Get LastPass Free

Create and store secure passwords for yourself, your team or business.

Why LastPass?

Remember fewer passwords and log in faster with our browser extension.

How LastPass works

LastPass zero-knowledge security model keeps your data private even from us.

Security Architecture

Compare LastPass competitors, plans, and features in one place

Compare LastPass

Overview

Password management

Save and autofill

Password generator

Password sharing

Dark web monitoring

Security dashboard

SaaS Monitoring

Key Features

Free LastPass Premium trial, no credit card required.

Free LastPass Business trial, no credit card required.

Let our experts help you find the right plan and successfully deploy LastPass.

Sync passwords across all devices, monitor password health, data breaches and much more.

Personal

Premium password management for family or group of 6 people.

Families

Personal Plans

30-day free LastPass Premium trial, no credit card required.

30-day free LastPass Families trial, no credit card required.

Limited to 1 device type and basic password management features

Designed for businesses of all sizes, from small startups to enterprises.

Business

Gain complete visibility into your organization’s entire SaaS footprint.

Business Max

For single teams just getting started with password management.

Teams

Designed to keep your clients' credentials protected and private

Business Plans

User management

Business sharing

Multifactor authentication

Integrations

Single sign-on

Identity management

For admins

Case Studies

Webinars

Product demos

Solutions by roles

Blog

Trust Center

Compliance Center

LastPass University

Resources & Solutions

Pricing

Join the LastPass Partner Program to provide even more value to your customers.

Partner program overview

Managed Service Providers

Resellers

Cloud marketplaces

Technology Alliance Partners

LastPass Partner Program

Grow new revenue streams by meeting customer's security needs.

Looking for help or interested in becoming a LastPass partner? Get in touch with our partner team.

Connect with trusted LastPass Partners to support your security needs.

Partners

Self-service library of resources and guides for all LastPass products.

Support Center

Community forum

System status

Help

Personal support for all LastPass’ subscribed customers.

Support

Get LastPass free

Chat with sales

Call sales

Email sales

Request a demo

Find a partner

Contact sales

Log in

Weak credentials recently gave researchers access to years&rsquo; worth of McDonald&rsquo;s applicants&rsquo; data. While McDonald&rsquo;s McHire AI chatbox lightened the administrative load for the multinational corporation&rsquo;s HR department, it also presented an opening for hackers to access job applicants&rsquo; information going back years. This incident demonstrates how the &ldquo;intelligence&rdquo; in AI isn&rsquo;t a given when it comes to basic cybersecurity measures, like passwords. This breach raises questions about data privacy and transparency for job applicants and the security of AI-enabled tools. We&rsquo;ll take a closer look at how this simple brute force attack happened and what you can do to protect yourself to avoid falling victim to a similar hack.
What happened?
Researchers discovered a <a href="https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/">vulnerability in McHire</a>, McDonald&rsquo;s chatbot job application platform built by AI software firm Paradox.ai. The AI chatbot screens applicants, collects their contact information and resumes, and engages in basic interactions that an HR department would typically handle. The breach was enabled by weak credentials of a Paradox.ai administrative account that used an appallingly weak username and password (&ldquo;123456&rdquo;).&nbsp;This is one of the most common passwords out there that makes it practically effortless for threat actors to crack. Once the researchers gained access to the admin account, they were able to access every application to McDonald&rsquo;s over the past few years. The researchers were also able to complete and manipulate a test application on the backend and access other applicants' chat logs and contact information by changing the applicant ID number for their application. This was due to an insecure direct object reference (IDOR) on an internal API. Luckily, the account was not accessed by any third party other than the researchers. 
If someone had the opportunity to exploit the data, it could have made years&rsquo; worth of McDonalds applicants the targets of phishing attacks and scams. For instance, attackers could hypothetically have used this list of individuals to conduct a type of payroll scam or use applicants&rsquo; sensitive information to conduct other attacks.&nbsp; 
Root causes: How did it happen? 
The root cause of this breach was poor identity access management of a third-party vendor's administrator account. Enforcing strong password guidelines and MFA could have protected the admin account from the start.&nbsp;Good password hygiene is typically the first line of defense against attackers. People who use weak or reused passwords increase their risk of data breaches, extortion, and more. In fact, over half of all reported data breaches resulted from weak passwords. Hackers can easily get access to exposed credentials from previous breaches and infostealer logs sold on the dark web. Using weak passwords can make you an easy target for hackers looking for a way into your accounts, either to target you directly or gain access to other sensitive systems you may have access to. 
Additionally, the breached admin account appeared to be inactive, with its last login reportedly in 2019. Inactive accounts are prime targets for cyberattacks because they can provide attackers with a foothold in the network to move laterally and access critical systems.&nbsp;Admin accounts are especially enticing for hackers since oftentimes they have elevated access permissions, allowing attackers to infiltrate deeper into systems with less effort. 
A warning: Don&rsquo;t be blinded by AI 
As AI-powered bots get implemented to help streamline the hiring process or for other purposes, this new technology also introduces vulnerabilities&mdash;in this case, web-based vulnerabilities involving a simple administrator account's username and password (&ldquo;123456&rdquo;) that served as the keys to a data breach.&nbsp; While AI can help boost productivity and security defenses, unwavering excitement can simultaneously blind people to potential risks. This breach carries a warning for folks: don&rsquo;t let your AI-enthusiasm distract you from basic cybersecurity best practices.&nbsp; Sometimes the promise of AI isn&rsquo;t all it&rsquo;s cracked up to be when these tools open businesses up to new vulnerabilities.
As AI usage has picked up, there have been several reports of AI data leaks due to misconfigurations, training data exposure, model extraction, in-memory leaks, adversarial attacks, and more. That should be a reminder for companies to closely evaluate their tool suite.&nbsp;Just like any new technology, security professionals should rigorously evaluate third-party AI apps and tools.&nbsp; 
What can you do? 
<ul style="margin-top: 0in; list-style-type: disc;">
 <li>Use strong, unique passwords. Think of this as a single bolt lock to secure your door. See more password hygiene tips in our blog post <a href="http://blog.lastpass.com/posts/elevate-password-hygiene">&ldquo;How to Elevate Your Password Hygiene: Tips and Tricks for Protecting Your Credentials.&rdquo;</a> </li>
 <li>Another simple but crucial step to securing your online accounts is implementing multi-factor authentication (MFA). This is like adding a padlock on top of your locked door (with strong passwords). There are many forms of MFA available, including SMS text, hardware tokens, push notifications, and biometrics. Two-factor authentication (2FA) is a common form of MFA that combines your password with either a generated code or biometric verification. Learn more about the <a href="https://blog.lastpass.com/posts/sms-is-insecure">pros and cons of common 2FA methods</a>. </li>
 <li>Password managers can help protect accounts by generating strong, unique passwords for each account and storing them securely in an encrypted vault. This helps prevent the use of weak, easily guessed passwords.&nbsp;</li>
 <li>As far as third-party vendors are concerned, your security is only as strong as the sum of your parts. Businesses should evaluate their third party's security standards, including their password hygiene.&nbsp;</li>
</ul>

McHack’d: How Weak AI Credentials Served Up a Data Breach

Weak credentials recently gave researchers access to years’ worth of McDonald’s applicants’ data. We’ll take a closer look at how this simple brute force attack happened and what you can do to protect yourself to avoid falling victim to a similar hack.

The May 21 announcement of a law enforcement operation in conjunction with Microsoft targeting LummaC2 that resulted in the seizure of over 2,300 malicious domains was rightly celebrated as a major victory against the ongoing scourge of infostealers, a family of malware that has risen to prominence over the last few years for both its ubiquity and its central role in numerous major breaches. This disruption of the infostealer ecosystem led to the rise of a new infostealer,&nbsp;Acreed.1&nbsp;While the rumors of LummaC2&rsquo;s demise turned out to be a bit exaggerated (as highlighted in&nbsp;<a class="Hyperlink SCXW193238760 BCX0" href="https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html" target="_blank" rel="noopener noreferrer" style="color: inherit; margin: 0px; padding: 0px;">this recent excellent report from TrendMicro),</a>Acreed&nbsp;has&nbsp;maintained&nbsp;a foothold within the infostealer market while&nbsp;remainingrelatively elusive&nbsp;for defenders.&nbsp;Let&rsquo;s&nbsp;take a closer look at what we know about&nbsp;Acreed.&nbsp;
Acreed&nbsp;began offering credentials for sale in the dark web marketplace, Russian Market, in mid-February of this year. Since its introduction, only one account on Russian Market has offered stolen credentials associated with&nbsp;Acreed&nbsp;for sale. The account, which is anonymized to some degree as all accounts are on Russian Market,&nbsp;leverages&nbsp;the username &ldquo;Nu####ez.&rdquo; This threat actor has been posting logs on Russian Market since at least early 2024 and had previously been associated&nbsp;largely with&nbsp;the sale logs associated with LummaC2. However, earlier this year, Nu####ez began offering logs stolen via the new&nbsp;Acreed&nbsp;stealer. While postings were initially erratic, Nu####ez began posting more&nbsp;Acreed&nbsp;logs regularly beginning in early May. A few weeks later, law enforcement conducted the LummaC2 takedown operation, leading to a sharp increase in&nbsp;Acreed&rsquo;s&nbsp;percentage share in logs posted on Russian Market. Some of this reflected the quick drop in available logs due to the LummaC2 disruption, but there was&nbsp;a commensurate&nbsp;increase in available&nbsp;Acreed&nbsp;logs as well.&nbsp;
Interestingly,&nbsp;Acreed&nbsp;does not seem to be available for sale like LummaC2 or other infostealers-as-a-service, nor were we, in conjunction with our friends at Flashpoint, able to find any samples in the wild. As such,&nbsp;it appears the malware&nbsp;is used in a limited fashion, though indications from the log files provide enough data to support the hypothesis that&nbsp;Acreed&nbsp;is indeed its own infostealer and not a simple renaming of logs stolen with another malware. As Flashpoint found,&nbsp;Acreed&nbsp;uses a unique directory and file naming convention that could be used to potentially&nbsp;identify&nbsp;samples in the wild or during runtime (see below).&nbsp;
<img src="https://www.lastpass.com/-/media/6ab586f36c38433499f239eff3823d8e.png?h=211&amp;w=621" >
Acreed stealer log files (Source: Flashpoint)
<p class="Paragraph SCXW12872475 BCX0" paraid="609014671" paraeid="{50f73fad-9d5e-4573-89ae-0e37c35b3dcb}{153}" style="color: windowtext; background-color: transparent; margin-right: 0px; margin-bottom: 10.6667px; margin-left: 24px; padding: 0px;">Its relatively limited usage is further evidenced by the total available logs on Russian Market, which total over 19,000 infections in 2025 as of late July, compared to over 175,000 infections for LummaC2, according to Flashpoint analysis.&nbsp;
<p class="Paragraph SCXW12872475 BCX0" paraid="844947943" paraeid="{50f73fad-9d5e-4573-89ae-0e37c35b3dcb}{165}" style="color: windowtext; background-color: transparent; margin-right: 0px; margin-bottom: 10.6667px; margin-left: 24px; padding: 0px;">While samples are not available to analyze, Flashpoint was able to develop a YARA rule that could help detect if the malware is compiling logs on victim systems based on the available data. LastPass will continue to monitor activity associated with both Acreed and LummaC2 and post updates as new information becomes available and take all practicable actions to help protect our customers and disrupt these infostealer operations.&nbsp;
&nbsp;

Lumma persists and Acreed Rises

While the rumors of LummaC2’s demise turned out to be a bit exaggerated, Acreed has maintained a foothold within the infostealer market while remaining relatively elusive for defenders. Let's learn more about Acreed malware.

Lumma Persists and Acreed Rises Following Law Enforcement Actions

The LastPass TIME Team is thrilled to announce the launch of our new podcast The Phish Bowl! Join us every month as my longtime colleague and co-host Mike Kosak and I (Stephanie Schneider) dive into the global cyber threat landscape. Every episode, we&rsquo;ll unpack what&rsquo;s really going on beneath the surface, exploring the globe region by region. We&rsquo;re also publishing a <a href="https://info.lastpass.com/threat-reports">new report</a> for each region on a quarterly basis that will serve as the foundation for the podcast.&nbsp;&nbsp;
When we&rsquo;re looking at what&rsquo;s shaping regional cyber activity, it&rsquo;s helpful to understand the geopolitical environment and factors influencing various actors&rsquo; motivations.&nbsp; Integrating these geopolitical insights with a strategic high-level view of potential threats informs organizations&rsquo; proactive cybersecurity decision-making. It helps security teams better anticipate, identify and respond to threats, and it helps businesses proactively address potential outcomes and contextualize threats specific to their industry, region, or business operations.&nbsp;&nbsp;
For our first episode, we kicked things off with a deep dive into the Asia-Pacific (APAC) region. APAC is one of the most active, complex cyber environments given its dynamic geopolitical environment, economic factors, and flourishing cybercrime scene. We were lucky to be joined by Nate Blumenthal, former senior intelligence advisor to CISA, as our inaugural episode&rsquo;s special guest. Nate shared sharp insights on Iran&rsquo;s cyber posture and its shift towards hybrid warfare in the context of the ongoing conflict in the Middle East. Nate also offered some practical suggestions to improve your own cybersecurity that everyone can implement right now.&nbsp;&nbsp;
<h2 class="p3" style="color: rgba(0, 0, 0, 0.85); margin: 0px 0px 10.7px;">Why APAC matters right now&nbsp;</h2>
APAC cyberattacks trended high last year due to a high number of financially motivated cybercrime and state-backed attacks. This trend has continued this year. APAC experienced the largest share of incidents globally (34%) in 2024, which marks a 13% increase, <a href="https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index">according to IBM</a>. From ransomware to credential theft, the region is experiencing a broad range of threats. Industries like manufacturing, finance, and transportation are especially targeted.&nbsp;&nbsp;
Ransomware remains one of the most pervasive threats to the region. Last year, Asia accounted for approximately 11% of global ransomware activity mainly targeting manufacturing and engineering, with India and Japan seeing significant activity. Australia emerged as a top regional ransomware target, and it is among the top 10 of countries impacted based on ransomware gang reporting of alleged victims. There were several victims in Taiwan, Singapore, and Japan. Thailand also saw an unusual increase in victims.&nbsp;
<h2 class="p3" style="color: rgba(0, 0, 0, 0.85); margin: 0px 0px 10.7px;">Nation-state threats: China, North Korea, and Iran&nbsp;</h2>
Beijing-backed hackers have been particularly aggressive and appear to have targeted intellectual property theft, telecom intrusions, and semiconductors. What&rsquo;s interesting is how closely their cyber activity aligns with Beijing&rsquo;s strategic Five-Year Plans that outline goals, objectives, and policy directions. It&rsquo;s like they're handing us a roadmap that aligns with their long-term ambitions.&nbsp;
Then there&rsquo;s North Korea. They&rsquo;ve continued to go after crypto and are infiltrating the workforce in the US and, more recently, expanded to targeting European private entities for malicious purposes, including data exfiltration and extortion and the enablement of cryptocurrency thefts. The scheme involves thousands of DPRK IT workers who use false or stolen identities from people in the US and other countries to obscure their true nationality and get hired at private companies across almost every sector. These North Korean IT workers may seek direct employment with targeted companies or attempt to gain access via third-party vendors and/or contractors. This is all part of an effort to bypass sanctions to raise funds for Pyongyang&rsquo;s regime and weapons programs. The US Department of Justice recently <a href="https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote">announced several actions</a> to combat this scheme.&nbsp;
Nate brought some fantastic perspective on Iran, especially in the context of the recent Israel-Iran conflict. A big takeaway from our conversation is that cyber operations are no longer just a side tactic&mdash;they&rsquo;re central to modern conflict. And the private sector is squarely caught in the crosshairs.&nbsp;
<h2 class="p3" style="color: rgba(0, 0, 0, 0.85); margin: 0px 0px 10.7px;">Cybercrime in Australia&nbsp;</h2>
The rise of cybercrime in APAC has been particularly pervasive in Australia, which has recently emerged as a popular target, especially when it comes to ransomware. For example, Australian airline Qantas was recently breached by Scattered Spider using social engineering tactics in early July 2025, exposing customer data belonging to up to 6 million customers. &nbsp;
The latest in a string of significant attacks targeting Australia-based entities, we explore a recent attack targeting a campaign targeting the country&rsquo;s Association of Superannuation Funds in depth. In March, a credential stuffing campaign targeted multiple large Australian superannuation funds, compromising over 20,000 member accounts. This type of attack takes advantage of individuals who reuse the same password across accounts. Additionally, the attack highlighted a vulnerability within some superannuation funds where MFA was either not offered or not automatically enabled on some accounts. The attackers aimed to commit fraud, attempting fund transfers, with mixed results. &nbsp;
For more on cyber threat environment facing the public and private sectors in Australia, we highly recommend reading the Australian Signals Directorate&rsquo;s Australian Cyber Security Center&rsquo;s (ACSC) latest <a href="https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024">Annual Cyber Threat Report</a>.&nbsp;The data includes trends and information on threat actor tactics and techniques as well as recommended actionable steps organizations and individuals can take to help mitigate these threats. Our LastPass Labs blog article summarizes the <a href="https://blog.lastpass.com/posts/acsc-2024-report-implications">key takeaways</a>.&nbsp;
<h2 class="p3" style="color: rgba(0, 0, 0, 0.85); margin: 0px 0px 10.7px;">Critical basics to get correct&nbsp;</h2>
Nate also shared four things every organization should be doing right now:&nbsp;
<ol>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Patch and update systems immediately.&nbsp;&nbsp;</li>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Use strong, unique passwords.&nbsp;&nbsp;</li>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Implement multi-factor authentication (MFA).&nbsp;&nbsp;</li>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Train employees on AI-driven phishing and social engineering.&nbsp;</li>
</ol>
As Nate said, &ldquo;The threat is only going to increase&mdash;and AI will make it worse. Awareness and training are key.&rdquo; Getting the basics right will lower your risk exposure, putting you and your organization in a better position to focus on the important stuff knowing you&rsquo;re several steps ahead of the bad guys. &nbsp;
Interested in reading more about improving your cybersecurity posture? We recently shared guidance on&nbsp;<a href="https://blog.lastpass.com/posts/elevate-password-hygiene">password hygiene</a> and how to stay compliant with <a href="https://blog.lastpass.com/posts/stay-compliant-with-new-password-regulations">password regulations</a>. As the recent Entra account takeover campaign demonstrated, <a href="https://blog.lastpass.com/posts/entra-account-takeover-campaign">password hygiene is still the first step</a> to keep your accounts secure. We also explore various <a href="https://blog.lastpass.com/posts/sms-is-insecure">2-factor authentication (2FA) methods</a> and weigh the pros and cons of each.&nbsp;
<h2 class="p3" style="color: rgba(0, 0, 0, 0.85); margin: 0px 0px 10.7px;">Listen to the full episode&nbsp;&nbsp;</h2>
If you&rsquo;ve made it this far, by now you&rsquo;ll have realized that no, we&rsquo;re not a podcast about the 90s jam band Phish&mdash;but we do go deep. If you haven&rsquo;t tuned in yet, we hope you&rsquo;ll give our inaugural episode a listen. We had a blast recording it, and we&rsquo;re just getting started. If you like what you&rsquo;ve heard so far, stay connected with us.&nbsp;&nbsp;
<ul>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Listen to Episode 1 of The Phish Bowl wherever you get your podcasts: &nbsp;<a href="https://www.youtube.com/@LastPass/podcasts"></a></li>
</ul>
<a href="https://www.youtube.com/@LastPass/podcasts">		YouTube</a>
<a href="https://open.spotify.com/show/1TQiFDk9acmkfp1sTFN1yX">		Spotify</a>
<a href="https://podcasts.apple.com/podcast/id1828511920">		Apple</a>
<ul>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Subscribe for monthly threat intel deep dives.&nbsp;</li>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Access LastPass' <a href="https://info.lastpass.com/threat-reports">Regional Report</a> for detailed analysis of recent APAC trends and activity.&nbsp;</li>
 <li class="li6" style="color: rgba(0, 0, 0, 0.85); margin: 0px;">Check out the <a href="https://blog.lastpass.com/categories/lastpass-labs">LastPass Labs blog</a> for more insights.&nbsp;</li>
</ul>
Thanks to all our inaugural listeners for taking the plunge with us on the first episode of The Phish Bowl. We'll be back with more threat environment updates in next month&rsquo;s episode talking about North America, along with a corresponding regional report!

Cyber Threats in APAC

What We Covered in the First Episode of The Phish Bowl

Cyber Threats in APAC: What We Covered in the First Episode of The Phish Bowl

Attackers are using the TeamFiltration pentesting framework to conduct brute-force attacks against Microsoft Entra ID accounts in an ongoing campaign, according to Proofpoint. TeamFiltration is designed to simulate account takeover (ATO) attacks in Microsoft cloud environments, specifically targeting Entra ID (formerly Azure Active Directory). Entra ID is a core component of Microsoft&rsquo;s cloud identity and access management services and is widely used, especially among small and medium sized businesses. This campaign strategy combines trusted platforms, global infrastructure, and evasive techniques to maximize impact while minimizing detection. This campaign is an efficient way to breach cloud environments by essentially taking advantage of weak passwords. Passwords were the primary target and attack vector in this campaign which demonstrates that even in a cloud-first world, password hygiene is still a frontline defense.
Campaign details
TeamFiltration has historically been a popularly exploited legitimate tool since it was released in 2021 because the tool provides both white and black hat hackers with a solid framework to take over Office 365 Entra ID accounts, data exfiltration, and persistent access. Proofpoint attributed the recent surge in login attempts to UNK_SneakyStrike. Starting in December 2024 and peaking in January 2025, this <a href="https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign">campaign</a> has targeted over 80,000 user accounts across approximately 100 cloud tenants or organizations and have resulted in multiple successful account takeovers. How passwords factored into the attack: 
<ol>
 <li>Enumeration first: The attackers used the Microsoft Teams API to identify valid usernames within organizations and ensure they weren&rsquo;t wasting time on nonexistent accounts. </li>
 <li>Password spraying: Once UNK_SneakyStrike had a list of valid usernames, they launched waves of login attempts using common passwords like &ldquo;Password123.&rdquo; These attempts were spread across Amazon Web Services (AWS) servers in different regions to avoid detection. </li>
 <li>Account takeover: If a password matched, the attacker gained access to the account. From there, they could exfiltrate data, move laterally, or maintain persistence using tools like OneDrive backdoors. </li>
</ol>

&nbsp;<img src="https://www.lastpass.com/-/media/7cdd7236d94142ca9e3f1e8877726332.png" >
UNK_SneakyStrike velocity by volume of unauthorized access attempts using TeamFiltration over time (July 2024 &ndash; March 2025). (Source: Proofpoint)
&nbsp;
Notable campaign takeaways: 
<ol>
 <li>The attackers used a low sophistication technique called password spraying, which relies on trying to find common or previously breached passwords across many users accounts rather than brute-forcing a single account to gain initial access. The success of this attack hinged on users reusing weak passwords and organizations not enforcing strong authentication policies. </li>
 <li>The campaign follows a trend where threat actors weaponize legitimate tools and platforms like TeamFiltration and Microsoft Teams API instead of using less effective, traditional intrusion methods. This makes detecting malicious vs. legitimate traffic much more difficult. In this campaign, researchers were able to weed out real-world malicious activity from legitimate penetration tests. They determined UNK_SneakyStrike demonstrated broader, indiscriminate targeting patterns, whereas legitimate red team penetration testing occurred over a smaller window. And since Microsoft Teams is a widely used collaboration tool, its API is often trusted and is less likely to trigger security alerts. This makes Teams an attractive tool for threat actors trying to blend in with legitimate traffic. </li>
 <li>Attackers also relied on AWS infrastructure, which is required by the TeamFiltration tool for intrusion simulations because its password spraying function supports rotation across different AWS regions. Using AWS servers in multiple regions helps attackers bypass geo-based security controls and distribute attacks to avoid detection. As entities have migrated to the cloud, threat actors have followed suit. </li>
</ol>
Defensive recommendations 
Defending against attacks that exploit the Microsoft Teams API and AWS infrastructure for user enumeration and password spraying requires a layered, cloud-aware security strategy. Some key defenses include: 
<ol>
 <li>Conditional access policies: Implement conditional access controls in Microsoft Entra ID. For example, block or challenge logins from unfamiliar geographic locations and require MFA for suspicious sign-ins or new devices.</li>
 <li>Rate limiting and geo-fencing: Apply rate limits to authentication attempts via APIs, restrict access to Teams APIs from known or expected IP ranges, and use geo-fencing to block or alert on traffic from regions where your users don&rsquo;t operate. </li>
 <li>Monitoring and detection: Enable audit logging and monitor for unusual patterns like repeated failed logins from multiple IDs, or high-volume API calls from cloud providers like AWS. Use SIEM tools to correlate events across services and detect distributed attacks. </li>
 <li>Hardened authentication: Enforce MFA for all users and especially administrators. This adds an extra layer of defense. Even if an attacker got access to a password, MFA is an added blockade to stop them from simply logging in and gaining account access. When you can, use passwordless authentication methods like FIDO2 keys or authenticator apps. </li>
 <li>Use a password manager. A password manager can&rsquo;t stop attackers from launching password spraying campaigns, but it can help make you a terrible target. The bad guys are going to do what they&rsquo;re going to do, or at least try, and they&rsquo;re more likely to go after low-hanging fruit. Password managers like LastPass can help protect against password spraying by promoting strong, unique passwords and generating passwords to avoid weak or recycled passwords, which attackers exploit in spraying. They can also integrate with MFA, adding an extra layer of protection. Additionally, LastPass&rsquo; dark web monitoring proactively checks customers' email addresses for breached credentials, so folks could be alerted before malicious activity is attempted.</li>
 <li>User awareness and hygiene: People are the double-edged sword in cybersecurity &ndash; they&rsquo;re often the weakest link but also the first line of defense. Educate users about phishing and credential stuffing so they can be on the lookout for suspicious activity and be informed about why good cyber hygiene, like using unique passwords, matters. </li>
</ol>

Entra account takeover campaign shows why password hygiene is still king

Attackers are using the TeamFiltration pentesting framework to conduct brute-force attacks against Microsoft Entra ID accounts in an ongoing campaign. Passwords were the primary target and attack vector in this campaign which demonstrates that even in a cloud-first world, password hygiene is still a frontline defense.

Entra Account Takeover Campaign Shows Why Password Hygiene is Still King

16 billion login credentials. That should be a number that makes you sit up and pay attention, right? But before you start panicking, it&rsquo;s important to understand what&rsquo;s included in this massive data leak recently reported by <a href="https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/">Cybernews</a>, how you might be impacted, and actions you should take to protect yourself. 
Last week, reports emerged of a massive new collection of over 16 billion stolen and/or leaked credentials that were exposed to the open internet.&nbsp;While the reporting is drawing a lot of clicks, it&rsquo;s important to put it in perspective: this isn&rsquo;t a new data breach. It reflects credentials either stolen by infostealers, a threat which has been well-documented and warned about for years now, or existing credential compilations sourced from data breaches or other sources.&nbsp;&nbsp;
<div class="pretty-tone-box">


FAQ &ndash; Get up to speed quickly:
Q: Is this a new data breach?
A: No. It&rsquo;s a compilation of old and new leaks, mostly from infostealer malware.
Q: What are infostealers?
A: Malware that collects credentials, tokens, and system data from infected devices.
Q: How can I check if I&rsquo;ve been affected?&nbsp;
A: Use tools like HaveIBeenPwned or your password manager&rsquo;s breach monitoring.
Q: What&rsquo;s the best protection against these types of data breaches?
A: Use unique passwords, enable MFA, and switch to passkeys where possible.
</div>
What data is included in the breach?
Since the beginning of the year, Cybernews&rsquo; researchers have discovered 30 exposed datasets containing tens of millions to over 3.5 billion records each. Some of the impacted companies include Apple, Facebook, Google, GitHub, Telegram, and some government platforms. It&rsquo;s unclear how many unique accounts were exposed since the leak comes from multiple datasets, but there are certain to be duplicates and also likely manipulated entries, which is similar to the <a href="https://www.infostealers.com/article/alien-txtbase-data-leak-a-deep-analysis-of-the-breach/">ALIEN TXTBASE leak</a> where credentials were tweaked for brute-forcing purposes. The data set isn&rsquo;t all new data and comes from a mix of infostealer malware, credential stuffing, and repackaged old leaks. The inclusion of old creds and database leaks reduces the overall impact of this leak if organizations and individuals already addressed these exposures through password resets, making these creds null and void. 
Infostealers are the real threat
While some of the attention around this breach is overhyped, it highlights the persistent threat from infostealers to individuals and organizations alike. This poses an elevated threat to organizations without MFA or good password hygiene practices. This data leak includes old and recent infostealer logs, often with tokens, cookies, and metadata. Stealers commonly grab more information than just credentials&mdash;they also go after other data that can be monetized on the dark web or used to conduct follow-up attacks. For instance, infostealers often check the specific OS version and security systems on an infected machine. This allows attackers to determine the best way to operate and find sensitive information. Stealers have also increasingly targeted session tokens to be used in pass-the-cookie attacks, which we expect to see more of as passkey adoption gets picked up. 
Stolen information from stealers can serve as initial access for other more damaging attacks like ransomware. Huntress&rsquo;s 2025 Cyber Threat Report found that <a href="https://www.infostealers.com/article/private-stealing-the-future-infostealers-power-cybercrime-in-2025/">infostealers drove nearly a quarter</a> (24%) of all cyber incidents in 2024.&nbsp;Their analysis showed a <a href="https://www.infostealers.com/article/private-stealing-the-future-infostealers-power-cybercrime-in-2025/">104% year-over-year increase</a> in infostealer detections, with small and medium-sized businesses (SMBs) hit hardest due to limited resources. Recent incidents, like the Nobitex crypto exchange breach where Redline stealer compromised two employees&rsquo; credentials and led to an <a href="https://www.infostealers.com/article/nobitex-breach-infostealers-expose-critical-employee-credentials-in-latest-crypto-exchange-hack/">$81.7 million loss</a>, underscore their impact. 
While law enforcement action has disrupted some activity&mdash;like the recent <a href="https://blog.lastpass.com/posts/dark-side-of-the-lumma">Lumma takedown operation</a>&mdash;this threat is not going anywhere anytime soon. Stealers will continue to adapt to defensive security measures to remain effective.
What to do if your information is included in this dataset? 
Anyone with an account at the reported impacted sites or reuses passwords associated with them should take immediate action. The reporting highlights the importance of taking the proper precautions to protect yourself against this and any other similar breaches, including:&nbsp;
<ul>
 <li>Using complex and unique passwords for every account (to make your password harder to guess and to limit potential exposure in the event your password to that account is stolen or leaked) and managing these passwords in a password manager.</li>
 <li>Monitoring for exposed credentials on the dark web and taking prompt action to change your password when you have been notified you are at risk.</li>
 <li>Using multi-factor authentication (MFA) for EVERY account where it is available. Ideally, use FIDO2-compliant MFA options such as biometrics, PINs, mobile devices, or security keys. </li>
 <li>As more organizations are offering passkeys for authentication, make the switch as soon as you are able. LastPass offers passkey storage, and passkeys are phishing resistant and easy to use.&nbsp;&nbsp;</li>
</ul>
What are the broader implications? 
Data breaches have been on the rise for years, and this trend is expected to continue. Massive leaks can fuel a wide range of malicious activity, as the exposed information provides opportunities for attackers to launch attacks from phishing scams and account takeovers to ransomware attacks and business email compromise. The leaked data, particularly credentials, can be used for credential stuffing attacks where attackers try combinations of stolen usernames and passwords on different online platforms. This takes advantage of the fact that many users reuse passwords. Stolen credentials could lead directly to account takeovers, providing hackers access to sensitive data and systems. Accounts without an additional layer of security like MFA or passkeys are especially at risk. Threat actors can also use leaked personal data to craft more convincing phishing and social engineering attacks, which could make it easier to trick users to provide sensitive details or downloading malware. 
With this bulk dataset widely available in a centralized location and the increasing adoption of automation and LLM tools, this could enable threat actors to launch automated attacks more easily, particularly through credential stuffing and session hijacking. The sheer volume of leaked data makes manual exploitation impractical, but attackers can rapidly increase the scale and speed of attacks with automated scripts and tools. The use of LLMs to incorporate information from the leak and enhanced with open-source searches of targeted individuals increases the threat of highly targeted and convincing social engineering attacks.

The Real Threat Behind the 16 Billion Credential Leak: Infostealers, Not Just Passwords

Reports recently emerged of a massive new collection of over 16 billion stolen and/or leaked credentials that were exposed to the open internet. While the reporting is drawing a lot of clicks, it’s important to put it in perspective: this isn’t a new data breach. It reflects credentials either stolen by infostealers, a threat which has been well-documented and warned about for years now, or existing credential compilations sourced from data breaches or other sources. 

One chapter in the saga of infostealer malware has ended&mdash;at least for now&mdash;after a global law enforcement takedown of Lumma Stealer in mid-May. US, European, and Japanese authorities, with the help of tech companies including Microsoft and Cloudflare, took down, suspended, and blocked approximately 2,300 malicious domains that made up part of the infostealer&rsquo;s backbone. The FBI also seized domains that served as login panels allowing other criminals to access and use the infostealer. Although, this seizure is intended to effectively prevent criminals from being able to access Lumma to compromise computers and steal data, the overall stealer threat will remain prevalent for the foreseeable future. 
(Interested in learning more about the infostealer threat outlook? Read the LastPass TIME team&rsquo;s threat predictions and analysis on <a href="https://blog.lastpass.com/posts/2025-cybersecurity-trends">what direction infostealers and other threats are heading</a>.) 
<h2>What is Lumma?</h2>
 
Lumma Stealer, also known as LummaC2, dominated the expanding stealer market with significant campaigns since it emerged as early as late 2022. Since its initial release, Lumma&rsquo;s developers have released multiple upgraded versions of the software. Before the malware-as-a-service (MaaS) platform was dismantled, the FBI linked Lumma to around <a href="https://www.malwarebytes.com/blog/news/2025/05/lumma-information-stealer-infrastructure-disrupted">10 million infections</a> globally. Lumma&rsquo;s follow-on attacks involving stealing credentials, cryptocurrency data, and credit card information have resulted in an estimated <a href="https://cyberscoop.com/lumma-infostealer-widespread-victims/">$36.5 million USD</a> in credit card theft in 2023. The malware hit individuals and a wide range of industries, including Fortune 500 companies, airlines, universities, banks, and hospitals. 
What makes this stealer particularly effective is that it continues to evolve to bypass security layers even as defenders are responding to the threat. On top of grabbing browser-stored passwords and cookies, it&rsquo;s also capable of extracting autofill data, email credentials, File Transfer Protocol (FTP) data, and two-factor authentication tokens and backup codes. Using its MaaS platform, its creators sold access to the malware on multiple underground markets and platforms like Telegram. 
<h2>What comes next?</h2>
 
This takedown is a major win for law enforcement and will help disrupt the initial access broker ecosystem in the near term. However, this is an ecosystem that has demonstrated its resilience again and again. The number of existing infostealer families, the open access to numerous source codes of previous infostealers, and the constant demand create a lucrative environment with very low barriers to entry. Given the resiliency of this market, other infostealer will likely quickly step in and fill in the gaps left after the Lumma takedown. 
A similar pattern previously played out with other similar takedowns. On October 28, 2024, Operation Magnus disrupted the RedLine and META infostealers. RedLine was a significant stealer last year up until the takedown, after which Lumma grew in popularity and took over a portion of the market share previously held by RedLine. Redline infected 9.9 million hosts, or 43% of all infostealer infections observed by Flashpoint in 2024. The next four most-prolific infostealers in 2024, including RisePro, SteaC, Lumma Stealer, and Meta Stealer, infected a <a href="https://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/">combined 7 million hosts</a>. 
We expect to see something similar following the Lumma Stealer takedown operation. The disruption effect following takedown is real, but there are still some new infections and logs for sale that were likely stolen before the infrastructure was taken down. Additionally, just because Lumma&rsquo;s infrastructure was dismantled, a lot of the data it stole likely continues to live on the dark web&mdash;thanks to the cybercriminal ecosystem that resells this information. Additionally, <a href="https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/">CheckPoint</a> reported Lumma&rsquo;s developers are already trying to rebuild and restart their operations, which may or may not be successful.&nbsp;As SpyCloud&rsquo;s <a href="https://www.linkedin.com/posts/thilligoss_lummatakedown-lummareallynowork-stealc-activity-7332888157480198146-u94p">Trevor Hilligoss shared</a>, daily new Lumma infections have trended downward following the takedown but not as much as expected. Continued monitoring will be necessary to determine the takedown&rsquo;s impact. 
Long-standing groups such as Vidar and Stealc are good examples of this, but other newer families, such as Acreed, will also be well positioned to increase their market share. <a href="https://www.bleepingcomputer.com/news/security/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/">ReliaQuests</a> already reported Acreed is rapidly gaining traction following the Lumma takedown. <a href="https://webz.io/dwp/acreed-infostealer-everything-we-know-so-far/">Over 4,000 logs</a> stolen by Acreed were reportedly uploaded to the Russian Market within its first week of operations.&nbsp;Nexus has also gained some traction over the last week in Lumma&rsquo;s absence. Further, former affiliates and/or administrators associated with Lumma itself may split off to create their own offerings.

<img src="https://www.lastpass.com/-/media/ffef2d4ef9d544babc2169a6d0274059.jpg?h=310&amp;w=624" >&nbsp;
Daily new LummaC2 infections (Source: Trevor Hilligoss)
<h2>How to protect yourself against infostealers</h2>
The threat from infostealers will remain very real for the foreseeable future and continue to adapt. Oftentimes, stealers are used in indiscriminate campaigns. Additionally, the sheer volume of data that has been dumped on the internet is immense. That means anyone is fair game and should take action to protect themselves following that assumption that they could be targeted. 
<ul>
 <li>Use strong, unique passwords for every account. This will prevent credential stuffing attacks, which is a common tactic where threat actors insert stolen usernames and passwords. That way, if one password is exposed, it won&rsquo;t give access to all your other accounts where you reuse the same password. Also, consider using a password manager to securely and conveniently store them.</li>
 <li>Enable MFA on your accounts. While this measure isn&rsquo;t failproof on its own, it adds an additional layer of defense and makes you a harder target.</li>
 <li>Be on guard for phishing attempts. Infostealers often spread through phishing emails and malicious downloads. </li>
 <li>Check HaveIBeenPwned to monitor potential exposure if you&rsquo;re worried you may have been infected by an infostealer. </li>
</ul>

What the Lumma stealer takedown means for the infostealer market and your personal data

Lumma Stealer, also known as LummaC2, dominated the expanding stealer market with significant campaigns since it emerged as early as late 2022

Dark Side of the Lumma: What the Lumma stealer takedown means for the infostealer market and your personal data

As we approach the midpoint of the year, the cybersecurity landscape continues to evolve at a rapid pace. Emerging threats, fueled by advancements in AI, increased geopolitical tensions, and the growing complexity of digital infrastructure, have already shaped the first half of the year. From sophisticated ransomware campaigns to supply chain attacks and the rise of deepfake-enabled social engineering, the cyber threat landscape is becoming more complex and fast paced, posing new challenges to defend against these threats. Identity-based attacks have also become a huge focus, playing a central role in a lot of recent cyber activities. This unprecedented threat environment makes having a security-first focused mindset more critical than ever.
Here at LastPass, one of our key priorities is to stay ahead of evolving threats and tactics used by malicious actors to keep our customers and organization secure. We wanted to share some insights from our look back at the year so far and our predictions for the rest of the year ahead and beyond.
<h2 style="color: #000000; margin: 0in 0in 8pt;">The use of AI and adjacent technologies will continue to evolve, with LLMs and deepfakes combining in order to power fraud and ATO attacks.</h2>
While AI generated a lot of buzz last year alongside fears it would revolutionize cybersecurity as we know it, this technology has instead played more of an evolutionary role to date. Much of its use by threat actors has focused on enabling operations to be more effective, rather than developing novel capabilities.
Regarding nation-state threats, Russia, China, North Korea and Iran-backed hackers are reportedly <a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/" style="color: #467886;">leveraging generative AI to support campaigns</a> rather than using these tools to develop novel attack or abuse techniques. Google reported government-backed actors attempted to misuse Gemini for various malicious activities including researching vulnerabilities, developing malware (including ransomware and DDoS tools), crafting phishing campaigns, and conducting reconnaissance on target organizations.&nbsp;
Commenting on cybercrime threats, Alex Cox, LastPass' director of information security, pointed out to <a href="https://www.zdnet.com/article/how-ai-will-transform-cybersecurity-in-2025-and-supercharge-cybercrime/" style="color: #467886;">ZDNet</a> that, "the cybercrime adversary community is opportunistic and entrepreneurial, and they have been quick to adopt and deploy new technologies.&rdquo; The widespread availability of AI tools will lower the bar to enable less sophisticated actors&rsquo; attacks and others to increase their effectiveness. This technology boon has already allowed hackers to operate at scale with fewer resources, realizing productivity gains over novel techniques. Criminals exploit generative AI to commit fraud on a larger scale which increases the believability of their schemes. &nbsp;In December, the <a href="https://www.ic3.gov/PSA/2024/PSA241203" style="color: #467886;">FBI warned</a> that generative AI reduces the time and effort criminals must expend to deceive their targets.
We expect to see cyberattacks integrating AI with large language models (LLMs) and deepfakes, which will increase their potential severity, scale, and impact. I recently told <a href="https://www.techopedia.com/top-cybersecurity-threats-how-to-protect-your-data" style="color: #467886;">Techopedia</a> that &ldquo;AI, including [LLMs] and deepfake technologies, will become central in enabling more convincing social engineering, fraudulent schemes, and account takeover attacks, intensifying the need for advanced identity verification and fraud detection.&rdquo; Previously, cybercriminals have used AI-generated deepfake audio and video to trick employees into transferring funds or providing sensitive information. For instance, phishers targeted digital creators with a <a href="https://www.darkreading.com/remote-workforce/deepfake-videos-youtube-phish-creators" style="color: #467886;">deepfake video of YouTube CEO Neal Mohan</a> to try to install malware and steal credentials. We could plausibly see a scenario over the next several months that goes a step further, combining these elements together to conduct a more sophisticated attack. Take voice verification for instance, which is commonly used in the financial sector to verify customer identities. A threat actor could theoretically take voice samples of an individual&mdash;which are easily accessible thanks to social media&mdash;to create a deepfake, then phone into a call center and use an audio deepfake to operate in real time, powered by an LLM trained on stolen credentials and biographical/personal information to respond to challenge questions based on that stolen data in real time. Lag times in responses is still the biggest challenge to conduct these attacks, but that&rsquo;s getting shorter and shorter.
<h2 style="color: #000000; margin: 0in 0in 8pt;">Infostealers are continuing to rise in prominence and constantly evolving to counteract defenses.</h2>
In large part fueled by infostealers, leaked credentials are increasingly prevalent and represent entry points for attackers, enabling them to exfiltrate data, move laterally to sensitive systems, and much more. Over the last few years, infostealers have grown significantly with a <a href="https://www.infosecurity-magazine.com/news/browser-cyberthreats-surge-email/" style="color: #467886;">31% year-on-year increase</a> in infostealer incidents last year. Threat actors are particularly focused on infostealers because the stolen data can enable a wide range of other malicious activities. Take credentials, for instance. Credentials, particularly usernames and passwords, are among the most sought-after assets because they serve as the gateway to a person&rsquo;s or organization&rsquo;s sensitive data. Valid credential abuse has seen a <a href="https://www.infosecurity-magazine.com/news/browser-cyberthreats-surge-email/" style="color: #467886;">significant uptick</a>, with compromised credentials becoming the most common initial access vector last year ahead of phishing. To illustrate the scope of how prevalent and dangerous infostealers have become, 2.1 billion (75%) out of the 3.2 billion credentials stolen in 2024 <a href="https://www.forbes.com/sites/daveywinder/2025/03/18/password-warning-as-21-billion-credentials-hit-by-infostealer-attacks/" style="color: #467886;">were compromised by infostealer attacks</a>. Attackers leveraging AI, automation, and developing sophisticated tools will likely further scale these attacks.
Infostealers have been a key factor in some of the largest breaches recently. For instance, the attack targeting multi-cloud data warehousing platform Snowflake in May 2024 using exposed Snowflake credentials led to the exposure of data and impacted roughly 165 companies (though the <a href="https://cyberscoop.com/snowflake-hacker-judische-labscon-2024/" style="color: #467886;">number of companies extorted is far fewer</a>). Affected companies are continuing to come out several months after the initial attack. Starting in March this year, Hellcat ransomware gang breached multiple organizations using Jira credentials stolen from infostealer logs, leaking sensitive data. These incidents show that the risk of unmonitored credentials has never been greater.
While phishing remains the primary delivery mechanism for infostealers often disguised as legitimate attachments, we&rsquo;re also seeing a general shift to more browser-based cyberthreats, including infostealer malware. Hellcat-affiliated hackers introduced a stealthier alternative to server-side stealers, which eliminates massive exfiltration locally. This tactic is likely to catch on with other hackers to incorporate that into their wheelhouse. Doing so enables hackers to bypass traditional email filters and security controls and deliver malware directly on browsers.
Infostealers are quick to counteract defenses and adapt to remain effective. According to Spycloud&rsquo;s <a href="https://spycloud.com/resource/2024-malware-ransomware-defense-report/?utm_medium=pr%5B%E2%80%A6%5Dre-report-press-release-2024&amp;mkto_most_recent_source=Marketing" style="color: #467886;">2024 Malware and Ransomware Defense Report</a>, at least 54% of devices infected with infostealer malware had an antivirus or endpoint detection and response (EDR) solution installed&nbsp;at the time of infection. Many are frequently updated with new obfuscation capabilities to evade detection, and some hackers incorporate social engineering tactics to get around traditional security measures. Notably, the use of infostealers like AgentTesla, FormBook, and Strela Stealer has not only increased in frequency but also in the sophistication of the delivery methods. We expect this trend will continue as hackers hone their tactics to become more efficient and effective.
<h2 style="color: #000000; margin: 0in 0in 8pt;">Compromised identities in hybrid on-premises (on-prem) and cloud environments will pose significant threats.</h2>
Identity-based attacks are among the most effective ways hackers can gain initial access. Hybrid environments combine on-prem and cloud resources, creating a larger attack surface. In hybrid environments, a compromised identity on either the on-prem or cloud side can lead to significant security risks. Attackers can leverage compromised credentials to escalate their privileges, perform lateral movement, and potentially compromise the entire infrastructure. As companies continue to shift to hybrid IT environments, threat actors will follow the trend and take advantage of their security shortcomings.
Credential mismanagement was the top initial access vector for cloud environment attacks during the first half of 2024, a <a href="https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025/" style="color: #467886;">Google Cloud report</a> found. Compromising valid accounts has become the most common method for initial access to cloud environments, accounting for 35% of cloud incidents in the first half of 2024. A key access vector involves the use of infostealers. In 2024, threat actors updated Stealc and Vidar malware to <a href="IABs%20offload%20the%20difficult%20work%20of%20finding%20targets%20and%20gaining%20access," style="color: #467886;">specifically target</a> cloud account credentials. Accidental credential leakage remains another common method to gain unauthorized access to cloud environments. One scenario involves finding leaked cloud authentication tokens from publicly exposed code repositories like GitHub when hardcoded credentials are included in application code, then using automated tools to scan and get unauthorized access to cloud systems.
Two of the most prolific cybercriminal groups, BlackBasta and Scattered Spider, have targeted hybrid environments. Leaked internal chats from the BlackBasta ransomware group in February <a href="https://www.invictus-ir.com/news/cloud-heavy-hybrid-ready-lessons-from-blackbasta-and-scattered-spider" style="color: #467886;">revealed</a> the group operates as a Ransomware-as-a-Service (RaaS) with general, repeatable techniques for primarily targeting hybrid environments. Black Basta exploits hybrid access vectors and pivots laterally between cloud and on-prem using compromised credentials. Scattered Spider, on the other hand, primarily targets cloud environments but has also demonstrated an ability to pivot into hybrid infrastructure.
<h2 style="color: #000000; margin: 0in 0in 8pt;">Ransomware will continue the shift to prioritization of data exfiltration over data encryption.</h2>
Ransomware and extortionware aren&rsquo;t going anywhere anytime soon and will remain one of the most disruptive forms of cybercrime. New research found ransomware now plays a role in nearly <a href="https://therecord.media/ransomware-in-half-of-all-data-breaches-verizon" style="color: #467886;">half (44%) of all breaches</a>. Ransomware attacks continued to escalate so far this year, with a <a href="https://blog.checkpoint.com/research/q1-2025-global-cyber-attack-report-from-check-point-software-an-almost-50-surge-in-cyber-threats-worldwide-with-a-rise-of-126-in-ransomware-attacks/" style="color: #467886;">126% increase</a> in Q1 2025 compared to Q1 2024, totaling 2,289 reported incidents. North America accounted for most ransomware attacks (62%), followed by Europe (21%). This activity has been partially driven by infostealers, which steal data like session cookies and credentials, which hackers use to then launch attacks. Hackers also focus on theft of credentials and information that would be useful for performing further reconnaissance on compromised networks in many of these attacks. To stay protected, organizations need to focus on securing identities. That means knowing what information has already been stolen, quickly changing any compromised passwords, and ending any active sessions that may have been hijacked.
Additionally, the continued shift from data encryption to data exfiltration&mdash;allowing threat actors to smash and grab data, then hold it for ransom or sell it to other criminals without having to deploy malware to encrypt systems&mdash;remains highly effective. This has allowed hackers to increase the speed of attacks once they get their foot in the door. Attacks have become less about locking out access and more about paying to protect data from being publicly released.
Exploited vulnerabilities remained the most common root cause of ransomware attacks. According to <a href="https://www.scworld.com/resource/unpatched-vulnerabilities-the-powder-keg-fueling-ransomware-attacks" style="color: #467886;">Sophos</a>, nearly one-third of ransomware attacks start with unpatched vulnerabilities. Ransomware attacks caused by unpatched vulnerabilities also had <a href="https://www.msspalert.com/native/cyber-threat-trends-in-2024-the-landscape-according-to-top-industry-reports" style="color: #467886;">more severe consequences</a>, including higher ransom demands and longer recovery times. Additionally, social engineering, third-party access, and stolen cookies that enabled session hijacking ranked as some of the most common entry points for ransomware attacks.
The RansomHub attack on American Standard, a major manufacturer, shows that ransomware-as-a-service (RaaS) continues to be a trend in 2025 and makes it easy for cybercriminals to launch attacks. We may start to see more of a shift away from RaaS, which requires cybercriminals trust another criminal, to more AI-focused services to conduct target research, pull off more convincing social engineering, bypass security measures, write/modify code, and more. AI-powered ransomware using machine learning algorithms to automate and improve each stage of these attacks will pose a graver threat to organizations and individuals.&nbsp;
Ransomware and extortionware will remain pervasive threats throughout 2025 and beyond.
<h2 style="color: #000000; margin: 0in 0in 8pt;">Continued growth and privatization of zero-day market and increased speed of exploitation.</h2>
Adversaries are exploiting vulnerabilities to gain initial access to systems, trying to get in as quietly and efficiently as possible, while initial access brokers and automation makes hackers more efficient at doing so. Last year saw a 34% increase in attackers <a href="https://www.verizon.com/business/resources/reports/dbir/" style="color: #467886;">exploiting vulnerabilities</a> to gain initial access and cause security breaches. This trend is largely attributed to the widespread impact of zero-day vulnerabilities like the file transfer service MOVEit. Even though the MoveIT vulnerability was discovered in mid-2023, the fallout continued to play out last year when in November, <a href="https://www.infostealers.com/article/massive-moveit-vulnerability-breach-hacker-leaks-employee-data-from-amazon-mcdonalds-hsbc-hp-and-potentially-1000-other-companies/" style="color: #467886;">Nam3L3ss leaked 25 datasets</a> of companies, including Amazon, HSBC, Fidelity, US bank, McDonalds, and more. Notably, other file transfer services continue to be exploited for mass exfiltration, like Cleo and CrushFTP. According to <a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/" style="color: #467886;">Mandiant</a>, the most frequently exploited vulnerabilities affected security devices, which are typically located at the edge of the network. Palo Alto&rsquo;s PAN-OS GlobalProtect (CVE-2024-3400), Ivanti&rsquo;s Connect Secure VPN (CVE-2023-46805) &amp; Policy Secure (CVE-2024-21887), and Fortinet&rsquo;s FortiClient EMS (CVE-2023-48788) were the leading exploits for initial access. Three of the four were first exploited as zero-days. Threat actors will continue to search for high impact vulnerabilities that could have widespread impacts.&nbsp;
Hackers are also quick to exploit zero-days once disclosed. Threat actors are targeting vulnerabilities quickly, as soon as they are publicly disclosed and oftentimes even before. In 2024, <a href="https://vulncheck.com/blog/2024-exploitation-trends" style="color: #467886;">23.6% of known exploited vulnerabilities</a> were exploited on or before the day their CVEs were publicly disclosed. According to Cloudflare, a newly disclosed vulnerability has come under attack <a href="https://www.scworld.com/news/vulnerabilities-exploited-faster-than-ever-says-cloudflare" style="color: #467886;">as fast as 22 minutes</a> after a proof of concept (POC) was disclosed. Scanning activity has largely contributed to this increase in attempts to automate exploits. Recently, the SAP NetWeaver zero-day (CVE-2025-31324) was widely exploited in April after a <a href="https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/" style="color: #467886;">suspected&nbsp;initial access broker</a> (IAB) likely deployed backdoors that were sold to ransomware groups.&nbsp;

2025 Cybersecurity Trends

We share cybersecurity insights and trends from the year so far and our predictions for the rest of the year ahead and beyond. 

2025 Cybersecurity Trends: Insights from the TIME Team

How to Elevate Your Password Hygiene: Tips and Tricks for Protecting Your Credentials

Credentials, particularly usernames and passwords, are among the most sought-after digital assets because they can serve as the gateway to a person’s or organization’s sensitive data. Good cybersecurity starts with practicing good password habits. 

ACSC 2024 Report Implications

Last November, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) published its Annual Cyber Threat Report for 2023-2024. The report summarizes the cyber threat environment facing the public and private sectors, as well as private households. The data includes trends and information on threat actor tactics and techniques as well as recommended actionable steps organizations and individuals can take to help mitigate these threats. The report provides a concise and easily understandable overview of the regional threat environment, and we in the LastPass Labs team highly recommend it, whether you and/or your organization is based in the region or not.

New federal guidelines seek to strengthen security at the root cause of several recent security incidents: identity and access management, and specifically passwords. The National Institute of Standards and Technology (NIST) updated its drafted <a href="https://pages.nist.gov/800-63-4/sp800-63b.html">password security guidelines</a> last year to make them more user-friendly while enhancing their effectiveness. A final version of the guidelines is expected later this year. The new guidelines discourage frequent password changes and overly complex requirements, which have been shown to lead to predictable and insecure user behavior. Things like reusing similar passwords with slight variations (changing &ldquo;Fido123&rdquo; to &ldquo;Fido123!&rdquo;), writing down passwords on Post-it notes next to computers that are visible to prying eyes, or storing them in clear text which infostealers can easily grab. 
Instead, NIST recommends accepting a wider range of characters, including emojis, and emphasize password length over complexity. For example, passwords should ideally be 15 characters or longer to maximize security. In addition, NIST strongly encourages the use of modern tools like password managers and passkeys, which leverage biometric data for authentication and help protect against phishing attacks. 
The guidelines also aim to eliminate outdated practices, such as periodic password changes and password hints, which research has shown to be counterproductive. Instead, organizations are encouraged to implement block lists to prevent the use of commonly compromised or weak passwords. Passkeys, a relatively new alternative, are also highlighted for their enhanced security. Passkeys are more secure and user-friendly than passwords because they never leave the user&rsquo;s device, reducing vulnerability to theft or phishing. With so many exposed credentials out there on the internet&mdash;like the 10 billion passwords leaked in the <a href="https://www.darkreading.com/cyberattacks-data-breaches/10b-passwords-pop-up-on-dark-web-rockyou2024-release">RockYou2024 compilation</a>&mdash;this identity access management solution reduces the risk from password breaches because they&rsquo;re unique and can&rsquo;t be reused. While adoption of passkeys is growing, these systems still require careful implementation to mitigate risks, such as securing devices against unauthorized access.
NIST&rsquo;s approach reflects decades of research showing that longer, randomly generated passwords are much harder to crack than short, complex ones. For users, tools like password managers&mdash;whether built into browsers or standalone&mdash;offer practical solutions for managing long, unique passwords across multiple accounts. That makes it much easier to access accounts across the 160 or so personal passwords the <a href="https://www.rd.com/article/old-online-accounts-security-risk/">average person</a> has, and that&rsquo;s not even including work-related passwords. 
Contractors and other organizations that do business with the federal government are required to follow NIST guidelines. Many firms also voluntarily comply with this widely recognized set of cybersecurity best practices that are applicable to businesses of all sizes. The easiest way for small and mid-sized businesses (SMBs) to align with these guidelines is to use a password manager like LastPass to set it and forget it for your password policies that would align with these new recommendations. That way, it's easy to be compliant.
As these updated standards are adopted, they are expected to significantly improve digital security practices in both the public and private sectors, though challenges like password reuse and device security remain ongoing concerns.

How to Stay Compliant with New Proposed Password Regulations

The National Institute of Standards and Technology (NIST) updated its drafted password security guidelines last year to make them more user-friendly while enhancing their effectiveness. A final version of the guidelines is expected later this year. This article discusses tips for companies to stay compliant with the new NIST guidelines.

It&rsquo;s International Data Privacy Week, so let&rsquo;s talk privacy! With increased focus on data privacy (there are now data protection and privacy laws in effect in 144 countries and eight additional US state privacy laws going into effect in this year), we wanted to highlight the intersectionality between data privacy and our normal focus area, cybersecurity. Data privacy is becoming a more important component in everyone&rsquo;s daily lives &ndash; according to a <a href="https://kpmg.com/us/en/articles/2023/bridging-the-trust-chasm.html">KPMG survey</a>, 86% of consumer respondents indicated that data privacy is a growing concern for them. Additionally, <a href="https://public.tableau.com/app/profile/ratnesh2928/viz/Stayingcyber-securewhileworkingfromhome/Stayingcyber-securewhileworkingfromhome">48% of consumers reportedly</a> stopped using a service over privacy concerns. It is evidence that consumers want to feel safe and know that their data is secure.
With the increasing digitization of everything that we do, regulators have been trying to catch up and set forth regulations to protect individuals&rsquo; privacy. These Data privacy regulations were primarily born of needs to provide individuals with more control over their personal data and, critically, establish requirements to protect that data. Frequently, companies can make improvements that achieve both privacy and security goals. 
We are going to highlight a few topics on which improvement contributes to both greater control over security and compliance with the privacy regulatory landscape.
<h3>1. Take control of your data.&nbsp;</h3>
As we mentioned in our <a href="https://blog.lastpass.com/posts/threat-from-shadow-it"></a><a href="https://blog.lastpass.com/posts/threat-from-shadow-it">Shadow IT</a> article, it is difficult to protect what you don't know is within your network. This concept is also relevant to help meet data privacy obligations. If you don't know what personal data you collect, use, and store, you won't be able to protect the personal data from an intentional or unintentional data breach or determine what obligations apply to that data. For example, organizations that use tracking pixels have suffered legal consequences and lost truth with consumers because they did not understand the breadth of personal data collected using tracking pixels--especially relating to the collection of sensitive health data. Since they failed to understand the data collected, these organizations did not put in place controls that were commiserate with the sensitivity of data that was collected (e.g., obtaining consumer's consent or limiting the sharing of that sensitive data).&nbsp;
Furthermore, understanding the personal data your organization collects is fundamental to maintain compliance with privacy obligations. In many jurisdictions, organizations are required to maintain a formal record of data collected and complete privacy assessments that weigh the personal data collected and use of that data with the privacy rights of an individual.&nbsp;
<h3>2. Share data responsibly, particularly when evaluating vendors and services.&nbsp;</h3>
By utilizing new software, applications, or services to process your data, you expand your attack surface and introduce new ways a threat actor can steal your data. Therefore, you should be confident the vendor is committed to protect your data before utilizing their software or services. From a security and privacy perspective, you should &ndash; at the very least &ndash; evaluate (1) the technical and organizational measures the vendor and their systems have in place to protect personal data and (2) the limitations and commitments they make in using your data.
With the prevalence and potential uses of AI tools and services, it has increasingly become more important to assess how those tools (and vendors) are using data and respecting consumers&rsquo; privacy. It is important to understand if personal data &ndash; especially sensitive personal data &ndash; will be used for training any AI system. There have been concerns that AI tools can be influenced through prompts by a bad actor to leak personal data, and before implementing an AI tool or service, you may want to better understand what controls are in place to prevent inadvertent data leakage. The answers to these questions would be illuminating to understand if the AI system and vendors are going to protect and respect the data that you share with them. 
<h3>3.&nbsp;Implement privacy and security by design.</h3>
Instead of reacting to privacy and security issues, organizations can adopt a more prospective approach to protecting personal data through a concept called &ldquo;privacy by design&rdquo;. A well-known concept in the privacy space, organizations can take the following approach into consideration when reviewing their security program as well:
<ul>
 <li>Take a proactive, preventative approach to anticipate privacy risks and address them;</li>
 <li>Implement privacy as a default setting within your services and processes &ndash; limit collection and storage unless a consumer opts-in to sharing more;</li>
 <li>Embed privacy as an essential aspect of technologies and business operations &ndash; start the design process considering data privacy;</li>
 <li>Ensure full functionality of services and processes &ndash; no need to make trade-offs to achieve privacy and security goals;</li>
 <li>Secure data when processed by your organization or its vendors through the entire lifecycle;</li>
 <li>Be transparent with clear and accurate information regarding data collection; and</li>
 <li>Respect the interests of the individual by keeping the services and processes consumer-centric.</li>
</ul>
<h3>4. Respect consumers.&nbsp;</h3>
Privacy is synonymous with trust, as it shows customers that you know the importance of appropriately handling and safeguarding their data and that you are committed to respecting their rights. Consumers expect a seamless, customized experience when using a service, purchasing a product, or interacting with a website. All-the-while businesses are collecting troves of data to provide their services and develop new and innovative products. Each business must harmonize their interest in developing and delivering their services with the rights and interests of the consumer. 
Challenge the decisions you make by asking if there is a way to achieve the goal without impacting to the consumer. Take stock in how you collect, use, and store personal data and be transparent to consumers about your practices. Evaluate if any of your practices would undermine the trust and loyalty of your consumers. Lastly, treat privacy and security as an enabler not a hinderance. Use it as a way to demonstrate to consumers that you value their business and as people.
&nbsp;

Empowering Privacy: How to Manage, Share, and Secure Your Data

For Privacy Awareness Week, we are highlighting the intersectionality between data privacy and cybersecurity. We'll cover a few areas that contribute to both greater control over security and compliance with the privacy regulatory landscape.

It has recently come to our attention that recent posts from our customers on the LastPass X social media account are eliciting a large influx of suspected bot replies. In one observed instance, several suspected bots replied in rapid succession to a user posting a comment on our X profile. Generally, the suspected bots claimed they received no response from the support center and directed the legitimate user to reach out to a third-party individual to resolve their issue. Typically, the purpose of this activity is to get customers to engage with specific, non-affiliated accounts, which puts customers at potential risk of potentially sharing sensitive information with a third-party. We are raising awareness of this inauthentic behavior to notify our customers who currently use X. 
If you need customer support, please go directly to our website, https://www.lastpass.com. As always, please take the appropriate precautions, and if you have any questions if a social media account, email, or phone number is legitimate, please submit it to abuse@lastpass.com.

&nbsp;<img src="https://www.lastpass.com/-/media/7dbbab93de8947b0b7ad11f1d1e6a36a.png" >
Example of bot messages replying to a user over X.

Bot activity targeting users engaging with LastPass on X platform

Recent posts from our customers on the LastPass X social media account are eliciting a large influx of suspected bot replies. Flagging for general awareness.

Blog

Blog

Recent

Industry News

Cybersecurity

LastPass For Admins

LastPass Labs

Product Updates

Tips And Tricks

Subscribe & Save 20% off select plans

McHack’d: How Weak AI Credentials Served Up a Data Breach

Lumma Persists and Acreed Rises Following Law Enforcement Actions

Cyber Threats in APAC: What We Covered in the First Episode of The Phish Bowl

Entra Account Takeover Campaign Shows Why Password Hygiene is Still King

The Real Threat Behind the 16 Billion Credential Leak: Infostealers, Not Just Passwords

Dark Side of the Lumma: What the Lumma stealer takedown means for the infostealer market and your personal data

2025 Cybersecurity Trends: Insights from the TIME Team

How to Elevate Your Password Hygiene: Tips and Tricks for Protecting Your Credentials

ACSC 2024 Report Implications

How to Stay Compliant with New Proposed Password Regulations

Empowering Privacy: How to Manage, Share, and Secure Your Data

Bot activity targeting users engaging with LastPass on X platform