not stay inside the government. Procurement contracts and sector-specific regulation tend to follow federal precedent, so any organization that touches government infrastructure or operates in a regulated industry should treat this as an early signal. The practical starting point is knowing what you have: which systems depend on RSA or ECC, where cryptographic keys and certificates actually live, and who controls them.

Source: Reuters / White House — 22 Jun 2026

FortiBleed: 86,000+ fortinet device credentials compromised across 194 countries

A large-scale credential theft campaign has compiled a verified database of over 86,644 working credentials for internet-facing Fortinet FortiGate firewalls and SSL VPN appliances — roughly 50% of all such devices exposed to the internet. The campaign involved SSL VPN authentication interception, hash-cracking on a 45-GPU cluster, and Active Directory pivoting.

Attackers executed approximately 1.16 billion credential attempts against 320,000+ FortiGate targets. CISA issued an urgent advisory on 18 June 2026, requiring organizations to terminate active sessions, reset all credentials, enable phishing-resistant MFA, and apply PBKDF2 password hashing for admin accounts. Huntress confirmed 845 partner organizations were directly impacted.

Why it matters: Organizations that patched Fortinet vulnerabilities but never rotated credentials remain fully exposed. This is the defining credential security event of the week. Any organization with internet-facing Fortinet infrastructure should treat this as an active incident requiring immediate credential rotation — not a scheduled maintenance task.

Source: SecurityWeek — 19 Jun 2026

24 billion stolen credentials exposed in colossal Elasticsearch leak

Cybernews researchers discovered a publicly accessible Elasticsearch cluster containing 24 billion stolen credential records across 8.3 terabytes of data, drawn from 36 distinct sources including infostealer malware logs, Telegram cybercrime channels, and breach compilations. More than 1.7 billion records originated from Telegram channels.

Critically, the cluster also contained approximately 9,500 CVE records linked to active GitHub repositories — evidence the operator was building an attack-prioritization pipeline to cross-reference exploitable vulnerabilities with available stolen credentials. The database has been taken offline, but the credentials remain in active circulation.

Why it matters: The CVE-enriched attack pipeline changes the risk calculation: rotating credentials after a breach may be too late if an attacker already knows which unpatched services they unlock. Fresh infostealer logs also contain active session cookies that bypass MFA entirely. Unique credentials per service remain the primary structural defense.

Source: Cybernews — 17 Jun 2026

124 million unique infostealer passwords added to Have I Been Pwned

On 15 June 2026, Have I Been Pwned (HIBP) ingested 56.3 million unique email addresses and 124 million unique passwords sourced from infostealer malware logs. Unlike traditional breach data, these credentials were stolen directly from victims' devices at the time of use — meaning they are current and unrotated. The dataset is now searchable via the Pwned Passwords API, which is integrated into numerous enterprise password managers and identity platforms.

Why it matters: Organizations using password managers with HIBP integration will now surface alerts for a substantially larger pool of at-risk credentials. The danger here is freshness: employees who have not changed passwords since their device was infected remain fully exposed. This is a direct prompt to run a compromised credential audit across your organization.

Source: Have I Been Pwned — 15 Jun 2026

Klue SaaS supply chain attack: OAuth tokens stolen, CRM data exfiltrated from multiple security vendors

A new extortion group called Icarus (active since April 2026) gained initial access to market intelligence platform Klue via a compromised legacy credential associated with an abandoned integration service account. Attackers then stole OAuth tokens used by Klue's customers to connect to Salesforce and Gong, and ran automated scripts against the Salesforce REST API for up to 24 hours of bulk CRM data extraction.

Confirmed victims include Huntress, Recorded Future, Tanium, Gong, Sprout Social, Jamf, and Insurity. Salesforce disabled the Klue integration.

Why it matters: A forgotten legacy service account credential was the initial access vector. Once inside, the attacker needed no passwords and no MFA codes — the stolen OAuth token was the identity from Salesforce's perspective. The attack ran undetected for 24 hours. Service account credentials and third-party OAuth integrations warrant the same monitoring discipline as employee accounts.

Source: The Hacker News — 19 Jun 2026

1,230+ hardcoded API keys and JWT tokens found in AI agent instruction files across 7,000+ public repos

Mitiga Labs scanned 50,000+ AI instruction files (Cursor rules, CLAUDE.md, MCP configs, agent brain files) across 7,000+ public GitHub repositories and found over 1,230 hardcoded API keys and JWT tokens across services including Anthropic Claude, OpenAI GPT-5, Google Gemini, Databricks, Supabase, Vercel, and Google Cloud Storage.

Separately, GitGuardian reported that 28.65 million secrets were leaked on public GitHub in 2025 (a 34% year-on-year increase) with AI service leaks up 81%.

Why it matters: AI agent configuration files are becoming a primary vector for hardcoded credential exposure. These files are frequently created by non-security-aware users — product managers, researchers, founders — who do not apply standard secrets hygiene. Most organizations' secrets scanning policies do not yet cover instruction files, MCP configs, and agent context files. They should.

Source: Mitiga Labs — 15 Jun 2026

Poisoned coding test causes AI agent to steal AWS credentials in under 2 minutes

Mitiga documented a real-world attack in which a fake take-home coding assessment repository contained hidden instructions in .cursor/rules, README.md, and CLAUDE.md files. When a developer opened the repository in Cursor with auto-run enabled, the AI coding agent autonomously executed cat ~/.aws/credentials, aws sts get-caller-identity, cat ~/.kube/config, terraform state list, and a grep for secrets — then exfiltrated all collected data to an attacker-controlled endpoint via a poisoned MCP tool call. The entire chain completed in 1 minute 51 seconds. No malware was dropped; no endpoint alerts were generated.

Why it matters: Long-lived cloud credentials stored on developer workstations are now a primary target for AI-agent-mediated attacks. Every action was performed by a legitimate tool using legitimate commands — no endpoint controls triggered. The primary mitigation is replacing long-lived credentials with short-lived OIDC tokens and federated authentication.

Source: Mitiga Labs — 19 Jun 2026

ShinyHunters claims Council of Europe breach: 297 GB of HR, payroll, and medical records exposed

The hacker collective ShinyHunters claimed responsibility for a breach of the Council of Europe, alleging theft of 297 GB of data comprising over 429,000 files — including 409,000 payslips covering 10,000+ staff over 15 years, 14,000 CVs, 3,700 personnel files, and sensitive records including home addresses, salaries, bank details, tax information, and medical records. As of 21 June 2026, ShinyHunters published the data permanently after the Council of Europe did not respond to ransom demands.

Why it matters: The exposed records create effective spear-phishing vectors against a sensitive institution. ShinyHunters has now claimed the European Commission (March 2026), the Council of Europe (June 2026), and Dutch telecom Odido (February 2026) within a single year. European security teams should treat this as a sustained targeting campaign, not isolated incidents.

Source: Cybernews — 15 Jun 2026

France's Tchap government messaging platform breached: 73,467 officials' accounts compromised

France's sovereign government messaging platform Tchap (used by over 825,000 government employees) was breached on 7 June 2026 by a threat actor calling itself "misere." DINUM confirmed 73,467 government accounts were affected, with exposed data including names, email addresses, and affiliated government entities.

The threat actor additionally claims to have stolen 13.5 GB of files including over 643,000 messages. The attack vector is believed to involve account hijacking, possibly via infostealer-sourced credentials.

Why it matters: The breach illustrates how credential compromise (potentially via stealer logs) can be weaponized against sovereign government communication infrastructure at scale. Security experts noted the attack may not have required zero-days: API-based data extraction using legitimate credentials is sufficient for this scale of exfiltration. Under NIS2, government digital services are classified as essential entities, triggering mandatory incident reporting to ANSSI.

Source: SecurityWeek — 15 Jun 2026

Velvet Ant (China-Nexus) backdoors Linux PAM modules and OpenSSH for decade-long credential theft

Sygnia's incident response team uncovered Operation Highland, a near-decade-long espionage campaign by the China-linked Velvet Ant threat actor. Active since at least 2016–2017, the group modified Linux Pluggable Authentication Modules (PAM) — specifically pam_unix.so — to accept a hardcoded backdoor password, harvest credentials from legitimate authentication attempts, and suppress all logging of attacker activity. Nine instances of the backdoored PAM module were found across compromised hosts. The group also backdoored OpenSSH binaries to maintain persistent access.

Why it matters: This attack did not steal passwords — it subverted the authentication layer itself. By modifying PAM modules, Velvet Ant could authenticate as any user and harvest every password entered on compromised hosts. Strong passwords offer no protection when the authentication stack is compromised. Critical infrastructure operators in energy, manufacturing, and defense face directly analogous risks.

Source: CyberSecurityNews / Sygnia — 15 Jun 2026

Italian Garante fines consulting firm €85,000 for storing passwords in cleartext after 61,000-user breach

Italy's data protection authority, the Garante, imposed an €85,000 fine on a consulting firm following a data breach exposing personal data of more than 61,000 users. The Garante found that certain passwords were stored in cleartext or protected with outdated cryptographic algorithms, and that credentials for unused systems had been retained beyond their necessary period. Affected individuals were notified approximately two months after discovery — and only after a corrective order was issued.

Why it matters: The Garante explicitly cited cleartext password storage and obsolete cryptography as the primary GDPR infringements. This establishes a clear enforcement precedent: Article 32 requires modern password hashing, and retaining credentials for decommissioned systems violates the storage limitation principle. EU organizations should audit their password storage implementations against this decision.

Source: Gibson Dunn Europe Data Protection — 15 Jun 2026

EDPB adopts harmonized EU-wide data breach notification template under GDPR

The European Data Protection Board (EDPB) has adopted a standardized template for personal data breach notifications under GDPR Article 33, open for public consultation until 5 August 2026. The template provides organizations across the EU with a single structured form for reporting personal data breaches to supervisory authorities, replacing the currently fragmented national formats.

Why it matters: The harmonized template directly affects how organizations report credential exposure incidents under GDPR Article 33, requiring structured disclosure of compromised data types, affected individuals, and likely consequences. Compliance and legal teams should review the draft before the 5 August consultation deadline.

Source: LexisNexis UK/EU Risk & Compliance — 18 Jun 2026

ANSSI will stop certifying security products without quantum-resistant encryption from 2027

France's national cybersecurity agency ANSSI announced it will cease certifying security products (including password managers, VPNs, and authentication solutions) that do not incorporate quantum-resistant (post-quantum) cryptography starting from 2027.

The announcement accompanies France's broader national cyber strategy, which includes a €200 million government investment in cybersecurity infrastructure and post-quantum cryptography tooling.

Why it matters: Password managers and credential vaults rely on cryptographic primitives theoretically vulnerable to quantum computing attacks. ANSSI's certification requirement mandates post-quantum algorithms for French government approval, making France the first EU member state to set a hard deadline. ANSSI's framework is widely referenced across Europe and is expected to influence ENISA's European Cybersecurity Certification Scheme.

Source: Reuters — 16 Jun 2026

Gartner identifies three shifts in secrets management security teams cannot ignore

Gartner identifies three strategic shifts in secrets management:

1. Workload Access Management — moving from static secrets to dynamic, just-in-time credential issuance for workloads.
2. Secretless Architecture — eliminating long-lived secrets entirely in favor of identity-based access using SPIFFE/SPIRE.
3. Multi-Vault Governance — managing secrets consistently across multiple vault platforms as organizations accumulate disparate secrets stores across HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and others.

Why it matters: These three shifts map directly to the failure modes exposed this week. FortiBleed demonstrates the risk of static credentials never rotated (Shift 1). The Klue OAuth breach demonstrates the risk of long-lived legacy credentials (Shift 2). Credential drift across multi-cloud environments is the problem Shift 3 addresses. This framework gives security and IT leadership a structured way to assess their current secrets management maturity against the week's incidents.

Source: Akeyless Blog (citing Gartner research) — 17 Jun 2026

This week's recap

The pattern across this week's incidents is consistent enough to name: static credentials, forgotten service accounts, and long-lived tokens are the entry points attackers are actively exploiting.

Regulatory enforcement is catching up. The Italian Garante's €85,000 fine for cleartext password storage, the U.S. federal PQC deadlines, and ANSSI's 2027 certification cutoff add a forward-looking dimension: the cryptographic foundations of credential storage are themselves under a hard timeline.

Three actions follow directly from this week's events:

• First, audit service accounts and third-party OAuth integrations — the Klue attack started with a forgotten one.
• Second, run a compromised credential check against the HIBP dataset now expanded by 124 million infostealer-sourced passwords.
• Third, review how secrets live on developer workstations. Long-lived cloud credentials are now an explicit AI-agent target.

Credentials outside any managed system are the common root — hardcoded API keys, unrotated VPN credentials, cleartext passwords in decommissioned services. Passwork gives IT and security teams centralized visibility over corporate passwords and technical secrets, with access logs, rotation tracking, and compromised credential alerts built in. Start with what you can control

Secrets rotation lifecycle: From creation to revocation

Secret rotation fails when it’s treated as a scheduled task rather than a lifecycle. This guide covers all seven stages — from creation and ownership to safe rotation, emergency revocation, and audit evidence.

Passwork BlogAlex Muntyan

10 Remote Work Security Fails (And How to Fix Them)

10 remote work security fails — and the one principle behind all of them: security breaks where the secure path has more friction than the insecure one. Real cases, realistic fixes, a 5-layer baseline your team can audit against.

Passwork BlogAlex Muntyan

NIS2 access controls for supply chain security

48% of breaches now involve third parties. NIS2 Article 21 makes supplier access governance a legal obligation. Here’s how to map vendor access, enforce MFA and least privilege, and keep the audit evidence that proves your controls work.

Passwork BlogAlex Muntyan

Three things happened in April 2026 that don't look connected — until you see the pattern.

APT28 hijacked 18,000 routers across 120 countries and redirected authentication traffic through an adversary-in-the-middle proxy. No malware. Just a TLS certificate warning that most users dismissed. Microsoft 365 credentials and OAuth tokens collected at the midpoint, MFA bypassed entirely.

A developer at an AI productivity startup got infected by a commodity infostealer. The malware cost roughly $200 on a darknet forum. It extracted a browser-stored OAuth token, handed it to attackers, and within hours they were inside Vercel's production environment — enumerating API keys, database credentials, and signing keys.

ShinyHunters pulled authentication tokens from a third-party analytics provider called Anodot and spent the day monetizing access to dozens of downstream platforms. Vimeo. Zara. Snowflake customers. None of the primary platforms were compromised directly. The attack ran entirely through the integration layer.

The common thread: the breach never started where the damage ended. Every attacker entered through a peripheral — a vendor, an integration, a forgotten device — and pivoted to the real target from there.

This digest covers the credential and authentication incidents that defined April 2026, the statistics that give them context, and what they collectively mean for how organizations manage access.

Key takeaways

• APT28 hijacked 18,000 routers across 120 countries to steal Microsoft 365 OAuth tokens. The FrostArmada campaign required no malware and left almost no visible trace — DNS settings were silently overwritten to redirect authentication traffic through an adversary-in-the-middle proxy. MFA was bypassed entirely. The FBI dismantled the infrastructure in April 2026.
• Storm-2372 bypassed MFA at scale without stealing a single password. The campaign abused the OAuth Device Code flow, using AI-generated role-specific lures to trick victims into authorizing attacker-controlled sessions. The toolkit (EvilTokens) automated the entire operation end-to-end.
• The Anodot breach exposed stored tokens for dozens of downstream platforms. ShinyHunters extracted authentication tokens from a third-party analytics provider and used them to access customer data at Vimeo (119,000 users) and Zara/Inditex (197,000 records). Snowflake was not compromised — the attack ran entirely through the integration layer.
• A commodity infostealer on one developer's device was sufficient to breach Vercel's production environment. Lumma Stealer compromised Context.ai, a peripheral AI vendor. Inherited OAuth access gave attackers direct entry into Vercel systems — no zero-day, no phishing of Vercel staff required.
• A malicious Bitwarden CLI package circulated via npm for 94 minutes. Attackers hijacked a GitHub Action in the CI/CD pipeline and injected a payload targeting developer secrets, cloud credentials, and AI coding tool configurations — with built-in self-propagation across reachable repositories.
• AI-assisted development drove secret leaks to a record 28.6 million in 2025 — up 34% year-over-year. AI-service credential leaks grew 81%. Commits co-authored by AI tools leak secrets at roughly twice the baseline rate. 64% of secrets exposed in 2022 remained active and exploitable in 2026.
• Every major incident this month followed the same pattern. The primary target was never the ultimate victim — attackers moved through a peripheral vendor, a stored token, or a compromised dependency to reach the real objective. MFA did not stop any of the credential theft campaigns. The attack surface is the integration layer, the CI/CD pipeline, and the OAuth grant.

APT28: DNS hijacking campaign FrostArmada disrupted by international authorities

An international law enforcement operation involving the FBI, the U.S. Department of Justice, and the Polish government, with technical support from Microsoft and Black Lotus Labs, dismantled FrostArmada: an APT28 campaign that hijacked router DNS settings to steal Microsoft 365 credentials and OAuth tokens. Active since May 2025, the campaign infected 18,000 devices across 120 countries at its peak in December 2025.

What happened

APT28 (also tracked as Fancy Bear, Forest Blizzard, Strontium, and Storm-2754) — attributed by the NCSC and the U.S. DoJ to Russia's GRU military unit 26165 — compromised internet-exposed SOHO routers by exploiting known public vulnerabilities. The primary target was the TP-Link WR841N via CVE-2023-50224, which allowed unauthenticated attackers to extract router credentials via a crafted HTTP GET request, then overwrite DHCP/DNS settings with a second request.

The attack chain worked as follows:

1. Router is compromised via a known vulnerability; DNS settings are overwritten to point to attacker-controlled VPS nodes
2. New DNS configuration is automatically pushed to all internal devices via DHCP — laptops, phones, everything on the network
3. When a user queries an authentication-related domain, the malicious DNS server returns the attacker's IP instead of the real one
4. User is redirected to an adversary-in-the-middle (AitM) proxy
5. The proxy passes requests through to the legitimate service — while silently collecting passwords and OAuth tokens at the midpoint
6. The only visible warning to the victim: a TLS certificate error, easily dismissed

The approach required minimal end-user interaction and left almost no visible trace. Black Lotus Labs described it as "all thriller, no malware filler."

How the campaign evolved

The earliest activity was limited and began in May 2025. The inflection point came on August 5, 2025, when the NCSC published its Authentic Antics report describing a Forest Blizzard toolset for stealing Microsoft Office credentials. Lumen detected widespread router exploitation and DNS redirection starting the very next day (August 6) confirming rapid tradecraft adaptation after public exposure.

This pattern is consistent with Forest Blizzard's broader history. The group has continuously evolved its credential theft methods since at least 2021: from brute-force password spraying against Microsoft services, to NTLM hash harvesting via compromised routers, to full AitM infrastructure. The group is also known to deploy the LLM-based tool "LAMEHUG" alongside more traditional techniques.

How the infrastructure was organized

Black Lotus Labs identified two distinct operational clusters:

• Expansion team — focused on compromising new SOHO routers and growing the botnet at scale, targeting a large pool of networking equipment via exposed web interfaces
• AitM cluster — handled credential and token collection; also conducted interactive operations against specific MikroTik routers

The DNS hijacking was opportunistic by design: cast a wide net, then filter intercepted traffic to triage victims of likely intelligence value at each stage of the chain.

Targets and scope

The campaign primarily targeted government agencies, ministries of foreign affairs, law enforcement bodies, IT and hosting providers, and organizations running on-premise email servers. Microsoft confirmed AitM attacks against Microsoft 365 subdomains, including Outlook on the web. Black Lotus Labs and the NCSC also observed targeting of government organizations in North Africa, Central America, and Southeast Asia including "a national identity platform in one European country."

The takedown

The FBI carried out a court-authorized technical operation, remotely resetting DNS configurations on compromised routers to point back to legitimate resolvers. The operation was tested extensively on affected TP-Link firmware to ensure it did not impact normal router functionality or collect user data.

Lumen blocked traffic to the affected infrastructure and added indicators of compromise into Lumen Defender. Routers can be fully cleaned by restoring factory default settings. TP-Link confirmed the scope in an official statement:

"TP-Link has conducted an internal review and identified that multiple legacy TP-Link products may be affected by this vulnerability. Except for TL-WR940N v6 (EOS since 2024), all affected products have reached End-of-Life (EOL) status and no longer within TP-Link's standard maintenance lifecycle."

In practice, this means no patches are coming — replacement is the only remediation path for affected hardware.

What to do

Priority actions for network and security teams:

• Replace any routers that no longer receive firmware updates — end-of-life hardware was the primary entry point
• Verify DNS resolver settings in your router configuration and check against known-good values from your ISP
• Implement certificate pinning on corporate devices managed via MDM — this generates an error when an AitM proxy attempts traffic inspection
• Review firewall rules to prevent unwanted exposure of remote management interfaces
• Monitor Microsoft Entra sign-in logs for anomalous OAuth token usage patterns

Storm-2372 AI phishing: Massive MFA bypass via Device Code

Microsoft documented a large-scale phishing campaign by Storm-2372 that bypassed MFA without stealing a single password. The attack abused the OAuth Device Code authentication flow — a legitimate mechanism designed for devices that cannot support interactive logins — to trick users into authorizing attacker-controlled sessions. The campaign was powered by EvilTokens, a phishing-as-a-service toolkit that automated the entire operation end-to-end.

How it worked

The attack unfolded in three phases:

• Reconnaissance: 10–15 days before phishing, the group verified target account validity via Microsoft's GetCredentialType endpoint.
• Delivery: generative AI produced hyper-personalized lure emails tailored to each target's role — RFPs for procurement staff, invoices for finance teams, manufacturing workflow notifications for operations. Redirect chains ran through Vercel, Cloudflare Workers, and AWS Lambda to blend with legitimate enterprise traffic.
• Token capture: when a victim clicked the link, a background script generated a live Device Code in real time — bypassing the standard 15-minute expiration window. The victim completed MFA on Microsoft's real login page, unknowingly authorizing the attacker's session.

Post-compromise activity focused on high-value targets: email exfiltration, malicious inbox rules for persistence, and Microsoft Graph reconnaissance to map organizational structure and permissions.

Targets and scope

The campaign targeted organizations across government, finance, manufacturing, and IT sectors. Post-compromise activity was not indiscriminate: threat actors used automated enrichment — cross-referencing public profiles and corporate directories — to triage compromised accounts and prioritize individuals in financial or executive roles for deeper exploitation.

Post-compromise activity

Once tokens were obtained, attackers focused on maintaining access and extracting data. This included email exfiltration, creation of malicious inbox rules to redirect or conceal communications, and Microsoft Graph reconnaissance to map organizational structure and permissions — enabling lateral movement for as long as the stolen tokens remained valid.

What to do

• Disable Device Code flow for users and applications that don't require it via Conditional Access policies
• Monitor for anomalous GetCredentialType endpoint queries and unusual token issuance patterns
• Implement token lifetime policies and continuous access evaluation to limit stolen token validity windows
• Treat role-specific AI-personalized lures as a documented threat vector — generic awareness training is insufficient

Anodot token leak: Vimeo, Zara and dozens more hit in ShinyHunters campaign

Over a dozen companies suffered data theft after authentication tokens were stolen from Anodot, an AI-based analytics provider acquired by Glassbox in November 2025. The majority of attacks targeted Snowflake customer environments. Among the confirmed victims: Vimeo (119,000 users affected) and Zara's parent company Inditex (197,000 records exposed). The Snowflake platform itself was not breached — the attack ran entirely through the third-party integration layer.

What happened

Anodot provides real-time anomaly detection for business and operational data, integrating directly with Snowflake, S3, Amazon Kinesis, and other platforms. To function, it stores authentication tokens on behalf of its customers. When Anodot's environment was breached, those stored tokens gave attackers direct access to downstream customer data — no vulnerability in Snowflake itself was required.

The ShinyHunters extortion group claimed responsibility, telling BleepingComputer they stole data from dozens of companies on a single Friday using tokens harvested from Anodot. The group also hinted they may have had access to Anodot for some time before acting. ShinyHunters subsequently attempted to use the same stolen tokens against Salesforce customer accounts — but was detected and blocked by AI-based detection before succeeding.

Snowflake responded by locking down potentially impacted customer accounts and notifying affected organizations. Anodot's status page showed all connectors down across all geographic regions from the weekend of the incident. Neither Anodot nor its parent company Glassbox responded to press inquiries at time of publication.

Confirmed victims

Vimeo confirmed that the Anodot breach exposed user and customer data — primarily technical data, video titles, metadata, and in some cases email addresses. In its official disclosure, Vimeo stated:

"The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security experts to assist with the investigation."

According to Have I Been Pwned, 119,200 unique email addresses were exposed, sometimes accompanied by names. ShinyHunters published hundreds of gigabytes of Vimeo data after listing the company on their "pay or leak" extortion portal.

Zara (Inditex) was also listed by ShinyHunters as part of the same campaign. The group published what they claimed was a terabyte of data, allegedly including 95 million support ticket records. Have I Been Pwned recorded 197,400 unique email addresses in the breach, alongside product SKUs, order IDs, and geographic market data. Inditex confirmed the incident but stated it did not affect passwords or payment information.

Why it matters

This incident is a structural risk, not a one-off event. SaaS-to-SaaS integrations routinely involve credential delegation: one service authenticates on behalf of another, storing long-lived tokens with broad permissions. That authorization is granted once and rarely reviewed. When the delegated service is compromised, every downstream connection it holds becomes an attack vector — and the primary platform has no visibility into or control over the breach.

The ShinyHunters playbook is consistent: identify a peripheral integration service, compromise it, extract stored tokens, and monetize access through extortion before victims can respond.

What to do

• Maintain a current inventory of all third-party SaaS integrations and the credentials they hold on your behalf
• Apply least-privilege scoping to all OAuth grants and API tokens issued to external services
• Set token expiration policies — avoid indefinite long-lived tokens for third-party integrations
• Conduct periodic access reviews and revoke authorizations for services no longer in active use
• Treat integration provider security posture as part of your vendor risk assessment process

Unreviewed third-party integrations and long-lived tokens are a structural risk, not an edge case. Passwork gives security teams a centralized inventory of credentials with role-based access and a full audit trail — so nothing persists unnoticed. See how it works

Vercel: Supply chain attack via OAuth and Lumma Stealer

A Vercel employee used Context.ai — a third-party AI productivity tool — connected to their corporate Google Workspace account via OAuth. When Context.ai was compromised, attackers inherited that OAuth access, took over the employee's Vercel account, and pivoted into production systems.

Non-sensitive environment variables — API keys, tokens, database credentials, signing keys — were enumerated and decrypted. Vercel engaged Google Mandiant for forensic investigation and described the attackers as "highly sophisticated based on their operational velocity and in-depth understanding of Vercel's product API surface."

What happened

Trend Micro identified Lumma Stealer as the infostealer used in the initial compromise of Context.ai. Lumma is a commodity malware-as-a-service tool that extracts browser-stored credentials, session cookies, and authentication tokens from infected machines. One infected developer device at a small AI vendor became the entry point for a $2 million data breach at a major cloud platform.

Vercel confirmed that secret environment variables — those explicitly marked as sensitive — were stored encrypted and were not compromised. Non-secret variables were exposed. The company described the attackers as "highly organized" and engaged Mandiant for forensic investigation.

"We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate." — Vercel official statement

Why it matters

OAuth grants are easy to create and rarely reviewed. When an employee connects a third-party tool to a corporate account, they typically grant broad permissions in a single click — and that authorization persists indefinitely unless explicitly revoked. Each connected application is a potential pivot point if that application is ever compromised.

The attack chain here required no zero-day, no phishing of a Vercel employee directly, and no vulnerability in Vercel's own code. A commodity infostealer on a developer's machine at a peripheral vendor was sufficient.

What to do

• Audit all OAuth applications connected to corporate Google Workspace and Microsoft 365 accounts
• Enforce policies restricting which third-party applications employees can authorize
• Mark all sensitive environment variables explicitly — and treat non-marked variables as potentially exposed
• Deploy endpoint detection capable of identifying infostealer activity before credential exfiltration occurs
• Rotate all non-sensitive environment variables as a precaution if the Context.ai OAuth app was present in your environment

Bitwarden CLI compromised in Checkmarx supply chain attack

April 22, 2026. The Bitwarden CLI package @bitwarden/cli@2026.4.0 was distributed with malicious code for 94 minutes — between 5:57 PM and 7:30 PM ET — via a hijacked GitHub Action in Bitwarden's CI/CD pipeline. The compromise is part of the broader Checkmarx supply chain campaign, attributed to the threat actor TeamPCP. Bitwarden confirmed the incident and stated that no end-user vault data was accessed.

What the malicious code did

The injected code executed via a preinstall hook and targeted credentials across multiple surfaces: local environment files and shell history, GitHub Actions secrets, CI/CD pipeline credentials, configuration files for AI coding tools (Claude, Cursor, Codex CLI, Aider, Kiro), and npm tokens. Stolen data was encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx — a domain impersonating Checkmarx — with a GitHub repository as fallback.

If GitHub tokens were found, the malware injected malicious Actions workflows into every reachable repository and used harvested npm credentials to push further malicious package versions downstream. Endor Labs described it as one of the "more capable npm supply chain payloads" published to date.

What to do

• Pin all CI/CD dependencies — GitHub Actions, npm packages, Docker images — to specific verified commit hashes
• Implement dependency integrity verification (checksums, Sigstore signatures) before installation
• Restrict CI/CD pipeline permissions to the minimum required scope
• If the package was installed during the affected window, rotate all secrets accessible from that environment immediately

GitGuardian: AI agents led to the leak of 29 million secrets

GitGuardian's State of Secrets Sprawl 2026 report found 28,649,024 new secrets exposed in public GitHub repositories in 2025 — a 34% year-over-year increase and the largest annual jump in the report's history. The primary driver: AI-assisted development.

Why AI makes this worse

AI assistants accelerate development to the point where code looks production-ready — and gets committed — before anyone has decided where credentials should live. Commits co-authored by Claude Code leak secrets at roughly twice the baseline rate across public GitHub. A separate risk surface emerged with MCP configuration files: GitGuardian found 24,008 unique secrets exposed in Model Context Protocol configs in 2025.

Key figures

Once a secret is committed to a public repository, it is effectively public — regardless of whether it is later deleted. Automated scanners harvest newly committed secrets within minutes of publication.

What to do

• Implement pre-commit hooks and CI/CD secret scanning to catch credentials before they reach repositories
• Enforce dedicated secrets management tooling (HashiCorp Vault, AWS Secrets Manager) as the only permitted credential storage mechanism
• Rotate any credential that has ever appeared in a public repository, regardless of how briefly
• Establish credential governance policies specifically for AI agent integrations — treat agent identities as first-class access management objects

What April's incidents have in common

Three patterns repeat across every incident this month:

• The primary target was rarely the ultimate victim — attackers moved through a peripheral vendor, a third-party OAuth app, or a compromised CI/CD dependency to reach the real objective.
• MFA provided less protection than assumed — both the Device Code campaign and the OAuth token theft chains bypassed it entirely without touching a password.
• AI accelerated attacker velocity on both sides — generative AI personalized phishing at scale while AI-assisted development created a record volume of exposed credentials.

April 2026 by the numbers: the month in cybersecurity

April 2026 continued the trajectory established earlier in the year — more incidents, broader impact, and attack chains that increasingly bypass traditional controls. Ransomware, credential theft, and supply chain compromise dominated the threat landscape across every sector.

Breach and attack volume

Credential and secrets exposure

Attack techniques in focus

Conclusion

April 2026 confirmed a shift that has been building for years: the authentication layer is the primary attack surface, and session tokens are the primary target.

APT28 hijacked 18,000 routers to intercept OAuth tokens without ever touching a password. Storm-2372 bypassed MFA at scale using a legitimate authentication flow. ShinyHunters extracted stored tokens from a third-party analytics provider and monetized access across dozens of downstream platforms — none of which were directly compromised. A commodity infostealer on a single developer's machine at a peripheral vendor was sufficient to reach Vercel's production environment.

The 28.6 million secrets exposed on GitHub, the token theft campaigns run by APT28 and Storm-2372, and the Anodot breach affecting dozens of downstream platforms all point to the same structural gap: access management built for a simpler environment is not keeping pace with how organizations actually operate today.

Protecting credentials now means governing the full lifecycle — issuance, rotation, delegation, and revocation — across human users, service accounts, API keys, and AI agent identities. Shadow IT, unreviewed OAuth grants, and hardcoded secrets in CI/CD pipelines are the attack surface. The perimeter is not.

The incidents in this digest share one structural gap: credentials and tokens that existed outside of governance — unreviewed, unrotated, unrevoked. Passwork provides a self-hosted vault with role-based access control, structured permissions, and a complete audit log. Try Passwork in your infrastructure

Frequently asked questions

What was the most significant cybersecurity threat in April 2026?

The APT28 FrostArmada campaign was the most operationally significant incident of the month. By hijacking DNS settings on over 18,000 unpatched SOHO routers across 120 countries, the Russian GRU-linked group silently intercepted Microsoft 365 credentials and OAuth tokens from government agencies, law enforcement bodies, and IT providers — bypassing MFA without deploying malware or phishing individual users directly.

How does OAuth token theft bypass MFA?

OAuth tokens are issued after a user has already completed authentication — including any MFA step. Stealing the token means inheriting a fully authenticated session. MFA protects the login process; it does not protect the token that results from it. Attackers who intercept or steal tokens skip the login process entirely, rendering MFA irrelevant at that stage.

What is the Device Code phishing technique used by Storm-2372?

Device Code phishing abuses a legitimate OAuth flow designed for input-limited devices. Attackers initiate the flow, then deliver the resulting code to victims via AI-personalized phishing emails. When the victim enters the code at Microsoft's real authentication page, they unknowingly authorize the attacker's session — issuing a valid access token without exposing their password or triggering any MFA challenge. The token is legitimate because the user completed authentication themselves.

Why was the Bitwarden CLI supply chain attack significant?

It demonstrated that security tooling carries the same supply chain risk as any other software dependency. A malicious version of the Bitwarden CLI was distributed via npm for 94 minutes after attackers hijacked a GitHub Action in the CI/CD pipeline. The injected code targeted developer secrets, cloud credentials, and pipeline tokens — and was built to self-propagate to every repository the victim's GitHub token could reach.

What is credential sprawl and why is it accelerating?

Credential sprawl refers to the uncontrolled proliferation of secrets — API keys, tokens, passwords, certificates — across repositories, configuration files, collaboration tools, and CI/CD pipelines. GitGuardian's State of Secrets Sprawl 2026 report found 28.6 million new secrets exposed in public GitHub repositories in 2025, a 34% year-over-year increase driven largely by AI-assisted development. Code reaches production faster than credential governance policies can keep pace — and 64% of secrets exposed in 2022 remained active and exploitable in 2026.

Inside real supply chain attacks: Bitwarden CLI, Axios, and Vercel

Why breach your network when attackers can compromise a trusted dependency with millions of downloads and slip silently into thousands of organizations at once? Three 2026 campaigns prove supply chain attacks are no longer isolated incidents.

Passwork BlogAlex Muntyan

Brute force attacks in 2026: Types, examples & how to prevent them

GPU clusters, AI-assisted wordlists, botnets of 2.8M devices. Brute force has scaled. This guide covers six attack variants, real-world cases from 2025, and a layered defense strategy your team can implement today.

Passwork BlogAlex Muntyan

Password chaos: Why it’s a business problem and how to fix it

A forgotten password costs $70. A breach costs $4.44 million. Both start the same way — credentials shared over Slack, stored in spreadsheets, never rotated. Here’s what password chaos actually costs and how to eliminate it.

Passwork BlogAlex Muntyan

Introduction

On March 24, 2026, attackers accessed the European Commission's AWS cloud accounts and exfiltrated over 350GB of data before being blocked.

The ShinyHunters extortion group claimed responsibility. The Commission confirmed the breach on March 30, making it the most significant EU institutional compromise of the year and a precise illustration of the threat environment in which four major EU cybersecurity regulations are now being enforced simultaneously.

Spring 2026 marks a convergence: the January 20 NIS2 amendments and CSA2 proposal, active DORA enforcement by national regulators, and the September 11 CRA reporting deadline approaching fast.

The EU also imposed its first cyber sanctions of the year on March 16, targeting Chinese and Iranian threat actors. These are not background events — they are the enforcement context every IT leader and compliance officer needs to understand now.

Key takeaways

• European Commission data breach confirmed: On March 30, 2026, ShinyHunters stole over 350GB from its AWS cloud accounts, including databases, contracts, and mail server dumps.
• First EU cyber sanctions of 2026: On March 16, the EU Council imposed restrictive measures against three entities — Integrity Technology Group, Anxun Information Technology (China), and Emennet Pasargad (Iran) — and two individuals.
• NIS2 and CSA2 amendments proposed: On January 20, 2026, the European Commission introduced changes clarifying jurisdiction, scope, and certification obligations across both frameworks.
• CRA reporting deadline approaching: Mandatory vulnerability and incident reporting obligations under the Cyber Resilience Act begin September 11, 2026.
• DORA enforcement is active: Fully applicable since January 17, 2025, with BaFin and other national regulators conducting audits throughout 2026.

The threat context that made these changes necessary

The Spring 2026 EU regulatory acceleration is a direct response to a documented surge in attacks on European institutions and critical infrastructure. The European Commission breach, the EU's first cyber sanctions of 2026, and the statistical picture from ENISA and independent incident responders all point in the same direction: the threat is real, targeted, and ongoing.

The European Commission breach (March 2026)

The March 24 attack on the Commission's AWS-hosted Europa.eu platform is the clearest recent example of cloud supply chain risk. ShinyHunters — the same extortion group behind multiple high-profile data theft campaigns — claimed to have taken over 350GB of data: mail server dumps, databases, confidential documents, and contracts.

A 90GB archive appeared on their dark web leak site. The Commission's internal systems were not affected, but the incident exposed a structural vulnerability: public-facing cloud infrastructure operated without the access controls and credential hygiene that NIS2 and DORA are designed to mandate.

"Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission's internal systems were not affected by the cyber-attack." — European Commission Press Release, March 27, 2026

This was the Commission's second breach in 2026. A February incident had already compromised the mobile device management platform used to manage staff devices. Two significant breaches in two months at a single institution is not a coincidence — it reflects a sustained targeting campaign.

EU cyber sanctions — March 16, 2026

On March 16, 2026, the EU Council imposed restrictive measures against three entities and two individuals under the EU's cyber diplomacy toolbox — the first EU cyber sanctions of the year.

The sanctioned parties:

• Integrity Technology Group (China): Provided products used to compromise over 65,000 devices across six EU member states between 2022 and 2023.
• Anxun Information Technology (China): Provided hacking services targeting EU critical infrastructure. Two co-founders were individually sanctioned.
• Emennet Pasargad (Iran): Breached a French subscriber database, compromised advertising billboards during the 2024 Paris Olympics to spread disinformation, and compromised a Swedish SMS service.

All listed entities face asset freezes. The two individuals also face travel bans. The EU cyber sanctions regime now covers 19 individuals and 7 entities.

The statistical backdrop

According to the ENISA Threat Landscape 2025 report, DDoS attacks accounted for 77% of all recorded EU cyber incidents, driven primarily by hacktivist groups. Ransomware remains the most operationally damaging threat: 81.1% of cybercrime incidents targeting EU organizations involved ransomware.

Public administration was the most targeted sector, representing 38% of all incidents. State-aligned groups intensified long-term espionage campaigns against telecommunications, logistics, and manufacturing.

The picture from incident responders on the ground is equally direct. Eye Security's 2026 incident report — based on 630 investigations across Benelux and Germany — found that 70% of all cases were Business Email Compromise (BEC). More telling: 62% of classified cases since January 2025 involved MFA bypass. Attackers are not breaking encryption — they are stealing or bypassing credentials. That is the vector NIS2, DORA, and GDPR enforcement are all designed to close.

The European Commission breach followed a well-documented pattern: compromised cloud credentials, no audit trail, no access boundaries. Passwork gives IT teams a structured vault with role-based access, granular permissions, and a full activity log — the controls NIS2 and DORA explicitly require. Try Passwork free

NIS2 amendments: What changed on January 20, 2026

On January 20, 2026, the European Commission proposed amendments to NIS2 focused on legal certainty, streamlined compliance, and clarified jurisdictional rules. The proposal also introduced a revised Cybersecurity Act (CSA2) that expands ENISA's mandate and moves toward mandatory cybersecurity certification for products and services used in critical sectors.

The three practical changes in NIS2

The amendments address three pain points that emerged during the first year of implementation across member states:

1. Jurisdictional clarity. The amendments specify which member state holds supervisory authority over cross-border entities — a major source of compliance uncertainty for multinational organizations operating in multiple EU jurisdictions simultaneously.
2. Ransomware data collection. The proposal standardizes the collection of ransomware-related incident data across member states, enabling more consistent threat intelligence sharing at the EU level.
3. Scope refinement. A new "small mid-cap" category adjusts the thresholds determining whether organizations fall under NIS2's essential or important entity classification.

CSA2: The more significant structural shift

The CSA2 revision expands both the material and subjective scope of the EU cybersecurity framework. The critical change: certification for ICT products and services used in critical sectors moves from voluntary to mandatory. Organizations that have relied on the current voluntary ENISA certification schemes will need to reassess their product portfolios and supplier contracts once CSA2 is adopted — expected late 2026 or 2027.

Germany: NIS2 implementation is already in force

Germany's NIS2 implementation law (NIS2UmsuCG) entered into force on December 6, 2025. The BSI registration deadline was March 6, 2026. Approximately 30,000 companies in Germany fall under NIS2. A survey by nis2-check.de found that 80% of affected companies were unaware of their obligations (ADVISORI, February 2026). The law introduces personal liability for management under §38 NIS2UmsuCG — a first in German cybersecurity law.

NIS2 incident reporting requirements

DORA: Enforcement begins in 2026

DORA (Regulation EU 2022/2554) has been directly applicable since January 17, 2025. There is no national implementation law required and no postponement possible. In 2026, national regulators including Germany's BaFin are conducting active audits of financial institutions and their ICT third-party providers.

Who DORA covers

DORA applies to the entire financial sector: credit institutions, insurance companies, investment firms, payment service providers, crypto-asset service providers, and — critically — the ICT third-party providers supplying critical services to these entities.

A cloud provider hosting core banking systems falls under DORA as an ICT third-party provider, as does the bank itself. The regulation's reach extends well beyond traditional financial services.

The five compliance pillars

DORA organizes its requirements around five areas: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.

The most demanding requirement is Threat-Led Penetration Testing (TLPT) — mandatory for systemically important institutions. TLPT requires specialized red teams to simulate real attack scenarios based on current threat intelligence, not generic penetration testing methodologies.

Compliance gaps remain significant

Despite DORA being in force for over a year, readiness across the sector is incomplete. A Veeam survey found that 96% of EMEA financial organizations believe they need to improve their resilience to meet DORA requirements.

A Computerwoche survey found that 44% of affected companies report significant implementation problems. Specific gaps: 24% have not identified a DORA implementation lead, and 23% have not conducted digital operational resilience testing.

These numbers mean BaFin auditors are walking into organizations that have not completed basic readiness steps — with enforcement consequences that include license revocation, not just fines.

Cyber Resilience Act: The September 2026 deadline

The Cyber Resilience Act entered into force on December 10, 2024. From September 11, 2026, manufacturers and importers of digital products must report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. Full CRA requirements — including security-by-design obligations — apply from December 11, 2027.

What the September 2026 milestone covers

Two specific obligations activate on September 11:

• Vulnerability reporting: Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.
• Incident reporting: Severe incidents with an impact on the security of digital products must also be reported to ENISA within 24 hours.

The full CRA requirements — security by design, software bill of materials (SBOM), ongoing vulnerability management, and CE marking for digital products — apply from December 2027. Organizations that have not started preparation by mid-2026 will struggle to meet that deadline. The maximum CRA fine is €15 million or 2.5% of global annual turnover, whichever is higher.

NIS2 vs. DORA vs. CRA vs. CSA2: Which regulation applies to you?

The lex specialis principle means that sector-specific regulations take precedence over general ones. Financial entities subject to DORA are exempt from certain NIS2 obligations where DORA provides equivalent or stricter requirements. All four regulations can overlap for large organizations operating across sectors — a cloud provider serving financial institutions while also manufacturing IoT hardware may face obligations under all four simultaneously.

Regulation comparison

Decision matrix: Does this regulation apply to you?

DORA requires documented access controls and audit trails for all privileged ICT accounts. Passwork's secure credential sharing and activity logging give compliance teams the evidence trail auditors ask for.

Practical compliance checklist for Spring/Summer 2026

With 62% of EU cyber incidents in 2025 involving MFA bypass and 70% classified as Business Email Compromise, the most immediate technical measures are identity-focused: enforce MFA everywhere, audit privileged access, and assess third-party credential exposure. Regulatory compliance and operational security point to the same controls.

Immediate actions (April – June 2026)

1. Complete BSI registration (Germany) if not yet done. Contact BSI immediately and document the attempt — even if the March 6 deadline has passed, the record of good-faith effort matters in enforcement proceedings.
2. Conduct a NIS2 impact analysis. Determine whether your organization and its subsidiaries, joint ventures, and critical suppliers fall under NIS2's essential or important entity classification.
3. Establish a 24/72-hour incident reporting process. Assign clear ownership, create notification templates, and test the escalation path end-to-end before an incident forces you to use it.
4. Enforce MFA across all remote access and privileged accounts. Given that 62% of classified EU incidents involved MFA bypass (Eye Security, 2026), this is the single highest-ROI control available.
5. Audit third-party ICT providers. DORA requires contractual security obligations for all critical ICT suppliers. NIS2 requires supply chain security assessments. Both regulations demand documented evidence of third-party oversight.
6. Implement a secure credential management policy. Centralize password management for privileged accounts to prevent the credential theft vector used in the ShinyHunters breach. Unmanaged shared credentials remain the most common entry point in BEC and cloud account compromise cases.

Mid-term actions (July – September 2026)

1. Prepare for CRA reporting obligations (effective September 11, 2026). Establish a vulnerability disclosure process, designate a contact point for ENISA reporting, and confirm that your product inventory accurately reflects which items qualify as "digital products with digital elements."
2. Conduct a DORA resilience test. At minimum, run a tabletop exercise. Systemically important institutions must plan for full TLPT with a qualified red team operating against current threat intelligence.
3. Begin CSA2 certification assessment. Identify which products or services will require mandatory EU cybersecurity certification under CSA2 and engage a notified body early — certification timelines are long.
4. Review GDPR compliance. The French Conseil d'État upheld a €40 million GDPR fine against Criteo on March 4, 2026. Total GDPR fines since 2018 now exceed €7.1 billion, with €1.2 billion issued in 2025 alone (Kiteworks, March 2026). Data protection enforcement is at peak intensity — treat it as a parallel track, not a separate program.

Conclusion

The threat and regulatory context are converging. The Spring 2026 EU cybersecurity environment is defined by simultaneous tightening of regulation and escalation of attacks. The European Commission breach and the EU's first cyber sanctions of the year are not isolated events — they are the enforcement context for NIS2, DORA, CRA, and CSA2.

Identity security is the immediate priority. Credential theft via cloud account compromise is precisely what NIS2's "appropriate technical measures" requirement is designed to prevent. With 62% of EU incidents in 2025 involving MFA bypass, enforcing MFA, auditing privileged access, and centralizing credential management are foundational controls — ones that simultaneously reduce breach risk and satisfy requirements across NIS2, DORA, and GDPR.

The deadlines are fixed. The September 11, 2026 CRA reporting deadline is six months away. DORA audits are underway. NIS2 registration in Germany closed on March 6. Organizations that treat compliance as a documentation exercise rather than a security improvement program face both regulatory penalties and operational exposure.

The common assumption across all four frameworks: organizations maintain documented, auditable control over who accesses what credentials, when, and why. That is the starting point for any serious compliance program — and the baseline regulators will test against.

Passwork is a self-hosted corporate password manager with role-based access control, detailed activity logs, and zero-knowledge encryption — deployed entirely within your own infrastructure. It addresses the credential management controls required under NIS2, DORA, and GDPR in a single, auditable system. Try Passwork free in your infrastructure

FAQ: EU cybersecurity regulations in Spring 2026

What changed in EU cybersecurity law in Spring 2026?

The European Commission proposed amendments to NIS2 and a new Cybersecurity Act (CSA2) on January 20, 2026. The CRA's reporting obligations begin September 11, 2026. DORA has been in active enforcement since January 2025. The EU also imposed its first cyber sanctions of 2026 on March 16, targeting Chinese and Iranian threat actors.

What is the difference between NIS2 and DORA?

NIS2 is a broad directive covering 18 sectors and focusing on cybersecurity risk management and incident reporting. DORA is a regulation specific to the financial sector, with deeper requirements for ICT risk management, resilience testing, and third-party oversight. The lex specialis principle means DORA takes precedence for financial entities where its requirements are stricter than NIS2's equivalent obligations.

What are the penalties for NIS2 non-compliance in 2026?

Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global revenue. Germany's NIS2 implementation law (§38 NIS2UmsuCG) also introduces personal liability for management — a first in German cybersecurity law.

When does the Cyber Resilience Act take effect?

The CRA entered into force on December 10, 2024. Mandatory vulnerability and incident reporting obligations begin September 11, 2026. Full security-by-design requirements and CE marking obligations apply from December 11, 2027. Organizations that delay preparation until late 2026 will face a compressed timeline for the 2027 deadline.

Who was sanctioned under EU cyber sanctions in March 2026?

On March 16, 2026, the EU Council sanctioned Integrity Technology Group and Anxun Information Technology (both China-based) and Emennet Pasargad (Iran-based), along with two Chinese individuals. Sanctions include asset freezes; the two individuals also face travel bans. The EU cyber sanctions regime now covers 19 individuals and 7 entities total.

What is the EU Cybersecurity Act 2 (CSA2)?

CSA2 is the proposed revision to the EU Cybersecurity Act, announced January 20, 2026. It expands ENISA's mandate and introduces mandatory cybersecurity certification for ICT products and services used in critical sectors — replacing the current voluntary certification framework for those categories. Expected adoption: late 2026 or 2027.

Does NIS2 or DORA apply to cloud providers?

A cloud provider supplying critical services to financial institutions falls under DORA as an ICT third-party provider. If the same provider also operates in one of NIS2's 18 sectors with the relevant size thresholds, NIS2 applies independently. The two regulations can — and frequently do — apply simultaneously to the same organization.

What happened in the European Commission data breach of 2026?

On March 24, 2026, attackers accessed the European Commission's AWS cloud accounts hosting the Europa.eu platform. The ShinyHunters extortion group claimed responsibility and alleged theft of over 350GB of data, including databases, contracts, and confidential documents. The Commission confirmed the breach on March 30, 2026.

NIS2 password requirements: What European companies must do in 2026

Credential gaps are the leading NIS2 audit failure point in 2026. This guide covers Article 21 password requirements, NIST SP 800-63B alignment, AD hardening steps, and the audit evidence regulators ask for first.

Passwork BlogAlex Muntyan

Password Manager Deployment Models: Cloud, Self-Hosted & Hybrid

Choosing where to run your password manager matters as much as choosing which one. This guide breaks down cloud, self-hosted, and hybrid deployment — with a compliance matrix for GDPR, HIPAA, and NIS2, and a clear look at the trade-offs each model carries.

Passwork BlogAlex Muntyan

What is a passkey? Guide to passwordless authentication

A passkey is a phishing-resistant credential stored on your device. Sign in with a biometric tap — no password to remember or steal. This guide covers the technical mechanics, platform setup, real-world performance data, and what the transition means for enterprise teams.

Passwork BlogAlex Muntyan