This month focuses on the Massive Data Leak that exposed 16 Billion Credentials, the New Malware Campaign Using PDFs To Impersonate Popular Applications, and Microsoft’s Next Step in its Passwordless Authentication mission.

16 Billion Credentials Exposed In Massive Data Leak

Over 16 billion login records (usernames and passwords) were discovered publicly accessible online, affecting major platforms like Apple, Google, Facebook, Microsoft, and 29 countries’ government systems.

Summary

• This was not the result of one hack, but an aggregation of data collected over the years by infostealer malware from countless infected machines.
• Researchers reported finding 30 unprotected datasets containing these credentials, highlighting an unprecedented scale of exposure.
• In May 2025, for example, cybersecurity researcher Jeremiah Fowler found 47GB of data with 184 million records exposed on an Elasticsearch server hosted by World Host Group — some of which included government email addresses.
• Data included government accounts from several countries, indicating a widespread systemic vulnerability.
• Rather than exploiting zero-days or breaching firewalls, the data was collected through malware that logs credentials from infected devices, silently and over time.
• Researchers noted many credentials were from previous breaches, but also included fresh infostealer logs, making the threat more relevant and active.
• The stolen data mirrored formats used by infostealer logs — URL, username, and password triplets — ready for exploitation.
• While some of the data may be old, a large portion of the credentials are still valid, and many users reuse passwords across services.
• The leak didn’t trigger headlines because there was no named victim, ransom, or regulatory breach disclosure — it flew under the radar.
• This data can be used for credential stuffing, phishing, identity theft, financial fraud, and more, especially for organizations without MFA.
• Organizations without multi-factor authentication or proper credential hygiene are extremely vulnerable to exploitation from this dataset.
• Immediate Actions for Individuals should include;

• Focus on email, banking, and social platforms. Avoid password reuse across accounts.
• Use a Password Manager to manage unique, complex passwords per service — a crucial barrier against credential reuse attacks.
• Enable MFA on every account to add a strong layer of protection. Use app-based or hardware key MFA when possible.
• Scan devices regularly for infostealers and other threats.
• Look for unauthorized logins, password reset attempts, or new devices, and set alerts for suspicious actions.

• Immediate Actions for Organizations should include;

• Use EDRs to protect endpoints against infostealers with real-time threat detection and containment.
• Use password managers, SSO, and identity federation to reduce attack surface.
• Regularly monitor the dark web for leaked credentials tied to your organization

• Read more about the massive data leak here

New Phishing Campaign Uses PDFs to Impersonate Popular Applications

A growing phishing trend called Telephone-Oriented Attack Delivery (TOAD) tricks victims into calling attacker-controlled phone numbers, often included in PDF email attachments posing as trusted brands like Microsoft and DocuSign.

Summary

• These Malicious PDFs include fake QR codes or embedded links using annotations, sticky notes, or form fields. They redirect victims to phishing sites, typically impersonating services like Microsoft 365, Dropbox, or PayPal.
• During the callback, attackers impersonate customer service agents using VoIP numbers, spoofed caller IDs, and realistic call center tricks like hold music to install malware or steal credentials.
• Financially motivated groups like Luna Moth use TOAD to trick users into installing remote access tools (RATs) or banking trojans, often under the guise of IT support.
• Brand spoofing remains a top tactic in phishing attacks, making brand impersonation detection tools critical in defending against these threats.
• Attackers also abuse Microsoft’s Direct Send feature to spoof internal users and bypass email filters, making phishing emails appear as if they originate from within the organization.
• Threat actors exploit language models (LLMs) by manipulating their responses to direct users to malicious login pages through poisoned AI-generated URLs or fake website prompts.
• Cybercriminals are seeding GitHub with fake open-source APIs and tools—like “Moonshot-Volume-Bot”—to poison AI training data and compromise developers via malicious blockchain transactions.
• Criminals use services like Hacklink to inject phishing links into compromised .gov and .edu sites, manipulating search engine results to display malicious pages as legitimate.
• The combination of callback phishing, brand impersonation, AI misuse, and search engine poisoning underscores the evolving, multi-layered tactics of modern phishing attacks that blur trust boundaries and technical safeguards. 
• Read more about it here.

Microsoft To End Support For Its Authenticator App in August 2025

Microsoft announced it will end support for passwords in its Authenticator app starting August 1, 2025, as part of a broader move toward passwordless authentication.

Summary

• The autofill feature will stop working in July 2025, and from August, saved passwords will no longer be accessible within the app.
• Microsoft is encouraging the use of passkeys, Windows Hello, and FIDO2-based methods to improve security and reduce reliance on passwords.
• The shift is aimed at protecting users from phishing, credential theft, and password reuse, which remain major attack vectors.
• Saved passwords and addresses will be synced to users’ Microsoft accounts and become accessible through the Microsoft Edge browser, which must be set as the default autofill provider.
• Microsoft already disabled the ability to add or import passwords in Authenticator as of the previous month.
• Any passwords not saved before the transition will be permanently deleted after August 2025.
• The change does not affect passkeys; however, users must keep Authenticator enabled as the passkey provider for their Microsoft account.
• Users are advised to migrate to dedicated password managers such as Microsoft Edge, iCloud Keychain, Bitwarden, or Google Password Manager for a smoother experience.
• Microsoft recommends users export their passwords from Authenticator and import them into their new manager, ensuring they set it as the default autofill tool on their devices.
• To read more about it on Microsoft Support

Sources

• https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
• https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
• https://support.microsoft.com/en-us/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6