Top news stories this week
- Hack-desk. Meta’s AI-powered support system exploited to hijack Instagram accounts.
- Check please. Uncapped Claude AI usage leaves firm with USD 500 million bill.
- Vaulted but vulnerable. Dashlane password manager accounts compromised in attack.
- Fix this, install that. Hackers hijack thousands of websites for ClickFix and FakeUpdate malware campaign.
- Voice over. US broadband firm confirms breach after extortion threat.
- Delayed. Organisations reveal data breaches that occurred months or years ago.
1. Meta’s AI-powered support system exploited to hijack Instagram accounts
Attackers recently hijacked multiple Instagram accounts by exploiting Meta’s AI-powered support system. Using AI-generated facial verification, the attackers bypassed safeguards including multi-factor authentication (MFA) to convince the automated system they were the rightful account owners. Without any human escalation path, victims found themselves stuck in chatbot loops with no way to reclaim their accounts.
So what?
This event highlights serious weaknesses in AI-driven account recovery and identity verification systems. Organisations should ensure that any AI-powered help desk system contains appropriate guardrails and human intervention where needed.
[Researcher: Milda Petraityte]
2. Uncapped Claude AI usage leaves firm with USD 500 million bill
An unidentified enterprise customer reportedly incurred USD 500 million in costs on Anthropic’s Claude AI in a single month as it emerged that employees were inadvertently given unrestricted access – without spending caps, token limits, or usage restrictions.
So what?
In addition to developing AI policy around usage, companies should ensure that basic controls such as spending limits are anticipated and included – particularly around token-metered pricing.
[Researcher: Lester Lim]
3. Dashlane password manager accounts compromised
Hackers have bypassed Dashlane’s MFA protections and stolen account vaults belonging to approximately 20 customers. While the attackers still need each victim's master password to access the vaults, they can crack weak or commonly used passwords with significantly less effort.
So what?
While password managers offer strong security advantages, they also represent a single point of failure. Enable MFA not only on the password manager itself but on every platform where credentials are stored. Organisations should also include password manager compromise scenarios in their incident response playbooks.
[Researcher: Jack Woods]
4. Hackers hijack thousands of websites for ClickFix and FakeUpdate malware campaign
A large-scale hacking campaign has compromised thousands of legitimate websites, silently redirecting visitors to malicious pages. Victims encounter fake ClickFix prompts that trick them into running malicious commands, or fake browser update pages that deliver malware disguised as routine updates.
So what?
Organisations should reinforce user awareness around unexpected update prompts and on-screen instructions that ask users to run commands. Ensure web filtering tools can also detect and block known malicious redirects.
[Researcher: Jenny Eysert]
5. US broadband firm confirms data breach after extortion threat
US broadband firm Charter Communications has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen customer data. The breach reportedly stemmed from a voice phishing attack that compromised an employee account, giving the threat actor access to the organisation’s Salesforce environment.
So what?
Organisations should enforce strict identity verification controls, including callback procedures for sensitive requests, and ensure SaaS environments such as Salesforce have role-based access limits and activity monitoring in place.
[Researcher: Steve Ross]
6. Carnival Cruises and Bedfordshire Hospital delay incident communication
Carnival Corporation faces criticism for its delayed response to an attack in April that exposed the personal data of nearly six million customers. Separately, Bedfordshire Hospitals NHS Foundation Trust has revealed that data belonging to almost 33,000 patients - linked to lab or diagnostic records between 2011 and 2020 - had been stolen and shared online years ago.
So what?
Cyber incidents move fast. Poorly timed or delayed communication amplifies the damage and erodes stakeholder trust. Organisations should establish pre-approved notification templates and clear communication timelines within their incident response playbooks.
[Researcher: Lena Krummeich]
