Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.).
Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware

Cybersecurity researchers have discovered two Android spyware campaigns dubbed **ProSpy** and **ToSpy** that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.).

Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data.

"Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services," ESET researcher Lukáš Štefanko said. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app."

The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, leveraging deceptive websites masquerading as Signal and ToTok to host booby-trapped APK files that claim to be upgrades to the respective apps, namely Signal Encryption Plugin and ToTok Pro.

The use of ToTok as a lure is no coincidence, as the app was removed from Google Play and Apple App Store in December 2019 due to concerns that it acted as a spying tool for the U.A.E. government, harvesting users' conversations, locations, and other data.

The developers of ToTok subsequently went on to claim the removal was an "attack perpetrated against our company by those who hold a dominant position in this market" and that the app does not spy on users.

The rogue ProSpy apps are designed to request permissions to access contacts, SMS messages, and files stored on the device. It's also capable of exfiltrating device information.

ESET said its telemetry also flagged another Android spyware family actively distributed in the wild and targeting users in the same region around the same time ProSpy was detected. The ToSpy campaign, which likely began on June 30, 2022, and is currently ongoing, has leveraged fake sites impersonating the ToTok app to deliver the malware.

The regionally focused campaigns center around stealing sensitive data files, media, contacts, and chat backups, with the ToTok Pro app propagated in the ProSpy cluster featuring a "CONTINUE" button that, when tapped, redirects the user to the official download page in the web browser and instructs them to download the actual app.

"This redirection is designed to reinforce the illusion of legitimacy," ESET said. "Any future launches of the malicious ToTok Pro app will instead open the real ToTok app, effectively masking the spyware's presence. However, the user will still see two apps installed on the device (ToTok and ToTok Pro), which could be suspicious."

The Signal Encryption Plugin, in a similar manner, includes an "ENABLE" button to deceive the users into downloading the legitimate encrypted messaging app by visiting the signal\[.\]org site. But unlike the case of ToTok Pro, the rogue Signal app icon is changed to impersonate Google Play Services once the victim grants it all the necessary permissions.

Regardless of the app installed, the spyware embedded within it stealthily exfiltrates the data before the user clicks CONTINUE or ENABLE. This includes device information, SMS messages, contact lists, files, and a list of installed applications.

"Similarly to ProSpy, ToSpy also includes steps designed to further deceive the victim into believing that the malware they just installed is a legitimate app," Štefanko said. "After the user launches the malicious ToTok app, there are two possible scenarios: either the official ToTok app is installed on the device or it's not."

"If the official ToTok app is not installed on the device, ToSpy attempts to redirect the user to the Huawei AppGallery, either through an already installed Huawei app or via the default browser, suggesting the user download the official ToTok app."

In the event the app is already installed on the device, it displays a fake screen to give the impression that it's checking for app updates before seamlessly launching the official ToTok app. However, in the background, it collects user contacts, files matching certain extensions, device information, and ToTok data backups (\*.ttkmbackup).

To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android's AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.

ESET said the campaigns are being tracked differently due to differences in delivery methods and infrastructure, despite several commonalities in the malware deployed. It's currently not known who is behind the activity.

"Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services," the company added.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro

Researchers found several security problems in Life360's Tile trackers, most of which could be solved with encryption.

Researchers at the Georgia Institute of Technology scrutinized the security of the popular Tile tracker and came out disappointed.

Bluetooth trackers are a steadily growing market, and Life360 is one of the major players. In 2021, Amazon expanded its Sidewalk network to include Tile. That means Ring cameras and Echo devices can act as relays, picking up the location of Tile trackers and phones running the Tile app.

Reportedly, some 88 million Tile trackers are in use worldwide, but researchers reported that Tile trackers were not as safe as they hoped. The major problem the researchers found is that the trackers broadcast an unencrypted, static MAC address and unique ID. To allow users to find their wallet or lost items, other Bluetooth devices or radio-frequency antennas in a tracker’s vicinity can pick up these signals to follow the movements of the tracker.

That’s the whole point, you’d think. But let me clarify what’s wrong with this method.

Other trackers don’t broadcast their actual MAC address. Instead, they send out a temporary ID based on it, which makes long-term tracking harder. Tile does things differently: while it rotates the unique ID, it still transmits the same MAC address. Researchers also found the rotating ID generation was weak and could allow continuous tracking.

The receiver then sends the tracker’s location, MAC address, and unique ID to a server without encryption. The researchers believed the server stored this information in cleartext, which would mean Life360 could continuously monitor the location of trackers and their owners who have the app installed.

As one of the researchers put it while warning about the dangers:

> “An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime.”

This could pose a major problem in case of a breach or if your tracker was caught in a mass scan. In other tracker systems, the information about the location of a tag is decrypted by using a key only available on the user’s phone, so only the owner can see this information.

Another issue is Tile’s anti-stalking feature. After concerns were raised about the ability to stalk persons with these trackers, most manufacturers added automatic alerts that warn the user if a tracker that is not theirs is following them around.

With Tile, the app doesn’t scan in the background—the user has to start the scan manually. Even then, it only works if the user keeps moving around for 10 minutes.

This behavior could be due to a feature that Tile offers and others don’t: anti-theft mode. Tile users have the ability to make their trackers invisible to others, so would-be thieves can’t scan an area to see if there are any items with a Tile in the vicinity.

But stalkers could abuse the same feature. They would still see the tag’s location, while the victim’s scan would not detect it, leaving them unaware of a rogue device.

To enable Anti-Theft Mode, Tile requires a government-issued ID, a live photo of the user, and agreement to a $1 million fine if convicted of stalking. While this could deter some abusers, researchers note it isn’t clear whether the penalty is enforceable.

The researchers concluded that many of the problems they found with Tile trackers could be solved by encrypting the signals it broadcasts, and they didn’t understand why the company apparently hadn’t followed the example of its competitors.

That sounds easier than it might be though. In February 2025, researchers found a way to track any Bluetooth device using nRootTag vulnerability in the “Find My” network. Apple has a partial fix out, but full protection may take years. This shows that a redesign from (almost) scratch could be a lengthy and costly process.

In a statement to The Verge, a spokesperson for Life360 said the company had “made a number of improvements” since researchers reported the issue last November, although didn’t provide any details about the fixes. From the statement:

> Using a Tile to track someone’s location without their knowledge is never okay and is against our terms of service.

To help you find the main differences between Tile and other trackers, we constructed this overview.

**Features**

**Tile**

**Others**

Static MAC address

Uses static MAC addresses, enabling persistent tracking by anyone nearby.

Uses rotating MAC addresses that change frequently to prevent tracking.

Data transmission

Broadcasts unique IDs and device data unencrypted via Bluetooth, which is easily intercepted.

Uses encrypted communication with nearby devices, protecting data in transit.

Data storage

Stores location and device data unencrypted on own servers, making it vulnerable to breaches.

Stores encrypted data on servers, reducing risk from breaches.

Detection of unwanted trackers

Requires users to manually scan with Tile app’s Scan and Secure feature, which is less intuitive.

Automatically alerts users of unknown trackers traveling with them and provides disabling them.

Anti-theft feature

Offers “anti-theft mode,” which hides trackers from detection scans, but which makes automatic stalking alerts ineffective.

No equivalent feature.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Tile trackers plagued by weak security, researchers warn 

Google can create and manage passkeys from your browser, but the process is more involved than it suggests.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Google wants you to start using passkeys. Its vision is to “progress toward a passwordless future," allowing you to store passkeys in the Google Password Manager service. For websites that support the login method, Google now allows you to generate, store, and sync passkeys. The problem is actually finding a consistent way to do it.

It’s easy to change your password, but it’s not so easy to add passkeys to an account you’ve already created, much less manage them solely in your browser. Still, you can use passkeys with the Google Password Manager on supported websites; you'll just need to jump through a few hoops first.

*   **How to Set Up a Passkey for Your Google Account**
*   **How to Use Passkeys With Google Password Manager**
*   **What to Do if You Lose Your Google Passkeys**
*   **Why Passkeys Are Easier With a Password Manager**

**How to Set Up a Passkey for Your Google Account**

You can learn more about passkeys here, but in short, they're a method to confirm you are who you say you are so that you don't have to remember a long password for every app and website you log in to. You can use a passkey for your Google account, but you can also store passkeys for other websites with the Google Password Manager, which is available on Chrome or directly through Android.

To use a passkey with your Google account, go to g.co/passkeys and follow the prompts. You’ll log in to your Google account and create a passkey, either bound to your device or stored in a third-party password manager. If you aren’t using a third-party password manager, your Google passkey will be bound to the device you’re using. Apple devices sync your passkeys across other Apple devices with iCloud Keychain, but otherwise you’ll need the device you created the passkey on to log in.

Creating a passkey for your Google account is simple. What’s important is that you’re doing it on a device that supports passkeys. Here’s what you need:

*   A computer with Windows 10, macOS Ventura, ChromeOS 109, or newer; or a phone with iOS 16 or Android 9, or newer;
*   A supported browser (Chrome 109, Safari 16, Edge 109, Firefox 122, or newer).

Once you’ve made a passkey, you can manage it at myaccount.google.com. There, select **Security,** and then choose **Passkeys and Security Keys** to see the passkeys you have. You can—and likely will, if you aren’t using a third-party password manager—have multiple passkeys for different devices, even if they’re used to log in to the same account.

How Safe Are Google Passkeys?

A passkey for your Google account is generally safer than using a password. Passkeys rely on asymmetric encryption with a public-private key pair, and only you have access to your private key. Even in the event of a breach or phishing scheme, an attacker can't access your account without your private key, which never leaves your device.

A password uses symmetric encryption, and it's what you'd call a “shared secret” in the world of cybersecurity. With a password, Google needs to store an encrypted copy on its servers, opening up the potential of a breach. Further, you need to remember your password, which opens the door for phishing and social engineering attacks.

Is It Safe to Store Passkeys in Google Password Manager?

The Google Password Manager available through Chrome stores your logins locally on your device. It can sync your logins across devices, but an encrypted copy is kept locally. A file containing your encryption key is also available locally, and combining the two files with a Python script and a little know-how can expose your passwords on Windows.

Someone would need access to your device for this kind of attack, which isn't likely on a desktop, but it's worth keeping the risk in mind. If you travel often or could have your device easily lost or stolen, it's a good idea to store passkeys elsewhere, such as in a password manager.

Should I Use a Password Manager for Passkeys?

You can create and manage passkeys on Windows through Windows Hello, on macOS and iOS through iCloud Keychain, and on Android or in your browser through Google Password Manager. However, using a third-party password manager like Proton Pass or 1Password makes things a lot easier.

An external password manager allows you to sync your passkeys across devices, and they're bound to the password manager itself, rather than your device. If you have a device that's authenticated with your password manager, you can access your passkeys, too.

**How to Use Passkeys With Google Password Manager**

Google would like you to believe that saving passkeys in the Google Password Manager happens almost magically. You sign in to or sign up for an account, Google steps in and asks if you want to save a passkey, and you’re done. Google even says it can upgrade accounts stored in Google Password Manager automatically with passkeys.

The process, unfortunately, is more involved. First, you need to enable passkeys for the Google Password Manager. They're enabled by default, but to double check, open Chrome, and follow these steps:

1.  Click the three dots in the upper right corner;
2.  Hover over **Passwords and Autofill** and choose **Google Password Manager** from the menu;
3.  In the tab that opens, choose **Settings**;
4.  Ensure the **Offer to Save Passwords and Passkeys** setting is turned on.

Google via Jacob Roach

Now, we need a website that supports passkeys. There are a handful of different directories online—Hanko’s directory is the easiest, but this community directory is more comprehensive. I’ll use Best Buy for this example, which supports passkeys.

To set up a passkey with Google Password Manager, you need your credentials for the service in question already stored. For Best Buy, go to the website and log in. When the Google Password Manager prompts you, choose to save your username and password in Google Password Manager.

With that done, follow these steps on the Best Buy website:

1.  Select the drop-down for your account name, and choose **Account Settings**;
2.  Under the **Account Security** box, choose **Passkey (Face or Fingerprint Sign-In)**;
3.  Select **Create a Passkey**.

Google via Jacob Roach

Once you create a passkey, a pop-up will appear asking you to verify your identity with another device logged in to your Google account. If this is the first passkey you’re creating with Google Password Manager, you’ll also need to set up a PIN.

Every service is a bit different, but you need to initiate the passkey creation from the service you want a passkey for, not from Google Password Manager. Once the passkey is stored, you’ll see it alongside your normal login credentials in Google Password Manager.

Google via Jacob Roach

**What to Do if You Lose Your Google Passkeys**

There’s an obvious issue with passkeys, and that’s account recovery. Passkeys are tied to a particular device, so if that device is lost or stolen, you won’t be able to sign in to your account. Google, thankfully, syncs your passkeys across devices with access to your Google account, but you may still need to do some clean-up. There are two steps you need to take if you no longer have access to a device that holds your passkey.

First, you need to remove the passkey from that device. For your Google account, that’s simple enough:

1.  Go to myaccount.google.com;
2.  Select the **Security** tab from the left menu;
3.  Choose **Passkeys and Security Keys** under the **How You Sign In To Google** section;
4.  Remove the passkey you created;
5.  If you have a device-bound key, such as on an Android device, signing out of that device will remove the passkey. The link next to these devices will take you to the right page, but you can navigate to **Your Devices** in the **Security** section, as well.

Other websites that support passkeys allow you to remove them, as well. In our Best Buy example, for instance, you’ll find a **Remove All Passkeys** button in the same place you created the passkey. After that’s done, you can regenerate a passkey following the steps above on a new device you have access to. In the event you can’t access a new device, Google and other services that support passkeys have fallback options, including a recovery code or your standard password.

**Why Passkeys Are Easier With a Password Manager**

The problem with using your Google for passkey storage is, well, Google.

Apple, Microsoft, and Google have all been quick to adopt passkeys as an alternative form of authentication, and they’ve been just as quick to place restrictions on where you can and can’t save or use passkeys. It’s a mess. For instance, when you log in to iCloud, Apple says you can use a passkey but only with a device running iOS. Google automatically generated a passkey for my account when I recently switched my phone to the OnePlus 13R, and yet it doesn’t work, no matter how many QR codes I scan on a device that, supposedly, holds my Google passkey. Then there’s Windows and Microsoft. Those keys don’t even work across devices.

To avoid the platform-locked squabble of multibillion-dollar corporations, I recommend using a third-party password manager. Most of the best password managers come with passkey support, and you’ll be able to save and sync your passkeys across devices.

I use Proton Pass, but 1Password, NordPass, and others also support passkeys. You can save passkeys in Chromium-based browsers with your password manager’s extension, and both Android and iOS now allow third-party apps to store and manage passkeys.

There’s no nonsense about which devices support which passkeys, and you don’t need to tap dance around your devices just to save one. Most importantly, storing your passkeys in a password manager gives you flexibility. If you want to switch from Android to iPhone, or from macOS to Windows, or try out some new, hot browser, you can. Some services, such as Proton Pass, even allow you to share and export passkeys.

How to Use Passkeys With Google Password Manager (2025)

Apple has patched a serious vulnerability (CVE-2025-43400) in how devices handle fonts.

Apple has released important security updates to address a critical vulnerability in _FontParser_—the part of MacOS/iOS/iPadOS that processes fonts.

Identified as CVE-2025-43400, the flaw was discovered internally by Apple and allows an attacker to craft a malicious font that can cause apps to crash or corrupt process memory, potentially leading to arbitrary code execution.

While Apple hasn’t said it’s being actively exploited, similar bugs have been used in jailbreaks and spyware attacks in the past, so it’s smart to patch it promptly.

**How to update your devices******How to update your iPhone or iPad****

For iOS and iPadOS users, you can check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

******How to update macOS on any version******

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

****How to update Apple Watch****

*   Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General > Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

****How to update Apple TV****

*   Turn on your Apple TV and make sure it’s connected to the internet.
*   Open the Settings app on Apple TV.
*   Navigate **to System > Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**Updates for your particular device**

**Name and information link**

**Available for**

iOS 26.0.1 and iPadOS 26.0.1

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

iOS 18.7.1 and iPadOS 18.7.1

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

macOS Tahoe 26.0.1

macOS Tahoe

macOS Sequoia 15.7.1

macOS Sequoia

macOS Sonoma 14.8.1

macOS Sonoma

visionOS 26.0.1

Apple Vision Pro

watchOS 26.0.2 no published CVE entries.

Apple Watch Series 6 and later

tvOS 26.0.1 no published CVE entries.

Apple TV HD and Apple TV 4K (all models)

**Technical details**

The vulnerability tracked as CVE-2025-43400 was described as an out-of-bounds write issue in FontParser that, when exploited, could cause the processing of a maliciously crafted font to lead to unexpected app termination or corrupt process memory.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

Typically, fonts are safe and standardized files used daily in countless apps and websites, but due to this vulnerability an attacker can create a specially crafted font file containing manipulated data that exploits vulnerabilities in the font processing engine of the operating system. When this malicious font is loaded by an app or system process, it can trigger memory corruption or crashes. In worst-case scenarios, this can enable attackers to execute harmful code remotely, gaining control over the device.

Given that fonts are widely used and often processed silently in the background, font vulnerabilities pose a significant risk vector for attackers aiming to compromise devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes critical font processing bug. Update now! 

Your logins will live on after you pass on. Make sure they end up in the right hands.

It’s not fun to talk about, but there’s only one thing certain in life. You need to have a plan for your digital legacy, just like you make a plan for your physical assets; otherwise, your accounts, services, and logins will rot away in a data center before they’re inevitably erased by a data retention policy.

Some services recognize how important digital legacy is. Apple and Facebook have legacy contacts that can gain access to your accounts, and the American Bar Association is still grappling with the legalities of accessing online accounts when someone passes away. Most online services don't.

Recognition of digital legacy is still spotty, and without dedicated legacy contacts, accessing the deceased’s online accounts often involves court orders or legal documentation (and plenty of time). Digital legacy doesn’t need to have so many hurdles, though. Password managers have digital legacy features built in that can unlock your digital life in the event of an emergency.

*   **Defining a Digital Legacy**
*   **Password Managers With Digital Legacy Features**
*   **What You Should Store Beyond Passwords**
*   **Pass on Your Passwords When You Pass**

**Defining a Digital Legacy**

There’s a lot that goes into your digital legacy, from your online banking login to any digital assets you own, but even a seemingly straightforward online life can quickly snowball into a mess. Does the Netflix account just keep draining the checking account until you can break in and change the payment option? Are photos that have been uploaded to the cloud now lost in a data center, never to be recovered? Add some passkeys, maybe some social sign-on features, and you have a complex web of data that’s almost impossible to untangle.

So-called digital executors exist, operating in the same way as the executor of the will, just for digital assets. It’s a good idea to set up a digital executor to ensure your digital assets are handled properly, but that doesn’t help in the immediate aftermath of someone passing away. The probate process can take at least a few months, and sometimes several years.

Password managers like Bitwarden offer a shortcut. You can transfer access to a trusted relative, spouse, or even your closest friend, along with a rundown of what to do with your accounts.

The legality of this is a little murky, with the American Bar Association noting that accessing someone else’s account, even with their username and password, isn’t legal if it violates the platform’s terms of service. The law regarding digital assets varies from state to state, so it’s still a good idea to consult an attorney for long-term access.

Here's the advice NordPass gave: “For anyone thinking about digital legacy, the best step is to set up Emergency Access in advance, clearly communicate the use cases of the credentials with your trusted contacts, and follow the terms of service of respective platforms.”

Immediate access is still important, not only in the event of death but also in the event of incapacitation. If you, for whatever reason, can’t access your online accounts, you can transfer those accounts easily using an emergency contact feature available in a password manager.

**Password Managers With Digital Legacy Features**

There are some excellent password managers, and most of them have some way to unlock your account in the event of an emergency. They go about it in different ways, however. Here are the three I recommend for most people. (Read more in our Best Password Managers guide.)

Proton Pass

Proton recently added an emergency access feature, and it’s not just restricted to Proton Pass. Unlike most password managers, Proton Pass is just one app available in the Proton suite. Proton also makes our favorite VPN, and it offers an encrypted crypto wallet, cloud storage, and even a calendar.

Emergency access isn’t restricted to one app with Proton. Rather, it’s access to your entire account, so if you have multiple Proton apps, you can pass them along. It’s not hard to see where this could be useful, especially if you have a lot of data stored in Proton Drive or money in your crypto wallet.

Although Proton’s emergency access is bound to your overall Proton account, you need to set it up through Proton Pass or another Proton app. For Proton Pass, open the app in your browser at account.proton.me. Once you’re in, select the cog icon next to your name in the bottom left corner and choose **Account.**

Proton via Jacob Roach

This will open a new tab. In the new window, select **Recovery** from the menu on the left and scroll down to the **Emergency Access** section. Choose **Add Emergency Contact** and enter the email address you want to share access with. They’ll need a Proton account to accept the invitation. Emergency access is only available for paid Proton members, though you can share access with someone who has a free Proton account.

One of the upsides of Proton compared to 1Password and NordPass (my other two recommendations) is the wait-time setting. When you add an emergency contact, they can request access to your Proton account at any time. After the wait time has passed without a response, however, Proton will automatically give your emergency contacts access. The default time is seven days, but you can set it for as long as 30 days, as well as remove the wait time completely.

1Password

1Password via Jacob Roach

**1Password**

1Password doesn’t have a dedicated digital legacy feature, and if you understand how its security architecture is designed, it’s easy to see why. 1Password has a true zero-knowledge security architecture. Even if 1Password wanted to, and even in the event of a catastrophic emergency, it can’t decrypt someone’s vault. That’s great for security but bad for passing along your passwords.

Instead, 1Password offers an emergency kit, which you can generate and download from my.1password.com. On a device where you’re signed into 1Password, go to that address, select your name in the upper right corner, and choose **Manage Account.** On the next page, select **Save Emergency Kit.**

1Password via Jacob Roach

Your 1Password Emergency Kit is a PDF that includes instructions for logging in, along with your email address, secret key, and a space for you to write (or type) your master password. It also includes a QR code for easy setup, automatically copying your details over, short of your master password.

The Emergency Kit is useful for account recovery, but it’s also one of the more secure options for digital legacy. You can print off a physical copy of your Emergency Kit before wiping any trace of it digitally. I recommend including it as part of your will or trust and storing it somewhere secure, like a safe-deposit box.

Unfortunately, you need to jump through these hoops with 1Password due to how it works. And whoever ends up with your Emergency Kit will have full access to your account, while Proton Pass and NordPass (my next recommendation) provide read-only access. If you use 1Password’s Families plan, however, it’s easy to share vault access with the family members on your account—and you don’t even need to contemplate death to do it.

NordPass

Photograph: Nordpass

NordPass introduced its emergency access feature a few years ago, and it’s simple. You can send invites to one (or more) trusted contacts. They don’t get access to your vault immediately. Instead, they can request access at any time. In the event you don’t deny one of these requests within seven days, Nord automatically unlocks the account for the contact that requested access.

Setting it up is easy. Once you have the NordPass extension installed, open it and select the cog icon near the top left of the window. That will open your settings view in a new tab. All the way at the bottom of the page, you’ll find the **Emergency Access** setting under the **Other** category. Like with Proton Pass, your trusted contact will need a NordPass account to see and accept the invitation.

Nordpass via Jacob Roach

That’s it. Once they accept the invitation, your contact can request access at any time, which you can accept or deny within that seven-day window before your vault is unlocked. Regardless of the situation, if someone gets emergency access to your account, they can only view what’s inside. NordPass locks them out of editing, deleting, sharing, or doing anything else inside your vault.

The obvious downside with NordPass is that you can’t change the amount of time before access is handed over to your emergency contacts. If you, for whatever reason, can’t deny the request within seven days, NordPass unlocks your vault. You can dream up some scenarios where that could become a problem, but it shouldn’t, especially considering you can revoke access for your emergency contacts at any time.

**What You Should Store Beyond Passwords**

Proton Pass, 1Password, and NordPass are my personal favorite password managers, which is why I recommend them over options like Keeper, which also has a digital legacy feature. I also recommend them because they come with additional storage space. 1Password includes 1 GB, NordPass includes 3 GB, and Proton Pass comes with a whopping 10 GB—and that doesn’t include any storage through Proton Drive.

Storing your logins is important, but you can also store a lot of important documents in your password manager. That’s certainly more secure than throwing them in a shared Google Drive folder. If you want to do a digital inventory, here are a few things you should store in your password manager alongside your logins.

**Vehicle information.** You can wrap all of your vehicle information up into a single entry in your password manager. Scan your license and title, add insurance and vehicle information, and maybe loop in personal property tax receipts. NordPass, 1Password, and Proton Pass all allow you to add attachments to entries, as well as notes.

**Software licenses.** Most software today is sold with a software-as-a-service model, so accessing someone’s login is most important. If you have perpetual software licenses, though, you’ll probably want to add them to your vault as an encrypted note.

**Non-account secrets.** This is probably the most practical thing to store in your password manager in the event you need to transfer access. There are a ton of secrets you need to remember that aren’t tied to an online account. I’m talking about gate codes, PINs, and patterns for your devices, recovery codes, lock combinations; the list goes on. Store them in your vault as encrypted notes.

**2FA/MFA details.** A lot of password managers allow you to store 2FA codes, including Proton Pass and 1Password (though not NordPass). It’s not the best idea for security, but in the context of digital legacy, you should store some information about accounts that have 2FA enabled. Add a note to logins that have 2FA enabled, along with recovery information for those accounts.

**Pass on Your Passwords When You Pass**

Death isn’t fun to think about, no, but setting up your digital legacy is only becoming more important. Today, precious little exists only in the physical world; nearly everything is tied to an online account or service in some way. Dealing with who owns your digital assets is something you can define in a will or trust. But that doesn’t always account for the unexpected.

Emergency access is important if you pass away, but it’s also important if you can’t get access to your account for any reason, especially in the aftermath of an emergency.

How to Use a Password Manager to Share Your Logins After You Die (2025)

A team of researchers found that, by not encrypting the data broadcast by Tile tags, users could be vulnerable to having their location information exposed to malicious actors.

Tile trackers, used to locate everything from lost keys to stolen pets, are used by more than 88 million people worldwide, according to Tile’s parent company, Life360. But researchers who examined the tracking technology have found design flaws that would let stalkers—or potentially the manufacturer itself—track the location of Tile users and their devices, contrary to claims the company has made about the security and privacy of its devices.

The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner. The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.

The researchers say this would give Tile the ability to conduct “mass surveillance” on its users and potentially provide that information to law enforcement and others.

The researchers also found that Tile’s anti-stalking protection can be easily undermined if a stalker enables an anti-theft feature that Tile offers with its tags. Additionally, someone could falsely frame a Tile owner for stalking by recording the unencrypted broadcasts their Tile device makes and replaying these broadcasts in the vicinity of another Tile user, making it seem like the former is stalking the latter.

The researchers reported their findings to Tile’s parent company, Life360, last November, but they say the company stopped communicating with them in February. WIRED sent Life360 an email asking for a response to the issues raised by the researchers, but a spokesperson sent a reply that did not explicitly address the problems. The email said only that the company had “made a number of improvements” since receiving the researchers’ report, without specifying what those were.

Tile sells stand-alone tags, but its tracking technology is also embedded in laptops, headphones, smartwatches, and other products made by companies like Dell, Bose, and Fitbit. The researchers reverse engineered Tile’s protocol and Android mobile app used with the Tile Mate, the company’s most popular tracker tag. They say their findings may not apply to other models of Tile tags or the Tile technology used in products made by third parties.

**How Tile Tags Work**

Tile trackers operate similarly to tracking tags made by Apple, Google, and Samsung. But Tile’s system differs in important ways. Like the others, Tile tags are battery-powered and use Bluetooth to broadcast their location to a user’s phone. Users can slip a tag into a briefcase, luggage, or vehicle, or attach it to keys, a phone, laptop, or even a pet collar to track the location of these items.

Each Tile tag broadcasts the tag’s MAC address and a unique ID, which changes periodically. If an item paired with the tag goes missing the owner, using their Tile app, can instruct the tag to emit a sound to locate it. For items farther away, the system relies on the network of phones belonging to other Tile users. These also pick up the broadcast of any Tile device near them. And since 2021, Ring cameras, Echo devices, and Tile tags have been integrated into Amazon’s Sidewalk network, meaning Ring and Echo devices can pick up the location of Tile tags as well.

Each time these devices pick up the broadcast from a Tile tag, the location, MAC address, and unique ID of that tag get sent to a Tile server where it’s stored in a database, the researchers found. The owner of a lost tag and item can then use their Tile app to query the database for their latest location. The problem, according to the researchers, lies in how Tile has implemented this system.

Tile claims that user information transmitted across its network can’t be seen by anyone. “You are the only one with the ability to see your Tile location and your device location,” the company states in its privacy policy. But the researchers found that the MAC address and unique ID that a Tile tag broadcasts is not encrypted, allowing someone in the vicinity of a tag with a Tile app on their phone or a radio frequency antenna to intercept this information as its transmitted and track the location of the tag and associated item or its owner.

Other tag makers replace the MAC address with a rotating unique ID and only transmit the ID. By changing the ID periodically, someone recording broadcasts from a tag cannot easily link multiple broadcasts to the same tag to track the movement of that tag and associated item or owner.

But because Tile’s system transmits both the MAC address and the unique ID, and does not encrypt this transmission, someone can intercept this information. Tile’s unique ID also rotates—it changes every 15 minutes if the tag is near the owner’s phone or once in 24 hours if not—but because the MAC address is static and does not change, it can be used to track a tag regardless of the changing ID. Even if Tile chose to not transmit the MAC address, the researchers say, the way Tile generates the changing ID is not secure and can still be used to track a tag.

“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” says Kumar, who says this creates a risk of systemic surveillance for anyone whose tag is caught up in a scan.

Law enforcement could potentially use this to identify anyone in an area that has a Tile tag or Tile-enabled device. And because this location information seems likely to be stored unencrypted on Tile’s server, researchers say, Tile could also track the location of tags or share this information with any third party.

“These issues transform Tile’s infrastructure into a global tracking network,” the researchers claim in a paper they wrote about their findings.

When an Apple, Google, or Samsung tag gets detected in a scan, the report that gets sent to the company servers containing the tag’s ID and location information is end-to-end encrypted so that no one can intercept the broadcasts as they’re transmitted, and the companies themselves cannot see the location information to track the movement of the tags. Only a tag owner can see this information because a key on their phone decrypts the location data on the company’s server that is associated with their tag ID.

“They have designed their system intentionally such that they aren’t able to recover your location or the location of where your items are,” says Specter. “Because they don’t want to be in the business of knowing where all people are at all times.”

**Talking Anti-Stalking**

In a study published last year, researchers measuring the misuse of Bluetooth location trackers—including devices from Apple, Tile, Samsung, and Chipolo—found that more than 40 percent of stalking victims had been tracked with Bluetooth tags hidden in their cars, purses, or backpacks.

To address this, makers of location-tracking technology have implemented solutions to alert users when a tracking device they don’t own appears to be moving with them. But the researchers say that Tile’s implementation is flawed in ways that both undermine its effectiveness and make it susceptible to being used to track the movement of other users.

Unlike other trackers—which conduct a continuous scan for trackers in a user’s vicinity that they don’t own and automatically alert the user to the presence of these trackers—Tile’s so-called Scan and Secure system has to be manually initiated by a user through the Tile app. The scan lasts only 10 minutes, and the user has to be moving around an area while the scan is in progress to detect tags that are moving with them. Users have to also remember to re-initiate scans periodically to detect any rogue devices that might be traveling with them since their last scan.

Tile’s app performs six Bluetooth scans during the 10 minutes and extracts the MAC address and unique ID from each broadcast it detects. The app then checks these addresses against a database to determine if they are paired with the phone of the person doing the scan. Any address or ID that is not paired with their phone is designated “unknown.” The app produces a report of these tags for the person to view. It also sends a message to the Tile server with all the MAC addresses and unique IDs detected during the six scans, and the number of times they appeared.

But the researchers found that the Scan and Secure feature is undermined by another feature Tile offers for preventing theft. The researchers say this anti-theft mode is unique to Tile, and the problems it presents for Tile users may be the reason.

The aim of anti-theft is to prevent would-be thieves from running a scan using a Tile mobile application to see if there is a Tile tag paired with an item they plan to steal. But when a tag owner enables anti-theft to make their tag invisible to would-be thieves, those tags also won’t be visible to someone running a scan to determine if they are being stalked with a rogue tag. This means a stalker could hide their stalking tag by putting it in anti-theft mode. A scan will still detect the tag and send its MAC address, unique ID, and location to Tile’s servers, but the tag won’t be included in the scan results that are displayed to the user who initiated the scan, effectively making potential stalking victims blind to rogue devices that may be following them.

Kumar says other makers of location trackers avoid this by not even offering anti-theft mode for their products.

“They never say, ‘Here’s a tag that can prevent your devices from being stolen.’ They say it helps recover lost devices. Anti-theft is just not a feature,” she says. “That’s a compromise that these companies are willing to make in order to have stronger anti-stalking properties.”

The researchers also say that the anti-theft mode isn’t foolproof because a user with a modified Tile app can easily circumvent it to collect and display all MAC addresses and unique IDs recorded during a scan, regardless of whether any of those tags are using anti-theft mode.

Tile believes it solves the anti-theft abuse problem by requiring that anyone who enables anti-theft mode for their tag provide a government-issued ID and live photo of their face to Tile before anti-theft mode will be enabled. Users of this mode also have to consent to a $1 million fine if they are convicted of using Tile for stalking—though the researchers point out that it’s unclear if this is enforceable.

Tile states in its terms that the identity information users provide will be shared with law enforcement if Tile believes someone has abused the feature for stalking. But the company is inconsistent about whether law enforcement needs a warrant to get this information. In a FAQ the company says it will “work with law enforcement through a properly issued court order to identify the owner of a suspicious Tile.” But in the terms for its anti-theft mode, users agree that their “personal information can and will be shared with law enforcement at our discretion, even without a subpoena” to aid investigations of suspected stalkers.

Lastly, the researchers say someone can abuse the Scan and Secure feature to frame someone else for stalking by executing a replay attack to impersonate their Tile tag. Using a radio-frequency antenna to collect the unencrypted broadcasts from another user’s tag, an attacker can extract the MAC address and unique ID from these broadcasts, and transmit that in another location. If a user conducts an anti-stalking scan in that location, they would see this MAC address and unique ID in the scan, and this information and the location of where it was scanned would be sent to Tile’s server, making it appear as if that tag was near the person who did the scan. There is no way to determine, the researchers say, if a MAC address and unique ID was emitted by a legitimate Tile device or someone maliciously replaying that information.

The researchers say many of the problems they found could be addressed simply by Tile encrypting the broadcasts from its tags, and they don’t understand why the company apparently hasn’t followed the example of its competitors.

Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say

Companies are going to great lengths to protect the infrastructure that provides the backbone of the world’s digital services—by burying their data deep underground.

Inside the Nuclear Bunkers, Mines, and Mountains Being Retrofitted as Data Centers

An app called Neon Mobile which pays a small price for privacy is storming the popularity chart in the US Apple app store.

TechCrunch reports about a “bizarre app” inviting you to record and share your audio calls so that it can sell the data to AI companies. And if that’s not weird enough on its own, it’s ranking No. 2 in Apple’s US app store at the time of writing.

The name of the app is Neon Mobile and it promises to pay users hundreds or even thousands of dollars per year. Why would you do it? Its reasoning is the old “they already know everything about you anyway” adage and “you might as well get paid for it then.”

Neon will sell the data collected by the app to “AI companies for the purpose of developing, training, testing, and improving machine learning models, artificial intelligence tools and systems, and related technologies.”

The payment is $0.15 per minute if you’re the only Neon Mobile user in the conversation, and this doubles when the person on the other end uses the app as well. With a maximum payout of $30 per day and the understanding that the call has to be made through the app, you’ll have to be on the phone a lot to make thousands of dollars, but we can see why this might be an attractive offer to some people.

Some people are even already planning to do it as a second job. One commenter says:

> “They just want the voice data. So if you and a friend agree to talk about pretend situations for an hour a day to make $900 a month that seems pretty easy. If both parties are doing it that comes out to $18 an hour which is pretty good.”

Neon Mobile promises that:

*   It will never sell your personal data to any third party.
*   It does not knowingly or intentionally collect personal data about children under 16.
*   It will only record your side of the call unless it’s with another Neon user.

We have some doubts about how it will accomplish the one-sided recording technically, as well automatically filtering out names, numbers, and other personal details.

As always, there are some caveats. Looking at the Privacy Policy we noticed:

*   **Neon collects a lot of personal and technical data about you**, like identifiers, contact details, usage data, payment information, event participation, account activity, testimonials, and other data from third-party sources.
*   **Any third-party integrations are your responsibility**. These third-party integrations may ask for permissions to access your personal data, or send information to your Neon Account. It is the user’s responsibility to review any third-party integrations.
*   **Your personal data is shared with others.** Neon regularly passes personal data to service providers and “trusted partners” for things like hosting, marketing, sales support, and analytics. combined marketing, support, and analytics.
*   **You have certain rights, but not absolute ones.** You can request to access, delete, or correct the personal data Neon Mobile collects or maintains about you, but Neon may deny requests when the law allows.
*   **You need to watch out for opt-outs.** If Neon wants to use your data in a new way, or if it plans to disclose it to another third party not already covered in the Privacy Policy, it will give you the choice to refuse this new use or disclosure. But this an “opt out” opportunity, so you will have to pay close attention to every change in the Terms of service and the Privacy Policy.
*   **The disclosure rights are quite broad.** Neon reserves the right to disclose data to comply with legal obligations, protect rights and safety, investigate fraud, or respond to law enforcement requests, with broad latitude for “compelled disclosure”.

In other words, Neon gathers and combines a wide range of personal and usage data, shares it with partners and third parties, and reserves broad rights to repurpose or disclose it—leaving users to monitor policy changes and opt out if they don’t agree.

Given the breadth of the data collection and the numerous caveats (while framed as protections against abuse), I’d argue that Neon Mobile is paying a low price for users’ privacy.

It’s also worth noting that if you become disappointed with the app or its returns, it takes more than just deleting the app from your device .

> “If you delete the Neon app (but do not close your Neon account), your calls can still be recorded when other Neon users who have the app call you. If you want to stop call recordings with other Neon users, close your account through your profile settings.”

I’d also advise anyone using the app to inform the person on the other end that the conversation will be recorded, since failing to do so may have legal implications.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Neon App pays users to record their phone calls, sells data for AI training 

Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks.
"This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms," the Microsoft Threat Intelligence team said in a Thursday report.
"It employs sophisticated encryption and obfuscation

Malware / Browser Security

Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called **XCSSET** that has been observed in limited attacks.

"This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms," the Microsoft Threat Intelligence team said in a Thursday report.

"It employs sophisticated encryption and obfuscation techniques, uses run-only compiled AppleScripts for stealthy execution, and expands its data exfiltration capabilities to include Firefox browser data. It also adds another persistence mechanism through LaunchDaemon entries."

XCSSET is the name assigned to a sophisticated modular malware that's designed to infect Xcode projects used by software developers and unleash its malicious capabilities when it's being built. Exactly how the malware is distributed remains unclear, but it's suspected that the propagation relies on the Xcode project files being shared among developers building apps for macOS.

Earlier this March, Microsoft uncovered several enhancements to the malware, highlighting its improved error handling and the use of three different persistence techniques to siphon sensitive data from compromised hosts.

The latest variant of XCSSET has been found to incorporate a clipper sub-module that monitors clipboard content for specific regular expression (aka regex) patterns matching various cryptocurrency wallets. In the event of a match, the malware proceeds to substitute the wallet address in the clipboard with an attacker-controlled one to reroute transactions.

The Windows maker also noted that the new iteration introduces changes to the fourth stage of the infection chain, particularly where an AppleScript application is used to run a shell command to fetch the final-stage AppleScript that's responsible for collecting system information and launching various sub-modules using a boot() function.

Notably, the modifications include extra checks for the Mozilla Firefox browser and an altered logic to determine the presence of the Telegram messaging app. Also observed are changes to the various modules, as well as new modules that did not exist in previous versions -

*   vexyeqj, the information module previously called seizecj, and which downloads a module called bnk that's run using osascript. The script defines functions for data validation, encryption, decryption, fetching additional data from command-and-control (C2) server, and logging. It also includes the clipper functionality.
*   neq\_cdyd\_ilvcmwx, a module similar to txzx\_vostfdi that exfiltrates files to the C2 server
*   xmyyeqjx, a module to set up LaunchDaemon-based persistence
*   jey, a module to set up Git-based persistence
*   iewmilh\_cdyd, a module to steal data from Firefox using a modified version of a publicly available tool named HackBrowserData

To mitigate the threat posed by XCSSET, users are recommended to ensure that they keep their system up-to-date, inspect Xcode projects downloaded or cloned from repositories or other sources, and exercise caution when it comes to copying and pasting sensitive data from the clipboard.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module

Austin, Texas, USA, 23rd September 2025, CyberNewsWire

**Austin, Texas, USA, September 23rd, 2025, CyberNewsWire**

New SpyCloud 2025 Identity Threat Report reveals dangerous disconnect between perceived security readiness and operational reality.

SpyCloud, the leader in identity threat protection, today released the **2025 SpyCloud Identity Threat Report**, revealing that while 86% of security leaders report confidence in their ability to prevent identity-based attacks, 85% of organizations were affected by a ransomware incident at least once in the past year – with over one-third affected between six and ten times.

Further illustrating the gap between perceived confidence and actual exposure, the market survey of over 500 security leaders across North America and the UK revealed that over two-thirds of organizations are significantly or extremely concerned about identity-based cyberattacks, yet only 38% can detect historical identity exposures that create risk due to poor cyber hygiene like credential reuse. As organizations grapple with sprawling digital identities across SaaS platforms, unmanaged devices, and third-party ecosystems, attackers are capitalizing on these gaps.

> “From phishing and infostealer infections to reused credentials and unmanaged access, today’s threat actors are exploiting overlooked identity exposures,” said Damon Fleury, SpyCloud’s Chief Product Officer. “These tactics allow adversaries to bypass traditional defenses and quietly establish access that can lead to follow-on attacks like ransomware, account takeover, session hijacking, and fraud. This report surfaces the critical truth that many organizations feel prepared but their defenses don’t extend to the places adversaries are now operating.”

**Identity Sprawl is Expanding the Attack Surface**

Identity has become the gravitational center of modern cyber threats. An individual’s digital identity now spans hundreds of touchpoints, including corporate and personal credentials, session cookies, financial data, and personally identifiable information (PII) across SaaS platforms, managed and unmanaged devices, and third-party applications. 

These elements when exposed on the darknet create a vast, interconnected attack surface ripe for exploitation. SpyCloud has recaptured 63.8 billion distinct identity records from the dark web, a 24% increase year-over-year. This illustrates the unprecedented scale of data circulating in the criminal underground, leaving organizations vulnerable because they lack the visibility and automation needed to shut down these exposures before they become additional entry points for follow-on identity-based attacks.

This surge in exposure is fueling broad concern. Nearly 40% of organizations surveyed identified four or more identity-centric threats as “extreme” concerns, with phishing (40%), ransomware (37%), nation-state adversaries (36%), and unmanaged or unauthorized devices (36%) leading the list.

**Insider Threats Begin with Identity Compromise**

The report also highlights that insider threats, whether malicious or unwitting, often share a common origin: identity compromise.

Nation-state actors, including North Korean IT operatives, are leveraging stolen or synthetic identities to infiltrate organizations by posing as legitimate contractors or employees. SpyCloud’s investigative findings show that attackers are assembling synthetic identities using phished cookies, malware-exfiltrated API keys, and reused credentials to pass background checks and weak screening processes. Further emphasizing this point, previous SpyCloud research found that 60% of organizations still rely on manual, ad-hoc communication between HR and security teams. Without hardened security screening that gives organizations visibility into candidates’ historical identity misuse and connections to criminal infrastructure, these actors can remain undetected until it’s too late.

At the same time, legitimate employees, contractors, or partners may unknowingly introduce risk when their identities are compromised. These unwitting insiders are frequently targeted through phishing and infostealer malware, resulting in stolen credentials and session cookies that provide persistent access to internal systems.

Phishing, in particular, was cited as the leading entry point for ransomware in 2025, accounting for 35% of incidents – a 10-point increase over the previous year.

**Defenses Fall Short in Responding to Identity-Based Threats**

Despite growing awareness of identity-driven threats, most organizations are not equipped to respond effectively:

*   57% lack strong capabilities to invalidate exposed sessions
*   Nearly two-thirds lack repeatable remediation workflows
*   About two-thirds do not have formal investigation protocols
*   Less than 20% can automate identity remediation across systems

Only 19% of organizations have automated identity remediation processes in place. The rest rely on case-by-case investigation or incomplete playbooks that leave gaps attackers can exploit.

> “The defense mission has changed,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Attackers are opportunistic, chaining together stolen identity data to find any available access point. Yet traditional defenses remain narrowly focused on behavior and endpoints – missing the identity exposures that enable persistent, undetected access. The data shows organizations must extend protection to the identity layer, and keep a continuous eye on exposures and remediation to shut down threats before follow-on attacks can occur.”

**Closing Identity Gaps Before Insider Threats Escalate**

The report underscores the need for a holistic approach to identity protection. This means continuously correlating exposures across users’ full digital footprint – including past and present, personal and corporate identities – and automating remediation of compromised credentials, cookies, PII, and access tokens. In doing so, organizations move beyond account-level protection and gain visibility into identity risks threat actors were previously exploiting.

SpyCloud’s holistic identity intelligence empowers organizations to prevent identity-based threats by:

*   Detecting fraudulent job candidates before access is granted
*   Identifying compromised employees and users across devices and environments
*   Invalidating exposed sessions and credentials at scale
*   Accelerating investigations through automated correlation of darknet exposure data

> “Teams that excel in identity security know exactly where exposures exist, can address them at scale, operate with clearly defined responsibilities, and continually adapt rather than simply react,” added Fleury. “The future belongs to those who treat identity as mission-critical – building systems that detect compromise early, respond decisively, and beat threat actors from launching further attacks while keeping a strong and secure workforce.”

Users can click here to access the full report or contact SpyCloud to learn more. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

Tag

#apple