Search results for No Tokens | Breaking Cybersecurity News | The Hacker News

Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks. Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like OAuth access tokens, API keys, and session tokens, work like keys to these applications. If a cybercriminal gets hold of one, they can access relevant systems without much trouble. Recent security breaches have shown that just one stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft. It’s a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring countless third-party integrations. Recent Breaches Involving Token Theft A lot of real-wo...

When Facebook last weekend disclosed a massive data breach—that compromised access tokens for more than 50 million accounts —many feared that the stolen tokens could have been used to access other third-party services, including Instagram and Tinder, through Facebook login. Good news is that Facebook found no evidence "so far" that proves such claims. In a blog post published Tuesday, Facebook security VP Guy Rosen revealed that investigators "found no evidence" of hackers accessing third-party apps with its "Login with Facebook" feature. "We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login," Rosen says. This does not mean that the stolen access tokens that had already been revoked by Facebook do not pose any threat to thousands of third-party services using Face...

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and Mandiant said in an updated advisory. The tech giant said the attackers also used stolen OAuth tokens to access email from a small number of Google Workspace email accounts on August 9, 2025, after compromising the OAuth tokens for the "Drift Email" integration. It's worth noting that this is not a compromise of Google Workspace or Alphabet itself. "The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer's Worksp...

2023 has seen its fair share of cyber attacks, however there’s one attack vector that proves to be more prominent than others - non-human access. With  11 high-profile attacks in 13 months  and an ever-growing ungoverned attack surface, non-human identities are the new perimeter, and 2023 is only the beginning.  Why non-human access is a cybercriminal’s paradise  People always look for the easiest way to get what they want, and this goes for cybercrime as well. Threat actors look for the path of least resistance, and it seems that in 2023 this path was non-user access credentials (API keys, tokens, service accounts and secrets).  “ 50% of the active access tokens connecting Salesforce and third-party apps are unused. In GitHub and GCP the numbers reach 33%.” These non-user access credentials are used to connect apps and resources to other cloud services. What makes them a true hacker’s dream is that they have no security measures like user credentials do (M...

From overprivileged admin roles to long-forgotten vendor tokens, these attackers are slipping through the cracks of trust and access. Here’s how five retail breaches unfolded, and what they reveal about... In recent months, major retailers like Adidas, The North Face, Dior, Victoria's Secret, Cartier, Marks & Spencer, and Co‑op have all been breached. These attacks weren’t sophisticated malware or zero-day exploits. They were identity-driven, exploiting overprivileged access and unmonitored service accounts, and used the human layer through tactics like social engineering. Attackers didn’t need to break in. They logged in. They moved through SaaS apps unnoticed, often using real credentials and legitimate sessions. And while most retailers didn’t share all the technical details, the patterns are clear and recurring.  Here’s a breakdown of the five recent high-profile breaches in retail: 1. Adidas: Exploiting third-party trust Adidas confirmed a data breach caused by an ...

Would you expect an end user to log on to a cybercriminal’s computer, open their browser, and type in their usernames and passwords? Hopefully not! But that’s essentially what happens if they fall victim to a Browser-in-the-Middle (BitM) attack. Like Man-in-the-Middle (MitM) attacks, BiTM sees criminals look to control the data flow between the victim’s computer and the target service , as University of Salento researchers Franco Tommasi, Christian Catalano, and Ivan Taurino have outlined in a paper for the International Journal of Information Security. However, there are several key differences. Man-in-the-Middle vs Browser-in-the-Middle A MiTM attack utilizes a proxy server that places itself between the victim’s browser and the legitimate target service at the application layer. It needs some kind of malware to be placed and run on the victim’s computer.  But a BiTM attack is different. Instead, the victim thinks they’re using their own browser – conducting their normal on...

And the hacks just keep on coming. Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users. Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find—what you were doing on this very day exactly a year ago. The company revealed on Sunday that unknown attacker(s) managed to break into its Cloud Computing Environment and access the data of entire 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts. "We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website. Social Media OAuth2 Tokens Also Compromised Moreover, the attackers also got th...

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.  The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a routine sign-in. They had actually handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with the lifespan of a tenant policy rather than a session. The operator never needed a password, never tripped an MFA prompt, and never produced a sign-in event that looked like an intrusion. The attack succeeded because the OAuth consent screen has become an instinctive click, and the controls built to stop credential phishing do not look at the consent layer. Security researchers call the resulting condition consent phishing or OAuth grant abuse. The phishin...

Again some bad news for cryptocurrency users. KICKICO, a blockchain-based initial coin offering (ICO) support platform, has fallen victim to a suspected cyber attack and lost more than 70 million KICK tokens (or KickCoins) worth an estimated $7.7 million. In a statement released on its Medium post on July 26, the company acknowledged the security breach, informing its customers that an unknown attacker managed to gain access to the account of the KICK smart contracts and the tokens of the KICKICO platform on last Thursday at around 9:04 (UTC). KICKICO admitted that the company had no clue about the security breach until and unless several of its customers fell victim and complained about losing KickCoin tokens worth $800,000 from their wallets overnight. However, after investigating, the company found that the total amount of stolen funds was 70,000,000 KickCoin, which, at the current exchange rate, is equivalent to $ 7.7 million. KICKICO reported that suspected attackers...

In December 2025, in response to the Sha1-Hulud incident, npm completed a major authentication overhaul intended to reduce supply-chain attacks. While the overhaul is a solid step forward, the changes don’t make npm projects immune from supply-chain attacks. npm is still susceptible to malware attacks – here’s what you need to know for a safer Node community. Let’s start with the original problem Historically, npm relied on classic tokens: long-lived, broadly scoped credentials that could persist indefinitely. If stolen, attackers could directly publish malicious versions to the author’s packages (no publicly verifiable source code needed). This made npm a prime vector for supply-chain attacks. Over time, numerous real-world incidents demonstrated this point. Shai-Hulud, Sha1-Hulud, and chalk/debug are examples of recent, notable attacks. npm’s solution To address this, npm made the following changes: npm revoked all classic tokens and defaulted to session-based tokens instead...

Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework. The affected packages include - laravel-lang/lang laravel-lang/http-statuses laravel-lang/attributes laravel-lang/actions "The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version," Socket said . "The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart." More than 700 versions associated with these packages have been identified, indicating automated mass tagging or republishing. It's suspected that the attacker may have managed to obtain access to organization-level credentials, repository automation, or release infrastructure. What makes the att...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn’t just about poor hygiene; it’s a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it’s essential. Below, we look at the ris...

The average cost of a data breach, according to the latest research by IBM, now stands at  USD 4.24 million , the highest reported. The leading cause? Compromised credentials, often caused by human error. Although these findings continue to show an upward trend in the wrong direction, the challenge itself is not new. What is new is the unprecedented and accelerated complexity of securing the workplace. CISOs/CIOs are dealing with legacy systems, cloud hosting, on-prem, remote workers, office based, traditional software, and SaaS. How businesses adapted was laudable, but now that employees spread across locations, offices and homes – with  more than half  threatening not to return to offices unless hybrid working is implemented – the challenge morphs into securing a nonuniform perimeter.  We know passwords aren’t sufficient. Knowledge-based access is usually fortified with other forms of multi-factor authentication (MFA), such as auth apps or FIDO tokens, and in hi...

Stealer malware no longer just steals passwords. In 2025, it steals live sessions—and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare’s latest research, The Account and Session Takeover Economy , analyzed over 20 million stealer logs and tracked attacker activity across Telegram channels and dark web marketplaces. The findings expose how cybercriminals weaponize infected employee endpoints to hijack enterprise sessions—often in less than 24 hours. Here’s the real timeline of a modern session hijacking attack. Infection and Data Theft in Under an Hour Once a victim runs a malicious payload—typically disguised as cracked software, fake updates, or phishing attachments—commodity stealers like Redline (44% of logs), Raccoon (25%), and LummaC2 (18%) take over. These malware kits: Extract browser cookies, saved credentials, session tokens, and crypto walle...

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password. OAuth grants don't expire when employees leave. They don't reset when passwords change. And in most organizations, nobody is watching them. The model made sense when a handful of IT-approved apps needed calendar access. It doesn't hold up when every employee is independently wiring AI tools, workflow automations, and productivity apps directly into their Google or Microsoft environment — each one receiving a persistent, scoped token with no automatic expiration and no centralized visibility. That's not a misconfiguration. It's how OAuth is designed to work. The gap is t...