LastPass Vendor Cyber Rating & Cyber Score

lastpass.com

LastPass is a leading identity and password manager, making it easier to log in to life and work. Trusted by 100,000 businesses and millions of users, LastPass combines advanced security with effortless access for individuals, families, small business owners, and enterprise professionals. With LastPass, important credentials are protected and private – and always within reach. Learn more via www.lastpass.com.


LastPass A.I CyberSecurity Scoring

Company Information
Website: https://www.lastpass.com/
Employees number: 782
Number of followers: 40,720
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: lastpass.com
LastPass Risk Score (AI oriented): Between 0 and 549
Updated: 14/04/2026
Score: 100/1000, Critical (grade C)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
LastPass Global Score (TPRM): score locked

Current Score: 100 C (CRITICAL), on a scale from 0 to 1000
13 incidents
-122.2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 100 (before incident)
MAY 2026: 100 (before incident)
APRIL 2026: 100 (before incident)

Cyber Attack, 14 Apr 2026, LastPass
LastPass and Google: Omnistealer uses the blockchain to steal everything it can

Omnistealer: Malware Exploiting Blockchain for Undeletable Command-and-Control

Score after incident: 100 (CRITICAL, change 0)
Incident ID: LASGOO1776169942
Omnistealer: How Malware Exploits Blockchain for Undeletable Command-and-Control

A newly identified info-stealer, Omnistealer, is leveraging public blockchains such as TRON, Aptos, and Binance Smart Chain to host its malicious infrastructure, making it nearly impossible to remove. Unlike traditional malware that relies on platforms like GitHub or Google Drive (which can be taken down), Omnistealer embeds encrypted commands, malware fragments, and staging code within blockchain transactions. Since blockchains are append-only and immutable, these malicious snippets remain permanently accessible, creating a censorship-resistant command-and-control (C2) network that evades takedown efforts.

Once deployed, Omnistealer acts as a comprehensive data harvester, targeting:
- Over 10 password managers, including LastPass and cloud-synced tools.
- Major browsers (Chrome, Firefox), to extract saved logins and session data.
- Cloud storage credentials, such as Google Drive.
- More than 60 crypto wallets, including MetaMask and Coinbase Wallet.

The attack chain typically begins with social engineering: victims receive fake job offers via LinkedIn or Upwork, luring them into downloading and executing code from a seemingly legitimate GitHub repository. This code then fetches the final payload by reading encrypted data from blockchain transactions. Researchers estimate that 300,000 credentials have already been compromised, affecting sectors ranging from financial compliance and defense suppliers to U.S. government entities.

The malware's persistence, rooted in the blockchain's decentralized nature, poses a significant challenge for defenders, as traditional remediation methods (e.g., domain takedowns) are ineffective against immutable ledger entries.
INCIDENT DETAILS
TYPE: Info-Stealer / Malware
MOTIVATION: Financial Gain (Credential Theft, Crypto Wallet Exfiltration); Espionage (Potential Targeting of Government Entities)
IMPACT
Data Compromised: Over 300,000 credentials
Systems Affected: Password managers (LastPass, cloud-synced tools); Browsers (Chrome, Firefox); Cloud storage (Google Drive); Crypto wallets (MetaMask, Coinbase Wallet, 60+ others)
Operational Impact: Potential unauthorized access to sensitive systems, credential misuse, crypto asset theft
Brand Reputation Impact: High (Associated with credential theft and crypto wallet breaches)
Legal Liabilities: Potential (Regulatory violations for data exposure, especially in financial and government sectors)
Identity Theft Risk: High (Exfiltration of saved logins, session data, and PII)
Payment Information Risk: High (Crypto wallet credentials compromised)
DATA BREACH
Type Of Data Compromised: Credentials; Saved Logins; Session Data; Crypto Wallet Keys; Personally Identifiable Information (PII)
Number Of Records Exposed: 300,000+
Sensitivity Of Data: High (Passwords, Crypto Wallet Access, PII)
Data Exfiltration: Yes
Personally Identifiable Information: Yes (Saved logins, session data)
MARCH 2026: 100 (before incident)

Breach, 10 Mar 2026, LastPass
Salesforce, Snowflake, Okta, Sony, LastPass and AMD: Salesforce Customer Data Breach Linked to ShinyHunters

ShinyHunters Exploits Salesforce Experience Cloud Misconfigurations in Large-Scale Data Theft

Score after incident: 100 (CRITICAL, change 0)
Incident ID: SALLASAMDSNOSONOKT1773153462
ShinyHunters Exploits Salesforce Experience Cloud Misconfigurations in Large-Scale Data Theft

The hacking group ShinyHunters has claimed responsibility for stealing data from approximately 100 major companies by exploiting misconfigurations in Salesforce's Experience Cloud platform. According to reports, the group accessed information from around 400 websites and organizations, including high-profile targets like Snowflake, Okta, LastPass, Sony, AMD, and Salesforce itself. Salesforce confirmed that a "known threat actor group" is actively scanning public-facing Experience Cloud sites (portals used for customer, partner, and employee interactions) that have overly permissive guest user configurations. The company clarified that the issue stems from customer-defined guest user profiles, not from a vulnerability in Salesforce's core platform.

### How the Attack Works
Experience Cloud sites can be configured to allow guest users (unauthenticated visitors) to view public pages and submit forms. However, if these guest profiles are granted excessive permissions, attackers can query and extract CRM data that was never intended to be public. ShinyHunters reportedly used a modified version of AuraInspector, an open-source tool originally designed by Mandiant to detect misconfigurations in Salesforce's Aura endpoints. The altered tool enables mass scanning of public-facing sites, extracting data when guest permissions are too broad.

### ShinyHunters' Track Record
Active since 2019, ShinyHunters has been linked to numerous high-profile breaches, often employing "pay or leak" tactics: demanding ransoms to prevent data exposure. Recent incidents include the 2024 Snowflake breach, as well as attacks on universities and consumer platforms, leveraging phishing, social engineering, and SaaS misconfigurations.

### The Broader Risk of Misconfiguration
This incident highlights a persistent cybersecurity challenge: misconfiguration remains a leading attack vector. While SaaS platforms like Salesforce offer robust security controls, human error in permission settings can expose sensitive data. Experience Cloud's flexibility, designed for public-facing portals, becomes a liability when guest user profiles are improperly configured, allowing unauthorized access to CRM records.

### Salesforce's Response & Mitigation Steps
Salesforce has urged customers to:
- Audit guest user permissions across all Experience Cloud sites.
- Set default external access to "private" to block unauthenticated queries.
- Disable guest access to public APIs and remove API-enabled permissions from guest profiles.
- Monitor logs for unusual activity, such as large-scale scanning attempts.

The incident underscores the need for ongoing security reviews rather than one-time configurations, as cloud environments evolve and threat actors refine their tactics. With regulatory scrutiny and reputational risks escalating, enterprises must treat access control and governance as continuous priorities.
INCIDENT DETAILS
TYPE: Data Theft
MOTIVATION: Data Theft; Extortion (Pay or Leak Tactics)
IMPACT
Data Compromised: CRM data from approximately 400 websites and organizations
Systems Affected: Salesforce Experience Cloud sites with misconfigured guest user permissions
Brand Reputation Impact: High
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: CRM data
Sensitivity Of Data: High (Personally Identifiable Information likely included)
Data Exfiltration: Yes
Personally Identifiable Information: Likely
FEBRUARY 2026: 340 (before incident)
JANUARY 2026: 355 (before incident)

Cyber Attack, 19 Jan 2026, LastPass
LastPass and Amazon Web Services: LastPass Warns of Fake Maintenance Message Tracking Users to Steal Master Passwords

Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack

Score after incident: 335 (CRITICAL, change -20)
Incident ID: LASAMA1769009064
Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack

A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company's support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust. LastPass has confirmed that it never requests master passwords or demands immediate vault backups via email, emphasizing that legitimate communications avoid unsolicited urgent actions.

The campaign was strategically launched over a U.S. holiday weekend, a tactic designed to capitalize on reduced security staffing and slower incident response times, which threat actors commonly exploit to evade detection. The phishing infrastructure relies on two key components: an initial redirect hosted on compromised AWS S3 buckets and a spoofed domain mimicking LastPass's legitimate services.

LastPass is actively working with third-party partners to dismantle the malicious infrastructure and urges users to delete any suspicious emails and report them to [email protected] for further analysis. Organizations are advised to bolster email security controls to block messages from identified sender addresses and to reinforce phishing awareness, particularly regarding urgent language and credential requests. The incident underscores the persistent risk of credential harvesting campaigns targeting password manager users.
INCIDENT DETAILS
TYPE: Phishing
MOTIVATION: Credential Harvesting
IMPACT
Data Compromised: Master passwords, Vault backups
Brand Reputation Impact: Potential reputational damage due to phishing impersonation
Identity Theft Risk: High (master passwords compromised)
DATA BREACH
Type Of Data Compromised: Master passwords, Vault backups
Sensitivity Of Data: High (password manager credentials)
Personally Identifiable Information: Potentially (if vaults contained PII)
JANUARY 2026: 355 (before incident)

Vulnerability, 01 Jan 2026, LastPass
LastPass, Bitwarden and Dashlane: 25 Flaws Found in Cloud Password Managers Allow Unauthorized Access and Data Manipulation

Critical Vulnerabilities Exposed in Major Cloud Password Managers

Score after incident: 351 (CRITICAL, change -4)
Incident ID: DASLASBIT1771317146
Critical Vulnerabilities Exposed in Major Cloud Password Managers

Researchers from ETH Zurich's Applied Cryptography Group have uncovered 25 severe security flaws in popular cloud-based password managers, including Bitwarden, LastPass, and Dashlane, which collectively serve around 60 million users worldwide. The findings challenge the long-held assumption of "zero-knowledge encryption", a security model in which data remains encrypted even if servers are compromised. Led by Professor Kenneth Paterson, the team simulated a malicious-server threat model, testing how browser extensions responded when servers were compromised. The results revealed client-side vulnerabilities that could allow attackers with server access to view, modify, or delete stored passwords, logins, and sensitive data.

Bitwarden was found to have 12 vulnerabilities, LastPass 7, and Dashlane 6, with some flaws enabling full organization vault compromises or unauthorized access via sync manipulation. Key issues stem from outdated cryptographic practices and user-friendly features like password recovery and sharing, which introduce complexity and expand the attack surface. Doctoral student Matteo Scarlata noted that many vendors rely on 1990s-era encryption to avoid disrupting users or causing downtime, undermining the security guarantees of zero-knowledge architectures.

The vulnerabilities, assigned CVE IDs with CVSS scores ranging from 7.5 to 8.5, include:
- Bitwarden: Unauthorized vault access, integrity violations in shared credentials, and full organization vault compromise.
- LastPass: Password recovery bypass and credential modification attacks.
- Dashlane: Legacy crypto decryption leaks.

The researchers followed responsible disclosure, giving vendors 90 days to address the flaws. While patches are now being rolled out, the findings highlight a critical weakness: even encrypted data can be manipulated if servers are compromised. The incident underscores the need for regular external audits, transparent security practices, and migration to modern cryptographic standards rather than relying on incremental fixes.
INCIDENT DETAILS
TYPE: Data Breach/Vulnerability Exposure
IMPACT
Data Compromised: Stored passwords, logins, and sensitive data
Systems Affected: Cloud-based password managers (Bitwarden, LastPass, Dashlane)
Operational Impact: Potential unauthorized access and manipulation of encrypted data
Brand Reputation Impact: High
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Passwords, logins, sensitive data
Sensitivity Of Data: High (Personally Identifiable Information, credentials)
Data Encryption: Compromised (zero-knowledge encryption bypass)
Personally Identifiable Information: Yes
DECEMBER 2025: 489 (before incident)

Breach, 25 Dec 2025, LastPass
LastPass: LastPass Settlement Reaches Up to $24 Million After Data Breach

LastPass Data Breach and Settlement

Score after incident: 354 (CRITICAL, change -135)
Incident ID: LAS1766649509
LastPass Settles Lawsuit for Up to $24 Million Following Data Breach

LastPass, a widely used password manager, has agreed to a settlement of up to $24 million after a lawsuit stemming from a 2022 data breach. The agreement includes $8.2 million for data-protection claims and up to $16.25 million to reimburse users for cryptocurrency losses linked to the incident.

### The Breach and Its Impact
In the attack, hackers accessed sensitive user data, though stored passwords remained encrypted. However, some customers reported unauthorized access to crypto wallets connected to their LastPass accounts, leading to financial losses. The breach raised concerns about the security of password managers, which users rely on to protect digital assets and personal information. The lawsuit alleged that LastPass failed to adequately safeguard user data, exposing customers to privacy risks and financial harm.

### Settlement Details
Eligible users will be notified about how to submit claims. Payouts will vary based on verified losses:
- $8.2 million allocated for data-protection claims.
- Up to $16.25 million for crypto loss reimbursements.

### Broader Implications
The settlement underscores the real-world consequences of data breaches, even for trusted security tools. While password managers enhance convenience, this incident highlights their vulnerabilities and the need for robust security measures. For LastPass, the case has prompted security improvements, including stronger encryption, enhanced safeguards, and more transparent user updates. The company has pledged to prevent future breaches, though the incident serves as a reminder that no service is immune to cyber threats.
INCIDENT DETAILS
TYPE: Data Breach
MOTIVATION: Financial gain, data exploitation
IMPACT
Financial Loss: Up to $24 million (settlement)
Data Compromised: Sensitive user information, encrypted passwords, crypto wallet details
Systems Affected: LastPass user database
Operational Impact: Loss of user trust, reputational damage
Customer Complaints: Many users felt vulnerable and concerned about security
Brand Reputation Impact: Significant damage to trust in LastPass as a secure password manager
Legal Liabilities: Lawsuit settlement of $8.2 million for data-protection claims and up to $16.25 million for crypto losses
Identity Theft Risk: High (exposure of sensitive user information)
Payment Information Risk: High (unauthorized access to crypto wallets)
DATA BREACH
Type Of Data Compromised: Sensitive user information; Encrypted passwords; Crypto wallet details
Sensitivity Of Data: High (personally identifiable information, financial data)
Data Exfiltration: Unauthorized access to crypto wallets reported
Data Encryption: Passwords were encrypted
Personally Identifiable Information: Yes
NOVEMBER 2025: 484 (before incident)
OCTOBER 2025: 629 (before incident)

Breach, 15 Oct 2025, LastPass
LastPass UK Limited: Recent ICO Data Breach Enforcement Emphasizes the Importance of a Robust Breach Response

UK ICO Imposes £15 Million in GDPR Fines on Capita and LastPass for Cybersecurity Failures

Score after incident: 476 (CRITICAL, change -153)
Incident ID: LAS1770195780
UK ICO Imposes £15 Million in GDPR Fines on Capita and LastPass for Cybersecurity Failures

In late 2025, the UK Information Commissioner's Office (ICO) levied a combined £15 million in GDPR fines against Capita plc and Capita Pension Solutions Limited (fined £14 million on 15 October 2025) and LastPass UK Limited (fined £1.2 million on 20 November 2025) for data breaches resulting from cyberattacks. The ICO's decisions highlight critical enforcement trends, including its strict expectations for proactive cybersecurity measures. In Capita's case, the regulator determined that inadequate penetration testing, understaffed security operations, and weak administrator access controls created avoidable vulnerabilities that attackers exploited. Despite acknowledging the costs of robust security, the ICO rejected resource constraints as justification for lapses, particularly for organizations handling high-risk data. The rulings also emphasize the NCSC's cybersecurity guidance as a benchmark for "appropriate" GDPR compliance.

Internal documents, such as Capita's penetration test reports, were cited as evidence of security weaknesses, underscoring the legal risks of unprotected internal assessments. Companies are advised to consider privilege protections for sensitive security findings to limit exposure.

The ICO set a high bar for mitigating factors. LastPass's cooperation, though deemed "good," was not considered exceptional, while Capita's 14-hour GDPR notification (well ahead of the 72-hour deadline) failed to reduce its penalty. The regulator expects continuous, engaged responses rather than one-time compliance efforts. Notably, LastPass's fine was calculated based on its holding company's global revenue, not just its own turnover, aligning with EU precedent. This approach could significantly affect private equity and investment firms, as fines may extend to broader corporate groups.

The cases signal the ICO's uncompromising stance on data protection, with enforcement actions targeting both technical oversights and structural accountability.
INCIDENT DETAILS
TYPE: Data Breach
IMPACT
Financial Loss: £15 million (combined fines)
DATA BREACH
Sensitivity Of Data: High-risk data
Cyber Attack, 15 Oct 2025, LastPass

Ongoing Phishing Campaign Targeting LastPass, Bitwarden, and 1Password Users with Fake Security Alerts

Score after incident: 476 (HIGH, change -153)
Incident ID: LAS3302433101625
An ongoing phishing campaign targeted LastPass users via fake emails claiming the company was hacked, urging them to download a malicious desktop version of the password manager. The attack exploited social engineering tactics, impersonating LastPass with urgency-driven messages from domains like ‘hello@lastpasspulse[.]blog’. The downloaded binary installed Syncro, a legitimate remote monitoring tool repurposed to deploy ScreenConnect, granting attackers persistent remote access. While LastPass confirmed no breach occurred, the campaign aimed to steal vault credentials by tricking users into installing malware disguised as a security update. The threat actors leveraged reduced holiday staffing (Columbus Day weekend) to delay detection. Cloudflare later blocked the phishing landing pages, but the attack demonstrated sophisticated use of legitimate tools (Syncro/ScreenConnect) to bypass defenses, disable security agents (Emsisoft, Webroot, Bitdefender), and exfiltrate sensitive data from compromised endpoints.
INCIDENT DETAILS
TYPE: Phishing; Social Engineering; Malware Distribution; Remote Access Trojan (RAT)
MOTIVATION: Financial Gain; Credential Theft; Data Exfiltration; Potential Follow-on Attacks (e.g., ransomware, fraud)
IMPACT
Data Compromised: Potential access to password vaults via saved credentials; System metadata; User activity monitoring
Systems Affected: End-user devices (Windows, possibly macOS); Password manager applications (if credentials were exposed)
Operational Impact: Potential account takeovers; Follow-on attacks (e.g., lateral movement, ransomware); Increased helpdesk/support load due to user reports
Customer Complaints: Likely (users reporting phishing attempts or compromised accounts)
Brand Reputation Impact: Moderate (due to impersonation of trusted brands); Erosion of user trust in email communications from password managers
Identity Theft Risk: High (if password vaults are accessed)
Payment Information Risk: High (if payment details are stored in compromised vaults)
DATA BREACH
Type Of Data Compromised: Potential password vault credentials; System access (via ScreenConnect); User activity logs
Sensitivity Of Data: High (passwords, potentially payment info, PII)
Data Exfiltration: Likely (if threat actors accessed vaults or deployed additional malware)
Personally Identifiable Information: High risk (if stored in password vaults)
OCTOBER 2025: 628 (before incident)

Ransomware, 03 Oct 2025, LastPass
Salesforce

Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration

Score after incident: 329 (CRITICAL, change -299)
Incident ID: SAL5592855100325
The ransomware group ShinyHunters (Scattered Lapsus$ Hunters) breached Salesforce by exploiting stolen OAuth tokens from Salesloft Drift’s AI chatbot integration, compromising 1.5 billion records across 760 companies (including Cisco, Disney, and Marriott). The leaked data includes PII (names, DOBs, passports, employment histories), shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated Salesloft’s GitHub repository, extracting private source code and OAuth tokens, then laterally moved to Google Workspace, Microsoft 365, and Okta platforms of victims. The group demanded separate ransoms from Salesforce and listed 39 high-profile victims on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged social engineering (vishing, phishing, IT impersonation) to trick employees into granting access, highlighting vulnerabilities in third-party supply-chain integrations and weak 2FA/OAuth security controls.
INCIDENT DETAILS
TYPE: Data Breach; Ransomware; Supply Chain Attack; Social Engineering
MOTIVATION: Financial Gain (Extortion/Ransom); Data Theft for Dark Web Sales; Reputation Damage
IMPACT
Data Compromised: Personally Identifiable Information (PII); Shipping Information; Marketing Lead Data; Customer Support Case Records; Chat Transcripts; Flight Details; Car Ownership Records; Employment Histories; Passport Numbers; Full Contact Information
Systems Affected: Salesforce CRM Instances; Salesloft Drift AI Chatbot; Google Workspace; Microsoft 365; Okta Platforms; GitHub Repository (Salesloft)
Operational Impact: Potential Disruption to CRM Operations; Customer Data Exposure Risks; Incident Response Activation
Brand Reputation Impact: High (Public Data Leak Site); Loss of Customer Trust; Media Scrutiny
Legal Liabilities: Potential GDPR/CCPA Violations; Regulatory Fines; Class-Action Lawsuits
Identity Theft Risk: High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)
DATA BREACH
Type Of Data Compromised: PII; Customer Support Records; Chat Transcripts; Marketing Data; Shipping Information; Flight Details; Employment Histories
Number Of Records Exposed: 1,500,000,000 (claimed)
Sensitivity Of Data: High (Includes Passport Numbers, Nationalities, Contact Details)
Data Exfiltration: Confirmed (Samples Validated by Researchers)
Data Encryption: No (Data Stolen in Plaintext)
File Types: Database Dumps; CSV/Excel Files; JSON/Log Files; Chat Transcripts
Personally Identifiable Information: Full Names; Dates of Birth; Nationalities; Passport Numbers; Email Addresses; Phone Numbers; Physical Addresses; Employment Histories
SEPTEMBER 2025: 628 (before incident)
AUGUST 2025: 625 (before incident)
JULY 2025: 622 (before incident)
AUGUST 2022: 650 (before incident)

Breach, 01 Aug 2022, LastPass

LastPass Data Breach

Score after incident: 586 (CRITICAL, change -64)
Incident ID: LAS25527822
LastPass, a cloud-based password security service, suffered a data security breach after an unauthorized party gained access to its development environment, resulting in the theft of portions of its source code and some technical information. No customer data or encrypted passwords were accessed. While investigating the incident, LastPass engaged a leading cybersecurity and forensics firm and implemented additional countermeasures.
INCIDENT DETAILS
TYPE: Data Breach
MOTIVATION: Unknown
IMPACT
Data Compromised: Source code; Technical information
Systems Affected: Development environment
DATA BREACH
Type Of Data Compromised: Source code; Technical information
JUNE 2022: 585 (before incident)

Cyber Attack, 16 Jun 2022, LastPass

Phishing Campaign Targeting LastPass Users via Fake Legacy Inheritance Process

Score after incident: 524 (CRITICAL, change -61)
Incident ID: LAS1192211102425
LastPass is warning customers about an ongoing phishing campaign by the financially motivated threat group CryptoChameleon (UNC5356), targeting its users since mid-October. The attack involves fraudulent emails impersonating LastPass's legacy inheritance process, claiming a family member requested access to the victim's password vault via a fake death certificate. Users are tricked into clicking a malicious link redirecting them to a spoofed login page (lastpassrecovery[.]com), where they are prompted to enter their master password. In some cases, attackers also posed as LastPass support staff via phone calls to manipulate victims further.

The campaign has evolved to include passkey-focused phishing domains (e.g., mypasskey[.]info), indicating attempts to steal modern authentication credentials. This follows LastPass's 2022 breach, where encrypted vault backups were stolen, leading to subsequent cryptocurrency thefts totaling $4.4 million. The latest attack exploits psychological manipulation and technical deception to compromise user accounts, potentially granting attackers access to sensitive credentials stored in LastPass vaults.
INCIDENT DETAILS
TYPE: Phishing; Social Engineering; Credential Theft; Passkey Theft
MOTIVATION: Financial gain (cryptocurrency theft)
IMPACT
Financial Loss: $4.4 million (from 2022 breach-linked cryptocurrency losses; current campaign losses unspecified)
Data Compromised: LastPass master passwords; passkeys; potential vault contents
Systems Affected: LastPass user accounts; passkey storage systems
Customer Complaints: Likely (based on phishing volume)
Brand Reputation Impact: High (repeated targeting of LastPass users, erosion of trust in security)
Identity Theft Risk: High (stolen credentials could enable broader account takeovers)
Payment Information Risk: High (cryptocurrency wallets targeted)
DATA BREACH
Type Of Data Compromised: Master passwords; passkeys; potential vault data (if credentials reused)
Sensitivity Of Data: High (passwords, cryptographic keys, financial access)
Data Exfiltration: Likely (if credentials entered on phishing sites)
Data Encryption: N/A (credentials voluntarily entered by users on fake sites)
Personally Identifiable Information: High risk (if vaults accessed)
JANUARY 2022: 701 (before incident)

Breach, 01 Jan 2022, LastPass
LastPass: LastPass Gets Initial Nod for $24.5 Million Data Breach Deal

LastPass 2022 Data Breach Settlement

Score after incident: 565 (CRITICAL, change -136)
Incident ID: LAS1770196017
LastPass Reaches $24.5 Million Settlement Over 2022 Data Breach

LastPass, a leading password-security provider, has received preliminary approval from a U.S. federal court to settle a proposed class-action lawsuit stemming from a 2022 data breach. The breach exposed the personal information of millions of users and led to the theft of cryptocurrency from affected accounts.

Under the terms of the settlement, LastPass will establish an $8.2 million fund to compensate class members for losses incurred due to the breach. An additional $16.3 million will be allocated for further victim compensation, bringing the total settlement to nearly $24.5 million. The agreement was filed in the U.S. District Court for the District of Massachusetts.

The breach, which occurred in 2022, compromised sensitive user data, including encrypted password vaults, and was linked to subsequent financial fraud targeting cryptocurrency holdings. The settlement aims to resolve claims from impacted individuals while avoiding prolonged litigation. The case underscores the growing financial and reputational risks companies face following major cybersecurity incidents, particularly those involving sensitive financial or personal data.
INCIDENT DETAILS
TYPE: Data Breach
MOTIVATION: Financial Gain
IMPACT
Financial Loss: $24.5 million settlement
Data Compromised: Encrypted password vaults, personal information
Brand Reputation Impact: Growing financial and reputational risks
Legal Liabilities: Class-action lawsuit settlement
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Encrypted password vaults; Personal information
Sensitivity Of Data: High
Data Exfiltration: Yes
Data Encryption: Encrypted password vaults
Personally Identifiable Information: Yes
JUNE 2020: 739 (before incident)

Breach, 16 Jun 2020, LastPass

LastPass Data Security Breach

Score after incident: 675 (CRITICAL, change -64)
Incident ID: LAS214211222
LastPass again suffered a data security breach after an unauthorized party gained access to a cloud-based password security site. Although the third-party cloud provider was not identified, Amazon Web Services mentioned the company's migration of a billion customer records to its cloud in a blog post from 2020. No customer data or encrypted passwords were accessed.
INCIDENT DETAILS
TYPE: Data Breach
IMPACT
Data Compromised: No customer data or encrypted passwords were accessed.
DATA BREACH
Data Encryption: Encrypted passwords
JULY 2015: 756 (before incident)

Breach, 01 Jul 2015, LastPass

LastPass Data Security Breach

Score after incident: 696 (CRITICAL, change -60)
Incident ID: LAS1151522
LastPass, a cloud-based password security service, suffered a data security breach that compromised account email addresses, password reminders, per-user server salts, and authentication hashes. LastPass recommended that users with weak master passwords update them as a preventive step. LastPass's servers were overloaded in the aftermath, and many users were shown the message: "Oops! Our servers are a bit overloaded right now. Please try your password change again shortly, we will catch up soon."
INCIDENT DETAILS
TYPE: Data Breach
IMPACT
Data Compromised: Email addresses; Password reminders; Per-user server salts; Authentication hashes
Operational Impact: Server overload
DATA BREACH
Type Of Data Compromised: Email addresses; Password reminders; Per-user server salts; Authentication hashes

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for LastPass?
- What was LastPass's A.I Rankiteo Cyber Score in May 2026?
- What was LastPass's A.I Rankiteo Cyber Score in April 2026?
- What was LastPass's A.I Rankiteo Cyber Score in March 2026?
- What was LastPass's A.I Rankiteo Cyber Score in February 2026?
- What was LastPass's A.I Rankiteo Cyber Score in January 2026?
- What was LastPass's A.I Rankiteo Cyber Score in December 2025?
- What was LastPass's A.I Rankiteo Cyber Score in November 2025?
- What was LastPass's A.I Rankiteo Cyber Score in October 2025?
- What was LastPass's A.I Rankiteo Cyber Score in September 2025?
- What was LastPass's A.I Rankiteo Cyber Score in August 2025?
- What was LastPass's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on LastPass's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with LastPass?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view LastPass's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?