Security Risks in Passwordless Account Recovery Highlighted at Black Hat USA 2025
Summary
At Black Hat USA 2025, researchers Sid Rao and Gabriela Sonkeria presented findings on the security risks associated with account recovery in passwordless authentication systems. They highlighted that while passwordless authentication methods like biometrics, passkeys, and tokens are gaining traction, account recovery processes often rely on insecure communication channels such as email and SMS. This gap poses significant risks, including account takeovers and permanent lockouts. The researchers tested 22 of the most visited websites and found widespread vulnerabilities in account recovery methods. The study revealed that many websites lack robust verification processes, allowing attackers to manipulate recovery mechanisms. Recommendations include implementing two-factor recovery options, strong session management, and stringent verification processes to mitigate these risks.
Timeline
- 11.08.2025 20:53 (1 article): Security Risks in Passwordless Account Recovery Highlighted at Black Hat USA 2025
At Black Hat USA 2025, researchers Sid Rao and Gabriela Sonkeria presented findings on the security risks associated with account recovery in passwordless authentication systems. They tested 22 of the most visited websites and found widespread vulnerabilities in account recovery methods. The study revealed that many websites lack robust verification processes, allowing attackers to manipulate recovery mechanisms. Recommendations include implementing two-factor recovery options and strong session management to mitigate these risks.
Source: Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery — www.darkreading.com — 11.08.2025 20:53
Information Snippets
All snippets first reported 11.08.2025 20:53 (1 source, 1 article): Researchers Warn of 'Hidden Risks' in Passwordless Account Recovery — www.darkreading.com — 11.08.2025 20:53
- Passwordless authentication methods include biometric authentication, passkeys, and tokens.
- Account recovery methods often rely on insecure communication channels like email and SMS.
- Four out of five users have forgotten their passwords in the past 90 days, and 25% use recovery mechanisms daily.
- Researchers tested 22 of the most visited websites and found vulnerabilities in account recovery methods.
- Many websites lack robust verification processes during account recovery.
- Multifactor authentication is often not used during the account recovery process.
- Attackers can change recovery methods to a token of their choosing, leading to permanent lockouts.
- Recommendations include implementing two-factor recovery options and strong session management.
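To make the gap described in the summary and snippets concrete, the following Python sketch is an added example (constructed for this page; it is not the researchers' test harness or any site's code). It places a channel-only recovery flow, where possession of the emailed or texted token alone lets the recovery method be rewritten, beside a hardened flow that makes the token single-use and time-limited, requires a second factor before the recovery method changes, revokes every existing session, and notifies the previous channel. The second factor is modelled as an HMAC response to a server challenge so the example runs offline; the class and function names (`WeakRecovery`, `HardenedRecovery`, `second_factor_code`) are assumptions.

```python
"""Channel-only account recovery beside a hardened recovery flow.

Constructed illustration. The second factor is an HMAC over a server
challenge so the code runs offline; a deployment would use a passkey,
TOTP or hardware token instead (assumption, not from the source).
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    recovery_channel: str          # email address or phone number on file
    second_factor_key: bytes       # shared secret behind the step-up factor
    sessions: set = field(default_factory=set)   # live session ids
    notices: list = field(default_factory=list)  # out-of-band notifications


def second_factor_code(key: bytes, challenge: str) -> str:
    """Stand-in for a TOTP/passkey response: HMAC of a server challenge."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class WeakRecovery:
    """Channel-only recovery: whoever holds the emailed/SMS token can
    point the recovery method anywhere (the pattern the talk criticises)."""

    def __init__(self):
        self.tokens = {}  # token -> account

    def start(self, account: Account) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = account
        return token  # would be sent over email/SMS

    def change_channel(self, token: str, new_channel: str) -> bool:
        account = self.tokens.get(token)
        if account is None:
            return False
        account.recovery_channel = new_channel
        return True  # no expiry, no second factor, sessions stay valid, no notice


class HardenedRecovery:
    """The recovery token is single-use, time-limited and only a first step:
    changing the recovery method also needs the second factor, revokes all
    sessions and notifies the previous channel."""

    TTL = 600  # seconds a recovery token stays valid

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.tokens = {}        # token -> (account, issued_at, challenge)

    def start(self, account: Account):
        token = secrets.token_urlsafe(16)
        challenge = secrets.token_hex(8)
        self.tokens[token] = (account, self.now(), challenge)
        return token, challenge

    def change_channel(self, token: str, code: str, new_channel: str) -> bool:
        entry = self.tokens.pop(token, None)  # single use: any attempt consumes it
        if entry is None:
            return False
        account, issued_at, challenge = entry
        if self.now() - issued_at > self.TTL:
            return False
        expected = second_factor_code(account.second_factor_key, challenge)
        if not hmac.compare_digest(expected, code):
            return False  # the token alone is never sufficient
        previous = account.recovery_channel
        account.recovery_channel = new_channel
        account.sessions.clear()  # strong session management: re-authenticate everywhere
        account.notices.append((previous, f"recovery channel changed to {new_channel}"))
        return True


def demo() -> dict:
    """Run both flows against a token-holder who lacks the second factor."""
    weak_acct = Account("alice", "alice@example.test", b"k1", sessions={"s1"})
    weak = WeakRecovery()
    weak_taken = weak.change_channel(weak.start(weak_acct), "attacker@example.test")

    hard_acct = Account("bob", "bob@example.test", b"k2", sessions={"s1"})
    hard = HardenedRecovery()
    token, _challenge = hard.start(hard_acct)
    hard_taken = hard.change_channel(token, "00000000", "attacker@example.test")
    return {"weak_taken_over": weak_taken, "hardened_taken_over": hard_taken}


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the contrast the researchers describe: with the weak flow the token alone rewrites the recovery channel and leaves the old sessions alive, while the hardened flow rejects the same attempt and consumes the token. Failing the second-factor check also burns the token, so a recovery link cannot be replayed while someone guesses codes.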
Similar Happenings
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. 
UNC6395 demonstrated operational discipline, querying and exporting data methodically and attempting to cover its tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat groups ShinyHunters and Scattered Spider claimed responsibility for many of the related Salesforce attacks, and vishing has been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing, or vishing, and was recently observed using social engineering to pose as IT support staff to get into Salesforce environments.
UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.