Overview
- The Google Threat Intelligence Group confirmed that Russian cyber actors have leveraged stolen app passwords to bypass multi-factor authentication on legacy phones and apps.
- Attackers pose as U.S. State Department officials to trick prominent academics and critics of Russia into revealing their 16-digit app-password codes.
- App passwords bypass the second verification step and are more susceptible to phishing than SMS codes or authenticator apps.
- Security experts warn that similar social-engineering schemes will likely increase as threat actors refine their tactics.
- Malwarebytes’ six new rules advise limiting app-password use, switching to passkeys or hardware keys, recognising phishing attempts, keeping software updated, monitoring login activity, and using domain-blocking security tools.