There’s a question we get asked constantly, and it’s the right one to ask: “Can 1Password see the contents of my vault?”

The answer is no, and it’s because of how we built the product, not just a promise we’re making. That’s an important distinction, because “we promise” has never been an acceptable answer in this industry. After all, promises get broken, and companies get compromised, acquired, and are under constant attack from threat actors.

1Password’s commitment to our security principles is genuine, but what matters more is how we’ve built that commitment into our product and architecture, and the transparency we back it up with with our security white paper.

So here’s the precise answer: The way 1Password is built means that we are incapable, on a technical level, of decrypting and reading your vault contents. We're not policy-prevented or contractually restricted; we are technically incapable. This post explains what that means, why we built it this way, and what the real tradeoffs are.

Your data is encrypted before it ever leaves your device

When you save a password, a credit card number, or a note in 1Password, the first thing that happens is encryption, and it happens on your device, before any data moves anywhere.

Encryption here doesn’t mean we “hide” or “scramble” your data and promise not to look. It means your plaintext vault item is transformed into ciphertext using cryptographic keys that are only available on your devices. Without these keys, 1Password is unable to decrypt and read your data.

The two keys in question are your 128 bit Secret Key (a 34-character value separated by dashes) and your account password. Together, these produce the cryptographic key that locks and unlocks your vault.

Here’s the critical part: neither your Secret Key nor your account password is ever transmitted to 1Password or stored on our servers. We never possess the keys needed to decrypt your vaults. When you set up your 1Password account on a new device, you’re not “downloading” your key from us, you’re entering it yourself (either manually or using a QR code), and your device uses it locally to decrypt the vault data it receives.

What we store on our servers is the encrypted version of your vault contents: ciphertext that is, for all practical purposes, indistinguishable from random data without the key to decrypt it. If our servers were compromised tomorrow and an attacker exfiltrated every byte of stored data, they’d only have encrypted blobs they cannot read.

Your vault content are encrypted on your device. What reaches our servers is unreadable ciphertext.

Even the fastest supercomputer would take (literally) billions of billions of years to try and guess a 128-bit encryption key. That’s what we mean when we say 1Password’s security isn’t built on promises; it’s built on math.

What “zero-knowledge” actually means and what it costs

The design pattern described above is called zero-knowledge architecture. It means the service provider, in this case, 1Password, has zero knowledge of the plaintext contents of what it’s storing.

Zero-knowledge is a meaningful claim because it is an immutable fact of our architecture. But zero-knowledge is a security guarantee with real product implications and intentional constraints.

The most significant tradeoff is account recovery. If you forget your account password or lose your Secret Key, we cannot return them to you, because we don’t have them. (If you forget your password, you can regain access to your account by generating a recovery code, but this still requires you to have access to the email account you used to create the account.)

The same constraint shapes what features we can build. Any capability that would require 1Password to see your plaintext data is, by design, off the table. We can’t offer server-side search across your vault contents. When we scan your saved passwords and tell you which ones have appeared in a breach, we do that computation on your device and only a partial hash of your password is checked against breach databases, so we learn nothing about the actual credential. Some things that would be convenient to build are simply incompatible with the architecture, and we think that’s the correct tradeoff.

The decryption key lives on your device. Encrypted data syncs to our servers, but the key never does.

Zero-knowledge also means we can’t be compelled to hand over vault contents we don’t have. A court order can require us to produce data, but it can’t require us to produce a decryption key that doesn’t exist on our systems. (You can read our full policy on legal requests here.)

When computation has to happen in the cloud

The zero-knowledge constraint of only processing unencrypted data on a user's device works well for storing and syncing data. But some features, particularly enterprise capabilities like company-wide security reporting, require server-side computation. So our question in building those features has been: how can we do this without undermining our architecture and creating a new exposure point?

This creates a real problem. If you need to process data in the cloud, and that data needs to be in a usable form during processing, how do you prevent the cloud infrastructure from being a point of exposure? The standard answer in most other software is to trust the server, use access controls, audit the logs, and hope the infrastructure isn’t compromised.

We weren’t satisfied with that. So we built cloud processing on top of a technology called confidential computing.

The core idea: instead of processing data on a regular server, we run computation inside a hardware-enforced enclave. Think of it as a sealed processing room: data goes in, results come out, and the room is impenetrable at the hardware level.

The enclave combines hardware-backed isolation, verified code execution, and cryptographic attestation – protocols designed to minimize what services can learn. Not even the cloud provider running the hardware can observe what’s happening.

The enclave is a hardware-enforced sealed room. Data is processed inside; nobody — including 1Password — can reach in.

We also publish the code that runs inside these enclaves, and we use cryptographic attestation so that you can independently verify it’s running the code we published and not some modified version. An independent security firm audited the implementation and found no critical vulnerabilities. The full report is publicly available, the code is available, and the verification mechanism is built into the protocol.

Why this design matters more now

Password managers contain sensitive and valuable secrets for individuals, families, and companies alike, so they are often subjected to attacks by bad actors. That has been true for years, and it’s only becoming more true as technology evolves.

Password managers are increasingly the credential layer for a broader set of tools: browsers, developer environments, workplace automation, and now AI-powered agents that can take actions on your behalf. We’ve written about how we approach agent identity and the trust decisions that come with it. As those connections multiply, the question becomes: how do we allow the right tools to access the right data at the right time, without expanding trust more than necessary?

The right answer is to stick to proven security principles: zero trust, zero-knowledge, and cryptographic designs published and reviewed by our customers and the community.

Want to learn more?

If you’re a customer, this is how your data is protected. If you’re evaluating password managers, these are the questions worth asking: Where does encryption happen? Who holds the keys? What can the service provider see, and what can they be compelled to produce?

If you want to go deeper, our cryptography white paper walks through the technical implementation in full detail. Our confidential computing blog post covers the enclave architecture specifically.

Even as 1Password and the digital world evolve, we will continue to insist that security should be verifiable, not just claimed. Everything we build maintains that standard.

Coding agents like Codex are helping developers write, execute, and prepare code for production. Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials. Today, these credentials typically live in .env files, scripts, or hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit. The shift from AI assistance to AI execution has outpaced how teams manage the secrets needed for execution.

1Password and OpenAI are working together to close this gap. The 1Password Environments MCP Server for Codex makes 1Password the trusted access layer for Codex: credentials are issued just-in-time and scoped to the task, while keeping them outside the model’s context window. Developers get the access they need to build and ship, while secrets stay where they belong. The same integration helps catch secrets at the source. Codex can be prompted to use 1Password and the 1Password MCP to store and use credentials that it needs.

Why secrets should stay out of prompts, code, and model context

Every credential placed inside an agent's context is a credential at risk of easily being exfiltrated. It can be logged, cached, reused across sessions, or surfaced in unexpected outputs. A secure architecture treats a coding agent as a tenant, not a vault: it gets secure access to do its job, but never custody of the secret itself. 1Password Environments is built on that principle. Instead of sharing .env files or hardcoding credential values, teams work from a shared environment where secrets are made available at runtime to the application, without the values ever appearing in code, terminals, or model context.

This secure access model is built on the same vault technology and security architecture used across 1Password. Secrets remain end-to-end encrypted and centrally managed, with access limited to authorized users and groups, and through custom permissions.

This architecture matters more as coding agents take on a bigger share of the development workflow. Any agent that executes code needs credentials, and any credential copied into local files or prompts, or hardcoded into repositories is a credential at risk. 1Password Environments gives teams a way to support these workflows without trading security for developer velocity.

Connecting 1Password Environments to Codex

The integration uses a local MCP server – packaged inside our Password Manager and developer tools – to connect Codex and 1Password Environments, and is available to both 1Password business and personal accounts. MCP connects models to tools and context, specifically with 1Password’s MCP Server for Codex, developers can grant Codex access to credentials directly inside their coding workflows while keeping secrets outside of code. That last part is key: the MCP server here is designed so that Codex can act on secrets without ever seeing them.

Here's what happens when a developer or builder asks Codex to configure an environment:

• Start a task in Codex: For example, ask Codex to create an app and configure the environment it needs.

• Codex connects to the 1Password MCP server: This happens over a local MCP server connection, where Codex can discover and invoke available actions from instructions the MCP is providing.

• Requests are validated through 1Password: The MCP server communicates with the 1Password desktop app, which handles identity, authorization, and secure access.

• A user always needs to approve access: Every interaction requires explicit 1Password user auth prompt approval before Codex can proceed.

• Codex creates and manages an environment: It can create environments, list and manage variable names, and prepare configuration without accessing raw secrets.

• Secrets are used at runtime: Applications run using secrets from 1Password, without copying credentials into prompts, local files, or repositories.

It’s important to note the architectural guarantee: secrets never leave 1Password and are always secure. The MCP server does not read or return secret values through the MCP channel, surface secrets in the model’s context window, or write them to disk. Codex can create environments, list variable names, and invoke applications that use those secrets, but the values themselves never leave 1Password.

Here’s what actually happens at runtime: 1Password injects the required variables directly into the application process when it runs. The values exist in memory only for the authorized process, and only for as long as the process needs them. Codex orchestrates, the application executes, and 1Password issues the credentials.

This integration reflects 1Password’s approach to MCP and agentic workflows. Secrets are securely injected at runtime for an authorized process and users must explicitly authorize access for the scoped task. MCP works best when access is scoped, user-approved, and keeps credentials out of the agent context.

What builders can do with Codex and 1Password Environments

If you’re a developer or builder, this integration is designed to fit into how you already work, while reducing the need to handle secrets directly or copy them into prompts, local files, or repositories. With this integration, developers can:

• Bootstrap new projects with 1Password-managed environments so you don't have to create or share .env files.

• Allow Codex to create and manage environments so your code runs with the right configuration, while underlying secrets stay in 1Password.

• Stay in control of every access since each Codex interaction with 1Password requires explicit user approval.

• Use Codex to scan repositories for secrets in plain text, then move these secrets into 1Password for secure storage, and replace them with references in code.

• Use Codex to extend environments across stages. Use your local environment as a baseline to help bootstrap staging and production environments.

What this unlocks for engineering and security teams

This integration reduces the overhead of managing secrets in AI-driven workflows, while giving teams more control over how those workflows are adopted.

With this integration, teams can:

• Eliminate manual secret cleanup and the context switching it requires.

• Move existing secrets into secure storage as part of the normal coding workflow, not as a separate hygiene task.

• Support Codex adoption while keeping credentials outside the model’s context window.

• Give developers a fast path to AI-assisted workflows while security teams retain oversight of how secrets are accessed.

• Centralize secrets in 1Password instead of letting them scatter across repositories, files, and local environments.

Get started with 1Password Environments and Codex

We're launching the 1Password Environments MCP Server with Codex as a proof point for a broader thesis about the future of agent access.

Coding agents are the leading edge of a larger shift: AI agents joining the workforce and needing real access to real systems. Every one of them will need credentials, but none of them should have custody of those credentials. 1Password is building the access architecture for a future where every agent: coding, operational, and customer-facing gets access through the same trusted layer. Codex is where that future starts.

How to turn it on

This new feature is available to all joint 1Password and OpenAI customers with access to our Password Managers and 1Password developer tools.

To get started, visit the 1Password Marketplace listing for step-by-step documentation on connecting Codex to 1Password using the local MCP server.

Authentication is built on the assumption that identity can be verified once and trusted for a specified period. Over time, the security industry has gotten very good at validating that trust through a chain of identity providers, certificates, and infrastructure that confirm that a user is who it claims to be at login. Authentication assumes that identity and intent will stay relatively stable and predictable because it was designed for people whose behavior is largely stable and predictable.

Agents break that assumption entirely. They act non-deterministically, starting with one task and expanding their scope as they work, accessing new files and APIs, making their identities difficult to track. When an agent acts autonomously on a person's behalf, the question is no longer whether it can log in; it's how it uses access after it does.

To establish a control plane for agents, Nancy asks, “If you’re a CTO and you’ve been told to deploy internal agents into production, what are the no-excuses minimum controls for identity, authorization, secrets handling, and audit?

Fotis Chantzis, Agent Security Lead at OpenAI, joined Zero-Shot Learning, 1Password’s AI builder podcast, to talk through why the protocols built for human identity don’t hold up under those conditions, and what teams can do to secure agents in production.

Static authorization fails when agents get new ideas

Continuous authorization is the practice of evaluating and enforcing access permissions at each step of an agent's workflow, rather than granting access once at the start of a session.

OAuth and OIDC assume relatively stable scopes and front-loaded authorization decisions. A user signs in, approves access once, and the system moves forward with that grant.

But agents make decisions and take actions beyond the original intent of the person who authorized them.

As Fotis says, "There is no concept of continuous authorization that agents require because an agent starts with one task and then decides that it needs to do something else."

For example, a coding agent might start by accessing local files, then decide mid-task that it needs to browse the web for API documentation. At that point, it writes a new task and downloads the documentation file. Nothing was re-evaluated to determine whether that change should be allowed. An agent can take dozens of these actions in seconds, adding new tools and risk with each move.

A functional identity model for agents must continuously evaluate access as the workflow evolves. Otherwise, teams face the familiar tradeoff of blocking too much and slowing work, or approving too much and holding their breath.

At 1Password, we see the value in continuous, workflow-aware authorization, where access is brokered at runtime, scoped to each action, and enforced at each step through a control layer that mediates how credentials are used.

Nancy framed this as a question of how authority moves between users, agents, and tools: “This brings us to the concept of delegation chains and how we should think about them, scope, duration, thresholds, and the systems those agents are allowed to access.”

Attribution has to survive across tools, runtimes, and sessions

Attribution is the ability to trace every action an agent takes back to the human who initiated it and the authority under which it ran, across every system the agent touches.

Nancy framed the operational challenge directly asking, when an enterprise needs to investigate an incident or audit access, how does it determine which agent actually accessed a system or dataset, and under whose authority?

For agents, attribution breaks as work moves between systems because each step is recorded separately, severing the connection to the original user or task.

Without attribution, we lose governance.”

–Fotis Chantzis, Agent Security Lead, OpenAI

In an incident response scenario, teams work backward from logs to reconstruct what happened. With agents, that quickly becomes difficult. The agent may start in one environment, then call multiple systems, each logging events separately and without shared context.

In one system, the action might appear under a user identity. In another, it shows up as a service account. In a third, it’s tied to an API token. Each step appears valid on its own, but the connection between them isn’t preserved.

Investigators can see the individual steps, but not the full chain of actions or who was responsible for them.

Nancy connected this to a growing need for execution traces that can compare an agent’s intended plan with what it actually did, step by step, across prompts, tool calls, and outputs. For auditing, this proves that the agent operated within the bounds of what it was supposed to do.

A stronger approach preserves attribution at each step, so every action can be traced back to its initiator and the authority under which it was performed.

That shift from reconstructing activity to proving it changes what’s possible in audit and in policy enforcement.

Authority has to be mediated

Mediated credential use means routing an agent's access through a controlled layer (a proxy, gateway, or injection layer) that binds credentials to specific destinations, rather than passing the underlying secret to the agent directly.

The most immediate risk from continuous agent action is how the systems handle credentials.

It's essentially game over if a credential ends up in the context window of the agent."

–Fotis Chantzis, Agent Security Lead, OpenAI

Once a secret is exposed to the model, it introduces the risk of credential exposure, whether through a prompt-injection attack or other, less malicious means. Handing an agent a credential isn't effective delegation.

The alternative is to mediate access rather than hand it over. Systems can route access through controlled infrastructure, such as proxies, gateways, or injection layers, that bind credentials to specific destinations and enforce their use. The agent can request access, but never holds the underlying secret. A compromised agent may still attempt unintended actions, but has far less freedom to abuse the authority granted to it.

The minimum control plane before deploying to production

In the episode, the hosts agreed that the control plane, the system that enforces how access is used across identities, tools, and actions, has to persist as agents act, across systems, over time, and through changing intent.

The baseline looks different from human access controls:

• Credentials have to be short-lived and scoped to the task, not granted broadly and reused

• Execution has to be constrained by the environment, not assumed to behave

• Secrets can’t be exposed to the model; they have to be mediated at the point of use

• Every action has to be attributable back to both the agent and the human who delegated it

• Policy has to be enforced continuously, so intent drift is detected before it becomes an incident

Authentication still matters, but it can’t carry the full load. Identity tells you who delegates an agent; it doesn’t control what happens next.

Teams can't wait for standards to catch up

But IT teams don’t have the luxury of waiting. Agents are already operating in production.

Agentic security is still a moving target. To secure agents today, teams need continuous authorization, attribution, and mediated access. The standards agents will rely on around identity, delegation, and authorization are still evolving. Extensions to OIDC, verifiable credentials, and cross-provider delegation models are in development but not yet ready.

In the meantime, most teams aren’t waiting for a perfect model. They’re adapting existing controls, tightening credential lifetimes, introducing mediation layers, and treating agents as first-class machine identities with explicit boundaries.

Design system work follows a well-defined loop: read the ticket, check the Figma spec, find the right component primitives, apply the right tokens, write the Storybook stories, run the tests, open the PR. The steps are consistent enough that when we looked at our design system backlog, we didn't just see a list of tasks; we saw a set of instructions waiting to be executed.

So we set an agent loose on the loop. At first, it was a semi-hot mess. But then we gave it the right context, and boom, it has completely changed how we improve our Design System.

Here’s our approach on what we did and what we learned.

Why we started with our design system

Every team considering agentic coding faces the same question of where to begin. The tempting answer is your largest codebase or your most complex feature. The right answer is wherever the work is most well-specified, and the feedback loop is fastest.

Our React component library, the web layer of our design system, happened to be both. Conventions are strict by design: that's the whole point of having a design system. The output shape is predictable and well-documented: a component, some design tokens, a story, and a test. The blast radius of any change is traceable. And if a token is wrong, the tests catch it automatically, without a human having to notice.

That combination of explicit conventions, predictable outputs, and automatic validation describes exactly the kind of bounded context where agents do well. When we looked at where to prove the pattern before adapting it to larger, messier codebases, the design system was an obvious answer.

What happened when we pointed a general-purpose agent at our design system

The first attempt was to take a well-scoped ticket, hand it to a capable coding agent, and see what comes out.

The results were instructive, and not in the way we hoped.

The agent could read the ticket and navigate the codebase. But without design system-specific context, it filled knowledge gaps with confident-sounding guesses.

It placed tokens at the wrong tier in the hierarchy. Reached for raw HTML elements instead of the correct component primitives. The agent often chose components that looked right in isolation but were semantically wrong for the system, the kind of inconsistency a developer would catch immediately because it breaks patterns that only make sense in the context of the product as a whole.

It opened PRs that didn't follow the team's merge template; the code was often compiled, and tests even passed, but the output wasn't idiomatic. It was close enough to look right yet different enough that a reviewer had to do substantial correction work before anything could merge.

We hadn't saved developer time by making it easier to open a PR; instead, we'd moved the work downstream.

Without institutional knowledge, the agent’s work was insufficient. It knew how to write React, but it didn't know how our design system writes React: the specific directory structure, the token tier model, the CI conventions, and the component primitives we use instead of raw elements. That knowledge lives in the heads of everyone who works on the system, not in any file the agent could easily read.

The fix: making tacit knowledge explicit with agent skills

The solution was to stop expecting the agent to infer what experienced contributors know implicitly and start encoding that knowledge as explicit, executable instructions.

We wrote a set of skills covering the core design system contributor workflows that included

• Scaffolding a new component

• Defining tokens

• Writing Storybook stories

• Adding icons across platforms

• Opening a merge request

• Debugging a CI failure

• Tracing cross-platform impact from a token change

Each skill provides the agent with exact file paths, naming conventions, import patterns, and build commands to make them executable by our agent.

We also exposed Knox through MCP for consumer-facing workflows where agents don’t necessarily have the Knox repo available but still need authoritative guidance on components, design tokens, and interaction patterns. This gave agents a way to ask the design system what exists, how to use it, and which patterns are appropriate without relying on guesswork or outdated copied context.

We folded in our existing builder-facing documentation, including real examples from the product, so the agent could anchor its decisions in consistency. Instead of the agent inferring what's in the system by reading source files, it can ask our design system directly. Our MCP server also added documentation on the user’s intent and the problem a specific component would solve. It enabled the agent to not only make it visually correct but also function as the user would expect in the product UI.

Right away, the agent’s output improved. It stopped guessing conventions because the repeated contributor workflows were now explicit. It had focused skills, clear commands, and a human-qualified ticket to work from.

How to do this for your own design system

This approach generalizes the specific tooling we used, a custom MCP server, CI-triggered runs, and skills committed to the repo can be adapted to any design system with enough test coverage and explicit conventions.

1. Pick the right starting scope

Don't start with your most common ticket type; start with the one you specify most often.

Good candidates:

• Adding a component variant

• Defining a new token tier

• Updating an icon pipeline

Poor candidates:

• Broad refactors

• Anything that touches cross-team contracts

• Work that requires design judgment

• Tickets that the system doesn’t capture

A safe guide is that if a new contributor couldn't implement the ticket from the description alone, the agent can't either. The agent's output ceiling is the quality of its input.

2. Write skills, not documentation

Most design systems have documentation that defines what things are, but few have executable instructions written as skills, which tell an agent what to do, in what order, with exact commands.

Write a skill for each atomic workflow your contributors repeat. Keep them narrow; a skill that does one thing well is easier to maintain and easier for the agent to execute correctly than one that covers every case. Commit them to the repo alongside the code they describe, and when a convention changes, update the skill.

3. Match the context layer to the workflow

Agents working inside a well-structured repo can often read source files effectively when they have narrow skills that tell them where to look, what conventions to follow, and which commands to run. For the Jira-to-PR pipeline, the foundation was repo access, explicit skills, and CI review.

Not every agent workflow starts with a full design system repo available. Consumer-facing agents, prototyping tools, and downstream product workflows may still need authoritative guidance.

If your tooling supports MCP, a lightweight MCP server wrapping your component API, token registry, or Figma library data is the right answer. The agent queries it at runtime instead of guessing.

If a full MCP server is out of scope, a well-maintained DESIGN_SYSTEM.md context file that the agent loads at session start accomplishes most of the same goal at lower fidelity and is still significantly better than nothing.

4. Wire the trigger to a human qualification step

The best trigger we found was a ticket label.

A developer reviews the ticket, decides it's well-scoped, applies a label, and the pipeline fires. This keeps a human in the qualification loop while automating everything downstream.

5. Make the agent surface uncertainty

The PR description should explicitly name the decisions the agent wasn't confident about. A reviewer who knows exactly where to look can validate a draft in minutes, but a reviewer hunting for hidden assumptions will spend hours.

We asked the agent to flag uncertainties. For example, a PR that says "I wasn't sure whether this token belongs at the alias or component tier; I chose alias, but please verify" is far more useful than one that looks confident and buries the guess.

6. Measure PR quality before speed

Resist the temptation to lead with velocity metrics. The number that tells you whether the system is actually working is pull request quality.

Start with what percentage of agent PRs need only review and minor tweaks versus a substantial rewrite. A high rewrite rate means you've shifted work downstream, not eliminated it.

Component accuracy is a useful proxy. Does the agent reach for your actual design system primitives, or does it fall back to raw elements when it doesn't know what to use? If it's reaching for raw elements, your MCP context layer isn't working.

What the ticket-to-PR pipeline produces

In our workflow, a developer labels a ticket as ready. Then a few minutes later, a PR opens with idiomatic code, an approach summary, and explicit notes on where the agent was uncertain.

With this context, the reviewer's job becomes iteration, not inception. They're looking at a working draft with known uncertainties called out up front, not a blank editor.

The quality gap between "agent with skills and real design system context" versus "agent reading files cold" is large enough that it felt more like crossing a threshold than an incremental improvement.

Below the threshold, agents generate code that appears plausible but requires significant correction. Above it, they generate drafts that a reviewer can actually build on.

An unexpected outcome: design-led prototyping

While building the ticket-to-PR pipeline, another question came up: could we give designers the same setup our engineers use for rapid prototyping?

Using the MCP-backed Knox context, we built a prototype playground with prebuilt product templates, an agent to query components, and a simple slash command to scaffold a new prototype from scratch, integrating guidance directly into the user workflow.

A designer describes what they want to build or links to a Figma frame, and the agent generates a working interactive prototype using real design system components ready for iteration and feedback. They share it with a deploy link.

This changed a workflow that previously required developer time into something a designer could run on their own.

A stakeholder review that used to mean a static mockup or a time-consuming Figma clickthrough could now be a clickable prototype built with the actual component library, matching the product's fidelity and interactions.

A few things we learned here that we didn't expect:

• Smaller tasks produce better results than large ones ("build the sidebar" before "build the entire dashboard")

• Naming components specifically ("use the secondary neutral button") beats describing the desired appearance

• Detailed Figma component annotations (size, padding, intended behavior, and states) translate directly into better agent output, because the agent reads that documentation the same way a developer would

What we'd do differently

• Ticket quality is not automatable. The agent is a strong implementer of well-specified work and a poor interpreter of ambiguous requirements. The qualification step (a human deciding whether a ticket is genuinely ready) is the most important step in the pipeline, and it can't be delegated to the agent.

• Start with the narrowest possible scope. Our early instinct was to write a single "implement a design system ticket" skill. What actually worked was breaking it into eight focused skills that the agent could compose as needed. Narrow skills are easier to maintain, easier to debug when something goes wrong, and easier for the agent to execute correctly.

• Treat agent credentials the way you'd treat any machine credential. The design system MCP disconnects after a fixed window, making an agent credential that persists indefinitely a liability. Issuing short-lived, scoped access for agent workflows isn't a UX inconvenience. It's baseline security practice, and it's consistent with how you'd handle any other automated system that has access to your codebase.

Vercel’s design system tooling powers some of the most widely used component libraries in production. Andrew Qu has been tracking how teams are starting to embed agents directly into that layer:

"The gap between design and production has always lived in the component library, where intent either survives or gets lost in translation. With Generative UI, the component library stops being the end of the handoff and starts being the substrate the model renders from. When the model is grounded in what your components are and how they behave, it stops generating one-off UI and starts generating things that belong in your product.”

–Andrew Qu, Chief of Software, Vercel

Design system work will always require human judgment on the questions that influence your product. What's changed is the ratio of that judgment work to the implementation work that follows it.

Agents are increasingly handling the latter. The point is to free the people who understand the system to focus on the work that actually requires human judgment.

AI coding tools have changed who builds software. The barrier to entry has dropped to the point where a designer, an analyst, or a first-time founder can turn an idea into a working app in an afternoon. That shift is real, and it's accelerating.

But every app needs to talk to something. Every API call, database connection, and automated workflow runs on secrets: API keys, tokens, SSH keys, service account credentials. And those secrets have to live somewhere.

For most people building with AI tools today, secrets end up in a .env file, a chat message, a script, or a note that will "definitely get cleaned up later." AI coding tools are good at helping you get something working fast, but they tend to suggest the fastest path to a functioning prototype, not the most secure one. The result is real credentials stored in plain text, scattered across machines and codebases, hard to track and easy for threat actors to find when a machine is compromised.

This is how credential sprawl starts. Not with a dramatic failure, but one unknowing shortcut at a time.

Developers rely on secrets management tools: Now AI builders need them too

Until recently, managing developer credentials was mostly a concern for engineering teams with the time and expertise to configure dedicated tooling. The people who generate secrets have historically been developers trained in secure coding.

Today, that's changed. Designers are prototyping internal dashboards. Operations teams are automating repetitive tasks. Data analysts are connecting pipelines to interactive graphics. Founders are shipping their first apps without engineering teams. None of them signed up to become cybersecurity experts, but they're now handling some of the most sensitive credentials and secrets in their organizations, often without a clear path to doing it safely.

The new wave of AI builders are frequently seeing directions from their vibe coding tool to either put plaintext credentials into a .env file on the computer desktop or store them in a secrets manager. The former is the most risky way to manage secrets, and the latter is the most secure. That is why every AI builder needs a secrets manager.

Secrets management tools are already in 1Password

1Password is where millions of people store their most sensitive information. What you may not know is that every 1Password subscription already includes a full set of developer security tools.

SSH Agent, the CLI, SDKs, environments, service accounts, and secret references are all part of 1Password. They let apps, scripts, and AI coding agents pull secrets from 1Password at runtime rather than hardcoding them into code or configuration files. Service accounts handle automation without requiring shared personal credentials. The CLI and SDKs mean good security can be part of the build process from the start, not something you retrofit when a prototype moves into production.

1Password's developer tools have been part of the product for years. But keeping secrets secure shouldn't require knowing which corner of the app to look in, whether you're a senior engineer, a data analyst, or someone who shipped their first app last month. Making these tools visible to everyone gives all builders the same starting point.

What's changing

Developer tools are now visible in the 1Password desktop app sidebar for all users, matching the experience already available in the browser extension.

We've also rebuilt our developer documentation. The new quick start guides are organized around what you're trying to do, not how the product is structured:

• Developer quickstart: common setups, step by step

• Admin quickstart: what's available and how to roll it out across your organization

• Workflow guides for SSH and Git, developer secrets, deployments, AI access, and building integrations

Admins retain full control over how these features are used across their organization.

How you can use 1Password developer tools today

With 1Password developer tools, you can already:

• Store and use SSH keys without keeping them on disk

• Keep secrets out of code and .env files using 1Password environments and secret references

• Use the CLI and SDKs to access credentials at runtime, including from AI-assisted build workflows

• Create service accounts for automation instead of sharing personal credentials

• Connect secrets into CI/CD pipelines without exposing them

These tools are included in your existing subscription. There's nothing additional to buy or deploy.

The secure path should be the obvious, easy path

AI tools have made building faster than it's ever been. The cost of that speed, if we're not intentional about it, is secrets scattered across machines, codebases, and chat logs that nobody is tracking, and credentials that remain valid long after a prototype becomes a production system.

1Password was built on the idea that security works best when it's the easy choice, not an extra effort on top of the work you're already doing. Making developer tools visible is a small change in the interface with a clear purpose: make the secure path the obvious one, so more builders will take it.

If you want to see how this fits into your team's development workflows, join us on June 10th for a live webinar on developer credential security. Or check out thequick start guides and see how it fits into what you're already building.

Today we're releasing the 1Password Device Trust MCP Server, an open-source server that connects your Device Trust data directly to the AI tools your team already uses, like Claude or ChatGPT. It's available now for all customers on Device Trust Connect.

As AI agents take on more of the work across your organization, IT and security teams need visibility and control that keeps pace. The Device Trust MCP Server is part of how 1Password is extending that control to the way security teams actually work today, inside AI tools, in plain language, with every action logged and auditable.

Once it's running, you can query your entire device fleet without leaving your AI client. Which devices have disk encryption off? Who owns the machines failing compliance checks? How long does it typically take to resolve a specific issue across the fleet? Instead of navigating dashboards or writing custom scripts, you just prompt.

What is MCP, and why does it matter?

If you use AI tools like Cursor or Claude, you may have already come across the Model Context Protocol (MCP). MCP has become the standard way to connect LLMs and AI agents to data sources and tools. It’s an open standard that lets AI tools connect to external data sources and take action on your behalf, with built-in controls over what those tools can access and do. It's supported by every major AI platform, and the ecosystem has grown from around 1,200 servers in early 2025 to over 6,400 today. IT and security practitioners are increasingly doing their work inside AI-powered tools, and MCP is what makes those tools useful for real administrative workflows.

The Device Trust MCP Server plugs your device security data into that ecosystem. Instead of switching between tools, admins can stay in their AI client of choice and get answers in seconds.

What you can do with the Device Trust MCP

Once connected, you can ask questions like:

• "Which devices are currently failing checks?"

• "Who owns the devices with disk encryption disabled?"

• "Which of my devices are vulnerable to this CVE?"

• "Which devices have the most Chrome extensions installed?"

• "Show me all macOS devices running outdated versions of ChatGPT."

• "What's the average time to resolve issues for this check?"

The server covers the full Device Trust API surface across 59 tools, including devices, people, issues, checks, audit logs, live queries, exemption requests, and reporting tables. Smart features like auto-pagination, field projection, and device-owner enrichment make it easy to pull complete, clean answers without extra steps. And because it's part of the broader MCP ecosystem, it compounds with your other AI integrations, combining device data with security intelligence, identity, or ITSM sources to answer questions no single tool could on its own.

How the Device Trust MCP server works

The MCP Server runs locally on your machine and binds to localhost by default, so your Device Trust data stays in your environment. Setup takes a few minutes and boils down to three steps:

1. Clone the open-source repo

2. Set your Kolide API key and MCP authentication (bearer) token as environment variables

3. Start the server and connect your AI tool (Claude, Cursor, or any MCP-compatible client)

From there, your AI tool handles translating natural language questions into the right API calls and returns clean, human-readable answers. Every invocation is logged for auditability, and all endpoints require bearer token authentication.

Full setup instructions are available in this support document.

Built for the way IT and security teams work with AI

1Password Device Trust already detects AI tools running on your endpoints. Now it gives security teams AI-native tooling to manage those endpoints too.

This server is a part of 1Password's broader investment in AI across our product suite. It joins the MCP Server for 1Password SaaS Manager, which provides SaaS visibility and governance data to AI agents. Together they reflect one of 1Password’s bedrock security principles: AI agents should work with your data in a way that's useful, auditable, and secure, without ever exposing credentials or sensitive secrets.

You can get started with 1Password Device Trust MCP Server here, or learn more about Device Trust on our product page.

1Password has never been more popular in the workplace. Okta’s 2026 “Businesses at Work” report reveals that, of the 8,000+ apps that Okta analyzed, “The security tool 1Password showed the highest industry-level growth, notching a 370% YoY increase in the technology sector.”

This statistic refers specifically to the number of individual 1Password users on the Okta platform, indicating a sharp increase in the rollout and adoption of 1Password across business users.

This growth is no coincidence. As 1Password becomes foundational to how employees build and operate AI-powered workflows, it is increasingly embedded in the critical path of the modern “AI builder.” The result is a surge in demand for secure access across tools, credentials, and agents, starting in the technology sector and expanding outward.

What drove 1Password’s growth on Okta's platform?

The stated purpose of Okta’s report is to: “...track how enterprise technology adoption continues to evolve, and… how identity strategies must evolve alongside it.”

1Password’s dramatic growth among Okta customers reflects our company’s evolution. Our innovations in AI and agentic security are resonating deeply with enterprise customers, many of whom are seeking to adapt their identity security strategies to securely enable AI across their workforces and technology stacks.

Okta’s report also reveals that agentic AI is an urgent need, since 91% of the organizations they surveyed are using AI agents. The majority of those orgs, however, are in early or limited stages of agent deployment. It’s not hard to understand why; the identity and access risks posed by AI can significantly hamper a company’s ability to fully integrate agents into their workflows.

Businesses have historically had limited ability to manage these risks or enforce company policies around AI use. 1Password’s 2025 Annual Report found that one in four employees has used AI applications that weren’t approved by their company, and over a third of employees admit to having knowingly disregarded their company’s AI policies. Employees regularly adopt shadow AI tools that can expose sensitive information in a variety of ways, and AI agents are an entirely new class of identities that present novel risks. As security analyst Francis Odum puts it, “Because existing access solutions were not designed for dynamic, probabilistic machine identities…This leads to over-privileged agents, limited auditability, and elevated data loss risk.”

1Password has been making significant moves to enable businesses to embrace AI without sacrificing security. In the past year, this has included launching partnerships with AI leaders like Cursor, developing an AI Agent Security Benchmark to help businesses understand and manage the risks of different AI models, and deepening integrations between 1Password Enterprise Password Manager (EPM) and 1Password SaaS Manager to help teams manage shadow IT and AI.

Most significantly, we recently launched 1Password® Unified Access, which lets teams discover, secure, and audit access across humans, agents, and machine identities, enabling organizations to adopt AI confidently and securely.

1Password’s growth in the past year has been driven by our proven dedication to building the next layer of AI security, and that growth trajectory is only being accelerated through new and upcoming tools like just-in-time credential access for agents, secrets management for AI builders, and more.

Strong security foundation accelerates growth

1Password’s rapid growth was reflected at other points within Okta’s report; we are the fastest growing app in Canada, and ranked 13th on the list of “most popular apps” within the startup category. As Okta puts it, “If the fastest growing apps represent new momentum, the most popular apps are the familiar platforms companies rely on, year after year.”

In short, what this report indicates is that 1Password’s growth is being driven not only by our recent innovations, but by our strong foundation and reputation for security. Our rapidly growing number of users on the Okta platform is a testament to how deeply our offerings and principles have resonated with the modern enterprise.

This is only the beginning. 1Password’s commitment to serving the ever-evolving needs of our customers will continue to drive our innovation and growth in the years to come.

Want to see our innovations in action? Explore 1Password Unified Access.

This blog has been adapted from an excerpted section of 1Password’s ebook, Credential sprawl: How AI increases the risks. To read the complete ebook and learn more about how AI is accelerating credential sprawl, click here.

In Ancient Rome, the military had a daily “watchword” that soldiers used to enter the camp. An official would inscribe the watchword on clay tablets, which were distributed throughout the various military units. If a tablet wasn’t returned, they swiftly tracked it down and punished the soldier who had failed to return it.

Clearly, one thing has been true from Ancient Roman times until now: if you want to stay secure, you need to know where your passwords are.

Unfortunately, keeping track of credentials is more difficult for a modern organization. Today’s companies have to manage an ever-growing number of credentials that go well beyond traditional passwords, such as developer secrets, passkeys, shared logins, API keys, SSH keys, service accounts, and SSO access tokens.

This problem is especially urgent due to the rise of AI-based tools and agents, which have not only increased the scale and scope of unmanaged credentials, but also present access and identity management challenges that tools like SSO and PAM aren’t equipped to handle.

Credential sprawl tends to quietly accumulate across systems, often going unaddressed until a breach exposes the vast web of risky, unmanaged access. In this blog, we’ll make a case for addressing this issue proactively, by examining all the ways it extracts a cost from companies.

What are the risks and costs of credential sprawl?

When credential sprawl runs rampant through a company, the costs manifest in a variety of ways, from an increased blast radius in the event of a breach, to time-consuming manual processes to manage security posture, compliance, and incident response.

Compliance failures

IT and security teams are consistently faced with the difficult task of achieving and proving compliance with regulatory standards like SOC 2, PCI DSS, ISO 27001:2022, and HIPAA.

Each of these standards has requirements related to the secure use and storage of credentials. For instance, PCI DSS requires that, “Audit logs capture all changes to identification and authentication credentials…”

SOC 2 similarly has various requirements related to how companies provision access to credentials, including requirements dictating that “Your organisation should implement processes to remove credential access when an individual no longer requires such access.”

With the increasing need to manage how AI and agentic AI access and store credentials, it’s worth noting that SOC 2 extends their requirements not only to user credential access, but to how “internal and external infrastructure and software” access credentials.

Regulatory bodies, on the whole, expect companies to prove that they’ve done their due diligence to protect sensitive information. “Due diligence,” in the case of managing credentials, means implementing essential tools to give admins oversight over where and how credentials are being used. Credential sprawl fundamentally undermines a company’s ability to do so.

Furthermore, regulatory bodies aren’t likely to cut companies any slack. If anything, they’re increasing their scrutiny. As Itamar Apelblat pointed out in an article for BleepingComputer, “In each of these frameworks, the organization is accountable for what happens to regulated data and regulated workflows. When AI agents are the ones acting inside those systems, accountability doesn’t disappear.”

Risk exposure

Compliance standards place so much emphasis on credential and access management because credential sprawl greatly increases an organization’s risk of cyber attack, and attackers are eager to take advantage of it.

Compromised credentials are the single most common entry point for attackers, and have been for some time; 50% of CISOs who’ve experienced a material breach in the last three years identified compromised credentials as a root cause.

Credential sprawl significantly increases a company’s attack surface. Each credential that’s stored without security and IT oversight presents an opportunity for bad actors to breach systems, particularly backend credentials like OAuth tokens and API keys, which often have broad permissions, and which are now being used by AI agents. And with automation and AI adoption spreading so rapidly, companies are facing more risk than ever.

In 2025, IBM reported that shadow AI accounted for 20% of breaches, and 97% of AI-related security breaches involved AI that didn’t have proper access controls. IBM also points out, “...that data was most often stored across multiple environments, revealing just one unmonitored AI system can lead to widespread exposure.”

Incident Response

Breach remediation and incident response are already costly and time-consuming processes. Credential sprawl is only worsening these issues, as breaches involving data stored across multiple environments take the longest to resolve.

As TechTarget reported, NHIs and agentic AI complicate this issue further: “Since many organizations use NHIs to link cloud environments… secrets are often duplicated or reused across multiple systems, making remediation and rotation difficult if a single identity is compromised.” Shadow AI, for instance, adds more complexity and cost to breach response; a breach involving shadow AI can cost up to $670k more than a comparable breach that didn’t involve it.

According to GitGuardian, 70% of secrets that were leaked in 2022 were still valid in 2025. That’s a deeply worrying figure, indicating that compromised credentials aren’t being remediated by any standard business process; they’re not expiring automatically or being rotated by teams.

How can organizations manage credential sprawl?

Managing credential sprawl requires a multi-pronged effort that addresses the myriad types of credentials and places they can live.

Secrets management for AI and business-led IT

Broadly speaking, credential sprawl often comes down to the push and pull between security and productivity. The rise of AI has placed this conflict in stark relief: employees, and developers in particular, adopt AI to improve productivity. They often see security tools as intrusive blockers to their improved workflows.

1Password doesn’t just improve secrets management for developers; it removes friction. 1Password’s developer tools let teams securely vault secrets and make them available at runtime as developers code, so that they can work securely without interrupting workflows.

When it comes to agentic AI use, 1Password has also taken steps to let teams take advantage of the benefits of AI-assisted coding without ignoring the risks. Our Cursor integration “... gives developers a secure, just-in-time way to ensure required secrets are made available to Cursor’s AI agents via 1Password Environments. The result is an AI-native development workflow where… secure access becomes a natural part of writing and running code.”

1Password® Unified Access also includes shadow AI discovery, enabling IT and security teams to discover and manage the use of unapproved AI apps or local agents across their ecosystem. This is just the beginning, as 1Password is building a new foundation for runtime access governance for AI agents and machine workloads.

This is the next frontier of credential management: governing not just who logs in, but how software identities authenticate, operate, and persist across environments.

Credential management

As the analyst and researcher Francis Odum reported, “1Password’s architectural anchor is its Enterprise Password Management (EPM) core. This zero-knowledge vault serves as the singular ‘system of record for all workforce credentials,’ spanning both human users and non-human identities (NHI)...”

Modern credential management platforms, such as 1Password, secure more than passwords, and are a mission-critical tool for companies to rein in credential sprawl and manage agentic AI use. 1Password’s EPM centralizes visibility into how credentials are used, allowing admins to enforce principles of least privilege through role-based vault access. Structured onboarding and offboarding workflows mean that users are only given access to the credentials, passkeys, and secrets that they need to do their jobs. And critically, EPM extends protection into developer workflows and AI-powered automation without introducing friction.

Since credentials are encrypted, teams can ensure that they can’t be accessed by infostealers and other targeted attacks. 1Password's breach monitoring also informs users and admins as soon as possible if a managed credential has been compromised.

It’s worth noting an essential element of EPM’s efficacy: credential governance must be deployed wall-to-wall. Businesses have to enforce credential management for every person, agent, secret, and workflow. Companies cannot stay secure by only protecting part of the identity surface.

How to manage credential sprawl and its costs

Credential risks are hardly a new issue. However, in recent years, managing where and how credentials are used has evolved from a Herculean task to a Sisyphean one. That is to say: it was never easy, but at some point it became close to impossible. Teams are faced with an ever-growing number of credentials across an ever-growing number of endpoints and apps. Credentials are hidden in codebases, Slack messages, AI chatbots, spreadsheets – and they probably still find a home on a sticky note or two.

Credential management has never been more difficult, but it’s also never been more crucial. In blunt terms: every unmanaged credential puts your ecosystem at risk. If credentials aren’t being secured wall-to-wall, then your business can have untold numbers of unsecured access points.

Credential management has been an essential (though often neglected) part of security for years, and it has only become more pressing with the rapid rise of AI. 1Password is the critical solution for companies to control how credentials are used across their ecosystems. By building on the strong security of our password manager, we’re creating systems that will let teams manage credentials wherever they may be, from the spreadsheet to the AI agent.

There’s never been a better time to start managing credential sprawl. Reach out for a demo.

Introducing new features in 1Password Enterprise Password Manager – MSP Edition to reduce client onboarding effort and give MSPs greater control over policies, access, and usage.

Setting up and managing client environments often involves repetitive, manual work. Each new managed company requires policy setup, access configuration, and ongoing oversight. Repeating this across environments slows onboarding, introduces inconsistencies, and makes it harder to maintain control.

To address this, 1Password is introducing Policy Templates, Seat Limits, and Granular Vault Permissions in 1Password Enterprise Password Manager – MSP Edition to reduce repetitive setup, enforce consistent access controls, and give MSPs greater control over client license usage.

Apply consistent policies from the start

Setting up policies for each client’s environment individually is time-consuming and increases the risk of inconsistencies. Policy Templates for MSPs allows owners, administrators, and MSP administrators to define and enforce policies once, then apply these policies across all or selected managed companies. With Policy Templates, teams can:

• Create reusable policy configurations for multiple clients

• Enforce consistent baseline security and access policies

• Centrally update templates and apply changes across environments

• Control which policies clients can or cannot override

These templates reduce manual setup during client onboarding and ensure each managed company environment starts from a consistent security baseline while still allowing flexibility where needed.

Keep client usage predictable and aligned with contracts

As clients grow, usage can quickly exceed initial expectations or contracted limits. Without clear controls, MSPs may only discover overages after costs have already increased. Seat Limits for managed companies allow MSPs to set and enforce a maximum number of users or guests that can be given licenses. With Seat Limits, MSP teams can:

• Align client usage with contracted agreements

• Prevent unplanned overages

• Maintain predictable margin and cost structures

• Proactively plan for growth discussions as client usage increases

Control access without slowing down support

Supporting clients requires access to their environments, but that access shouldn’t be broadly granted. Granular Vault Permissions within managed companies give MSPs and their clients precise control over who can access shared vaults. Managed companies can choose to give MSP technicians no default access and only assign access to specific vaults or assign access by role to support least-privilege access.

With granular, role-based vault permissions, MSPs can work with their managed companies to:

• Limit shared vault access to only the technicians who need it

• Assign access based on roles or specific users

• Maintain least-privilege access across client environments

This ensures technicians only access what’s needed to support clients while reducing unnecessary exposure. It also helps MSPs and their clients maintain stronger control over sensitive data sharing.

Built for how MSPs manage client environments

These capabilities are built for how MSPs manage client environments, from onboarding new clients to enforcing policies, managing user growth, and controlling access to client data. By reducing repetitive work and improving control, MSPs can onboard clients more efficiently and maintain consistency across every client environment.

These features are now available in 1Password Enterprise Password Manager – MSP Edition. Existing customers can start using these new capabilities through the MSP console. New MSPs can start a free 14-day trial to explore these capabilities in 1Password today.

The proliferation of credentials outside centralized visibility and control is known as “credential sprawl,” and attackers are eager to take advantage of it.

Unfortunately, credential management is a broad problem that only grows in complexity as organizations add new tools, employees, and partners. Today’s companies have to manage an ever-growing number of credentials that go well beyond traditional passwords, such as developer secrets, passkeys, shared logins, API keys, SSH keys, service accounts, and SSO access tokens. Each of these, if exposed in an attack or breach, can have severe consequences, and developer secrets pose particular, systemic risk.

Addressing credential sprawl has become especially urgent due to the rise of AI-based tools and agents. AI agents are a primary driver of credential sprawl because they create, use, and replicate credentials at machine scale. They have unique access needs and can behave both autonomously and unpredictably. Companies that want to integrate AI-based tools must carefully consider how to mitigate these risks to avoid an exponential rise in unmanaged and vulnerable credentials.

How do AI agents increase credential risk?

AI agents increase credential security risks through their reliance on non-human identities like API keys and service accounts, which are frequently overprivileged, long-lived, and poorly audited. Agents create and use these credentials at machine scale, beyond centralized oversight, leading to rapidly expanding credential sprawl with limited oversight for security teams. And while AI tools and agents pose new and distinct risks, they’re also expanding on credential problems that have existed for years, stemming from SaaS sprawl, shadow IT, and unsafe developer practices.

Traditional security tools are falling behind

As security analyst Francis Odum shared in his enterprise identity security report, “As organizations increasingly adopted SaaS applications, the need for enterprise-grade password management became more pronounced. Employees frequently relied on personal credentials for work accounts, increasing the risk of credential reuse and security incidents. While Single Sign-On (SSO) and Multi-Factor Authentication (MFA) became standard controls, they often failed to cover the full range of enterprise applications, leaving visibility gaps…”

In its research report, 1Password found that the average company has a third of its apps outside SSO’s protection. Our report also noted that, “One major indicator of how SSO is falling short is the amount of access that comes from employees whom IT believed to have been successfully offboarded. Over one-third (38%) of employees have successfully accessed a prior employer’s account, data, or applications after leaving the company.”

Now, AI is accelerating SaaS sprawl even further beyond what SSO was built for. 1Password’s research also found that 1 in 4 employees has used AI applications that weren’t approved by their company, and over a third of employees admit to having knowingly disregarded their company’s AI policies.

Employees are experimenting with AI coding tools, browser extensions, writing assistants, data analysis tools, and agent platforms, often before IT has evaluated or approved them. Many of these tools don’t integrate cleanly with enterprise SSO, and even when they do, adoption frequently begins outside official onboarding processes. Shadow AI poses serious risks, as even innocuous apps can contain security flaws that expose company data and credentials.

Each unmanaged app and AI tool represents at least one unmanaged credential that an organization can’t secure. And as the number of unmanaged credentials grows, so does the likelihood that one is exposed, overprivileged, forgotten, or used to create a direct path to unauthorized access. The result is an ever-expanding layer of applications and credentials that exist outside centralized governance.

Unmanaged AI agent access

AI agents represent an entirely new class of identities; they require varying levels of access, and they operate in ways that are frequently invisible to security tools.

As The Hacker News put it, “AI agents don't operate in isolation. To function, they need access to data, systems, and resources. This highly privileged, often overlooked access happens through non-human identities: API keys, service accounts, OAuth tokens, and other machine credentials.”

All NHIs pose credential risk – over-privileged service accounts, for example, have been putting CI/CD pipelines at risk for years – but the way that AI agents use them has increased their sprawl drastically. Figures vary, but in 2025, there were somewhere between 82 – but potentially up to 144 – non-human identities (NHIs) for every 1 human identity in the average enterprise environment. Regardless, that number is growing fast.

More concerning is the fact that many of these machine identities have highly privileged levels of access, often without the level of scrutiny that would typically be applied to highly privileged users. In fact, a recent study found that 1 in 20 NHIs carries full-admin privileges even though only 38% of total NHIs had been active within the last 9 months.

What this means is:

1. AI agents are being given access to these highly-privileged NHIs.

2. That access is often going unmanaged by security teams, who may not be able to differentiate it from normal activity.

3. Agents can retain this access after it is needed, use it in ways that are harmful, or expose it via prompt injection or other forms of compromise.

Together, these behaviors create a rapidly expanding layer of credentials that exist outside centralized identity systems.

Agentic applications and capabilities are evolving at unprecedented speed, and new tools are often being adopted before their risks are understood. Jason Meller, VP and Security Strategist at 1Password, wrote two blog posts on how powerful – and frightening – these tools can be.

“The short version: agent gateways that act like OpenClaw are powerful because they have real access to your files, your tools, your browser, your terminals, and often a long-term ‘memory’ file that captures how you think and what you’re building. That combination is exactly what modern infostealers are designed to exploit.”

–Jason Meller, Vice President and Security Strategist, 1Password

While OpenClaw certainly garnered some attention, its issues aren’t isolated to one tool alone. In MIT’s “AI Agent Index,” researchers found that the majority of agent developers share little about their tool’s security. “25/30 agents disclose no internal safety results, and 23/30 agents have no third-party testing information.” OpenClaw is an indicator of how severe the security risks can be when AI agents are given unmanaged levels of access; its popularity, and its security risks, have quickly forced security teams to reckon with the fact that the standard enterprise perimeter is not equipped to handle the issues of agentic AI.

AI worsens credential security practices

AI-based tools are also exacerbating credential sprawl by replicating poor credential security practices.

Vibe coding (using generative AI to write code) tends to reproduce poor security habits. For example, one largely vibe coded platform, Moltbook, was quickly found to have a misconfigured database within it that exposed over a million API authentication tokens, along with email addresses and private messages.

Again, this isn’t exclusive to a single platform. GitGuardian analyzed the use of Copilot – Microsoft’s AI assistant (used for vibe coding, among other things) – and they found that repositories with Copilot active are 40% more likely to have at least one leaked secret.

Vibe coding can also enable employees with less coding experience, and therefore less coding security training, to push through code that hasn’t received the standard checks and scrutiny.

Developer secrets, meanwhile, pose their own security challenges. Secrets sprawl is a particularly dangerous subset of credential sprawl; developer credentials tend to live outside of traditional identity security systems, and developers often hardcode secrets into code for simplified access during their workflows. If these hardcoded secrets aren’t discovered during security or access reviews, they pose serious threats to company security, as seen in a recent Uber breach, which began when the hacker “...located a PowerShell script with hard-coded privileged credentials for Uber’s Privileged Access Management (PAM) solution…”

Unfortunately, hardcoded secrets are only growing as a problem. GitGuardian’s 2025 report, The State of Secrets Sprawl, shows how rapidly this problem is accelerating. “In 2024, we found 23,770,171 new hardcoded secrets added to public GitHub repositories. This figure represents a 25% surge in the total number of secrets from the previous year.” As they put it, “secrets sprawl is steadily worsening over time.”

Secrets sprawl can spread in a number of ways, including when developers accidentally expose secrets in public-facing code. However, GitGuardian’s report highlights a more basic concern: “[while] source code management tools have been the primary focus of secrets detection… secrets appear wherever teams collaborate, often in collaboration and project management tools like Slack, Jira, or Confluence.”

Plaintext secrets being sent through apps like Slack represents a dangerously lax approach to secrets hygiene. Unfortunately, cybercriminals are aware of this trend. Dark Readingreports that“...cybercriminals and nation-state actors alike are following a proven playbook and capitalizing on ‘bad secret hygiene’ to further their campaigns.”

AI is now accelerating this dynamic. As developers use AI copilots to generate code, spin up infrastructure, or automate workflows, machine credentials are created and reused at greater speed. All of this is expanding the identity surface far beyond what traditional identity and access management (IAM) and privileged access management (PAM) systems were designed to govern.

Traditional identity security is falling behind

Monitoring how employees use and store credentials has always been challenging. But AI fundamentally changes the identity security model.

AI tools and agents don’t authenticate, store, or use credentials the way humans do. They rely on embedded tokens, API keys, service accounts, and programmatic access patterns. They operate continuously, duplicate easily, and often persist long after their original purpose has ended.

Traditional identity security tools were designed for human behavior, with interactive logins, session-based authentication, and clearly defined privilege tiers. They were not designed to govern autonomous software identities that scale and authenticate programmatically without supervision.

In a way, this is almost by design. As Saumitra Das put it in an article for Corporate Compliance Insights, “By nature, autonomous agents are trained to find the easiest and most efficient way to complete the assigned job. This means that they can often identify ways around guardrails…”

Traditional access control methods are quickly proving to be inadequate, as AI and event-driven automation create NHIs at a scale we haven’t seen before. As TechTarget reported, “Most legacy IAM and privileged access management (PAM) tools were never designed to handle that level of volume and churn.”

The article goes on to point out some of the issues related to how NHIs use credentials, including:

• NHIs use a broad array of authentication methods, like JSON tokens, cloud IAM roles, OAuth2 secrets, and API keys. Each of these has its own unique security needs.

• NHIs are often given outsized access and long-lived credentials so that teams can ensure the tool will have the access needed to automate various business processes.

• Anomaly detection can’t always notice when something has gone wrong with an AI agent, since they don’t really have “normal” behavioral patterns to deviate from.

Each of these factors can seriously damage the efficacy of a company’s security stack.

How can teams manage credential sprawl for agents?

Traditional IAM tools and strategies cannot manage the (sprawling) issues of credential sprawl, especially in a world where so much access isn’t coming from people at all. Rather, teams will require a multi-pronged effort that approaches the problem from multiple angles.

Unified access management for AI Agents and humans

AI-related credential sprawl reflects a fundamental change in how authority is delegated inside the enterprise. AI systems are no longer tools that assist humans; agents increasingly act with independent access to applications, data, and workflows. Yet most access controls still assume a human at the keyboard.

Employees, and developers in particular, are encouraged to adopt AI to improve productivity, but without purpose-built tools to safely delegate access to agent and machine identities, workers resort to unsafe workarounds outside the reach of traditional security tools. Addressing AI-related credential sprawl requires tools that govern non-human access without slowing down workflows.

1Password® Unified Access helps teams create a framework to:

• Discover risk: Identify unmanaged AI tools and agents running on developer and end-user devices, and detect credentials and secrets stored in local files and developer environments.

• Secure credentials: Vault exposed credentials and remove access for risky AI tools and agents. Deliver credentials to agents, automation, and CI/CD at runtime to reduce long-lived secrets and ensure they’re used only when needed.

• Audit agent actions: Gain clear attribution for every action, showing when and how credentials are being used and who’s using them across humans, agents, and machines.

SaaS management

Credential sprawl and SaaS sprawl are irrevocably intertwined. For IT and security teams to effectively determine where and how credentials are being stored, they need to know what applications their employees are using.

The unfortunate nature of SaaS sprawl, though, is that it’s next to impossible for teams to find the time or resources to take control of it manually.

1Password SaaS Manager solves this problem through automation. With over 40,000 app integrations, it lets teams build and maintain a complete inventory of the apps their employees use – including the apps that can’t be secured behind SSO. That includes capabilities for continuous app discovery to illuminate the use of shadow IT – and shadow AI apps – across an organization.

With automated onboarding and offboarding workflows, teams can also ensure that employee access to apps is provided only when needed, without running the risk of unapproved access from improperly offboarded employees.

Identifying which applications are in use, whether they’re company approved or not, is a critical step to making sure that every credential is being used and stored securely. A team cannot achieve wall-to-wall credential security if any part of their application surface is going unmanaged.

AI is here: do you know where your credentials are?

Credential sprawl is far from a new problem. But rather than improving, it only seems to be getting worse, as teams are faced with an ever-growing number of credentials across an ever-growing number of endpoints and apps. Credentials are hidden in codebases, Slack messages, AI chatbots, spreadsheets – and they probably still find a home on a sticky note or two.

An updated and enforceable credential management strategy has never been more crucial. In blunt terms: every unmanaged credential puts your ecosystem at risk.1Password is the critical solution for companies to reign in and control how credentials are used across their ecosystems. By building on the strong security of our password manager, we’re building systems that will let teams manage credentials wherever they may be, from the spreadsheet to the AI agent.

Want to learn more? Read the full ebook on AI credential risk management. Ready to start managing credential sprawl? Reach out for a demo.

Security is tied to business operations in many (often unappreciated) ways, but the connection is rarely more visible or consequential than during an acquisition or partnership. In those deals, a company stakes its reputation and finances on another company, and a lapse in security can throw the whole thing into chaos.

That’s the subject of this episode of Chasing Entropy, in which Dave Lewis talks with Matt O'Leary, 1Password’s Vice President of Corporate Development and Strategic Partnerships. They discuss what changes about M&As and partnerships when security is tied directly to the product, the brand, and the deal itself.

Caveat emptor in M&As

O’Leary’s core idea is simple: when a company makes an acquisition, it inherits the whole business, not just the part that looked attractive in the pitch. That includes the technology, the team, the process gaps, the legal exposure, and any security weaknesses that were not obvious at first glance. O'Leary makes the case that strong dealmaking starts with risk discipline, because a transaction only creates value if the company can integrate what it buys without importing problems that slow everything down.

He also explains that good corporate development starts with the roadmap, not the deal. An acquisition makes sense when it helps the company move faster than building on its own. That is why corp dev has to stay tightly aligned with product, engineering, and security leadership. In a cybersecurity company, technical diligence carries extra weight. If a target has a serious security or technology issue, that is not a detail to clean up later. It is a reason to walk away.

Go as deep as you possibly can, before you cut the proverbial check…If there is any major issue with the technology, if there is any significant exposure to cybersecurity risks in a company we are targeting, those are deal killers.” - Matt O'Leary

The risks and rewards of partnerships

The conversation also sharpens the distinction between partnerships and acquisitions. O'Leary argues that deep partnerships can create major leverage because they expand reach, increase product value, and connect a platform to the tools customers already use. But they also transfer risk. If two companies are tightly integrated, trust becomes shared. A failure on one side can damage both. In that sense, partnerships may be lighter than acquisitions, but they still demand the same seriousness around diligence, reputation, and customer impact.

When you’re doing an integration partnership, you’re tying your brand, and the trust that you stand for with another company’s. So you really need to be thoughtful about how you go about that.” - Matt O'Leary

After the deal: integration and communication

One of the strongest parts of the episode is the discussion about integration. O'Leary is clear that post-close integration is the hardest part of M&A. Retaining key people, understanding founder motivation, aligning technical architecture, and planning how products and teams will come together all matter before the announcement, not after. Dave Lewis brings home this lesson by sharing a story of a botched M&A, where the acquiring company failed to lock in the engineering staff. “We had the big celebration party and none of the engineering team were there, and we were like, ‘What’s going on?’”

He also emphasizes the importance of customer communication, since M&As can raise questions and trigger concerns. “You want to communicate to customers that the standards that we apply to ourselves – that are the reason they bought our product – are the same standards that we will apply to the new product and service that we have acquired.”

For anyone interested in corporate development, O'Leary’s advice is direct. Curiosity matters more than a fixed career path. The best operators learn across functions, ask better questions, and build enough context to understand how product, security, legal, and finance decisions connect. For founders, his advice is just as clear. Build relationships with corp dev teams before you want an outcome. Trust and credibility take time, and good deals depend on both.

A password manager should make everyday tasks feel simple.

Whether that's:

• Saving a new password

• Signing in on your phone

• Finding the right item

• Moving your data from another password manager

We’ve made a set of updates across 1Password in our latest release to improve exactly these moments. Let's get into it!

A direct way to move your credentials into 1Password

Switching password managers hasn’t always felt straightforward. Exporting sensitive data into files, moving them yourself, and importing them again adds friction and risk.

We’re improving that with a direct credential transfer.

This work is part of the Credential Exchange Protocol (CXP), an industry effort to make credential migration more secure and interoperable. We helped author the FIDO Alliance’s Credential Exchange Format (CXF), a proposed standard that defines how credentials like passwords, passkeys, and other sensitive data can be structured and transferred safely between providers.

For you, this means a simpler experience on both iOS and Android, letting you move your credentials into 1Password without relying on manual export and import, and eliminating the need to handle sensitive files yourself.

Get your Autofill setup working smoothly on Android

Currently, Autofill on Android depends on several system settings, and when something isn’t configured correctly, it’s not always clear what the problem is or how to fix it.

So we’ve made this easier. 1Password now brings those settings into one place and checks them for you. You can see at a glance if something isn’t set up correctly, like Autofill not being enabled, the wrong service selected, or a required permission turned off. For each issue, 1Password explains what’s wrong and takes you directly to the right Android setting so you can fix it. You can also see a simple summary of your setup, so you know whether everything is working as expected or if something needs attention.

All of this can be found on the home screen of 1Password by navigating to Help > Autofill health check.

Instead of digging through menus or guessing what’s broken, you get clear, step-by-step guidance to get Autofill working again.

Smarter login item creation from the start

We’ve improved how new login items are created in 1Password. When you add a login, you can now search for the service you’re saving and 1Password will automatically fill in key details like the correct name, website, and icon.

For example, instead of saving a login as “login” or a long URL, it can be saved as “Instagram,” with the right website and icon already in place. You can still edit anything before saving. But now it takes less work to create a clean, complete item from the start.

That means your vault is easier to scan, easier to search, and easier to use over time.

Updates built with usability at the core

At 1Password, we spend a lot of time thinking about how it feels to use our products, from the big features to the small moments.

When our users tell us that we’re a reliable and easy part of their lives, that’s a huge win for us.

So let us know what you think about these updates on X, Instagram, and Reddit, and stay tuned for our next set of updates in the next one.

The latest National Institute of Standards and Technology (NIST) draft guidance on mobile driver’s licenses (mDLs) is about more than one use case or credential type. While the draft primarily focuses on the financial sector due to its high-assurance requirements, the bigger takeaway is that government-issued identity can be cryptographically verified and shared more selectively. This provides strong, cryptographically verifiable evidence of identity and shows what a more interoperable digital identity ecosystem could look like

1Password has contributed to the work behind this draft. We believe that identity systems need to be developed through global standards and collaboration across multiple verticals. Open ecosystems scale; closed ones often fail.

mDLs replace document uploads with cryptographic verification

An mDL is a government-issued verifiable digital credential. It serves as the digital version of your physical driver’s license, defined as a highly specified mobile document (mDoc) under international standards.

To identify a person with cryptographic trust, the ecosystem relies on three parties:

• An issuer that signs the credential

• A wallet that securely stores and presents it

• A verifier that checks its authenticity

A simple real-world example is airport security, where the DMV is the issuer, your Apple Wallet is the wallet, and the TSA is the verifier when you present your mDL.

While this might sound more complex than simply flashing a physical ID, the experience can be seamless when implemented well. Historically, users had to upload an image of their driver’s license, which exposed their sex, address, weight, and other unnecessary personal data. With an mDL, you securely transmit only the attributes needed for that interaction.

For example, you would only expose the state you live in to qualify for services, nothing else in a well defined flow. mDLs turn automated online verification from an image processing problem into a cryptographic verification problem.

How an mDL standardizes high-assurance identity needs

At a high level, the mDL flow operates in a few simple steps:

• A state issuer, like the DMV, verifies your identity and issues a digitally signed credential to your wallet.

• Later, a verifier, like a bank, asks for specific identity attributes.

• You authenticate locally on your device (e.g., using Face ID or a fingerprint) and consent to share the data.

• The relying party receives a cryptographically verified result, rather than a raw image upload.

While the NIST architecture is focused on high-risk transactions in banking, account application and digital enrollment, this pattern can be applied to many other business verticals.

One area of the draft we focused heavily on was NIST’s decision to prioritize the W3C Digital Credentials API and avoid custom URI-based wallet invocation. This approach ensures that users clearly see which site is making the request and what attributes are requested, while also enabling CTAP-based proximity protections for cross-device flows. From our perspective, the ecosystem should converge on interoperable standards rather than ad hoc wallet-invocation workflows or the creation of proprietary protocols. Fragmented standards lead to more complicated implementations and a poorer user experience.

Our view is that this architecture works best when mDLs are used at key trust moments, such as identity proofing and high-risk transactions. Once that trust is established, the user can provision a purpose-built authentication method, such as a passkey, for everyday access

Standards make trust functional

We align with the NIST draft's goal: the industry must converge on interoperable standards, not custom integrations or fragmented protocols.

The digital identity ecosystem is a mix of published standards and still-evolving specifications like ISO 18013-5/7, W3C Verifiable Credentials, the Digital Credentials API, OpenID for Verifiable Presentations, and OpenID for Verifiable Credential Issuance. This work spans multiple standards bodies and communities, and 1Password has been contributing heavily to the organizations driving these protocols, including FIDO, W3C, and OIDF.

Because we build both consumer and enterprise security products, we are in a unique position to complete the feedback loop between standards formulation and actual product development. For this ecosystem to succeed, the rough edges for users, browsers, and wallets need to be worked through in the standards process in real time.

This work also requires alignment across different global jurisdictions. We are keeping an eye on the EU Digital Identify (EUDI) wallet work and other related regulatory work to inform future product decisions.

What mDLs suggest for the future of digital wallets

Over time, we expect the line between a traditional "password manager" and a digital "wallet" to keep getting thinner.

A modern wallet should do more than store passwords, credentials, or personal information. It should be able to protect a broader set of high-value credentials in a way that is secure, privacy-preserving, and easy to use across all your devices. That includes the kinds of government-issued credentials emerging in the mDL ecosystem.

This is one reason this space is so interesting to us. The long-term opportunity is far bigger than one single credential type or one specific industry. It’s about helping people seamlessly prove the right thing, to the right party, at the right time, without oversharing or adding unnecessary friction.

Putting identity in the driver’s seat

NIST started with the financial sector because it is a high-assurance environment facing fraud pressure and strict compliance requirements like the identity-proofing components of Know Your Customer (KYC). Finance is just a starting point. We highly recommend reading the draft and applying these learnings to your own industry's problem space.

mDLs are not a silver bullet, but they are a meaningful shift in how digital identity can work online. Cryptographically signed credentials are much harder to fake than document images, and standards-based workflows improve both usability and security.

That’s why 1Password is participating in this work. We believe in global standards. We believe digital identity should be controlled by the individual. And we believe the best systems will be those that give people greater control over their data while improving security and privacy.

Whether you’re juggling travel bookings with friends or packing the kids’ suitcases, planning a summer vacation can be far from relaxing. And once you get to your destination, the confirmation codes and passport numbers are always buried in the group chat when you need them most. But when you have all your travel essentials saved securely in one place, you can skip the scramble and put safe travels on autopilot.

Before you take off this summer, check these tips to keep your information safe and your trip on track.

Before you leave

• Set up strong account passwords. Your personal information lives in a host of accounts, from airlines to hotels to car rentals. Make sure all of that stays secure by using 1Password to generate and save unique passwords for every account.

• Securely store travel details. Shared travel information, like passport numbers and Airbnb codes, shouldn’t get lost in a group text. Store them in a shared vault in 1Password so everyone can access them safely and seamlessly.

• Back up data for easy access from anywhere. If your phone gets lost or damaged during your travels, you’ll need an alternate way of accessing your critical data. Keep copies of sensitive documents and your digital wallet in 1Password so you can access that information from any device with your recovery code.

• Organize vaults for Travel Mode. When in use, 1Password’s Travel Mode lets you remove selected vaults from your device. If you have any sensitive information unrelated to your trip, you can move it to a designated vault to keep it private while you’re in transit.

• Turn on two-factor authentication (2FA). It’s always a good idea to have an extra layer of protection on your accounts, but especially so when you’re traveling. 1Password identifies accounts that don’t yet have 2FA and also functions as an authentication app for one-time passcodes, so you can easily add that second layer of security.

During your trip

• Use Nearby Items for seamless check-ins. We all know the pain of standing outside a vacation rental frantically searching for the entry code. Add locations to saved items in 1Password and they will automatically appear at the top of your app when you get close.

• Turn on Travel Mode. If you organized your vaults in 1Password before leaving, turn Travel Mode on once you’ve left home. Only the vaults you marked safe for travel will be visible, so you can protect your privacy on the road and in the air.

• Turn off Face ID. Removing biometrics like Face ID adds another layer of security while you’re traveling. Make sure to set up a strong password or passcode for your phone instead.

• Set shorter auto-lock windows. Minimize how long your phone and apps like 1Password remain unlocked. If you get separated from your phone during your travels, these settings can prevent others from gaining access to your accounts.

After you return

• Delete unnecessary apps and accounts. If you downloaded any apps or added any accounts for your trip that you don’t need at home, delete or close your accounts before deleting the apps. A breach of a dormant account can take longer to notice and address.

• Review statements for unknown charges. While you’ll have charges from new merchants and potentially in new currencies, it’s best to check accounts even after you’re home for any unexpected charges. The earlier you report a suspicious transaction, the better.

• Check your password health. Double check that all of your accounts are protected with strong passwords. 1Password’s Watchtower automatically monitors accounts for compromised passwords and sends alerts when they need your attention.

Your vacation will end, but the habits you build for safe, smooth travels don't have to. Passwords for family streaming services can live in shared vaults. Credit cards and your home address can be safely stored for faster autofill when you’re online shopping. With the right tools to keep your accounts organized and secure, you can put your digital life on autopilot, too.

If cybersecurity teams were rock bands, offensive security professionals would be the cool drummers; they don’t just have a fun job, they help show the rest of the team where to go.

In this episode of TheChasing Entropy Podcast by 1Password, Dave Lewis speaks with a legend of offensive security, Dustin Heywood, known to many as EvilMog. Heywood is an executive managing hacker and senior technical staff member at IBM, and the conversation runs the gamut from password cracking and Active Directory abuse to AI privilege creep and quantum planning. The through line is simple: most security failures start with access, trust, and bad assumptions about how systems behave under pressure.

Heywood’s background explains why he sees the problem this way. He came up through network engineering, military communications, enterprise infrastructure, and offensive security. That path matters because his view of security is operational, not theoretical. As he continually reiterates, businesses are not trying to be secure for the sake of security. They are trying to keep operating, and security has to support that goal or it gets bypassed.

Rethinking access for the agentic world

A big part of the episode focuses on the risks of agentic AI, although Heywood argues that AI is exposing access problems that were already there. He runs through some of the weaknesses he encounters in his day-to-day job that AI agents are set to exploit, like overpermissioned service accounts and broad integrations.

Heywood’s main concern, and where he sees the biggest opportunity to make a difference, is the gap between identity and intent. He gives the example of a person using an agent to buy concert tickets at a specific time and with a specific budget, but

A user might want an agent to buy concert tickets under a clear budget and time window, but today’s systems rarely encode that level of permission. In practice, the agent often gets broad backend access and can do far more than the task requires, to the detriment of both the human user and the ticket company.

I think we need to overhaul identity management as a whole [to adapt to agentic AI]…We don’t have an intent-based authorization process right now, and that's where we need to go.” - Dustin Heywood

That leads to the episode’s strongest point about machine identity. Most organizations still think about access in terms of human users. That model does not hold up when a company has thousands of employees and tens of thousands of machine identities tied to services, devices, integrations, and automation. If those identities are overprivileged, an AI layer on top of them becomes a force multiplier for existing risk.

Quantum mania?

The discussion then shifts to quantum threats, and Heywood takes the issue from abstract future risks to concrete concerns. He is less focused on dramatic “decrypt everything later” scenarios and more focused on the systems around the data. If quantum-capable attacks weaken the trust layers behind OpenID Connect, SAML, certificate authorities, VPN certificates, and federation systems, attackers do not need to break every encrypted file directly. They can go after the identity and key infrastructure that grants access. That is the planning problem security leaders need to understand now.

His advice on crypto agility to prepare for quantum computing is practical. Start with inventory, know where cryptography lives in your environment, how certificates are issued and renewed, and what would have to change if a major algorithm or trust model becomes unusable. He also points out that many companies still struggle with certificate management at a basic level. If certificate rotation is manual, the organization is already behind. Automation is not optional here.

Stronger credentials shouldn’t mean added friction

On credentials, Heywood takes a hard line that is worth adopting: assume every password entered into a remote system will eventually leak. That changes the goal from “password theater” to unique credentials, automated rotation where possible, stronger storage, and lower user friction. If security makes daily work harder, people will work around it. His advice for security leaders is to strengthen weak and legacy encryption, start being more aggressive about clamping down on overpermissioned admins, and simplifying security wherever possible.

Talk to your employees about friction in your environment. Eliminate friction spots in security and focus on how you can be a business enabler.” - Dustin Heywood

Security leaders who are dealing with AI adoption, identity sprawl, legacy authentication, or PKI debt should definitely listen to the episode. Heywood is refreshing because he treats security as a systems problem tied directly to business operations and user behavior.

AI has gotten very good at generating answers. The bigger opportunity now is helping people take action.

That shift is already underway, and AI is moving from chat into real workflows: researching, navigating applications, and completing multi-step processes across systems. But the moment AI moves from answering questions to getting things done, one problem becomes impossible to ignore: secure access.

Secure access, in this context, means ensuring the right human or AI agent can reach the right application or credential at the exact moment an action is taken without exposing sensitive data or stopping the workflow to ask someone to log in manually. Every meaningful agentic workflow depends on this, but most existing access protocols weren't designed for it.

That's why we're expanding our partnership with Perplexity, by making 1Password’s secure access capabilities seamlessly integrate with Perplexity Computer.

AI agents are a new kind of actor in enterprise systems

Perplexity is building an orchestration platform that coordinates models, tools, and connectors to automate complex work. As Perplexity Computer operates across enterprise environments, access stops being a convenience question and becomes a trust question.

Consider what this looks like in practice: It's mid-March at a twelve-person CPA firm, and twenty new clients have dropped off boxes of files. In past years, the junior staff would spend ten days logging into Chase, Fidelity, Coinbase, and a dozen other portals one client at a time. This year, the senior CPA hands the intake list to Perplexity Computer. The agent asks 1Password for each credential, pulls the 1099s, logs into the IRS practitioner portal, files the extensions, and drops everything into UltraTax. The credentials never touch the model; the CPA spends her fourteen hours reviewing returns instead of typing them, and the firm takes on six more clients than last year because the bottleneck moved.

That's what Perplexity Computer does. And 1Password helps execute these workflows quickly and securely.

"We're focused on expanding what AI can do on a user's behalf," said Dmitry Shevelenko, Perplexity's CBO. "To do that effectively in the enterprise, secure and seamless access has to be built into the experience from the start."

AI agents don't behave like humans. They operate probabilistically, persist across workflows, and act at machine speed. A single workflow might touch a browser session, a system login, a token, and a service credential all in sequence, with all requiring different permissions. Without a secure way to provide agents access, you're either slowing the workflow down with manual authentication or accepting credential sprawl as the cost of moving fast. Neither works at scale.

What 1Password and Perplexity are building together

In the next phase of this partnership, we're working toward a model where access is provisioned dynamically as part of the workflow itself. A human stays in control by defining what should happen and what's allowed by the agent executing the work, but every action remains authorized, governed, and auditable. Crucially, credentials are never exposed to models or prompts.

This builds directly on 1Password® Unified Access, our recently released platform for discovering, securing, and auditing access across human, machine, and AI agent identities. Expanding the Perplexity partnership is a direct demonstration of how Unified Access works in practice. "Our partnership with 1Password helps ensure that as we expand what AI can do, we're doing it in a way organizations can trust," Shevelenko added.

The diagram below illustrates how 1Password Unified Access grants secure access to Perplexity's agent, without directly exposing credentials to it.

Security and productivity have long been framed as a tradeoff, but they don't have to be. If AI is going to deliver real value in the enterprise, the secure path has to be the easy path. That is what we're building together with Perplexity.

Click here to learn more about how 1Password Unified Access governs credential access for humans, agents, and machine identities.

For security teams, credential sprawl is like dust; you don't notice it until it has accumulated.

Over time, access spreads across SaaS apps, developer tools, automation workflows, and now AI agents. People sign up for tools to get work done and connect accounts using OAuth because it is fast and familiar. Credentials get reused across scripts, stored in environment variables, or passed between systems that were never meant to share a common control layer.

The problem only becomes visible when you zoom out and realize that all these individual decisions have created a network of external dependencies that now sit on top of your internal access model.

That is where credential sprawl turns into a supply chain risk. Add enough overpermissioned OAuth connections and suddenly, access to your internal systems is at the mercy of the security posture of every third-party service that has been granted access along the way.

What is the attack chain for an OAuth-based supply chain brief?

Recent incidents have shown how this access pattern can turn into a breach.

Here’s how it has played out:

1. An employee connects a third-party tool using Google Workspace OAuth.

2. The permissions are granted through a standard consent flow.

3. At some point later, that third-party service is compromised.

4. The attacker obtains the token and uses it to access internal systems.

There is no need for the attacker to bypass authentication, because the token is valid. There is also no need to escalate privileges, because the permissions are already in place.

What makes this type of attack so insidious is that, from the perspective of most security systems, the hacker’s activity does not appear anomalous. The requests are authenticated, the client is recognized, and there are no failed login attempts or obvious indicators of abuse. The attacker is operating within the boundaries that have already been approved.

The issue here is that trusted access has been extended into an environment that sits outside of direct control.

Preventing it requires knowing which connections exist, ensuring access is granted only at the moment it is needed, and maintaining a clear record of who or what used it and when.

Managing the risk of overpermissioned tools in Google Workspace

Every time someone clicks “Sign in with Google” or “Sign in with Microsoft” on a new app, they are creating a new trust relationship between their company and a third-party service. In many cases, that happens without any formal review from security or IT. The scopes granted during that flow are often broader than people realize, and once the token exists, it tends to persist quietly in the background.

Over time, these connections add up. Some are actively used, others are forgotten, and very few are tracked continuously.

The pace of shadow IT adoption has only increased with AI tools, where the fastest path to value usually involves connecting directly to existing accounts. 1Password's research found that more than half of employees download apps without IT approval. OAuth makes that easier than ever: connecting a new tool takes one click and leaves no footprint in your identity provider's app catalog. And when it comes to third-party AI integrations, access can rapidly go from "benign" to "breached".

How to check your exposure to OAuth-based supply chain attacks

Before getting into architecture or long-term fixes, let’s go over some advice you can use right now.

If you are using Google Workspace, you can see which third-party apps currently have OAuth access:

• Go to Security → API controls → App access control

• Review the list of connected applications

• Look for apps with broad scopes or unclear purpose

It's a quick check, but it answers an important question: what has access right now.

While you are there, it is also worth tightening the default posture. Limiting unconfigured apps to basic profile information reduces the impact of new connections that happen without review.

Replacing point-in-time checks with automated OAuth discovery and secrets rotation

The kind of review we shared above is useful, but it does not solve the underlying issue, because the set of connected apps is constantly changing. New tools get added, old ones linger, and the same pattern repeats with different services over time. Looking at a single snapshot only tells you what exists at that moment.

But you can change that with a few shifts that bring visibility and control closer to where access already happens.

First, treat discovery as an ongoing process rather than a periodic audit. The inventory of connected applications changes every time an employee signs up for a new tool, grants additional permissions, or stops using something without revoking it. A review you ran last quarter does not tell you what connected yesterday. The goal is a continuous view, so that risk prioritization is based on what exists now, not what existed the last time someone looked.

Second, look at how long credentials live. Many tokens remain valid far longer than the task that required them. Shortening that window changes the economics of an attack. A token that expires quickly is far less useful if it is exposed. For OAuth connections specifically, Google Workspace admins can set token expiry policies directly in the Admin console. For agent and automation credentials, the answer is issuing them at the moment of use through a credential broker rather than distributing long-lived secrets in advance.

Third, keep environments separate. Credentials used in development workflows should not carry over into production systems. Even basic separation limits how far access can travel if something goes wrong.

Fourth, reduce how often credentials end up in uncontrolled places. In practice, they show up in scripts, environment variables, and application contexts more often than teams expect. Moving toward centralized storage and issuing access at the moment it is needed helps contain that spread.

Finally, pay attention to how access is used after it is granted. Most detection systems are designed to catch failed attempts or obvious anomalies. They are less effective when valid credentials are used in ways that do not match normal behavior. Building a baseline of expected activity for machine identities makes those deviations easier to spot.

How 1Password helps prevent supply chain attacks

1Password is designed to make your access surface visible and manageable.

1Password SaaS Manager provides a continuous view of the applications connected to your environment, including those added through OAuth. When an employee connects a new tool using "Sign in with Google," SaaS Manager surfaces that connection automatically: the app name, the user who authorized it, the permission scopes granted, and a risk rating based on how broad those scopes are.

Security teams can review connections directly in the dashboard, revoke access with a single action, and set policies that restrict new connections to basic profile scopes by default. The inventory updates continuously, so the view reflects what exists now, not what was audited last quarter.

With 1Password Unified Access, credentials and secrets will be discovered and stored in a centralized system rather than spread across scripts and local environments. As credential brokering capabilities come to the platform, access will be issued at the moment it is needed, which reduces how much standing privilege exists at any given time. Every action tied to a credential can be traced back to who or what used it.

Going forward, teams will continue adopting new tools and OAuth will remain the default way to connect them. Credentials will continue to move across systems unless something is done to contain and govern that flow.

The work is not in preventing every connection or third-party tool, but understanding where those connections exist, how much access they carry, and how that access is being used over time.

FAQ: Protecting Your Supply Chain from Credential Sprawl

Q: What should I do if a third-party AI tool I use is compromised? A: Revoke the OAuth token in your Identity Provider (Google/Microsoft) immediately, rotate any credentials the tool had access to, and audit your internal logs for unauthorized requests using that tool’s Client ID.

Q: Why are environment variables a supply chain risk? A: Many platforms don't encrypt "standard" environment variables at rest. If an attacker hijacks a trusted integration's token, they can read these secrets in plain text, leading to a cascade of further breaches

Q: How do I find out which third-party apps have OAuth access to my Google Workspace?: Open your Google Admin console and go to Security → API controls → App access control → Manage Third-Party App Access. This lists every application that has been granted OAuth access by users in your organization, along with the permission scopes each app holds. Look specifically for apps with access to Gmail, Drive, or calendar data that were never formally reviewed by IT. You can revoke individual app access directly from this view. For ongoing monitoring rather than a one-time check, SaaS Manager automates this inventory continuously and flags connections with elevated or risky scope grants.

Click here to learn more about how 1Password Unified Access can help you manage credentials and access for humans, machines, and AI agents.

Cyber conflict is easiest to misread when we treat it as an isolated technical event. In this episode of Chasing Entropy, Dave Lewis speaks with analyst and author Allie Mellen about her book Code War and why the cyber strategies of the United States, China, and Russia make more sense when viewed through the lens of history, doctrine, and political intent.

From the Gulf War to Russia’s war in Ukraine, cyberattacks are most effective when they reinforce defined objectives within a larger campaign and help a state apply pressure, gather intelligence, or shape the environment around a conflict.

History shapes cyber strategy

A nation’s cyber strategy is rooted in its political history and military doctrine.

Mellen traces the US approach to a culture of experimentation and technical tinkering. China’s cyber ecosystem emerged from hacktivism and state-linked talent pipelines. Russia’s path was shaped by the post-Soviet collapse, when cybercrime became tied to survival and later overlapped with state interests.

Those origins still influence how each country organizes teams, chooses targets, and pursues advantage. Countries do not enter cyberspace as blank slates. They bring older power habits with them, and those habits continue to shape how cyber campaigns are built and used.

That is the first step to decode cyber conflict. The tools may be technical, but the logic behind them is familiar. States still pursue leverage. They still coordinate across different forms of power. They still use whatever tools best support their goals.

Mellen also pushes back on the way cyber conflict is portrayed in pop culture, often appearing as code on screens and elite operators in high-tech rooms. That framing misses the larger story. One of the more memorable examples in the episode is her discussion of how WarGames helped push US policymakers to take computer security more seriously in the 1980s. Public narratives matter, even when they get parts of the story wrong.

Attribution defines intent

This is where the conversation becomes especially useful for security teams.

Mellen argues that defenders need to understand who is behind an operation, not just what malware was used. Attribution helps explain motive, likely targets, and what may come next. It helps distinguish between disruption, intelligence gathering, and influence activity, which changes how defenders prioritize response and what they watch for next.

That matters for governments, but it matters for enterprises too. Security teams build better threat models when they understand how a group typically operates and what it wants. Technical indicators still matter, but they are more useful when paired with context about intent.

This is also where the episode connects to a broader shift in the security landscape. As more activity is delegated to automation and AI systems, defenders need better ways to understand who acted, under whose authority, and toward what goal. The attribution problem is becoming more central.

AI makes deception cheaper and attribution harder

The episode closes on AI with a sober tone. Mellen sees real value in automation, especially when it speeds up workflows and reduces manual effort. She also points to a growing challenge: AI lowers the cost of deception, makes false flag activity easier, and adds friction to attribution.

That raises the stakes for defenders. In a more fragmented internet and a less stable geopolitical environment, it becomes harder to tell what an operation is meant to do, who benefits from it, and how confidently you can respond. The problem is no longer just technical detection; it’s an interpretation.

That is what makes Mellen’s argument so useful. The mistake is a misunderstanding of the role cyber plays inside broader campaigns of pressure, intelligence, and influence. When defenders treat cyber incidents as isolated technical events, they miss the larger strategic context.

Listen to the full conversation with Allie Mellen on Chasing Entropy, then take another look at whether your threat model reflects how cyber conflict actually works.

AI agents are increasingly used to refactor large codebases, but many teams lack a clear understanding of where they succeed and where they fail. At 1Password, we applied agentic tooling to a multi-million-line Go monolith, and in this blog we'll share what worked, what broke, and what it means for teams adopting AI in production systems.

Here’s the situation: 1Password runs a large Go monolith called B5. It has been the foundation of our product for years and continues to perform well in production, both in terms of reliability and scale.

Now, Unified Access is designed to support both human and agent-driven workflows at high request rates and low latency. As we continue adding and enhancing its capabilities, we need clearer service boundaries and more independent scaling characteristics. Over time, that means evolving parts of the system in a way that preserves the privacy, performance, reliability, and security properties we have already established.

Coming up with an actionable plan for tackling this problem sounded like a good job for agents.

In our case, this meant applying agentic refactoring: using AI agents to analyze, plan, and execute changes across a codebase, from dependency mapping to system decomposition.

There’s a version of this story where agentic tooling analyzes a large codebase, produces a clean extraction plan, and service decomposition follows a predictable path from there.

Parts of that story did play out as expected. We built an agentic toolchain that analyzed millions of lines of code and gave us a clear, defensible extraction order, and that work has meaningfully improved how we think about decomposing the system.

What ended up being more valuable, though, was what we learned once we applied those tools to real changes in a live production environment. That is the part that tends to get glossed over, and it is the part that actually determines whether this approach works.

Building the analysis layer

The first question we had to answer was sequencing. In a system that handles sensitive data at scale, extraction order is a correctness constraint. If you get the sequence wrong, you can introduce subtle failures that are difficult to detect and even harder to unwind later.

To make that problem tractable, we built an agentic toolchain that combined a few different sources of truth.

We used Go SSA analysis to understand code structure, SQL parsing to identify data dependencies, and a DataDog MCP integration to bring in runtime coupling data. Together, these gave us a domain ownership map, a coupling graph, and a prioritized extraction order.

The output largely matched what you would expect from experienced engineers looking at the system. It suggested starting with Vault, which has its own API, dataset, and security boundary, followed by Billing, then AuthN and AuthZ, with Identity remaining as the core.

One pattern that worked especially well was using agents to build deterministic tooling rather than relying on them for ongoing interpretation. In this case, agents helped write parts of the SSA analyzer, and the analyzer then produced a reproducible domain map. That distinction matters because once the tool exists, you are reasoning over a stable artifact rather than debating what the model believes the system looks like.

An unexpected benefit of this work was that the instrumentation we added to support the analysis also improved our end to end transaction visibility in DataDog, which has been useful beyond this project.

Finding the human to agent ratio

In parallel with the extraction analysis, we applied the same approach to a long-standing cleanup task in the codebase.

Our Go server used MustBegin to start database transactions, which panics on failure. That behavior made sense early on because it surfaced database issues quickly during development, but at production scale it is not the behavior you want when connections time out or request contexts are cancelled. In those cases, returning a clean error is the correct outcome.

The migration required updating more than 3,000 call sites across production and test code, which is why it had been sitting in the backlog.

The approach we took was highly structured. We generated a deterministic manifest of every call site using SSA, classified those sites into a small number of patterns, and defined explicit templates for each one. From there, we wrote a detailed playbook that described exactly how agents should execute the migration, including a list of common failure modes and clear instructions on when to stop and escalate instead of guessing. To scale execution, we ran multiple agents in parallel using git worktrees so that changes remained isolated.

Execution itself took a matter of hours. The majority of the time was spent building the tooling and writing the specification.

That ratio is the important part. When the work is fully specified and bounded, agents are both fast and accurate. When they encounter something outside the specification, the system is designed to surface that rather than attempting to resolve it implicitly.

Where agents need stronger constraints

We then moved on to a more complex task, which was extracting a service from the monolith.

Even for a relatively small service, this kind of work requires coordinated changes across schema evolution, read and write paths, deployment sequencing, and shared data contracts. These are interdependent decisions that need to happen in the right order. The primary issue we saw with this task was related to sequencing and invariants.

For example, the agent would attempt to backfill UUID columns before updating the code responsible for inserting new rows. That sequence introduces silent data loss, even if the underlying system is otherwise well designed. In other cases, it treated shared tables as if they were independently owned by the new service, which would have created conflicts at deployment time. These patterns persisted even when we provided explicit instructions about ordering and constraints.

We also saw a recurring behavior that we described internally as “speculation.” When the agent lacked sufficient context, it filled in the gaps with assumptions that appeared reasonable but were not verified. In one case, it inferred that a particular identifier format was a ULID and propagated that assumption through a series of changes, which ultimately required rolling back the entire session.

The pattern that works is using agents to produce deterministic artifacts, then forcing execution through those constraints. For instance, in Cursor, we see lots of customers use Plan Mode with a bigger, slower model (like GPT5.4 or Opus) to produce a concrete plan.md file, edit the file as needed, and then actually build with a smaller, faster model that is excellent at coding (like Composer)." - Tido Carriero, VP of Engineering, Cursor

For this class of work, the productivity gains were real but more modest. In practice, we saw something close to a 20-30% improvement. The agents were helpful, but they did not replace the need for careful coordination and review.

This points to a broader shift we’re seeing at 1Password. AI agents are becoming a new class of actor in systems, one that introduces non-determinism, persistence, and scale that traditional models were not designed to handle. That has implications not just for engineering workflows, but for how access and trust are managed across systems.

Lessons for teams using AI agents in code

There are a number of lessons other teams can take away from 1Password’s experience, and their applications extend beyond this single use case.

Lesson 1: The bottleneck for agentic refactoring is not code generation

Agents are very effective at reading code, analyzing structure, and drafting changes. Where things become difficult is in managing sequences of decisions that have ordering constraints or are difficult to reverse. This includes schema changes, deployment sequencing, and shared state boundaries. If those are not handled correctly, the system will fail regardless of how clean the generated code is.

Lesson 2: Non-determinism needs to be carefully contained

Language models are non-deterministic, which is part of what makes them useful. In the context of production migrations, however, that variability becomes a source of risk. The pattern that has worked well for us is to use agents to build deterministic tools, such as analyzers and manifests, and then constrain subsequent work to those outputs. This creates a stable foundation even when the agents themselves are not fully predictable.

Lesson 3: Incomplete specifications lead to implicit ones

When an agent does not have enough context, it will fill in the gaps, often in ways that are locally reasonable but globally incorrect. The only reliable way to address this is to make the specification explicit, including invariants, ordering constraints, and clear escalation paths for anything that falls outside the defined patterns.

Another important shift is around how to think about coverage. The goal is not to have the agent handle every possible case. The goal is to have it execute confidently on well-understood patterns and escalate quickly when it encounters ambiguity. This requires being intentional about where automation stops and human judgment takes over.

Lesson 4: Parallelism only works when isolation has already been solved

Running multiple agents at once can be very effective, but only when changes are independent and conflicts are structurally eliminated. Otherwise, you end up increasing the surface area for inconsistency rather than reducing execution time.

How this impacts 1Password’s agentic approach

We are rolling out agentic tooling across the engineering organization with a clear understanding of where it provides leverage.

We know that agents are most effective when the problem is well specified and that deterministic tooling provides the constraints that make that possible. Engineers remain responsible for defining system boundaries, modeling dependencies, and ensuring that sequencing is correct.

These insights will help us shift the nature of the work we allocate to engineers, understanding that the highest leverage activities are not writing code or prompting models, but defining systems in a way that can be executed safely and predictably.

The problems we are working on, including decomposing a production system under live traffic and structuring multi-agent execution, do not yet have well-established playbooks. We are building those in real time, and that is where most of the interesting engineering work is happening.

If that is the kind of problem you enjoy working on, we are hiring.

April marks Southwest Asia and North Africa (SWANA) Heritage Month, a time to recognize and celebrate the rich cultures, histories, and contributions of SWANA communities. At 1Password, we’re proud to highlight the people who bring these perspectives to life in our work and shape our culture every day.

This month, we’re spotlighting Kaynat Chowdhury, Customer Success Manager and Communications Lead for our SWANA Employee Community Group. We sat down with Kaynat to learn more about her career journey, her impact in Customer Success, and how community and belonging have shaped her experience at 1Password.

Meet Kaynat

Can you share a bit about your career journey and what led you to Customer Success? Was this a path you always saw for yourself?

When I was in school in Bangladesh, I studied Science and then Commerce, then I came to Canada to get a Bachelor’s Degree in Sociology. All the while, I had no idea I was going to be in tech and in Customer Success. However, it really was the best decision and I feel that Customer Success found me more than I found it, and once I was in it, I realized it was a perfect fit. It combines everything I enjoy: building relationships, problem-solving, and making a real difference for the people I work with. Was this the path I always saw? To be honest, no! It’s quite hard to be an immigrant in a new country (I have been here more than a decade now) and truly know what path will be possible. You're just doing your best with what's in front of you. But I am so glad I stayed open, because Customer Success turned out to be everything I didn't know I was looking for.

As a Customer Success Manager, you work closely with organizations to help them get the most value from 1Password. How has that work evolved as we’ve expanded into areas like Unified Access, SaaS Manager, and EPM?

It has been incredible to see the reception our clients have with our product expansion from EPM into Unified Access and SaaS Manager. I have had the privilege of interacting across thousands of clients over the years and people really love our product and are curious about what we are building. This evolution is also allowing me to have much more strategic discussions with IT leaders and security teams about how 1Password fits into their broader security posture.

You’ve been at 1Password for four years and have seen the company evolve quite a bit. What’s felt most meaningful to you as that growth has taken shape, and what are you most looking forward to next?

Four years! I cannot believe it. When I think back to where I started versus where I am now, the growth has been remarkable – and not just for the company, but personally for me too. I went from Customer Success Representative, to Customer Success Manager, and now Customer Success Manager, Level 2. Watching 1Password evolve from a well-loved password manager into a comprehensive security platform has been genuinely exciting to be part of. The most meaningful moments have always been the human ones, though; the customers who tell you that your work made a real difference (which in my role, I get to hear a lot of) and the colleagues who show up for you every single day. Being part of a team like that is something I don't take for granted, and I want to continue contributing to that culture as we grow.

During your time here, we’ve also seen our inclusion efforts grow, including the launch of Employee Community Groups like SWANA. As Communications Lead for SWANA, what does your role involve, and how do you approach building connection and visibility for the community? 1Password's inclusion efforts have been wonderful to see and to be a part of. The love for my SWANA community and the amazing leads I share space with is truly unmatched. As Communications Lead, my role is really about making sure our community feels seen, heard, and celebrated, both within SWANA and across the broader 1Password organization. That means everything from crafting our messaging, to helping plan events and amplifying the stories of our community in ways that feel authentic and meaningful. What I love most about this role is that connection is at the heart of everything. The SWANA region is incredibly diverse, spanning so many cultures, languages, and experiences, and I think that richness is exactly what makes our community so special.

How has being part of the SWANA community shaped your experience at 1Password? Honestly, it has made me feel more at home. I already loved working at 1Password, but SWANA added a layer of belonging that is hard to describe. As someone who immigrated from Bangladesh, there is something really meaningful about having a space where your culture and your background are not just acknowledged but celebrated. It has connected me to colleagues I might never have crossed paths with otherwise, and some of those connections have become some of my most valued relationships here.

What would you say to someone from a background represented within the SWANA community who is considering a path in tech or cybersecurity today?

I would say: do not let the unfamiliarity of the industry intimidate you. When I was studying Sociology in Canada, I never imagined I would end up in tech. But here I am, and I genuinely love what I do. The skills you bring from your background, your ability to navigate different cultures, to communicate across differences, and to be resilient in unfamiliar spaces, are not weaknesses. They are strengths that this industry needs. Tech and cybersecurity need more diverse voices, more perspectives, more people who understand the world in different ways. The path may not always be clear, but the community around you will support you. Lean on it.

Happy SWANA Heritage Month

Kaynat’s story is a reminder that there’s no single path into tech – and that the perspectives we bring with us are often what make the biggest impact. Whether she’s building trusted partnerships with customers or fostering connection and visibility within the SWANA community, her work reflects the kind of care, curiosity, and leadership that drive both our business and our culture forward. As we celebrate SWANA Heritage Month, we’re grateful for the community Kaynat helps build and for the impact she makes every day in shaping 1Password as a place where people feel a true sense of belonging.

If you’re interested in joining us, explore open roles at 1Password.

When Anthropic revealed the existence of Mythos, the frontier AI model they deemed too dangerous for public release, the security community was alarmed. And it’s not hard to see why: Mythos is capable of detecting software vulnerabilities at a previously unimaginable scale, and autonomously crafting exploits to weaponize these flaws. According to Anthropic, Mythos created 181 exploits of Firefox in testing, ninety times more than the company’s previous model (Claude Opus 4.6).

The security world is facing down the prospect that soon, hordes of agents will turn the systems they rely on into Swiss cheese. But while concern is an appropriate reaction to this coming storm of vulnerabilities, panic is not. Instead, security and business leaders need to treat the next few months (which are likely all we’ll get before a Mythos-level model is widely available) as a precious gift: time to batten the hatches and prepare not just for a temporary crisis, but a permanently altered paradigm.

If there’s a silver lining to this storm cloud, it’s that it’s bringing the security community together to build collective solutions. As part of that effort, I was proud to contribute to The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program, a paper developed by Gadi Evron and Rich Mogull at the Cloud Security Alliance (CSA), CISO community, [un]prompted, SANS, the OWASP Gen AI Security Project, and a broad coalition of industry leaders.

This paper offers a roadmap for security leaders to make the most impactful changes at their organizations and work toward “Mythos-ready” resilience. Their recommendations combine AI-driven defensive capabilities, accelerated vulnerability operations, hardened core controls, updated risk models, and stronger cross-industry coordination to operate at machine speed and withstand continuous waves of AI-driven attacks.

The paper takes a broad look at how security can prepare for this new era of patch management – from how to use LLMs for code scanning to how to deal with security team burnout – but this blog focuses on my key takeaways. They reflect a shift in how defense actually works now that vulnerability discovery happens faster than any team can respond. In this world, the practical question is what an attacker can reach after initial access, and how far that access can spread.

In a Mythos environment, a flaw matters most when it leads to credentials, tokens, or keys that can be reused elsewhere. That is where incidents turn into breaches.

How to update patch management for AI-driven exploits

In the pre-AI world, vulnerability management was constantly compared to “whack-a-mole:” an unglamorous, tedious job that was never really finished. Now, the arrival of Mythos has made this old, piecemeal approach obsolete. As the paper says: “The window between discovery and weaponization has collapsed to hours. Attackers gain disproportionate benefit, and current patch cycles, response processes, and risk metrics were not built for this environment.”

The obvious implication of this shift is that organizations need to make serious investments in their discovery and remediation efforts, including employing LLMs to help identify and triage urgent needs. But, as the paper says, “we cannot outwork machine-speed threats.”

Trying to respond to every vulnerability will likely prove impossible, which means the real focus needs to be on containing the blast radius of any breach. More precisely, the goal is to ensure that a single exploit cannot be used to move across systems. And that means focusing on controlling access.

In practice, an exploit is usually the entry point of a breach, not its end state. What determines impact is the set of credentials or tokens available from that position, and whether they can be reused to access other systems.

Access makes the difference between an “incident” and a “disaster.” Human and agentic hackers alike are looking for opportunities for lateral movement, so they can use a vulnerability exploit as a beachhead for a larger attack.

Attackers are looking for:

• Exposed API keys

• SSH keys

• Overpermissioned service accounts

• .env files

• Weak authentication methods (which runs the gamut from SMS codes to compromised passwords)

Bringing these secrets and credentials under control creates bottlenecks where defenders can contain breaches. Anthropic itself advises this approach: segmentation, strong authentication, and visibility over the entire attack surface. Their recommendations for preparing for a post-Mythos world include:

• Adopt a zero trust architecture

• Tie access to verified hardware rather than credentials

• Isolate services by identity

• Replace long-lived secrets with short-lived tokens

• Decommission unused systems, since they tend to be unpatched

If you’re wondering how to protect your systems from vulnerabilities discovered by Mythos, the answer is about credential management as much as patch management. By centralizing every credential, from the .env files developers use to the service accounts agents operate, you create a “kill switch” for lateral movement.

Secure AI agents and manage agentic identities

As The “AI Vulnerability Storm” makes clear, agentic AI will be an indispensable tool in the fight against breaches, and the paper emphasizes the importance of getting the entire security team comfortable with using agents as soon as possible. But it’s equally important to build strong guardrails for agents throughout your organization. Here’s the upside: designing for good agents protects you from bad agents.

Any effort to secure agentic access must begin with discovery, since employees using shadow AI represent a glaring vulnerability. Agents and AI-based tools are vulnerable to prompt injection, can incorporate sensitive information into their training data, or contribute code that hasn’t been properly vetted or tested. Without proper training and tooling, employees (both developers and non-technical “builders”) might give their AI tools the same level of access they have themselves, rather than a scoped, least-privilege subset. And each time an employee gives an agent a hardcoded SSH key instead of a short-lived token, they create a path that could be used by an adversarial agent in a vulnerability exploit attack.

The challenge with agents is that they do not behave like traditional identities. They do not require interactive login and often run continuously without clear session boundaries or direct human oversight.

Instead of trying to make agents fit within existing IAM systems that were designed for human access, security leaders need to treat them as an identity class of their own, with unique authentication and authorization needs. This requires a shift away from static credentials, human approval for agent access, and enforcing strong, context-aware authentication, particularly for systems and workflows accessed programmatically. This not only reduces the likelihood of a malicious agent intruding, it also helps security teams quickly separate anomalous behavior from the background hum of “agents being agents.”

How security can adapt to the post-Mythos world

The idea of vulnerabilities going from “discovered” to “exploited” in hours is certainly worrisome, but the good news is that security practitioners are dealing with this problem as a united front; that’s what Anthropic’s Project Glasswing is all about. Preparing for this new reality will require a constellation of approaches, from how we test code to how we automate patches, and 1Password is ready to meet the moment by helping to secure access for humans and their agents.

Security programs that rely primarily on patch speed will struggle in this environment. Teams that adapt will assume compromise and design security approaches so that a single vulnerability does not expose access that can be reused across environments.

And the best time to start adapting is now.

Is your security program Mythos-ready? Learn more about how 1Password® Unified Access can help secure agent access.

SEASON TWO HAS LANDED!

Bob Lord has spent decades building and leading security programs, from early internet crypto work at Netscape to roles at Twitter, Yahoo, the Democratic National Committee, and CISA. In this episode of Chasing Entropy, he and host Dave Lewis get practical about why the security advice most people hear doesn’t match how real compromises happen.

Across secure-by-design, AI systems, and software supply chains, security breaks down when organizations treat outcomes like someone else’s problem.

Why secure-by-design is an incentives problem

When Bob talks about secure by design, he is deliberately not trying to write another technical framework. Plenty exist. His question is different.

If we already know how to prevent a long list of common issues, why do we keep shipping the same defects?

Secure-by-design breaks down when companies treat security as a feature or a compliance exercise rather than something they are accountable for delivering as a customer outcome.

Draw a line to quality and safety movements outside software, especially in automotive safety. Car companies used to compete on lifestyle and appearance, not safety. Customers did not know what to ask for. Manufacturers had little reason to prioritize safety until norms, regulations, and accountability shifted.

Software, in Bob’s view, is still in the pre-seatbelt era. We have normalized shipping unsafe components, building with unsafe processes, and delivering unsafe defaults. Then we act as if customers should be able to configure their way out of systemic risk.

From that lens, CISA’s Secure by Design work focuses on three principles:

1. Take ownership of customer security outcomes. Shipping a patch is not enough if you do not know whether customers update. Measure adoption and remove friction.

2. Embrace radical transparency. Make vulnerability handling easier, not adversarial. Build a real safe harbor for good-faith research.

3. Lead from the top. Meaningful change is driven by senior business leadership. You don’t delegate quality to the quality team, nor do you delegate security outcomes to security teams alone.

How AI systems become permission amplifiers

The AI section lands because it stays concrete.

Dave shares a story where an internal LLM was asked, “Who at the company doesn’t like me?” The system reportedly queried HR data and responded, highlighting that agentic systems can become permission amplifiers.

What changes in AI environments is not just the interface, but the speed and scale of access: systems can act across email, chat, HR, internal tools, and business apps faster than most access controls were designed to govern.

In many organizations, no single person can pull data from email, chat, and HR systems and fuse it into a targeted answer. But companies are increasingly giving AI systems broad access paths without mature roles, rights, and auditing. Then we try to patch over it with soft instructions like “don’t be evil.”

The takeaway is pro-accountability. If the system can take actions and surface sensitive conclusions, you need guardrails that reflect that power.

Supply chain reality: “It’s upstream” is not a defense

Open source comes up in the context of underfunded teams that cannot afford premium tooling. Bob agrees the constraint is real, but he pushes back on the industry habit of outsourcing responsibility. Constraints don’t remove accountability when insecure or unmaintained components make their way into customer-facing products.

If a defect ships in your product, it’s yours, even if it came from upstream.

He also calls out a common failure pattern: vendors using unmaintained dependencies for years, sometimes far longer, and not giving customers visibility into what is actually inside the product. SBOM practices exist. Some companies do this well. Many do not.

Whether the issue is insecure defaults, overpowered AI systems, or vulnerable dependencies, the pattern is the same: organizations cannot keep pushing security outcomes downstream and expect users, customers, or open-source maintainers to absorb the risk.

Mentioned in the episode:

• https://hacklore.org

• https://pwn.college

At 1Password, we approach security through simplicity. We are developing an agent identity architecture to simplify and enhance the security of AI agents, ensuring interoperability with existing systems. Our approach is built in collaboration with customers, partners, and the standards community.

As part of this work, we recently responded to NIST’s AI agent authorization paper. Our view is that agent identity is not a single problem. It is a set of challenges spanning identification, attestation, enrollment, authentication, and authorization for machine workloads with reasoning capabilities. The ability to reason is what sets AI agents apart from traditional machine workloads.

This post is the first in a multi-part series on why agent-driven systems require us to rethink identity to enable continuous authentication and authorization for reasoning agents, and how that shapes both our response to NIST and our own approach to agent identity.

The agent identity problem

Where traditional machine workloads have a “set and forget” policy, the nature of reasoning workloads means a static policy can become out of date as the agent interprets and takes its next action. Agents that automatically deploy software are a great example of this escalation chain. A deployment agent begins with access to QA resources, but its access needs evolve when tests pass and may then require access to production services.

The principle of Zero Trust maintains that you should provide only the minimum access needed, but infinitely evolving logic makes it difficult to apply the correct access for the lifetime of an agent process. This paradox is what sets agent workloads apart and makes them more challenging than traditional machine actors. An identity and access management architecture for agents more closely matches the needs of a human rather than a traditional machine workload, but that architecture needs to engage machines instead of human actors. Simultaneously, an agent identity architecture must apply Zero Trust principles in real-time.

Existing identity and access management (IAM) protocols address some agentic requirements, and they are a practical starting point for maintaining interoperability. At the same time, approaches built on federation or on cryptographic trust anchored to a central authority can introduce performance overhead and added complexity as autonomy increases. These tradeoffs are reasonable in the near term, particularly as the ecosystem continues to mature. Over time, the direction should move toward identity standards that reduce coordination costs and provide a more direct path to fully autonomous identity verification.

What’s an identity?

Digital identity has taken many forms over the years, but it is easier to understand through its issuer. Operating systems, directories, and federation all tie an identifier back to an authoritative source. An issuer provides a cryptographic guarantee that an identifier is a trusted identity, and any system that trusts the issuer can trust the identities tied to it. Digital identity is cryptographically bound to the issuer, meaning there is no (trusted) identity without a trusted issuer.

How do issuers come to trust an identity?

At their core, an identity is a collection of attributes about an identity that others can verify. In the same way a web browser validates a domain by verifying a certificate’s signature against a trusted public key, a relying party validates a digital identity by checking its signature against the issuer’s public key. This verification process creates confidence that the entity is who they say they are and is authorized to act within a fixed scope.

Enabling autonomous systems

Non-cryptographic signals, such as where a process is running, who initiated it, and other provenance data, provide context that can be evaluated alongside, or in some cases independently of, a trusted issuer. This is the basis of attestation, where verifiable evidence about a workload is used to establish trust and, in many systems, to bootstrap enrollment into an issuing authority.

Attestation is a key part of the agent identity challenge because it enables issuers to automatically, in real time, bind an AI agent workload to an identity without human intervention. Automatic identity generation is critical for enabling and preserving autonomous systems and, therefore, allowing agents to operate more securely without humans in the loop.

Real-time Zero Trust

Automatic identity issuance also enables continuous enforcement of Zero Trust policies. Each attestation produces fresh, verifiable evidence of the workload, which can be used to dynamically adjust access. Instead of granting standing permissions, access is derived from the most recent attestation and constrained to what is justified at that moment. This is a real-time application of the Zero Trust principle, and is a first-order requirement for any agent identity framework.

In our feedback to NIST, we “recommend that Zero Trust Architecture (line 144) be a hard requirement for any solution NIST designs and accepts.” Prompt injection attacks are increasingly common, and we must accept that any framework securing a system susceptible to this broad threat must be treated as compromised by default. Zero Trust policy must be applied in real time, as close as possible to each agent action, with as little human intervention as possible. It must set the default path to the secure path, and the secure path must be the automated path.

The Zero Trust requirement is relevant to NIST’s framing of agent use cases. In our feedback, we recommend “splitting the use case on line 169, Enterprise AI Agents for Software Development and Deployment, into two separate use cases. The threat model for using an agent to develop software is very different from deploying software in production systems.” Generating code and taking action on production systems are two different trust domains. When an agent has access to customer data, infrastructure, or sensitive configurations, including API keys, a real-time Zero Trust system becomes even more relevant.

Securing agents starts with identity

Agent identity requires a model of authorization and authentication that can adapt in real time as agent behavior changes. 1Password is one of many organizations working to address the challenges of agent identity and access management, and meaningful progress depends on collaboration across the ecosystem. We are working with partners across foundation model providers, standards bodies, and emerging startups to shape an approach that is comprehensive, practical, and interoperable.

We encourage readers to review NIST’s work on AI agent authorization and to follow emerging drafts from the IETF and W3C. These efforts offer early visibility into evolving protocols and help clarify where the industry is converging.

From our perspective, advancing identity in this space will come through shared development rather than a single defining solution. Progress will depend on contributors aligning around architectures that support a range of enterprise, government, and consumer use cases. We welcome engagement from others working in this area, as well as perspectives that challenge or refine this approach.

Most organizations already have the policies they need in place. The problem is enforcement.

Employees must complete security awareness training, contractors must acknowledge updated agreements, and teams must meet compliance requirements. But the systems that track these requirements rarely connect to the systems that control user and device access. As a result, access is granted even when required conditions haven’t been met.

That’s why we're excited to announce that 1Password Device Trust can now take signals from other systems into account before allowing users to reach sensitive company apps and data.

External Checks in Device Trust

Until now, 1Password Device Trust focused primarily on device telemetry. That meant administrators could block employees from accessing company resources if their device failed to meet certain requirements, but they couldn’t enforce compliance based on signals that live outside of the device. With the ability to create custom External Checks, that changes.

Access to protected apps can now depend on:

• User compliance status

• Policy acknowledgments

• MFA enrollment status

• Active employment status

• Many other external verification signals

Access decisions are no longer limited to what’s happening on the device. They reflect whether the user of the device has met required conditions across systems.

How External Checks work

Administrators configure an External Check by connecting Device Trust to a third-party system via API. That external system becomes a source of truth for a specific requirement, such as whether a user has completed training or acknowledged a required policy.

When a user attempts to access a protected application:

1. Device Trust evaluates device posture as it does today.

2. Device Trust sends a request to the configured external system.

3. The external system returns a simple result: pass or fail.

4. Device Trust incorporates that result into the overall access decision.

If the check passes, access proceeds normally.

If the check fails, Device Trust can block access according to the policy defined by the administrator, while providing end users with custom remediation instructions so they know exactly how to resolve the issue.

This keeps enforcement centralized in Device Trust while allowing organizations to rely on their existing HR, training, or security systems as sources of truth.

Extending Zero Trust by closing the Access-Trust Gap

Zero Trust is about verifying that only the right user, on the right device, under the right conditions, can access the right application. External Checks help organizations move closer to that model by connecting the disparate systems that are already in place to make a more informed access decision.

By bringing identity and compliance signals into Device Trust, security teams can reduce gaps between compliance systems and real-world access. Ready to set up External Checks for your organization? Check out our documentation here to get started.

For many companies, passkeys are growing in popularity. They’re a practical way to reduce phishing risk, improve login security, and cut down on the weaknesses that come with password-only authentication.

However, businesses can’t replace passwords everywhere overnight. Passkey support has expanded across major platforms, identity providers, and business tools, but most companies still run in mixed environments. Some apps are ready for passkeys today, but others still depend on passwords, two-factor authentication (2FA) flows, or security questions for admin workflows and account recovery. 

So the real question is not whether passwords disappear tomorrow. It is whether your organization should start adopting passkeys for business accounts now, where they make the most sense, and how to manage the transition without creating unnecessary difficulty for employees or your IT team.

What are passkeys and how they work

A passkey replaces a traditional password with a cryptographic key pair. One key is public and stored by the service or app. The other is private and stays on the user’s device or in their credential manager.

A password is a shared secret between the user and the service. Passkeys remove the shared-secret model and are designed to authenticate only with the legitimate service, not with a fake site set up to capture login information.

When you sign in to a service with a passkey, the service sends a cryptographic challenge. The private key responds only after you unlock your device with a biometric method or a local PIN. The key never leaves the device, and the service does not store a password-equivalent secret that can later be stolen or cracked.

Passkeys are both secure and easy to easy.  Instead of typing a password, you can choose the account they want to log in to and unlock your device the same way you already do every day, whether with Face ID, a fingerprint, Windows Hello, or a local PIN.

For businesses, passkeys require extra consideration. They’re secure and useful but they require proper management. Passkeys are created, stored, and managed by a chosen credential manager, often the standard one built into the operating system or browser unless another provider is used.

Passkeys are an authentication technology, but they’re also a management decision. If employees are going to use them across work devices, shared workflows, and multiple SaaS tools, your business needs a clear approach to storage, syncing, recovery, and governance.

Passkeys vs passwords: what should businesses choose?

The main security advantage of passkeys for business is that they remove several of the weaknesses attackers rely on most in password-based systems.

Passwords can be weak and easy to guess with brute force attacks. Weak passwords can also be reused across work and personal accounts. They can be phished, intercepted, and exposed in third-party breaches. Even when businesses enforce strong password policies, the underlying password model still leaves room for credential theft.

Passkeys improve on that model. Because authentication is tied to a cryptographic key pair rather than a shared secret, there is no password for an employee to type into a fake login page and no reusable credential for an attacker to steal and use elsewhere. Passkeys authenticate only with the legitimate service they were created for, which makes them resistant to phishing attacks designed to imitate real login pages.

They also reduce the risk created by stolen credential databases. In a password-based environment, a data breach can expose password-related data that may later be cracked or reused in credential stuffing attacks. With passkeys, the service stores only the public key, which cannot be used to recreate the private key held by the user. That makes large-scale credential theft far less useful to attackers.

For businesses, this translates into practical security gains. Passkeys can reduce account compromise linked to phishing, lower the risk created by password reuse, and strengthen protection for high-risk identities such as admins, finance teams, HR, and executives. 

However, stronger authentication doesn’t eliminate the need for sound access management. Businesses still need trusted devices, clear identity policies, an incident response plan, and role-based access controls. Passkeys make the authentication layer more resilient, but they work best as part of a broader security model rather than as an isolated fix.

The current state of business passkey adoption

For businesses, the market has clearly moved past the experimentation stage.The shift is already visible in enterprise adoption data. In early 2025, the FIDO Alliance reported that 87% of organizations surveyed in the US and UK had either deployed passkeys or were in the process of rolling them out, and 47% had already deployed them to at least some employees. Among organizations using passkeys, 62% reported improved sign-in success rates, 58% reported a better user experience, and 50% said passkeys had helped reduce IT costs linked to passwords and account recovery.

Passkeys are a viable option for businesses today, especially in identity layers, email environments, and high-value administrative workflows. But it is still not enough to assume that every application in a real-world SaaS stack is ready for a full passkey rollout.

Many business tools, legacy enterprise applications, vendor portals, and niche SaaS products still rely on passwords, MFA patterns, or recovery models that do not fully support passkeys. Even when a major platform offers passkey support, that support may not extend cleanly across every workflow, fallback path, or administrative scenario. 

So the state of adoption in 2026 is best understood as transitional. Passkeys are real, valuable, and increasingly mainstream, but hybrid authentication is still the operational reality for most businesses.

How to adopt a hybrid model for passkeys for business

The operational reality is that the path forward is not a clean break from passwords. It is a hybrid model that combines passkeys where they are available with strong password security where passwords are still necessary.

A fully passwordless environment is possible in more controlled settings, especially when a company has tight control over its devices, identity systems, and application access. But that is not the norm for most organizations. 

In practice, teams still depend on a mix of third-party tools and services: some already support passkeys and others still rely entirely on passwords or fallback credentials for recovery, administration, and legacy workflows.

A more practical adoption model is necessary. Businesses need to introduce passkeys where they meaningfully reduce risk, especially in high-value or phishing-prone environments, while continuing to protect the systems that remain password-based. Just as important, they need to manage both models in a way that feels consistent for employees and does not create gaps in oversight or governance.

Because passkeys aren’t universal yet, password management is still essential. A business password manager is no longer just a place to store passwords. It becomes the layer that helps companies manage the transition from one authentication model to another without losing control of either.

For businesses, that means passkey adoption is not only a question of authentication technology. It is also a question of how credentials are stored, synced, recovered, and governed across the organization.

A closer look at passwordless authentication for business

Most businesses aren’t moving from passwords to passkeys in a single step. They are managing a mixed environment where some accounts can use passkeys today, while others still rely on passwords, legacy login flows, or fallback credentials. That makes credential management more complex, not less.

In that context, the role of a business password manager starts to shift. It is no longer only a place to store passwords. It becomes the layer that helps teams manage both password-based and passkey-based access in a secure, consistent way across devices, browsers, and operating systems.

Proton Pass for Business can help organizations support both passwords and passkeys. It gives businesses a practical way to move toward modern authentication without losing control over the systems that are not ready to follow at the same pace.

For IT teams, that matters not just from a usability perspective, but from a governance one as well. Policy enforcement, 2FA enforcement, audit logs, provisioning, and role-based sharing controls all become part of the transition.

This is what makes passkey adoption a broader operational decision, not just a login experience upgrade. If employees create and manage passkeys in fragmented ways across personal devices and default consumer tools, your business can end up with inconsistent recovery processes, weak visibility, and unclear ownership. A managed platform helps avoid that by giving IT a way to support adoption while maintaining oversight.

Why businesses will always need access management

Even in a future where passkeys are supported across most business systems, your organization still needs an access management layer. The challenge of managing access does not disappear just because passwords do. 

Businesses still need a consistent way to store and sync credentials across devices, manage recovery if an employee loses access to a device, control how credentials are shared or delegated, and maintain visibility over access as people join, change roles, or leave the organization. 

In that scenario, the value of an enterprise password manager shifts from simply storing passwords to helping IT manage passkey-based access in a more controlled, secure, and governable way.

Your first steps to implementing passkeys

Not every account needs to move at the same pace. Passkeys should be implemented for accounts that would create the greatest risk if compromised.

• Admin accounts are usually the clearest first priority. If one of these accounts is phished or misused, the impact can extend far beyond a single team member’s account. 
• Finance teams are another strong early priority, since they are frequent targets for fraud, payment redirection, and executive impersonation. 
• HR accounts also deserve attention because they often sit close to sensitive employee data, onboarding workflows, and identity-related systems.

It also helps to look beyond the job role in your organization and think about exposure in terms of workflow. Passkeys tend to make the most sense in environments where employees regularly sign in to high-value systems from managed devices and where phishing risk is a real concern. That often includes identity platforms, email ecosystems, cloud consoles, and other security-sensitive internal tools.

By contrast, low-risk applications, rarely used tools, or vendor-controlled systems may not need to be part of the first rollout, especially when support is still limited or recovery flows are not mature. A phased approach usually creates better outcomes than trying to make every system follow the same timeline.

How to start your phased passkey adoption program

Introducing passkeys to your business environment requires a structured rollout. The goal is to introduce stronger authentication where it makes the most impact, while keeping the rest of the environment secure and manageable during the transition.

A practical adoption plan usually includes a few core steps:

• Map your current authentication environment. Start by identifying which tools already support passkeys, which support FIDO2 or WebAuthn more broadly, which are tied to identity providers that can enforce phishing-resistant authentication, and which still remain password-only. This gives you a realistic view of where passkeys can deliver immediate value and where existing login flows still need to stay in place.
• Define how passkeys will be managed. This is one of the most important decisions in the rollout. You’ll need to determine whether passkeys will be handled through platform-native credential managers, third-party tools, or a hybrid approach. A business password manager that also supports passkeys can be especially valuable here, because it helps reduce fragmentation across supported and unsupported apps.
• Prepare employees for the new sign-in experience. Teams do not need a technical explanation of the cryptography behind passkeys, but they do need to understand what changes in practice. That includes how sign-in will work, what recovery options exist, and how passkeys fit alongside the passwords they may still need in other systems. A good rollout makes secure behavior feel simple and familiar.
• Keep your password program strong during the transition. Passkeys may reduce dependence on passwords over time, but they do not eliminate the need for strong password security in the meantime. Businesses still need unique passwords, 2FA where appropriate, secure sharing controls, and clear lifecycle governance for the systems that are not yet ready to move.

A phased rollout works best when it treats passkeys as part of a broader authentication strategy, not as a standalone feature. The companies that get the most value from passkeys are usually the ones that introduce them gradually, manage them centrally, and keep the rest of their credential environment under control at the same time.

Common business concerns about passkeys

What happens if an employee loses their device?

If the lost device is the only place where the passkey is stored, the employee may not be able to sign in until access is recovered through another enrolled device, a backup authenticator, or an approved recovery process. Passkey rollout should not depend on a single device with no fallback plan.

Businesses need to decide in advance how employees will regain access, who can approve recovery, and which accounts require stronger safeguards. A business password manager can help by storing and syncing passkeys across authorized devices, which reduces dependence on one phone or laptop and gives the business a more controlled way to manage access continuity.

Can passkeys work across multiple devices and operating systems?

Yes, but the experience depends on how passkeys are stored and managed. Some organizations may be comfortable with synced passkeys across employee devices, while others may prefer more tightly controlled or device-bound approaches for higher-risk roles. The important point is that cross-device use should be designed deliberately, not assumed to work the same way in every team or every environment.

What if some apps support passkeys and others still require passwords?

That is the reality for most businesses today. Passkey adoption does not require every application to move at once. In practice, most companies will run a hybrid authentication model for some time, using passkeys where they are supported and keeping strong password management in place for systems that are not yet ready.

Will passkeys make password managers unnecessary?

Not really. Even in a more passkey-heavy environment, businesses still need a way to manage credentials consistently across users, devices, and systems. That includes storage, syncing, access control, recovery, visibility, and governance. In other words, the need for credential management remains, even as the credential type changes.

Are passkeys ready for every business system today?

No. Support has expanded significantly, especially across major platforms and identity providers, but many business tools still rely on passwords, older MFA flows, or fallback recovery models. That is why phased adoption tends to work better than trying to force universal rollout too early.

Do passkeys remove the need for broader access controls?

No. Passkeys strengthen authentication, but businesses still need device trust, role-based access controls, recovery planning, and clear governance. They reduce phishing risk and remove reusable secrets, but they work best as part of a broader security model.

So, should your company move beyond passwords?

For most businesses, the answer is yes, but through a phased transition rather than an all-at-once replacement. If your company already relies on major enterprise platforms with passkey support, faces meaningful phishing risk, and wants to reduce its dependence on shared secrets, then passkey adoption is worth starting now.

For businesses, that usually leads to a clearer conclusion: start adopting passkeys where they offer immediate security value, keep strong credential management in place for everything else, and make sure both are supported within a secure, well-governed access strategy.

Building the bridge from passwords to passkeys

That is ultimately what good passkey adoption looks like in business: not hype, not all-or-nothing migration, but a controlled shift toward phishing-resistant authentication where it matters most.

Enterprise support for passkeys is now real across major platforms. But coverage is still incomplete enough that most businesses need a bridge strategy rather than an immediate transition.

That is where Proton Pass for Business fits naturally. It helps teams manage credentials securely, enforce policies consistently, and support both modern authentication workflows and password-based systems. Access management, identity management, and monitoring are made easier for IT teams: Proton Pass offers centralized administration, SCIM provisioning, SSO support, audit logs, vault-level permissions, and company-wide policy controls.

If your business is ready to adopt passkeys and improve password security, try our business password manager for free or get in touch with our sales team. 

Account takeover attacks against businesses are increasing. According to research from Abnormal Security, 83% of organizations surveyed had been impacted by at least one account takeover attack in the previous year, and 26% reported facing an account takeover attempt every week. And in Proton’s SMB Cybersecurity Report, we found that 1 in 4 small businesses have been hacked despite their cybersecurity measures. 

The financial impact can be severe, too. Research from IBM reports that data breaches involving vendor compromise and account takeover average nearly USD 5 million in costs, with containment timelines often exceeding 250 days. 

That combination of frequency and impact helps explain why account takeover is so dangerous for businesses: attackers can simply sign in with legitimate credentials and begin operating from inside the organization, often before anyone realizes the account is no longer trustworthy.

In the UK, the government’s Cyber Security Breaches Survey 2025 report also shows that takeover attempts and compromised accounts form part of the wider incident picture. For businesses, that makes account takeover more than a login issue. It is an identity security, fraud, and business continuity risk.

What is an account takeover attack?

How account takeover differs from traditional attacks

The most common account takeover methods

Why business accounts are high-value targets

Detection signals businesses should watch out for

The business impact of account takeover

Your practical response plan for a suspected account takeover

Building a stronger security culture around account access

How Proton Pass for Business reduces account takeover risk

What is an account takeover attack?

Cybercriminals launch account takeover attacks by gaining unauthorized access to a legitimate account and then using it for malicious purposes. In business environments, that usually means obtaining an employee’s password, intercepting their authentication flow, or otherwise gaining valid access to a work account.

Once inside, an attacker can read internal communications, change account settings, move into connected apps, export confidential files, or impersonate the employee in conversations with colleagues, vendors, or customers. Because the attacker has gained valid access rather than forcing their way in through a visibly broken system, the activity looks like business as usual.

This is what makes business account compromise so dangerous. An attacker may appear to be a normal user until damage is already underway.

How account takeover differs from traditional attacks

Account takeover is so disruptive because it isn’t as easy to spot as the kind of obvious attack or breach many teams expect.

Business security teams often look for malware, exploited vulnerabilities, corrupted systems, or suspicious code execution. In an account takeover incident, no system may have been breached in the usual sense because the attacker has used legitimate credentials and ordinary sign-in flows.

This difference is important because teams need to look for credential abuse rather than perimeter intrusion. When an attacker signs in using the same login page as everyone else using valid credentials, the activity doesn’t appear suspicious in isolation.

Detection then depends less on spotting technical issues and more on noticing unusual behavior, such as strange login patterns, unexpected password resets, or abnormal access requests.

In other words, account takeover often succeeds by abusing the organization’s normal trust model.

The most common account takeover methods

Attackers can use several well-established methods to gain access to business accounts. Some are opportunistic, while others are highly targeted.

Credential stuffing

Credential stuffing happens when attackers take usernames and passwords leaked in data breaches and test them against other services. This works because people often reuse passwords across both personal and work accounts.

This makes unique passwords one of your organization’s best defenses against account takeover. Proton’s Data Breach Observatory shows that names and email addresses appear in nearly 9 out of 10 breaches, while passwords are exposed in 47% of incidents. When those credentials are reused across services, one breach quickly creates account takeover risk.

Phishing

Phishing remains one of the most common routes into business accounts. It can be used to steal passwords, session tokens, or MFA approvals, all of which can feed directly into account takeover.

SIM swapping

SIM swapping happens when an attacker convinces a mobile carrier to transfer a victim’s number to a SIM card they control. If a business still relies heavily on SMS-based authentication, then attackers can easily intercept login codes.

To protect against sim-swapping, two-factor authentication (2FA) methods are much more secure and suitable for higher-risk business accounts.

2FA fatigue and session theft

Even when 2FA is enabled, attackers may try to wear users down with repeated approval prompts or steal session tokens through phishing and malware. 2FA is essential, but it isn’t sufficient on its own.

Password spraying

Password spraying is a type of brute force attack, where attackers try a set of commonly used passwords across many accounts. Instead of hammering one user with hundreds of guesses, they test weak defaults like “Welcome123!” or predictable company-based patterns against a wider pool of employees.

Why business accounts are high-value targets

Business accounts are attractive because of the data and funds they potentially hold. A compromised email account can enable business email compromise: for example, business payment fraud is a scam in which criminals tailor an email to an organization, impersonate a legitimate contact, and try to redirect payments or obtain sensitive information. 

A compromised admin account can be even more damaging. It may allow attackers to reset passwords, access additional systems, export data, or weaken security controls. Once that happens, a single compromised identity can lead to a much larger incident.

Even ordinary employee accounts may connect to:

• Email and calendars.
• CRM and customer support tools.
• HR and payroll systems.
• Cloud storage.
• Internal chat and collaboration platforms.
• Shared credentials and password vaults.
• Developer or infrastructure tools.
  

Corporate account hijacking goes beyond just fraud. It’s an access control problem that can have organization-wide consequences.

Detection signals businesses should watch out for

Because account takeover often begins with valid credentials, detection depends on spotting irregular behavior.

• Unusual login times or locations: A login from an unfamiliar country, region, or time pattern can be suspicious, especially if it is followed by configuration changes.
• Unexpected password reset requests: Employees receiving reset emails they did not request may be seeing early signs of an attempted takeover.
• Unfamiliar devices or browsers: a login from a never-before-seen device is worth reviewing, particularly when paired with unusual app access or sharing behavior.
• 2FA prompts not initiated by the account owner: Unexpected 2FA approvals can signal that someone already has an account password and is trying to get through the second layer.
• Mailbox or forwarding rule changes: Attackers who compromise email accounts often create rules to hide messages, forward mail, or preserve access.
• Unusual activity in sensitive tools: A user suddenly accessing finance systems, admin dashboards, exports, or shared secrets in ways that don’t fit their normal responsibilities may indicate compromise.
• Suspicious changes in vaults or shared credentials: if passwords are modified, re-shared, or accessed in unusual ways, it may be a sign of account misuse rather than normal collaboration.

The business impact of account takeover

The reason account takeover fraud is so serious is that one compromised identity can suddenly create several kinds of damage. There is the immediate fraud risk. An attacker may impersonate an executive, employee, or vendor to request payment changes or confidential information.

There is also the data risk. A compromised account may expose contracts, customer data, internal files, or sensitive communications.

Then, there is the operational risk. Teams may have to lock accounts, rotate credentials, revoke access, review logs, verify communications, and check for lateral movement. 

If the attacker reaches privileged systems, the incident can escalate far beyond one compromised account. They may be able to deploy ransomware, maintain access to critical systems, or enable wider compromise across the environment. 

At that point, the issue is no longer simply securing a user’s identity. It can disrupt operations, delay recovery, and affect the organization’s ability to function normally, which is why account takeover must be accounted for in business continuity planning.

Your practical response plan for a suspected account takeover

Even with strong preventive controls in place, businesses still need to be ready to respond quickly when an account takeover is suspected. A fast, structured response can help contain the incident before it spreads to other systems or workflows.

1. The first step is to contain the risk by temporarily disabling the affected account, revoking active sessions, and resetting credentials. Teams should then review recent login activity and any suspicious changes linked to the account. If the account has broader permissions or access to sensitive tools, the response should move even faster.  
2. From there, the focus should shift to scope. Businesses need to understand what the attacker may have accessed, changed, or used while inside the account, including email rules, connected apps, shared credentials, and signs of lateral movement.
3. It is also important to contain any related exposure. A compromised identity may affect finance processes, vendor communications, internal tools, or customer data, so response should not stop at the account itself.
4. Once the immediate risk is under control, the incident should be used to strengthen what failed, whether that means improving credential hygiene, tightening 2FA enforcement, or improving detection through activity logs and identity monitoring workflows. These tools help surface suspicious login patterns, such as unusual locations, repeated failed attempts, odd-hour access, or unexpected account changes, so security teams can investigate earlier.

Building a stronger security culture around account access

Account takeover thrives when access is treated as a convenience issue instead of a security discipline.

A stronger security culture means employees understand that credentials are not just personal logins. They are access keys to business systems, customer trust, and operational continuity. It also means organizations make the secure path the easy path by giving teams proper tools, clear policies, and centralized support.

That is where enterprise password managers, passkeys, dark web monitoring, stronger 2FA practices, and secure offboarding work together. These controls help reduce credential reuse, improve account hygiene, and limit how much damage one compromised account can do. 

Detection belongs to the wider monitoring layer, but password managers can still support it by generating logs and reports that feed into investigation and alerting systems. Together, these controls make account takeover harder to execute and easier to contain.

How Proton Pass for Business reduces account takeover risk

Many account takeover incidents start with exposed, weak, or reused credentials, then escalate because employees don’t have a consistent way to generate strong passwords, store them securely, use 2FA reliably, or spot early signs of exposure. Proton Pass for Business reduces that risk by making stronger account practices easier to apply across teams, not just easier to recommend. 

Stronger password hygiene at scale

A secure password manager supports strong password generation, autofill, secure storage, and secure sharing, which helps teams move away from reused passwords, browser sprawl, and informal credential handling. 

This is essential for preventing account takeover because attackers often rely on password reuse and predictable login habits to turn one exposed credential into access across multiple services. Proton Pass also supports passkeys, which reduce reliance on passwords for supported services and offer phishing-resistant sign-in protection. It also offers a built-in 2FA authenticator and autofilling TOTP codes, which makes stronger login habits easier to use consistently.

Better visibility into exposed and risky credentials

Proton Pass includes Pass Monitor, which offers password health insights, dark web monitoring alerts for breached emails, and visibility into inactive 2FA. In practice, that helps organizations identify weak, reused, or already-exposed credentials before they are abused in credential stuffing or follow-on takeover attempts. 

A business password manager is ideal for account takeover prevention. It helps team members safely store and manage credentials, as well as helping teams identify the ones most likely to create downstream risk. 

More usable 2FA in day-to-day work

2FA helps make a stolen password less useful on its own, but adoption often breaks down when it feels inconvenient or fragmented. Proton Pass helps here by supporting a built-in 2FA authenticator and autofill for OTP codes, which makes stronger login habits easier to use consistently across supported accounts. That does not replace broader identity controls, but it does narrow one of the practical gaps attackers often exploit. 

Admin control and security signals that support investigations

Proton Pass also contributes useful admin and security visibility through reporting, logs, and activity information. This helps organizations review credential-related activity, support internal investigations, and feed relevant signals into broader security workflows where needed.

How Proton Sentinel complements Proton Pass for Business

Proton Sentinel is an advanced account protection program available across eligible Proton plans that creates a stronger layer of protection for Proton Accounts themselves, including stricter challenges for suspicious login attempts, greater visibility into logins and account changes, and 24/7 escalation of suspicious events to security analysts. 

That makes it relevant for protecting access to the Proton Account and, by extension, the sensitive data stored inside Proton services. But it should not be presented as if it detects suspicious logins across a company’s entire SaaS stack.

Proton Pass for Business helps reduce account takeover risk by improving password hygiene, making MFA easier to use, surfacing exposed or weak credentials earlier, and giving teams better control over how credentials are managed across the organization. Proton Pass for Business strengthens the credential practices that attackers most often exploit, while Proton Sentinel can add another layer of protection for the Proton account itself.

Ready to start? Protect your business accounts from takeover with Proton Pass — try it for free or speak to our sales team.

The tools your company uses to manage and share files are a statement about how seriously that company considers its data security.

More organizations are recognizing this, with the majority of businesses now touting it as a selling point.

Yet our latest research shows that nearly half of businesses actively marketing secure file sharing as a selling point can’t actually back up the claim — and most may not even be aware their file sharing service is unsafe. The clients evaluating them, however, are increasingly able to tell the difference.

If you’re already operating with genuinely secure file-sharing practices, including end-to-end encryption, this is your moment to use that as a competitive edge.

How SMBs actually handle file sharing

Our SMB Cybersecurity Report 2026 surveyed 3,000 founders, executives, and IT leaders across the US, UK, France, Germany, Brazil, and Japan, giving a detailed picture of how small and mid-sized businesses actually handle file sharing in practice, not just in policy.

When asked if they highlight file-sharing as a selling point in competing for new business, nearly 76% of companies said “yes” or “sometimes, depending on the client”. 

Additionally, 65% said it was “critically important” or “very important” to demonstrate secure handling of client data when winning new business. 

But of these same companies:

• 46% use non-end-to-end encrypted (non-E2EE) cloud services
• 35% still share sensitive client files by regular email
• 32% do so by physical means, including USB drives and printed copies.

Despite the prevalence of non-secure means of file sharing, 45% of SMBs are very confident or completely confident in the security of their file-sharing practices in protecting client confidentiality.

This is a significant disconnect — and a significant opportunity. Nearly half of the businesses leading with security as a selling point are doing so without the proper tools or practices to support the claim.

That means the playing field isn’t as competitive as it looks. For businesses that have genuinely embedded secure file sharing into how they operate, the gap isn’t a threat; it’s an opening.

All this points to the fact that security is no longer a nice-to-have, but an expectation.

File sharing safety has become a standard competitive argument, and the businesses that can immediately prove this — with specific tools, verifiable practices, and documented processes — are the ones converting security from a back-office investment into a genuine differentiator.

Where does your business stand?

File sharing sits at the intersection of operational efficiency and client trust. Many businesses have optimized for the former without fully accounting for the latter — and that’s precisely where the gap opens up.

Taking a close, hard look at your company’s file sharing practices is key to understanding which side of the camp you sit on. This includes asking the following questions:

Who holds your encryption keys? If your files are stored with a mainstream cloud provider, the answer is most likely with them, not you.

Standard encryption on platforms like Google Drive, Dropbox, or Microsoft OneDrive protects data in transit, but the provider retains access to the files themselves. Your data isn’t private from the platform — it’s only protected from outside parties.

That’s a meaningful distinction, and one that increasingly sophisticated clients are aware of.

Has your team shared a client file by email or other non-secure means in the last 30 days? Regular email, Slack messages, and printed documents aren’t end-to-end encrypted.

Files sent this way are prone to being exposed and intercepted at multiple points in transit. If the answer is yes, that’s a gap between your security posture and the claims your business may be making.

Can you prove the security of your file sharing platform or systems? If that question would give you pause, your security practices may not be as embedded — or as defensible — as you think.

Being able to explain and ideally demonstrate your business’s security measures will inspire confidence in prospective clients and facilitate deals.

Strategies for secure file sharing

For most businesses, file sharing happens dozens or hundreds of times a day across multiple tools, teams, and client relationships.

That scale is exactly why getting it right matters — and why getting it wrong compounds exposure and risk.

The good news? Closing the gap between claiming security and demonstrating it doesn’t require rebuilding how your business operates.

It means making a few deliberate choices and enforcing them consistently enough that they become a credible part of how you present yourself to clients.

1. Move to end-to-end encrypted cloud storage. Look for a provider like Proton Drive where files are encrypted on-device before upload, and where you — not the provider — hold the encryption keys. Zero-access architecture means that even if the provider is compromised, your data isn’t readable. That’s a key difference from mainstream cloud storage, and a claim you can easily make to clients with full confidence.

2. Make secure sharing the default by design. Security policies only work when they’re easier to follow than to bypass. Build your file-sharing workflow so that the most secure option is also the most intuitive. Every file sent by email because it was faster, every link shared through an unencrypted channel because the client preferred it — those are liabilities your business is choosing to accept.

3. Extend encryption to your backups. Encrypted storage provides limited protection if your backups live somewhere that doesn’t apply the same standard. Ensure that the zero-access principle extends to how and where you store backup copies of client data — and that you, not a third-party provider, control the keys.

4. Document and communicate your practices clearly. This is where security stops being a compliance checkbox and starts being a business development asset. Be specific about what your tools protect and how, and anticipate questions that clients have at the top of mind on how their files are managed, stored, and shared. The businesses that can answer that clearly and demonstrably aren’t just more secure — they’re more compelling.

Turn security into your new selling point

Most businesses share files dozens of times daily without giving it a second thought.

Every document shared through non-encrypted means another avenue of risk, while simultaneously leaving opportunity on the table. With much of the market still making claims they can’t back up, this is your chance to close the gap in verifiable ways and cut ahead of the competition.

But true business security doesn’t stop at just how you share and manage files.

Our SMB Cybersecurity Report 2026 shows where your peers stand on security today, where gaps often appear (and are likely to be missed), and what businesses getting it right are doing differently. Get all these insights for free in our full report.

<Download the report>

When you’re running a business, documents pile up fast. Contracts, employee records, and commercially sensitive client data tend to accumulate haphazardly unless you have a clear document management system.

Digital disorganization has real risks. It’s not just time-consuming to find what you need later, it can lead to operational errors or even security breaches.

When the wrong version of a document circulates, agreements could be executed on incorrect terms, and sensitive information could be unintentionally disclosed. These problems stem from poor document management and result in compliance issues and eroded trust.

Documentation management isn’t just about keeping your files organized; it’s about maintaining control. It helps ensure the right information is trusted, limits unnecessary access to sensitive data, and gives you visibility into who can view, change, or share business data. 

In this guide, you’ll learn:

• What documentation management is
• Why businesses need a method for managing documents
• 6 document management best practices

What is documentation management?

Document management is how your business stores, organizes, retrieves, and controls access to its files. 

Most businesses use document management systems (DMS) to control documents centrally. These are cloud storage platforms, such as Google Drive and Proton Drive, that let teams upload files, organize them in folders, set access permissions, and keep everything in one place.

A good DMS reduces version confusion and duplicated work, while giving teams clear visibility into where important files are kept.  

File management vs. document management

File management focuses on basic organization — folder structures, naming conventions, and storage locations. Document management builds on this foundation by introducing governance features such as version control, permissions, and activity tracking. If file management is your filing cabinet, document management is the cabinet plus the lock and the logbook.

Note: Organization is not the same as control

Many businesses implement document management systems to centralize files and restore order. But structure alone doesn’t guarantee that sensitive information remains protected. Not all DMS offer end-to-end encryption, which means files remain readable by the provider. This leaves you without control over your data and open to security risks — a breach of their systems becomes a breach of your data. Staying in control means your business data stays protected, and that access is limited to the people you authorize, no matter what happens to the provider. 

Why businesses need a method for managing documents

Poor document management creates problems you’ve likely encountered: 

• Slow down your productivity: The most obvious cost of poor document management is wasted time. And research backs this up — 96% of employees struggle to locate the most recent version of a document, and 83% have had to recreate files because they couldn’t find the original. That’s hours lost on searching for and recreating files, time that could’ve been spent on work that moves your business forward.
• Create confusion in collaborative work: When no one knows which version of a document is current, work gets duplicated, decisions stall, and errors slip through. In distributed teams, this uncertainty spreads quickly, leading to missed deadlines and underbaked deliverables. 
• Accidentally expose sensitive data: Weak access controls leave you vulnerable to breaches and careless mistakes. In a study of financial services companies, over 64% had sensitive files accessible to every employee. One misconfigured folder is all it takes to expose client data and end a business relationship.
• Make compliance harder to prove: In sensitive industries such as healthcare and finance, clear evidence of how documents are stored, accessed, and retained is required. If you can’t show compliance, you’re facing regulatory fines and damaged client relationships.

6 document management best practices

Here are six best practices to help you build a document management system that’s organized, secure, and easy to use.

1. Store your files in a single location

Centralizing makes finding the right file much easier and eliminates the need to search across inboxes, local drives, and cloud accounts. Set rules and permissions that contain documents in one place rather than spread across multiple systems with different limitations.

2. Establish folder structures and naming conventions — and apply them consistently

Organize folders by function or department (marketing, finance, HR, etc.), then by consistent subcategories such as year, project, or client name. For file names, include identifiers that make searching easy, such as dates, version numbers, and document type: ClientName_Contract_2025-01-15_v2.pdf. It’s much easier to find than “Final_revised_FINAL.pdf”.

3. Control who accesses sensitive documents

Not every employee needs access to every document in your company — a graphic designer doesn’t need to see employee records or financial reports. Set permissions that limit access to documents for only the right people and review permissions regularly. Outdated permissions from role changes, project completions, or employee departures create hidden security and privacy liabilities. If your team handles financial records, customer information, or product plans, maintaining confidentiality is part of running the business. When you lose track of who can access that data, the consequences can include regulatory scrutiny, lost deals, and reputational damage. 

4. Track versions closely

Imagine this: Five employees, editing five different copies of the same document. Which one do you use? When work goes through multiple hands, version control is essential. Tools, like collaborative documents, that allow your team to work on the same document simultaneously, make version control even easier. Changes become visible as they happen. Features such as inline comments, suggested edits, and version history reduce the back-and-forth that can slow teams down, especially when working across time zones.

5. Password-protect files that are shared externally

Sensitive files often need to be shared with investors, partners, or customers. When you share externally, follow a simple rule: access should remain identifiable, time-bound, and easy to revoke. Use sharing links with password protection and expiration dates rather than open links or email attachments. This way, access remains under your control; you can see who has it, limit how long they have it, and revoke it when necessary.

6. Choose a DMS with strong security foundations

Familiar tools like Google Drive are convenient solutions, but that convenience comes at the expense of your privacy and security. A fully encrypted DMS ensures files are encrypted before they leave your device, and that only you and your intended recipients can decrypt them. 

Not sure which platform to choose? Ask who holds the encryption keys and what jurisdiction the provider operates under. This reduces the risk that sensitive business data can be read, leaked, or misused. It also influences how well your security holds up during incidents, audits, or disputes.

Build your document management system with Proton Drive

Proton Drive is a privacy-first platform that supports document management best practices without compromising on security.

Enterprise DMS solutions are complex and costly; not every business needs or wants that. Proton Drive lets you build your document management system on a privacy-driven foundation that allows your teams to safely organize, manage, and share files. 

Proton Drive is end-to-end encrypted by default, so you can trust that no one but you and the people you share with can access your files — not even Proton can. And being based in Switzerland, your documents are protected by some of the strictest privacy laws in the world. 

With Proton Drive as your document management system, you can:

• Store all your business files in one place, protected by end-to-end encryption. Proton Drive is ISO 27001 certified and supports compliance with HIPAA and GDPR.
• Set permissions at the file or folder level to control who can view or edit sensitive documents.
• Access previous versions of your files for up to 10 years, so you can review or restore earlier drafts when needed.
• Create and edit documents with your team using Proton Docs and Sheets. Changes sync instantly, and version history keeps everyone aligned.
• Share files with password-protected links and expiration dates. Recipients don’t need a Proton account, and you can revoke access at any time.

Look no further for a document management solution that prioritizes security without the complexity.

“What’s the problem?”

That was the response Austrian data strategist Fritz Fahringer got when he raised concerns about companies using private emails to train AI systems when he spoke to an employee at a major US tech company.

The exchange stayed with him. It reinforced something he had already seen firsthand: In parts of the global tech ecosystem, access to customer data is more than a technical capability. It’s a business model.

To Fahringer, that represents a growing breach of trust between technology providers and the organizations that depend on them.

Fahringer, who previously led the development of datahub.tirol — one of Europe’s first trust-based regional data spaces, has spent years designing secure data-sharing systems and digital infrastructure for businesses and public institutions.

He saw firsthand how uncertainty over who can access, control, or benefit from data has held organizations back. It has slowed innovation, increased risk, and made leaders hesitant to adopt new technologies.

Fahringer isn’t alone in questioning these assumptions. For many European organizations, the possibility that providers may access, analyze, or monetize sensitive information is becoming a practical business risk.

Could a provider processes or transfers data in a way that conflict with GDPR or local regulations, the company using the tool may still be responsible? Could sensitive customer data, product plans, negotiations be exposed, accessed internally by the provider, or used in unintended ways? Could their data might be used to train models or improve services that ultimately benefit the provider or even competitors?

These are the concerns that bring businesses to VALTYROL, Fahringer’s business that is singularly focused on helping decision-makers take a more intentional approach to how their data is handled.

In this conversation, we speak to him about how breaking away from inherited tech dependencies — and owning the systems your data flows through — often begins with everyday tools like email and meetings

Let’s start with the fundamentals. Why should companies question who they depend on to run their technology?

Because those decisions have long-term consequences. If you rely heavily on providers whose priorities or legal environments you don’t control, you can gradually lose strategic flexibility and visibility over how your data is used.

In the past, it was sometimes difficult to explain why sovereignty matters. Many people didn’t really think about where their data was stored or who ultimately had access to it.

But in the age of AI — and also with the current geopolitical tensions — people are starting to understand that data is a strategic resource. If your data is stored and processed by companies outside your jurisdiction, you lose a certain level of control over how it can be used.

That’s why many organizations in Europe are beginning to rethink their dependencies. They want to understand who operates their infrastructure and what happens to their data.

What’s stopping businesses from breaking away from default reliance on global technology providers?

When I started my own company, I wanted to do things differently from the beginning.

My digital tools were scattered across many providers — Gmail, different cloud services, a VPN from another company. Most of them were based in the United States.

I decided to move everything into a more sovereign setup. I switched my email, password manager, VPN, and cloud storage to Proton.

It was important for me to bring everything together in one ecosystem that aligns with the values I talk about professionally.

But I know this well: Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.

Sovereignty has to happen step by step. Some of the easiest places to start are communication tools — email, meetings, and collaboration platforms. These are areas where companies can adopt more sovereign solutions without rebuilding their entire IT architecture.

Over time, those decisions add up to a more independent and resilient digital infrastructure.

Why are tools like private email, VPNs, and secure meetings important for businesses today?

Businesses shouldn’t have to choose between usability and privacy.

A lot of work today happens outside the office — on trains, in cafés, or while traveling. In those situations, you’re often connecting through public networks, so using a VPN is a simple way to protect your connection.

But communication tools are just as important. Email and video meetings are where a lot of sensitive information is exchanged.

When you look at the common meeting tools, each one comes with a trade-off. Zoom has limitations on free calls. Microsoft Teams can be difficult to use. Google Meet works well, but then your data sits inside Google’s ecosystem.

So in many cases you’re choosing between different disadvantages.

What I liked about Proton Meet is that it removes that trade-off. It’s simple to use, and at the same time it respects privacy. For me, that combination is very important.

What made Proton stand out compared to the tools you were using before?

What stood out to me was that Proton offers a complete ecosystem.

With many services, you get only one piece — maybe email, or maybe storage — and everything else comes from another provider. Over time you end up with a fragmented setup.

Proton offered email, Drive, VPN, password management, and other tools within the same privacy-focused system. For a small business, that combination is very powerful.

It allowed me to move away from a patchwork of different services and consolidate everything under a provider that prioritizes privacy.

How do clients or partners react when they see that you’re using Proton?

Often people notice the Proton email address and ask about it.

They say something like, “Oh, you really take this seriously.”

For me, it’s not about selling Proton or convincing people to switch. But it shows that I try to live by the principles I talk about — especially around data sovereignty. When people see my Proton email, they realize I take sovereignty seriously.

It becomes a signal that these values are not just theoretical.

What advice would you give to European businesses that want to take more control over their data?

Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.

But sovereignty can happen step by step.

Many European businesses are curious about AI, but at the same time they are cautious about how their data is used.

When data goes into large platforms outside Europe, companies often feel that they lose control over it. They worry that the data could be used to train models, generate value somewhere else, or even benefit competitors.

One practical approach is to start building a more sovereign stack over time. For example, I combine regional providers with European privacy-focused tools. My website is hosted with an Austrian provider that I can reach and trust locally, while Proton provides the communication infrastructure — email, storage, meetings, and VPN.

This kind of setup allows companies to keep more control over their data while still using modern digital tools.

You don’t have to change everything overnight. But each step toward more trusted infrastructure helps build a more independent and resilient digital environment.

Most organizations understand that people play a major role in cyber risk. Far fewer have built a security awareness training program or adopted a business password manager, which can genuinely change behavior.

Human-related security risk is rarely one dramatic incident. Realistically, it appears in ordinary moments: an employee clicks a convincing phishing email, reuses a password across business tools, shares a login in a chat, or ignores a two-factor authentication (2FA) request because it feels like an interruption rather than a protective step. 

Over time, those everyday decisions determine the organization’s exposure. In the UK, the broader threat picture makes that impossible to treat as a minor issue. The UK government’s report Cyber Security Breaches Survey 2025 found that half of businesses suffered a cyber security incident or breach in the previous 12 months, and phishing remained the most common type of cyber crime among affected businesses. 

For HR leaders, CISOs, COOs, IT managers and security teams, that makes security awareness training much more than just a compliance exercise. It’s how businesses reduce preventable risk. The challenge is that many programs are still built around just completing exercises rather than actually changing behavior. Team members watch an annual video, tick a box, and return to the same habits that created the risk in the first place.

A more effective approach treats awareness as part of workplace culture. It’s reinforced over time, shaped by role, backed by usable policies, and supported by tools that make the secure choice easier to follow.

We’ll explain what an effective security awareness program actually looks like, why so many organizations get it wrong, and how to build one that improves day-to-day behavior rather than simply documenting that training happened.

Why security awareness training fails in most organizations

Security awareness training often fails because it is treated as an event, instead of as a system. In many organizations, the program consists of an annual compliance module, a short quiz, and little else. Staff are expected to absorb generic advice once a year and then apply it consistently across hundreds of real world workflows, tools, and decisions. This just isn’t enough to change behavior in a lasting way.

The problem is not that awareness training lacks value. It is that many programs are outdated or too detached from how people actually work. They rely on abstract reminders, while the real risks appear in inboxes, shared drives, password resets, urgent requests from managers, and day-to-day access decisions. If the training does emulate what people actually see or do every day, they’re unlikely to retain or apply it.

Training programs should include induction and refresher training for all staff on data protection and information governance, while awareness raising should use regular communication methods to keep information governance, data protection, and information security visible over time.  That points to a continuous model rather than a single annual intervention.

Another reason programs fail is that they focus too narrowly on what employees should not do, while ignoring the root cause of bad habits. Telling staff not to reuse passwords helps in theory, but it does little if the business has not given them a secure, practical way to create, store, and share credentials. Telling them how to spot phishing is useful, but less effective if reporting suspicious messages is unclear or cumbersome.

What a real security awareness program looks like

A real security awareness program is not something employees complete once and forget. It is an ongoing set of habits, expectations, and safeguards that helps people make better security decisions over time.

This begins with continuity. Use training resources designed to complement existing policies and procedures. They should cover practical areas such as strong passwords, BYOD best practices, phishing, and incident reporting. That mix is useful because effective awareness does not stop at one topic. It should reflect the full set of routine actions that shape security in real workplaces.

But continuity alone is not enough. The program also needs to reflect the real differences in how teams encounter risk.

An effective program also needs to be role-specific. A finance team member handling payment requests does not face the same day-to-day risk as a marketing manager sharing social accounts, or an HR lead managing employee records. Generic advice has its place, but it works better when followed by training relevant to the systems, data, and attack patterns most relevant to each group.

The next component is practice. Employees do not develop better judgement only by reading rules. They improve through repeated exposure to realistic scenarios: phishing simulations, reporting exercises, access reviews, and short reminders tied to actual tools or workflows. Simulated attacks are particularly useful because they test whether the program is affecting behavior in the moments that matter, rather than only in a quiz environment.

Clear security and password policies are just as important. Staff need to know how credentials should be created, stored, shared, and removed when no longer needed, how suspicious messages should be reported, when 2FA is required, and what to do if they think they have made a mistake.

Finally, a real program treats security as a shared workplace norm rather than a specialized IT concern. That means managers reinforce it, leaders model it, and teams talk about it as part of how the organization operates day to day. Building that kind of culture takes more than a policy document, but it is one of the strongest ways to reduce repeated human error over time.

Proton’s guide on small business cyber security culture in the workplace is helpful here because it frames awareness not as a fear-based campaign, but as part of how a business works every day.

Why phishing and credential abuse belong at the center of the program

If a security awareness program tries to cover everything equally, it can lose focus. Most organizations are better served by starting with the risks most likely to produce real damage.

Phishing belongs near the top of that list. The UK government’s report Cyber Security Breaches Survey 2025 found that phishing remained the most prevalent type of attack vector among businesses that experienced cyber crime, affecting 93% of those businesses. That reflects a wider reality across UK businesses, where phishing remains one of the most common attack methods.

Phishing rarely ends with the message itself. In many organizations, the real damage begins once stolen credentials are used to access accounts, exploit password reuse, move into other systems, or take advantage of shared logins that were never tightly controlled.

Businesses need to use a layered approach. It needs to be harder for attackers to reach users and easier for users to identify and report suspected phishing messages. This protects organizations from the effects of undetected phishing emails and helps them respond quickly to incidents.

A strong security awareness program should reflect that same logic. Employees need to be able to recognize suspicious behavior, but they also need the surrounding controls that reduce the impact of one mistake.

That is where credential hygiene becomes central. Training staff to avoid weak or reused passwords is useful, but it becomes much more effective when supported by tools that reduce reliance on memory and make secure credential use easier in practice. We also cover this broader preventive mindset in our guide to data breach prevention for businesses, which emphasizes the role of practical controls in reducing avoidable exposure.

The role of tooling in reducing human risk

Security awareness is only part of the picture. People are far more likely to follow secure practices when those practices fit naturally into the way they work. If the safest option is also the easiest one to use, adoption is much more consistent. If it feels slow, awkward, or hard to use, even well-intentioned employees will start looking for shortcuts.

Password management is one of the clearest examples. Organizations often tell staff to create strong, unique passwords, use 2FA, and avoid sharing. But unless employees are given a practical way to do that, the instruction remains aspirational. They fall back on memorable, easy passwords, browser storage, spreadsheets, notes apps, or messaging tools because those options feel faster in the moment.

A business password manager helps close that gap. Proton Pass for Business is designed to make secure password creation, storage, and sharing easier across teams, while also giving organizations stronger control over credential practices. These capabilities help employees create and autofill strong, unique passwords, use 2FA across accounts, and protect stored credentials with end-to-end encryption.

That does not replace security awareness training. It reinforces it by making secure behavior easier to follow. Instead of asking staff to remember dozens of complex password rules, you give them a system that supports the behavior you want. That makes good security practice easier to sustain and policy enforcement more achievable.

The same applies to incident reporting, access control, and onboarding. In these areas, tools are often necessary to give employees a clear process to follow and to give the organization consistent oversight and control. Tooling cannot replace judgement, but it can make secure actions easier, faster, and more consistent in everyday work.

A practical 6 step framework for launching or improving your security awareness program

A security awareness program works best when it is designed as an operating rhythm rather than a single campaign. The framework below can help you get started.

Step 1: Define the specific behaviors you want to change

Begin with risk. Identify the behaviors most likely to expose your organization. That may include clicking suspicious links, reusing passwords, sharing credentials informally, failing to report incidents, weak offboarding workflows, or mishandling personal data such as customer or employee information.

Step 2: Prioritize the highest-risk scenarios

Not all training topics need equal weight. Focus first on the scenarios most relevant to your organization’s threat profile and operating model.

For many businesses, that means phishing, credential handling, access control, and incident reporting. The aim at this stage is to focus staff training on the behaviors and scenarios most likely to reduce day-to-day risk.

Step 3: Segment training by role

Security awareness is much more likely to change behavior when employees can recognize their own working reality in the training. Different roles create different types of exposure, whether that means handling sensitive records, approving high-risk requests, managing privileged access, or sharing information with external contacts. 

A more effective program reflects those differences instead of giving everyone the same abstract advice. The closer the training is to the decisions people actually face, the easier it becomes to apply in practice.

Step 4: Build a rhythm of reinforcement

A one-off annual training session is not enough to change behavior. Use induction, refresher training, short reminders, simulation exercises, and regular communications to keep key messages active. Reinforcement can be lightweight, but it needs to be ongoing.

Step 5: Support training with policy and tooling

Training becomes far more credible when employees can see how to apply it in practice. So, make sure policies are clear, easy to find, and written in language employees can actually use. Then support them with features that make secure behavior easier to follow in practice.

If your policy says staff must use strong, unique passwords and avoid informal sharing, give them a secure password manager that makes this easier. If your policy says suspicious emails should be reported immediately, make the reporting path obvious and low-friction.

Step 6: Review, measure, and improve

A security awareness program should evolve with your business. New tools, role changes, incidents, and types of attack all create new pressure points.

Review outcomes regularly, update training based on incidents and near misses, and adjust the program when you find recurring weak spots. The goal is not to finish the program, but to make it more effective over time.

How to measure impact

One of the easiest mistakes to make with security awareness training is to measure what is convenient instead of what is meaningful. Completion rates may tell you who watched the training or clicked through the module, but they say very little about whether the program is influencing behavior in the moments that actually carry risk.

A more useful approach is to look for changes in how people respond to real situations over time. Phishing simulation results can help you understand whether employees are becoming more cautious, more observant, and more likely to question and report suspicious messages. 

Credential-related incidents can show whether risky habits such as password reuse, insecure sharing, or poor account handling are becoming less common. Policy adherence can also reveal whether employees are actually applying the expectations set by the program, rather than simply being exposed to them.

It is equally important to watch for operational signals. How quickly are suspicious emails or unusual requests being reported? Is MFA being enabled consistently where it should be? Are access rights being revoked promptly during offboarding? Are teams with greater exposure showing stronger judgement in realistic scenarios as the program develops? 

These are often the indicators that show whether awareness is becoming part of how the organization works, rather than remaining confined to a training environment.

Ultimately, the real test is not whether employees completed the program. It is whether your organization sees fewer avoidable mistakes, better reporting habits, and stronger day-to-day security behavior as a result.

Proton Pass can help you enforce your organization’s security policies and monitor the results. Try it for free or get in touch with our team.

Many small business owners still think ransomware attacks only happen to hospitals, global brands, or public infrastructure. In reality, ransomware small business risk is one of the clearest examples of how attackers are consistently targeting organizations with valuable data, limited time, and weaker defenses. 

Recent findings from Proton’s Data Breach Observatory show that SMBs are frequently the victims of breaches. They’re also disproportionately represented in the most damaging incidents, including breaches involving high-risk data and large record exposures.

Ransomware is a business continuity, credential security, and data protection problem. The UK government’s Cyber Security Breaches Survey found that 1% of UK businesses identified ransomware incidents in the previous 12 months, up from less than 0.5% in 2024. At national scale, that equates to an estimated 19,000 businesses.

Despite the rise of ransomware, phishing is still the most common type of cyberattack. Attackers most frequently get access to business networks through people, credentials, and routine workflows rather than through large-scale cyberattacks. They can essentially use a phishing attack to then launch a larger ransomware attack if they sense a greater payday. 

For a small business, the damage from ransomware can cause significant disruptions to business continuity. Team members lose access to files and can’t continue their work, operations slow or stop, and customers or clients don’t get adequate services. If personal data is compromised, reporting obligations will follow. A practical ransomware strategy for SMBs has to cover both aspects of an attack: prevention and recovery.

How does ransomware work?

Ransomware is a type of malware that prevents you from accessing devices or data, usually by encrypting files, and then demands a payment in exchange for decryption. In many cases, attackers now do more than lock files. They also steal data and threaten to leak it if the ransom is not paid, which turns the incident into both an availability crisis and a potential data breach. 

Victims are often instructed to communicate through anonymous email or web pages and to pay in cryptocurrency. For small businesses, that distinction is important because cryptocurrency is anonymous, decentralized, and unregulated by traditional financial institutions: it’s almost impossible to trace payments.  

A ransomware event is not always limited to losing access to files. It may also mean that customer information, employee data, financial records, contracts, or login credentials have already been exfiltrated. Ransomware can lead to loss of timely access to personal data and, where backups are not appropriate or available, even permanent loss.

The attack chain is usually more ordinary than you might expect. The easy-to-miss incidents that can lead to a ransomware attack include: 

• Phishing links being followed.
• Reused passwords being exposed in a data breach.
• Remote access service left exposed. 
• Known vulnerabilities being left unpatched

Once an attacker gets access to a business network, they move laterally, escalate privileges, disable recovery paths where possible, and deploy encryption or extortion where it will hurt most. No single tool or solution can prevent ransomware attacks. Instead, organizations must focus on reducing the number of easy paths into their network. 

Why small businesses are disproportionately targeted

Small businesses are attractive ransomware targets for a simple reason: they hold valuable data that isn’t as well-protected as it should be. Proton’s latest observatory findings show that SMBs account for 63% of breaches tracked since January 2025 and more than 352 million leaked records.

They also account for 61% of breaches involving high-risk data, with small businesses alone representing 48% of those critical incidents. Among breaches exposing more than 100,000 records, SMBs account for 60%, and small businesses represent 42%.

Small businesses aren’t careless. In fact, Proton’s SMB Cybersecurity Report 2026 proves that small businesses are trying to improve their cybersecurity. The problem is that their defenses are breaking in real-world conditions. Inconsistent enforcement, human error, shared access habits, and limited internal security capacity are what make small businesses tempting targets. 

In Proton’s survey of 3,000 leaders at companies under 250 employees, 39% said incidents stemmed from human error, and 48% said they did not have a password manager in place. 

Larger companies may have dedicated response teams, segmented environments, tested backup plans, and external incident support already in place. Smaller ones often have one lean IT function, outsourced support, or no dedicated security expert. When the attack hits, the business is forced to make high-stakes decisions while under operational pressure. That pressure is exactly what ransomware operators count on.

The most common entry points for ransomware in SMBs

After examining the studies carried out in the UK, we know that phishing remains the dominant cybercrime vector for businesses. But why? It’s because phishing is often the first step toward credential theft, account compromise, malware delivery, or remote access abuse.

Weak or reused credentials are another major problem. Small businesses often have shared logins, passwords reused across multiple services, or old accounts that stay active after someone changes roles or leaves. Once attackers obtain one working login, they don’t need to hack into accounts. They can simply sign in. 

From there, a poorly protected admin account, an exposed cloud console, or a remote access point without two-factor authentication (2FA) can become the bridge into a broader ransomware incident. Realistically, organizations need to deploy 2FA, least privilege access, and regular permission reviews to reduce how easily stolen credentials can be reused and how far malware can spread.

Unpatched software is another recurring entry point. The NCSC notes that ransomware is increasingly deployed via exposed services such as RDP or unpatched remote access devices, and recommends patching vulnerabilities in remote access and internet-facing systems as soon as they become available. For SMBs, this is where a missed incident quietly becomes an attack surface.

How to protect against ransomware: a layered approach

There is no single control that can prevent ransomware. The most effective approach is layered and practical.

Start with identity management

The data in team members’ accounts needs thorough protection to repel ransomware attacks. Make two-factor authentication mandatory where possible across business-critical accounts, especially email, admin tools, cloud storage, finance platforms, remote access points, and any systems that store customer personal data or other sensitive personally identifiable information (PII).

Improve password hygiene

Attackers don’t always break into accounts. Often, they log in with stolen or reused credentials. Every business account must have a unique, strong password, and shared access should be replaced with managed, secure credential sharing through a business password manager rather than through spreadsheets, chats, or email.

Proton’s own SMB report highlights that even businesses with tools in place still often fall back on insecure password-sharing habits. This is exactly where a secure business password manager like Proton Pass for Business can reduce risk: it helps teams create strong and unique credentials, store them securely, and share access in a controlled, secure way.

Patch management has to be disciplined

Security updates for operating systems, apps, VPNs, remote access tools, and boundary devices should be treated as operational essentials, not optional maintenance. Install security updates as soon as possible and enable automatic updates where feasible.

Robust mail and web protection

Mail filtering, attachment controls, blocking known malicious sites, and safe browsing protections all reduce the likelihood that ransomware is delivered in the first place. Because phishing is so common, these controls are essential. 

Address human error

Even when you’ve implemented security measures and a password policy, Security awareness training is still necessary. Training helps staff spot suspicious emails and social engineering attempts, but people will still make mistakes. 

Stronger tools or features and access controls should assume that. The NCSC explicitly recommends awareness training, but Proton’s research also points out that training alone does not catch every slip. Good security design reduces the damage when someone does click by making one mistake less likely to become a full-scale incident, whether through 2FA, least-privilege access, stronger email protections, segmented access, or tested backups that support recovery.

Protect recovery before you need it

Backups need to be regular, isolated, and tested. The ICO recommends taking the 3-2-1 approach: three copies, on two different devices, with one stored off-site. The NCSC adds an important operational warning: ransomware may have infiltrated your environment before discovery, so backups should be scanned before restoration, and backup systems themselves should be protected. 

The credential connection: why passwords still matter in ransomware defense

It is easy to think of ransomware as malware and forget that passwords play a part in a successful attack. But many ransomware incidents begin with the theft, reuse, or abuse of logins. 

That might mean a staff member reusing a password from another service, a former contractor account remaining active, an admin credential being shared among several people, or an exposed remote access point being protected only by a password. Each of those shortcuts expands the attack surface. 

This is one reason strong credential management belongs inside any ransomware recovery plan and prevention framework. Unique passwords per service reduce the blast radius of one stolen login. MFA makes that stolen password less useful on its own, while centralized credential storage removes the need for insecure workarounds. 

Secure sharing means employees get the access they need through controlled, trackable methods rather than through informal password sharing. Regular review of who has access to what also supports least privilege, which the NCSC recommends as part of limiting lateral movement and spread.

We’ve written extensively about the ransomware threats that SMBs face. Over and over, we see the same thing: attackers are increasingly looking for the businesses that are easier to break, not just the businesses with the biggest names.

What to do if your small business gets hit

1. Contain the incident

If your business is hit, your first priority is containment. Disconnect infected devices from the network, disable compromised accounts if you can identify them, isolate remote access pathways, preserve evidence and avoid wiping systems too quickly if you may need forensic support later.

2. Report the incident

The NCSC advises UK organizations to report incidents and provides dedicated ransomware guidance for response and recovery. Proton’s guide to incident response is also a useful reference for structuring the broader decision-making process around containment, investigation, communications, and recovery.

3. Don’t pay the ransom

The NCSC and UK law enforcement do not encourage, endorse, or condone paying ransom demands. They note there is no guarantee you will regain access, your systems may still be infected, you will be funding criminal groups, and you may be more likely to be targeted again.

The ICO is similarly clear that paying a ransom does not reduce the risk to people and does not safeguard the information. Even if a decryption key is offered, there is no guarantee it will work or that stolen data will not still be leaked.

4. Start recovery 

Recovery should focus on slow and secure restoration. That means rebuilding from clean backups, validating that the attack path has been closed, rotating affected credentials, re-enabling access carefully, and documenting what happened. If backups are connected to live systems or have not been tested, this is often where businesses discover a second failure after the first one. A good ransomware recovery plan really starts long before an incident even occurs. 

UK reporting obligations: when the ICO may need to be involved

If a ransomware incident affects personal data, this may be a personal data breach under the UK GDPR. The ICO explains that loss of access to personal data can itself be a breach where it creates risk to individuals, and that you must notify the ICO without undue delay and, where feasible, within 72 hours if the breach is likely to result in a risk to people’s rights and freedoms. If the risk is high, affected individuals may also need to be informed without undue delay. 

Some organizations still assume that if they restore systems quickly or there is no obvious public leak, reporting is unnecessary. That is not a safe assumption. The ICO’s ransomware guidance explicitly addresses breach notification scenarios and makes clear that the assessment turns on risk to individuals, not just whether stolen files have already surfaced online.

Ransomware is a SMB problem now

Small businesses are being hit by ransom attacks more and more frequently, and when they are hit, the impact can be severe because attackers exploit their weaknesses. Proton’s latest breach data makes that visible: the threat is measurable, growing, and operationally disruptive.

The good news is that the fundamentals can do much of the heavy lifting for any SMB. Measures such as using a business password manager to deploy 2FA and create unique credentials, patching, mail filtering, staff awareness, permission review, tested backups, and incident response planning may not seem flashy on their own, but together they make a meaningful difference. They reduce the chances that a single stolen password, one phishing email, or one exposed remote service escalates into a business-wide outage.

Whether you’ve noticed suspicious activity in your email account or just want to improve your security, this guide shows you how to change your email password on some of the most popular services: Gmail, Outlook, and Proton Mail.

Your email is the master key to your online life. Anyone with access to it can reset the password on every other account tied to that address, such as your bank, social media, or shopping accounts. That’s why a leaked email password is far more dangerous than a leaked Netflix password, and why you should treat email security as the foundation everyone else sits on.

You should change your email password if:

• You’ve noticed suspicious sign-in activity, especially if no one else has access to your email account.
• A service you use has been involved in a data breach.
• You’ve been reusing the same password on multiple websites, which can expose you to credential stuffing attacks.
• You clicked a suspicious link or entered your email credentials on a website you later realized might be fake (phishing).
• Your account provider warned you that your password appeared in a known leak.
• You received password-reset emails or security alerts you did not request.

Changing your email password takes only a few minutes and can be done from your provider’s account settings, not from your mail app.

• How to change your email password on Gmail
• How to change your email password on Outlook, Hotmail, or Live
• How to change your email password on Proton Mail
• How to change email passwords on iPhone
• How to change email passwords on Android
• Tips for creating a strong email password
• Best practices for email password security
• What to do if you forgot your email password
• Keep your email accounts safe

How to change your email password on Gmail

To change your Gmail password, update it through your Google Account:

1. Log in to your Google Account at myaccount.google.com.
2. Click Security and sign-in from the left menu.

3. Under How you sign in to Google, click Password.

4. Enter your current password to verify your identity.
5. Type your New password, confirm it, and click Change Password.

Google will keep you signed in on the device you’re using. To sign out everywhere else, go to Security → Your devices and remove any sessions you don’t recognize.

How to change your email password on Outlook, Hotmail, or Live

If you use a Microsoft account for Outlook, Hotmail, or Live, you can change your password through the Microsoft security portal: 

1. Go to account.microsoft.com and Sign in.
2. Open the Security accordion and click Change password.

3. Enter your New password, then click Save.

To sign out of every other session, go to Security → Sign-in activity and click Sign out everywhere.

How to change your email password on Proton Mail

You can change your Proton Mail password directly in your account settings:

1. Open Proton Mail and go to Settings → All settings.
2. In the sidebar, click Account and password.
3. Click Change password.

4. Enter your Current password.
5. Enter and confirm your New password, then click Save.

Proton Mail uses end-to-end encryption, so changing your password also re-encrypts your data. Make sure you have your recovery method set up before you change it. Without one, you can lose access to old encrypted messages.

How to change email passwords on iPhone

1. Open Settings.
2. Select your account.
3. Go to Sign-In & Security.

4. Tap Change Password.

4. Authenticate with your current password or Face ID.
5. Enter the new password and confirm it.

How to change email passwords on Android

If you’re using Gmail, you can change your password in your Google Account settings. The exact steps may vary slightly depending on your device.

1. Open Settings.
2. Tap Passwords, passkeys and accounts.

3. Select your account.
4. Tap Google Account.

5. Go to the Security or Sign-in tab.

6. Under How you sign in to Google, tap Password.

7. Enter your new password and tap Change password.

Once you’ve updated your password, your device will usually ask you to sign in again. You may also see a message like “Account action required” if your email stops syncing. Enter your new password when prompted.

If you don’t see a prompt, remove the account and add it again:

1. Open Settings.
2. Tap Passwords, passkeys and accounts.

3. Select the account you want to update.
4. Tap Remove account.

5. Add the account again and sign in using your new password.

Tips for creating a strong email password

A password should be hard for a stranger or a computer to guess, but easy for you to manage.

Make it long: Aim for at least 12 characters. Longer passwords are harder to crack.

Make it unique: Don’t reuse passwords across different accounts.

Avoid personal information: Don’t use names, birthdays, or common words.

Make it random or memorable: A random password is more secure than a predictable one.

A password generator makes all of this easier to manage.

Best practices for email password security

Changing your password is a great start, but security is about more than just a secret word or phrase. You can make your inbox a much more difficult target by using tools that do the heavy lifting for you:

Use a password manager: Proton Pass can safely create, store, and autofill your passwords across your devices. It has a built-in password generator to help you create unique passwords for all your accounts.

Enable two-factor authentication (2FA): This adds a second layer of security, such as a one-time code sent to your authenticator app, so a password alone isn’t enough to access your account. Proton Pass provides 2FA for every account that supports it, along with a Pass Monitor feature that alerts you to repeated passwords and inactive 2FA.

Review active sessions regularly: Check where your account is signed in and revoke access from devices or locations you don’t recognize. All Proton Accounts come with a free account monitor to help you track active sessions.

Keep recovery options up to date: Make sure your recovery email address and phone number are current, secure, and belong only to you.

Be careful with third-party app access: Remove connected apps, browser extensions, or email clients you no longer use or don’t recognize.

Watch for phishing: Always check the sender, domain, and URL before entering your login details. Avoid signing in from links in unexpected emails. Proton Mail has built-in phishing protection that keeps you safe from known offenders.

Keep your devices updated: Install security updates for your operating system, browser, email app, and password manager.

Use account alerts: Turn on notifications for new sign-ins, password changes, recovery changes, and suspicious activity. On Proton paid plans, you can enable Proton Sentinel to prevent account takeovers.

Secure your password manager account: Use a strong master password and enable 2FA for the password manager itself. You can use Proton Authenticator to enable 2FA for your Proton Account.

What to do if you forgot your email password

If you can’t log in, look for the Forgot password link. Most websites place this link directly under the sign-in box on their login page. Clicking it will usually let you verify your identity using a backup email address or phone number.

For Proton Mail, you may also need your recovery phrase or recovery file to regain access to your encrypted messages. 

Keep your email accounts safe

A weak or exposed email password can quickly turn into a much bigger security problem. If you’ve received security alerts, reused passwords across websites, or suspect your account may have been exposed in a breach, you should change the affected passwords as soon as possible.

Changing your password is one of the fastest ways to reduce the risk of someone else accessing your information. Using a password manager like Proton Pass and an end-to-end encrypted email like Proton Mail can help you keep your inbox safe.

Most people use passwords every day, so it’s easy to forget that they can cause an extraordinary amount of damage if not managed properly. Most teams know they should use strong passwords, avoid reuse, enable two-factor authentication (2FA), and store credentials securely. But password-related breaches happen every day, not only in large enterprises but also in small teams managing a growing mix of SaaS tools, shared accounts, and fast-moving workflows.

The problem isn’t a lack of awareness. Many companies know about cybersecurity risks but believe they aren’t valuable targets for phishing attacks or ransomware, especially SMBs. Hence, they don’t look for solutions until it’s too late.

The gap between knowing the rules and having the right systems of password security in place to follow them is another common issue. When teams are expected to remember too much, move too quickly, and work across too many tools without secure ways to create, store, share, and review credentials, bad habits proliferate.

This is why breaches still happen. This article explains why passwords remain a common entry point for data breaches, which risks affect small teams most often, which tools and practices help reduce them, and where passkeys and biometric authentication fit into a stronger password security strategy.

Why are passwords still a leading cause of data breaches?

Compromised passwords are one of the easiest ways for attackers to gain access to accounts because they guard so many network entry points. In many modern organizations, employees log in to dozens of systems across email, storage, collaboration, finance, HR, development, and client-facing tools, all of them being a potential entry point for breaches.

Weak credentials create a wide attack surface, and the more passwords that team members have to manually manage, the more likely they are to use simple and weak passwords, reuse or store password insecurely, or fall for phishing scams.

There’s data that proves this: Proton’s 2026 SMB cybersecurity report found that nearly one in four SMBs experienced a cyberattack in the previous 12 months, despite many already investing in tools, policies, and training. In addition, Proton’s Data Breach Observatory shows that passwords are exposed in nearly half of reported data breaches, underscoring the scale of credential-related risk.

How one password becomes a broader security risk

Passwords are still an enormous vulnerability because they can be compromised in multiple ways. A password can be easily guessed using a dictionary attack if it is weak. Reused passwords can compromise multiple accounts across different services. Passwords are also easily exposed if stored in insecure locations such as spreadsheets or message threads. Once an attacker has one valid credential, they often don’t need to “hack” anything; they just log in.

With so many underlying risks, a compromised password is not only an access problem: it’s a visibility issue, a response problem, and often a governance matter. Teams need to know which systems are affected, who had access, whether 2FA was enabled, whether the credential was shared, and whether any secrets/credentials need to be rotated or reviewed.

Modern guidance reflects that reality. The 2025 NIST password guidelines explicitly note that passwords alone are not phishing-resistant, even though they are still widely used. The document also recommends stronger controls around password length, blocklists, and secure handling, rather than relying on outdated complexity composition rules alone.

So when we discuss password security, it’s not merely a hygiene issue: it’s one of the most common ways everyday work leads to a real breach.

What common risks do small teams face with passwords?

Usually, small teams experience difficulty with password security because they need to move fast with limited time, scarce IT resources, and a growing set of tools that do not naturally create secure habits.

Password reuse

One of the biggest security threats to organizations is password reuse. A team member might use the same or similar password across multiple work accounts simply because it feels memorable and manageable. But if one of those credentials is exposed in a third-party breach, attackers can try it elsewhere. It’s incredibly easy for one leaked password to turn into multiple compromised systems.

Insecure credential storage

Another common issue is insecure credential storage. Even teams that are more conscious about security can fall back on familiar habits: passwords saved in browsers, copied into notes, kept in spreadsheets, or dropped into message threads, all increasing the risk of unauthorized access.

Over time, poor credential storage leads to a loss of control and poor access management throughout an organization. When credentials are stored in scattered places, offboarding becomes inconsistent, audits get harder, and incident response slows down because nobody knows exactly where credentials live.

Lack of visibility

Without clear visibility into credential management, many teams don’t have a clear way to answer basic questions like:

• Who still has access to this account?
• Has this password been reused anywhere else?
• Was 2FA enabled?
• Has this credential appeared in a breach?
• How quickly can we identify and change it if something goes wrong?

Without these answers, password security can only be reactive. Teams only discover weaknesses after a phishing incident, a suspicious login, or even a breach.

Phishing

Strong awareness helps, but phishing remains one of the most common attack vectors. Passwords can still be entered into malicious sites, especially when attackers use convincing login pages or urgency-driven tactics. This is why passwords alone are not enough. Additional security layers like 2FA, passkeys, and secure credential workflows are essential.

Gaps in password and access policies 

Many small teams rely on informal practices rather than defined policies. People may know they should use strong passwords, but there are often no clear requirements for password length, reuse, rotation, or how credentials should be stored, shared, monitored, and revoked.

Without a defined  password policy, credential management becomes inconsistent. Over time, this leads to gaps in security, especially as teams grow and workflows become more complex.

Poor tooling and controls

Finally, controls around credential management and security are often inconsistent or nonexistent. As a result:

• 2FA is enabled in some systems but missing in others.
• Passwords are handled in an ad-hoc way instead of using approved business tools. 
• Lack of centralized monitoring for weak, reused, or compromised credentials

The result is an ineffective security approach that appears reassuring on the surface but leaves common real-world threats unaddressed. Password security follows the same pattern: awareness exists, but the approach is ineffective.

Which tools and best practices help prevent password-related breaches?

A single control is rarely effective to protect against password-related breaches. Risk is  reduced by combining practical measures that prevent weak habits and make secure practices easier to adopt.

Strong, unique passwords

Weak passwords are rarely chosen because people think they are ideal. They are used because they are easy to remember and quick to type in across multiple systems. 

Using long, random, and unique passwords for every account helps reduce the risk and impact of password-related breaches.

Free tools like password generators and password strength testers can help to create strong passwords and identify weak credentials. However, strength alone is not enough if passwords are reused across services.

Two-factor authentication (2FA)

2FA remains one of the most effective ways to prevent account compromise from stolen passwords, especially in phishing and credential stuffing scenarios, because it adds a second layer of protection in case a password is leaked, guessed, or reused.

The best password security programs enforce 2FA where possible, especially for email, admin accounts, finance tools, identity systems, and remote access.

Password manager

A business password manager like Proton Pass for Business addresses the core causes of password-related breaches: the need for people to create, remember, and manually type passwords across too many systems.

Instead of relying on memory, teams can generate strong, unique passwords for every account, store them in encrypted vaults, and autofill them when needed, removing much of the reason to create weak passwords or reuse credentials.

A business password manager also provides greater access control, an operational need for businesses. Teams will always need secure password sharing; the difference is whether that happens within governed, secure workflows or through chat, email, spreadsheets, and copied plain text. When access is managed through a secure system, it can be granted and revoked more reliably.

Strong and enforceable password policies

Teams need clear, documented standards that are consistently applied and enforced, including:

• Minimum password length
• Unique passwords for every account, with no reuse across systems
• Approved storage methods
• Secure sharing rules
• Event-based reset policies
• Clear MFA requirements

A strong password policy backed by efficient and user-friendly tools helps turn password security from a personal preference into an organizational standard everyone can adhere to with ease. With a password manager, these policies can be enforced in practice and applied consistently across teams.

Monitoring for compromised passwords

Following best credential security practices is only the starting point. Teams also need the ability to know if credentials have been exposed in a breach, or when weak and reused passwords are creating preventable risk across the organization.

Monitoring provides early visibility. Instead of reacting only after suspicious activity or account compromise happens, teams can quickly identify vulnerable credentials and rotate them before attackers have a chance to gain unauthorized access.

Access control and review

Secure access is not only about how strong credentials are. It also depends on who can access, which accounts are shared, whether access remains appropriate, and whether former employees or contractors retain credentials they no longer need.

That is why effective access control improves security in two ways: by strengthening credentials, and by establishing clear processes for how access is granted, reviewed, and revoked over time.

Ongoing security awareness and training 

Employees must understand how to identify phishing attempts, why password reuse creates risk, where credentials can and cannot be stored, what tools are approved to use, and how to report suspected activity quickly.

The key is to treat training and awareness as part of normal operations, not as a checkbox exercise. Password security is stronger when secure habits are built into everyday workflows and reinforced consistently over time.

Passkeys and biometric authentication

Alternative methods such as passkeys and biometric authentication are becoming increasingly important as part of a modern authentication strategy.

• Passkeys rely on device-bound authentication rather than shared secrets, addressing key weaknesses of passwords, such as phishing and reuse risks. 
• Biometric authentication can also improve usability, especially on devices, but is typically used locally to unlock an authentication secret or device rather than being transmitted as the primary secret itself. That makes them useful, but not a direct replacement for all password and access management needs. NIST’s guidance makes this distinction as well when discussing activation secrets and authenticators.

For most teams today, the question is not whether to use passwords, passkeys, or biometrics. In practice, a layered approach is the answer: 2FA should be used when possible, passkeys should be adopted where supported, and secure password management remains critical, as passwords are still widely used across many systems and are unlikely to disappear anytime soon.

How does effective password management improve security and compliance?

Password security is typically framed in terms of breach prevention, but that is only part of the picture. Effective password management also strengthens governance, improves audit readiness, and makes day-to-day operations more efficient by ensuring access can be reviewed, updated, and revoked as needed.

Stronger day-to-day security

Security benefits are immediate. Unique passwords limit lateral movement from reuse, encrypted vaults prevent accidental exposure, and easy, secure sharing eliminates the need to send secrets through unsafe channels. Monitoring helps identify exposed credentials early, while MFA makes it less likely that a stolen password leads to account takeover.

Better operational control

Effective credential management provides greater control across onboarding, offboarding, role changes, contractor access, and incident response. When teams know where credentials are stored, who can access them, and how to quickly rotate them, they can respond faster and more precisely when something goes wrong.

Improved support for compliance

Most frameworks and customer security reviews go beyond asking whether a company uses strong passwords. They require evidence that:

• Credentials are managed securely
• Access is consistently reviewed
• Sharing is secure and controlled
• Access can be revoked
• Risky behaviors can be addressed

A business password manager helps establish the repeatable controls that auditors and customers require, strengthening organizational compliance.

How does Proton Pass for Business help reduce password-related breach risk?

Password-related breaches usually happen when teams need to manage too many credentials without a secure, centralized system. This leads to the same familiar issues: password reuse, insecure storage, informal sharing, limited traceability, and inconsistent access control.

Proton Pass for Business reduces this risk by giving teams a secure way to create, store, and manage credentials. Instead of relying on browsers, spreadsheets, notes, or chat threads, teams can generate strong, unique passwords, store them in encrypted vaults, and share access using secure and controllable workflows.

Stronger passwords, used consistently

One of the most immediate benefits is reducing password reuse. When unique credentials are easy to generate and retrieve, teams are much less likely to fall back on repeated or slightly modified passwords across accounts.

Better visibility and control over access

Proton Pass for Business centralizes credentials in a managed environment, making access easier to review and control. Teams gain visibility into who has access, which credentials are shared, and what needs to be updated or revoked after a role change or suspected compromise.

Safer sharing for collaborative teams

Small teams often need to hand over access quickly, especially across operations, vendors, and shared tools. However, when this sharing occurs through insecure channels, risk arises. With secure and controlled sharing workflows, businesses can reduce that exposure while making access changes easier to manage and control.

Stronger support for policy enforcement

A password policy is much easier to implement when tools enforce the behavior they require. Proton Pass for Business helps teams put rules around password strength, sharing, 2FA adoption, and credential review into practice, rather than relying on memory or informal habits.

This is one of the benefits of a business password manager. It can’t eliminate all authentication risks, but it directly addresses many of the causes that lead to  password-related breaches.

Phishing remains one of the most common ways for attackers to gain access to business networks. It mimics legitimate day-to-day business communications, so it’s an ideal technique for collecting valuable business information unnoticed. In the UK government’s Cyber Security Breaches Survey 2025 report, phishing was the most common type of breach or attack reported by businesses that identified incidents, affecting 85% of them and the equivalent of 37% of all businesses overall. 

Awareness training must be a business mandate, not just a compliance task. One successful phishing attempt can expose credentials, grant access to internal systems, and create problems that spread well beyond a single employee inbox.

The issue is that many organizations still rely on one-off awareness efforts, even though phishing changes constantly. A more effective program can give employees repeated practice, clearer reporting habits, and supporting controls that reduce the impact of mistakes.

What phishing looks like in a business context 

Business phishing has evolved beyond obviously fake emails full of spelling mistakes. In practice, employees are far more likely to encounter realistic-looking attempts such as:

• Account-verification prompts
• Shared document notifications
• Sign-in pages for common business platforms
• Invoice approvals
• HR updates
• Messages from trusted suppliers or internal executives. 

If a team member responds, attackers can then use information they’ve collected about employees or companies to make messages more persuasive and realistic, especially in more targeted campaigns.

Spear phishing, executive impersonation, and credential harvesting

Phishing awareness training needs to prepare teams for several patterns at once. Spear phishing is one of the most common variations of phishing. Instead of sending a generic message to thousands of recipients, the attacker tailors the email to a specific role, project, colleague, or supplier relationship. 

The message feels plausible because it is built around something the employee would realistically expect to see. This kind of targeting is often made more convincing by information gathered from company websites, public profiles, or other online sources.

Another variation of phishing is executive impersonation, sometimes referred to as CEO fraud. Here, the attacker mimics a senior leader or important stakeholder to create urgency around a payment, a file, or a credential request, pressuring staff into transferring money or information unless normal verification processes are followed.

A third pattern is credential harvesting. In these attacks, the employee is pushed towards a fake login page designed to capture usernames, passwords, and sometimes even one-time password (OTP) codes. 

Phishing training has to reflect real business workflows rather than giving generic advice. Many phishing pages are built to resemble tools employees already use every day. 

Why routine business messages are so effective

Phishing remains effective in organizations because it often blends into everyday operations. A fake login prompt only needs to feel familiar long enough for someone to act on autopilot. The same is true of supplier messages, shared-document notifications, or urgent internal requests.

That is why training should not focus only on suspicious wording or poor grammar. Employees also need to understand how attackers exploit normal ways of working. Think about how your organization operates and how you can help staff recognize requests that fall outside normal processes, especially when money, credentials, or sensitive information are involved.

Recent breach examples 

Recent breach reporting reinforces the point that phishing inside businesses now goes far beyond simple inbox scams. 

According to Proton’s Data Breach Observatory, greeting card company Hallmark Cards was targeted by the criminal extortion hacker group known as ShinyHunters. The group obtained records belonging to Hallmark Cards from Salesforce and gave the business an extortion deadline to meet. Ultimately, the group leaked 2.8 million unique records.

ShinyHunters is prolific, targeting many high-profile businesses in recent months. In January 2026, apparel brand Canada Goose was linked to a breach of around 600,000 customer records. The data originated from a third party breach that occurred in August 2025.

These examples are useful because they show what phishing looks like in business settings now: not just inbox deception, but attacks aimed at contractors, identity systems, internal access, and the trust relationships organizations rely on every day.

Why awareness alone is not enough

Phishing awareness is important, but it isn’t enough on its own. Employees don’t make mistakes just because they lack information. They also make them because they’re busy, distracted, under pressure, or moving quickly through workflows where a phishing message can easily pass as legitimate at first glance.

That is why training shouldn’t be built around the idea that every employee can spot every phishing attempt. Organizations can’t rely on user detection alone. Some attacks will still get through, which means technical controls, clear processes, and user education need to work together.

A stronger phishing awareness training program is built around that reality. It helps employees recognize common warning signs, pause when something feels off, report quickly, and work within systems that make one mistake easier to contain. It also connects naturally to incident readiness.

If someone clicks a malicious link or shares credentials, the organization needs a fast and clear response path. Training becomes much more effective when employees know what happens after a report is made and what role they play. Proton’s guide to incident response can help your organization put a plan together. 

What does an effective phishing awareness training program look like?

An effective phishing awareness training program is not built around a single annual session and a few outdated examples. It is ongoing, practical, and designed around the way people actually work. This means regular reinforcement, realistic scenarios, and feedback that helps employees build better judgement over time.

In practice, phishing awareness should appear at more than one moment. It should be part of onboarding, refresher training, short scenario-based reminders, and incident reviews, not something employees see once and forget. It also needs to reflect real exposure. 

Someone dealing with invoices, executive support, supplier communication, privileged access, or sensitive records is likely to face different kinds of phishing pressure from someone in a lower-risk workflow. The NCSC’s phishing guidance reflects that reality by noting that staff with access to sensitive information, financial assets, or IT systems may be targeted more heavily.

Practice also needs to be used well. Simulated phishing can be useful, but not when it turns into a blame exercise. Poorly handled simulations can damage trust and discourage people from reporting mistakes if they feel they are being caught out rather than supported. 

A stronger program uses simulations carefully, gives immediate feedback, and increases difficulty gradually. It is not trying to prove that employees are easy to fool. It is helping them build pattern recognition, reporting habits, and more confidence in real situations.

The five phishing red flags employees still miss

Many employees know the classic warning signs, but they still miss the subtler cues that occur in real business attacks. Phishing awareness training is much more useful when it teaches people how to recognize the patterns that fit their day-to-day work.

1. A message that matches the workflow, but changes the channel or urgency

The most effective phishing emails don’t look random at all. They resemble invoice requests, shared documents, payroll updates, or sign-in notifications that employees expect to receive. 

What changes is the urgency, secrecy, or process. An attacker wants the target to skip normal checks. NCSC guidance specifically warns that attackers exploit business processes and requests, including requests for information or unauthorized payments.

2. A believable sender name hiding a bad domain or spoofed source

Employees often focus on the display name and not the full address, reply path, or domain. That is one reason anti-spoofing controls matter, but training still needs to teach people to slow down when a familiar brand or colleague appears slightly “off”. 

The NCSC advises organizations to make email spoofing harder through controls such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM). Together, these email authentication checks help receiving systems verify whether a message really comes from the domain it claims to come from.

3. A login page that looks normal enough

Credential harvesting pages don’t need to look perfect. They only need to feel familiar long enough for an employee to enter a username and password. In practice, the biggest clue may be context rather than design: why is this login request appearing now, and why through this route? 

4. A request that asks for speed over verification

Executive impersonation, invoice fraud, and supplier scams often lean on urgency. The message is crafted to make verification feel inconvenient or disloyal. Strong phishing training should teach that unexpected urgency is not just suspicious language; it is a signal to switch from email response mode into verification mode.

5. A situation where reporting feels embarrassing

One of the most overlooked warning signs is internal rather than technical: an employee notices something odd, but hesitates to report it because they’re unsure, too busy, or worried about looking careless.

The NCSC warns against reprimanding users who struggle to recognize phishing because fear of reprisals suppresses reporting. Healthy programs therefore teach employees that raising a concern early is useful even if the message turns out to be harmless.

What happens when training fails

When phishing training fails, the damage is often measured in credentials before it is measured anywhere else. A user enters a password into a fake portal, approves an unexpected prompt, or shares login details through a convincing internal-looking request. From that point on, the problem is no longer only about one inbox decision. It becomes an access-control problem.

This is where the connection between phishing and password hygiene becomes so critical. If the same password is reused across multiple services, one compromised credential can become a route into email, SaaS tools, cloud platforms, or admin systems. If shared logins are still being handled through informal or uncontrolled methods, accountability drops even further.

Proton’s Data Breach Observatory Report notes that names and emails appear in 9 out of 10 breaches, that 72% of breaches contain contact data, and that 49% include passwords. That means attackers often have exactly the raw material they need to make phishing more convincing and to exploit password reuse when they succeed.

Recent breach examples make the same point from another angle. In Proton’s breach reporting, phishing-related incidents in 2026 did not stop at a clicked link; they became network access, internal exposure, and broader business incidents. That is why phishing attack prevention can’t consist of employee recognition alone. It also has to reduce how far stolen credentials can travel once one account is compromised.

Unique passwords for every service are one of the simplest and highest-value controls here. They do not stop a phishing attempt from happening, but they do help contain the fallout. If one password is stolen, it should not unlock five other systems.

A secure business password manager supports a security culture strategy. Proton Pass for Business is designed to help teams generate and store strong, unique passwords for each service, reducing the chance that one successful phishing event cascades across the organization.

A practical model for phishing training for employees

The best place to start is not with generic training materials, but with the way your organization actually works.

Focus first on the phishing scenarios employees are most likely to face: sign-in prompts, supplier impersonation, payment approvals, shared-document notifications, executive requests, or identity-provider attacks. Training becomes much more useful when people can recognize their own working reality in it.

Reporting also needs to be simple and safe. The NCSC’s phishing guidance makes clear that organizations should help users identify and report suspected phishing messages, while the Reporting Fraud Website provides the UK’s official reporting route for phishing and cyber crime. Employees should know where to report internally, what to include, and what to do immediately if they clicked a link, entered credentials, or approved access.

Training should be backed by controls that reduce the cost of mistakes. That includes email filtering, anti-spoofing protections, secure sign-in flows, 2FA, and stronger password hygiene. Proton’s business guidance on phishing attack prevention also points to the value of clear reporting channels, repeated practice, and monitoring for exposed credentials.

Finally, measure more than clicks. Simulation click rates can be useful, but reporting rates, time to report, repeated failure patterns, and credential-related incidents often give a clearer picture of whether resilience is improving. The NCSC also recommends thinking carefully about phishing metrics so organizations do not end up discouraging safe reporting.

Perfect detection isn’t possible, but a stronger response is

Phishing awareness training is most effective when it moves beyond the idea that employees should be able to spot every attack perfectly. A more realistic goal is to build a team that can recognize familiar warning signs, report concerns quickly, and respond in ways that stop one mistake from escalating into a wider incident.

That takes more than information. It takes repeated practice, examples that reflect real roles and workflows, and clear processes employees can rely on when something feels wrong. It also takes controls that reduce the impact of credential theft when a phishing attempt succeeds. For that reason, phishing training for employees works best as part of a broader security culture, not as a standalone awareness exercise.

Organizations that reduce phishing risk well tend to combine the same elements: practical training, clear reporting habits, stronger incident readiness, and tighter credential hygiene. Proton’s resources on phishing attacks, and incident response all reinforce the same principle: awareness is far more effective when it is backed by systems that make a compromise easier to contain.

• The DuckDuckGo subscription includes our VPN, access to more advanced private AI when you want it, Personal Information Removal, and Identity Theft Restoration. It now comes in two plans: Plus, which includes all four protections, and Pro, which unlocks even more powerful AI functionality.
• The new Pro plan is for people who use AI for demanding tasks. On top of the VPN and other protections, it includes three Duck.ai upgrades: 2x higher usage limits than Plus, exclusive access to Claude Opus 4.6, and the highest reasoning available on Duck.ai. (Extended reasoning capabilities available on GPT-5.2 and Claude Opus 4.6.)
• Whether or not you’re a paid subscriber, everyone gets the same industry-leading privacy protections when you search and browse with DuckDuckGo, or chat privately with ChatGPT, Claude, and other popular AIs on Duck.ai.

What is the DuckDuckGo subscription?

The DuckDuckGo subscription is a four-in-one privacy service that gives you extra protection beyond what's available for free in our web browser, search engine, and private AI chat, Duck.ai. It includes our VPN to encrypt your Internet connection, access to more advanced private AI when you want it, Personal Information Removal to help combat identity theft and spam, and Identity Theft Restoration.

The original DuckDuckGo subscription is now called Plus. (If you’re a current subscriber, this is what you have!) It includes all four protections and costs $9.99 USD/month or $99.99 USD/year. Enhanced with more powerful AI tools, the new Pro plan is $19.99 USD/month or $199.99 USD/year. Subscriptions are available in the U.S., Canada, the E.U., and the U.K. See this help page for international pricing and feature availability.

What are the benefits of the Pro plan?

On Duck.ai, anyone can chat privately with ChatGPT, Claude, and other popular AIs, whether you have a subscription or not. Text chat, voice chat, and image generation are free to use within daily limits. DuckDuckGo subscribers on the Plus plan can do more, with higher usage limits and access to smarter AI models with extended reasoning. But the Pro plan is even more powerful. 

We designed Pro for people who use AI frequently throughout the day, or for more demanding tasks that require multi-step reasoning…or both! Subscribers to the Pro plan get three additional Duck.ai upgrades: 

• 2x higher usage limits, compared to Plus. This includes text chat, voice chat, and image generation limits across all the AIs available.
• One Pro-exclusive model, currently the newly launched Claude Opus 4.6. 
• Access to the highest reasoning available in Duck.ai. Extended reasoning capabilities on GPT-5.2 and Claude Opus 4.6 let the AI spend more time thinking through complex, multi-step problems before responding. 

 This new Pro plan gives you the freedom to dive deep and iterate back and forth for complicated tasks, whether you’re fine-tuning images, analyzing data, writing long-form content, or making an in-depth plan. Higher limits also mean you don’t have to pick and choose as much; you can use AI for a broad range of day-to-day tasks.  

When you take advantage of the extended reasoning on GPT-5.2 or Claude Opus 4.6, you’re more likely to get considered, relevant, and well-structured answers to even very complex prompts. And thanks to the Pro plan’s higher usage limits, you’re less likely to be disrupted in the middle of a complicated job. 

Which plan is right for me?

If you primarily use DuckDuckGo to search and browse, and you’re not interested in advanced AI chat or added protections…our free offerings may meet all your needs. If you want to expand your privacy protection with our VPN, or you’re getting more into AI productivity tools, consider Plus! Pro is most suited if you use AI for tasks that require deeper context and multi-step reasoning. 

The specific AI models included in each plan are upgraded regularly; at the time of publication, the lineup is as follows: 

• Free on Duck.ai: GPT-4o mini, GPT-5 mini, GPT-OSS 120B, Llama 4 Scout, Claude Haiku 4.5, Mistral Small 3.
• Plus: GPT-4o, GPT-5.2 (reasoning), Claude Sonnet 4.5, Llama 4 Maverick, free models.
• Pro: GPT-5.2 (extended reasoning), Claude Opus 4.6 (extended reasoning), Plus and free models.

Can I upgrade an existing subscription? 

Yes! As a subscriber, you can switch between the Plus and Pro plan at any time. In the DuckDuckGo browser, go to Settings > DuckDuckGo Subscription. Select View All Plans, pick the plan you'd like to switch to, and proceed to payment or confirm. In third-party browsers, start by navigating to Duck.ai. Just go to Settings & More > Manage Subscription and follow the same steps above. 

Ready to give it a try? Head to duckduckgo.com/subscribe to see if the Plus or Pro subscription is right for you!

2025 marks DuckDuckGo's 15th year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. We are proud to donate to a diverse group of organizations around the world that promote privacy and security, digital competition, and a healthier online ecosystem.

This year, we’re donating $1,100,000, bringing DuckDuckGo's total donations since 2011 to $8,050,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below.

$100,000 to Public Knowledge

Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest.

$75,000 to ARTICLE 19

ARTICLE 19 is an international think-do organisation, that takes its name from the Universal Declaration of Human Rights, and works to propel the freedom of expression movement, fighting censorship, defending dissenting voices and advocating against laws and practices that silence.

$75,000 to the Digital Progress Institute

The Digital Progress Institute seeks to bridge the tech-telecom policy divide through incremental, bipartisan measures in line with its principles of bringing about ubiquitous broadband, 5G and beyond, privacy for every American, real competition in digital markets, and a full-stack framework for Internet policy issues.

$50,000 to the Electronic Frontier Foundation (EFF)

EFF's mission is to ensure that technology supports freedom, justice, and innovation for all people of the world.

$50,000 to European Digital Rights (EDRi)

With more than two decades of advocacy experience, European Digital Rights (EDRi) is the go-to, nongovernmental network working on EU and national laws and policies on privacy, freedom of expression, participation online, data protection and technology policy. EDRi unites over 50 organisations from across Europe (and beyond).

$50,000 to the Foundation for American Innovation

The Foundation for American Innovation, a think-and-do tank based in Washington, D.C. and San Francisco, CA, advances technology, talent, and ideas that support a better, freer, and more abundant future.

$50,000 to the Open Home Foundation

The Open Home Foundation fights for the fundamental principles of privacy, choice, and sustainability for smart homes - and for every person who lives in one. It is best known as the organization that owns and governs Home Assistant, among many other projects crucial to the open home.

$50,000 to Signal

Signal Technology Foundation protects free expression and enables secure global communication through open source privacy technology.

$50,000 to the Surveillance Technology Oversight Project (S.T.O.P.)

The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance that disproportionately impact vulnerable communities.

$50,000 to Tech Policy Press

Tech Policy Press publishes reporting, analysis, and perspective on events, issues, and ideas at the intersection of technology and democracy.

$50,000 to the Tech Oversight Project

Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, the Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power.

$30,000 to the Internet Security Research Group

Our mission at ISRG is to reduce financial, technological, and educational barriers to secure communication over the Internet. We operate three projects (Let’s Encrypt, Prossimo, and Divvi Up) that improve the security and privacy of billions of people using the Internet.

$25,000 to Algorithmic Justice League (AJL)

The Algorithmic Justice League is on a global mission to prevent AI harm using research, advocacy, and art.

$25,000 to the British Institute of International and Comparative Law (BIICL)

The British Institute of International and Comparative Law (BIICL) hosts the Competition Law Forum, a centre of excellence for European competition and antitrust policy and law. 

$25,000 to Bull Moose Project

The Bull Moose Project Foundation develops and promotes policies that promote fair markets, support American innovation, and hold Big Tech accountable for anti-competitive and anti-consumer conduct.

$25,000 to Canadian Anti-Monopoly Project

The Canadian Anti-Monopoly Project (CAMP) is a think tank dedicated to addressing the issue of monopoly power in Canada and around the world. CAMP produces research, commentary, and policy to make our economies more fair, free, and democratic.

$25,000 to Consumers International

Consumers International is the global membership organisation for consumer rights groups. Founded in 1960, we bring together over 200 member organisations in more than 100 countries, with a mission to empower and champion the rights of consumers everywhere and to build a fair, safe and sustainable marketplace.

$25,000 to Demand Progress

DPEF empowers people to understand how our communications and governance systems should serve democracy — and how corporate power threatens our economy and our democratic future.

$25,000 to Digital Rights Watch

Digital Rights Watch is Australia's leading digital rights organisation. They defend and promote privacy, democracy, fairness and fundamental rights in the digital age.

$25,000 to Gesellschaft für Freiheitsrechte (GFF)

The Society for Civil Rights e.V. (Gesellschaft für Freiheitsrechte e.V. or "GFF") is a donor-funded organization from Germany that defends fundamental and human rights by legal means. The organization promotes democracy and civil society, protects against disproportionate surveillance and advocates for equal rights and social participation for everyone.

$25,000 to noyb

noyb is committed to the legal enforcement of European data protection laws and has filed more than 850 cases against numerous intentional infringements by Big Tech companies - to make online privacy a reality for everyone.

$25,000 to the Internet Archive

The Internet Archive's mission is to provide “Universal Access yo All Knowledge” by preserving and providing free access to digital materials and cultural heritage serving as a digital library for researchers, historians, scholars, and the public to read, learn, and explore for free.

$25,000 to the Open Rights Group (ORG)

Open Rights Group is the UK’s largest grassroots digital rights campaigning organisation, working to protect everyone’s rights to privacy and free speech online.

$25,000 to the Open Source Technology Improvement Fund (OSTIF)

In the past year, OSTIF collaborations led to the fixing of over 130 findings with security impact. Our security uplifts to open source projects wouldn't be possible without the continued support from DuckDuckGo. We are honored to be part of this program and contribute to a more secure Internet ecosystem.

$25,000 to Perl and Raku Foundation

The Perl and Raku Foundation is dedicated to the advancement of the Perl and Raku programming languages, through open discussion, collaboration, design, and code.

$25,000 to Privacy Rights Clearinghouse

Privacy Rights Clearinghouse focuses on increasing access to information, policy discussions, and meaningful rights so that data privacy can be a reality for everyone.

$25,000 to Restore the Fourth

Restore the Fourth advocates with federal, state and local elected officials, to defend privacy and freedom from unreasonable government surveillance.

$25,000 to the Tor Project

At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network.

$20,000 to The Markup

The Markup challenges technology to serve the public good by producing investigative journalism, unique tools, and accessible resources to inspire action and agency.

• More advanced AI models from OpenAI, Anthropic, and other providers are now available in Duck.ai as part of the DuckDuckGo subscription, formerly known as Privacy Pro.
• Subscribers can now access OpenAI’s GPT-4o and GPT-5, Anthropic’s Claude Sonnet 4, and Meta’s Llama Maverick – and supercharge productivity at work, school, or home.
• The DuckDuckGo subscription is still the same price: $9.99 USD a month or $99 USD a year. On top of access to premium AI models on Duck.ai, it still includes our VPN, Personal Information Removal, and Identity Theft Restoration*. Sign up at duckduckgo.com/subscribe for a seven-day free trial.
• Keep an eye out for higher DuckDuckGo subscription tiers in the future with access to even more advanced AI models.

A layer of protection for everything you do online – including AI

We believe the best way to protect your personal information from hackers, scammers, and privacy-invasive companies is to stop it from being collected at all. To make that happen, we offer a layer of protection for everything you do online. Our browser, for example, is packed with a suite of built-in privacy protections, including our search engine that never tracks you. Our growing suite of private, useful, and optional AI tools is the next evolution.

AI tools have quickly become a significant part of people's online experience, but there’s a gap between how often we use AI, and how safe and in control we feel about it. According to recent Pew research, 27% of US adults use AI tools every day, but 59% feel no control over how AI shows up in their lives. That's why we created Duck.ai, which gives you access to popular AI models from OpenAI, Anthropic, Meta, and Mistral, with the following added protections built by us:

• Anonymized chats. We call model providers on your behalf, so personal information like your IP address is not exposed to them. 
• No AI training. Your data is never used to train the AI models. 
• Local chat storage. Chats and settings stay on your device to protect your privacy. 
• Instant deletion. Erase your chat history in a flash with our Fire Button.

Today, we're expanding Duck.ai by giving DuckDuckGo subscribers access to more advanced AI models, covered by the same strong protections. The base version of Duck.ai is not changing; it’s still free to use, with no account necessary. We’re just adding more models for subscribers. You can see which models are available with and without a subscription here.

Please note that Duck.ai is always optional, whether you’re a subscriber to DuckDuckGo or not. If AI is not for you, you can hide the AI buttons and features from your search settings and your desktop and mobile browser settings. If you use the VPN, for example, but you’re not interested in anonymized AI chat, that’s no problem. Just head to your browser’s Settings menu to turn off the AI features and continue using your VPN normally.

What does the DuckDuckGo subscription include?

Formerly known as Privacy Pro, the DuckDuckGo subscription expands the great protection you get from DuckDuckGo’s free offerings, covering even more of what you do online: 

• DuckDuckGo VPN. Built for speed and simplicity, the DuckDuckGo VPN secures your WiFi connection on your entire device, hiding your location and IP address from the sites you visit. Includes full-device coverage on up to five devices at once. Learn more.
• Personal Information Removal. Helps remove personal information like your name, address, and family connections from people search sites that store and sell it, helping to combat identity theft and spam. Available for Mac and Windows.* Learn more.
• Identity Theft Restoration. If your identity is stolen, get expert guidance as you get back on track. Brought to you by Iris (Iris Powered by Generali) — a world leader in identity theft restoration.* Learn more.
• NEW: More Advanced AI models. Subscribers can now access OpenAI’s GPT-4o and GPT-5, Anthropic’s Claude 4 Sonnet, and Meta’s Llama Maverick, in addition to all the free-tier chat models. Models are updated regularly. See the full list here.

The price is staying the same in all regions: $9.99 USD/month or $99 USD/year, with international pricing information available on this help page.

Achieve more with advanced models

More advanced AI models like OpenAI’s GPT-4o are built to handle more complicated tasks than their smaller counterparts like GPT-4o mini. These bigger models are better at following detailed instructions, maintaining context through extended chats, and delivering deeper, more nuanced responses. The DuckDuckGo subscription offers a way to use some of these models, but with more privacy. Even larger and more highly advanced models will be made available through higher subscription tiers in the future.

If you’re a frequent user of different advanced chatbots, the DuckDuckGo subscription is an easy one-stop solution. It lets you access multiple premium models in one place, rather than juggling multiple subscriptions and apps. Your subscription lets you visit Duck.ai and use those premium models in any browser you like. But it's especially convenient within the DuckDuckGo browser, where Duck.ai is seamlessly integrated on both desktop and mobile. Using the DuckDuckGo browser, you can access AI chat when and where you need it, getting support for specific tasks without switching platforms. And as always, it’s completely optional – you can adjust or turn off Duck.ai’s integrations from your browser’s settings menu. 

Whether you subscribe for premium models or stick with the free tier, you get the same strong privacy protections.

Is the DuckDuckGo subscription worth it?

When you get a DuckDuckGo subscription, you get instant, full access to any or all the features you want, without complex add-ons – at a price competitive with any of the individual features on their own. The $9.99 USD monthly price tag is more cost effective than maintaining multiple separate AI subscriptions – many of which are in the $20/month range. (See this help page for more international pricing information.)

Additional features like the DuckDuckGo VPN and Personal Information Removal service add value and convenience – and everything is available in one place, your DuckDuckGo browser.

Want to give it a try for free? You can get a 7-day trial of the subscription in the DuckDuckGo Browser's settings. In the US, you can also access the 7-day trial at DuckDuckGo.com/subscribe.

How to access Duck.ai and activate your subscription 

Duck.ai can be accessed from any browser. Just visit duck.ai or hit the Duck.ai button on any search engine results page on duckduckgo.com. From there, paid subscribers can head to Duck.ai Settings, click “I Have A Subscription”, and follow the prompts to access the premium models. 

If you are using the DuckDuckGo browser, you can use more subscription features, like the VPN and Personal Information Removal*. You also have even more ways to get to Duck.ai! You can click the optional Duck.ai buttons in our desktop and mobile browsers, use one of our iOS widgets, or press and hold the DuckDuckGo icon on iOS or Android. However you get there, the process for activating your subscription is the same.

Learn more about the DuckDuckGo subscription and sign up at duckduckgo.com/subscribe

*The DuckDuckGo subscription is available in the U.S., Canada, the E.U. and the U.K. All subscribers can use the VPN and access the same premium AI models, regardless of region. Personal Information Removal is available to U.S.-based subscribers. Identity Theft Restoration coverage varies by region. Learn more here.

Privacy Pro is our privacy-protecting subscription service that includes the DuckDuckGo VPN, Personal Information Removal to protect yourself from data brokers, and Identity Theft Restoration, which you can call if your identity is ever stolen.

In the year since we launched Privacy Pro, we’ve been working hard behind the scenes to make it more comprehensive, more powerful, and easier to use. Have you been waiting for the perfect moment to sign up? Good news: you can now try Privacy Pro free for 7 days. The free trial is available on all platforms – sign up here to redeem the offer. After your free trial, you can continue at $9.99 USD/month or $99.99 USD/year. (International pricing information here.)

Here’s a look at the major improvements we’ve made in the past year! To learn even more about Privacy Pro, you can visit our blog and Help Pages.

Overall Improvements

International Availability

Privacy Pro subscriptions are now available in the U.S., E.U., Canada, and the U.K. Features and coverage vary by region, but the DuckDuckGo VPN works the same in all regions. You can now use Privacy Pro in more languages including Dutch, French, German, Italian, Polish, Portuguese, Russian, and Spanish. Learn more about using Privacy Pro outside the U.S. here.

DuckDuckGo VPN Improvements

More Server Locations

DuckDuckGo VPN users can now choose from more than 40 locations in 30+ countries. Check out the full list here.

Independent Security Audit

We partnered with Securitum to conduct a comprehensive security audit of the DuckDuckGo VPN and supporting infrastructure. We're pleased to report that it found no critical vulnerabilities, underscoring the strong security measures we have in place for our VPN! Visit this help page for a summary of the key findings, remediations, and accepted risks, plus a link to the full report.

Block Risky Domains Automatically

The DuckDuckGo VPN now automatically blocks known phishing, malware, and scam sites – no matter what browser you're using. This new setting is on by default on all platforms.

Now On All Platforms: VPN Notifications

All users can now get notifications that display VPN status at a glance. These notifications are on by default but can be disabled in your VPN Settings.

Desktop: Automatic VPN Connection

All desktop users now have a setting that lets the VPN connect automatically when you log in to your computer.

Desktop: Introduced App and Website Exclusions

Because some apps and websites aren’t compatible with VPNs, we made sure you can exclude them from our VPN. This lets you use those incompatible apps and websites on desktop without disconnecting from the VPN. (App exclusions are also available on Android. Not compatible with iOS.) Manage website and app exclusions in your VPN settings; you can also manage website exclusions by clicking on the VPN icon in the toolbar.

IOS: VPN Widgets and Siri Shortcuts

We created VPN widgets for the iOS home screen and Control Center, so you can quickly connect or disconnect from the VPN and see your VPN connection status at a glance. We also added a Siri Shortcut.

 Mobile: VPN Snooze

Both iOS and Android users can now “snooze” the VPN for easier access to sites and apps incompatible with VPNs.

Android: Automatically Pause VPN During Wi-Fi Calls

To help avoid dropped calls on Android, we introduced a setting that temporarily snoozes the DuckDuckGo VPN during Wi-Fi calls. The best part? We automatically restore your VPN connection when you end your call.

Android: Implemented Auto-Excluded Apps

Our new auto-exclude feature on Android automatically detects apps that aren’t compatible with VPNs and bypasses them, so you won’t need to manually adjust settings. (If you would like to adjust this feature, you can! Just go to Settings > VPN > Manage Apps.)

Custom DNS for Windows, iOS, Mac, and Android

You can now switch between the default DuckDuckGo DNS resolvers and a custom DNS resolver of your choosing in VPN Settings > Advanced Settings.

Personal Information Removal Improvements

New Personal Information Removal Dashboard

We completely redesigned the Personal Information Removal dashboard to give Privacy Pro subscribers more insight into the data removal process. You can more easily see when a site was last scanned, how many records have been removed, which sites are clear of your personal information, and more.

Personal Information Removal Request Timeline

Monitor your data broker removal requests with our new Removal Request timeline. You can track the progress of each request, see when your data has been removed, and get help with next steps if any removals take longer than expected.

More Data Brokers Covered

Privacy Pro now covers over 80 data broker sites and counting, including FastPeopleSearch, MyLife, and OfficialUSA.com. Check out the full list here. Some competitors only re-scan data broker sites on a monthly or quarterly basis…or not at all! But we re-scan the sites every 10 days, submitting new removal requests if your data has reappeared.

Improved Scan Performance

Personal Information Removal now more reliably detects when your information has been removed from the data broker sites. Your first scan after signing up or updating your profile now happens 10x faster than before.

What’s Next for Privacy Pro?

Even more improvements are coming soon. We’re working on adding an upgraded AI chat experience to your subscription, with anonymized access to more advanced chat models than the free version on Duck.ai. We’re adding more data brokers to Personal Information Removal all the time, and we’re working on bringing the feature to mobile. Your feedback helps us catch and address bugs, too – so keep it coming!

Go here to redeem your free trial today. Follow us on social [Reddit/X/Facebook/Linkedin] for updates about all things DuckDuckGo, including more Privacy Pro improvements.

Have you been using the DuckDuckGo browser for a while? If so, you may have noticed a few changes around here! As you navigate through the browser, you’ll notice redesigned icons, a softer, rounder interface, and a fresh color palette. Moving between desktop and mobile is more seamless than ever. And new interactive elements show you exactly how DuckDuckGo is protecting you.  

Fresh Visuals, Seamless Protection 

We’ve updated our browser’s visual design with a new color palette and softer, rounder shapes, including new icons that we designed in-house. This new look reflects what we believe the internet should feel like with real privacy protection: calm instead of chaotic, streamlined instead of cluttered, secure instead of surveilled. 

Hit the green duck-foot shield in the redesigned address bar for real-time information about our tracking protections. Use the redesigned Fire Button to delete your browsing data with one click. Other changes you’ll notice include smoother, softer tab lines and a roomier address bar. 

Private, Useful, and Optional AI 

We’ve also made it easier than ever to access our private, useful, and optional AI features. Add a Duck.ai button to your URL bar for quick access to free, anonymized AI chats – available on both desktop and mobile. 

These new buttons join several other convenient access points. On iOS, get to Duck.ai via Siri shortcut or widgets for your Lock Screen and Control Center. On Android, you find a shortcut by pressing and holding the DuckDuckGo app icon. (There’s also a Duck.ai button on our search results page when you visit duckduckgo.com, which can be toggled on and off here.) 
 
Don’t use Duck.ai? You can disable the feature and hide the buttons in your browser’s Settings menu. 

Tell Us What You Think 

We love our browser’s new look – and we hope you do, too. If you have comments or questions, you can join our active community on Reddit or reach out on social media (Facebook | Linkedin | X).

• The DuckDuckGo browser’s built-in Scam Blocker guards against phishing sites, malware, and other common online scams. It’s on by default, so you’re protected as soon as you open the browser.
• NEW: Scam Blocker now also covers sham e-commerce sites, fake cryptocurrency exchanges, “scareware” that falsely claims your device has a virus, and other sites known to advertise  fake products or services.
• Most browsers use Google tools for their phishing and malware protections, sending browsing data to Google in real time. We don’t. We designed Scam Blocker ourselves, with data from Netcraft, an independent cybersecurity company. Our scam protections don’t require an account, and we don’t share your browsing data with third parties.
• Scam Blocker is available for free within the DuckDuckGo browser on desktop and mobile. DuckDuckGo subscribers get full-device coverage when logged into the DuckDuckGo VPN – even when using other browsers.

Scam Blocker: Multiple protections for multiple threats 

It’s not your imagination – online scams are getting more sophisticated. According to new reporting from the United States’ Federal Trade Commission, consumers lost $12.5 billion to fraud in 2024 alone. Scams related to investments, online shopping, and internet services were among the worst offenders. 

Around here, we believe the best way to protect your personal information from hackers, scammers, and privacy-invasive companies is to stop it from being collected at all.  Our browser and built-in search engine never track your searches, and our browsing protections help stop other companies from collecting your data, too. One of those protections is our Scam Blocker, designed and built by us for your security and your privacy. Scam Blocker guards against phishing sites, malware, and other common online scams without tracking your browsing data or sharing it with any third parties. It’s built into the DuckDuckGo browser and free to use, with no signup required.

Fake cryptocurrency offers, urgent messages about "viruses," and high-paying surveys – like the hypothetical examples above – are some of the common scam sites covered by DuckDuckGo’s Scam Blocker.

Scammers and cybercriminals have constantly evolving tactics, so it’s important to stay protected on multiple fronts. Thanks to Scam Blocker, the DuckDuckGo browser can help you spot and avoid some of the most common types:

• NEW PROTECTION: Scam investment sites, storefronts, surveys and more. Designed to trick you into giving away personal information or making bad financial transactions under false pretenses. These scam sites can include investment offers, cryptocurrency trading schemes, discounted pharmaceutical products, affiliate surveys with cash rewards, and more; the sites can look legitimate, but the offers are often “too good to be true.”
• NEW PROTECTION: Scareware. These alarming sites claim that your computer or phone is infected with spyware or viruses. Scareware creates a false sense of urgency to trick people into engaging with fake “tech support” and buying unwanted – or completely fake – antivirus software.
• Phishing sites. Phishing generally uses impersonation to get your login credentials or sensitive personal information. Cybercriminals’ phishing techniques include creating sham websites that look like a familiar legitimate business and using link redirects to get unsuspecting users there. 
• Malware sites. If you download a harmless-looking file from one of these sites, malware can infect your phone or computer, causing damage or extracting personal information for later use. Some malware sites start an automatic download before you even click or enter anything.
• Tracker-powered malicious ads. “Malvertising” typically involves injecting malware-laden advertisements into legitimate websites and online ad networks. Some malicious ads can compromise your system even if you don’t click on them.

The scam tactics vary, but the end goals are usually the same: to commit financial fraud using your personal information or to trick you into paying for products or services that don’t exist. If you accidentally click a link that would take you to one of these scammy sites, DuckDuckGo’s built-in Scam Blocker will stop the page from loading and show you a warning message that allows you to navigate safely away. The DuckDuckGo browser also reduces your malicious ad risk while you browse, blocking tracker-powered ads while before they load.

Other browsers like Chrome, Firefox, and Safari rely on Google’s Safe Browsing Service to provide warnings about phishing sites, which involves sending information to Google. We don’t. We built our own anonymous solution that doesn’t send data to any third parties. No sign in, no tracking, and it’s on by default, so you're protected from the moment you open the browser. DuckDuckGo subscribers can connect to the DuckDuckGo VPN to get these protections for your whole device – including in other browsers!

How Scam Blocker works 

When you land on a potentially dangerous website, Scam Blocker will display a warning message before loading the site.

New scam sites pop up all the time, but the DuckDuckGo browser stays on top of it. We get a feed of malicious site URLs from Netcraft, an independent cybersecurity company that’s always scanning for new threats. We store that constantly refreshing list on our servers and pass any updates to your browser every 20 minutes.

The way Scam Blocker works is always anonymous. Once your browser downloads the latest dangerous site list from DuckDuckGo, it’s available locally on your device. When you navigate to a site, your browser first checks the site against the list stored on your device. If the site is on the list, your browser shows a warning message that gives you the option to navigate away safely or to continue to the site at your own risk.

Most of the potentially dangerous URLs flagged by Scam Blocker can be found on common sites like Google Drive or GitHub. Uncommon threats – which we encounter less than 0.1% of the time! – require an extra verification step that checks websites against a larger and more comprehensive database on DuckDuckGo servers. But this process is also anonymous; at no time during the threat verification process does your device communicate with any third parties. For a deeper dive on the cryptography we use to maintain anonymity  when handling uncommon threats, visit this Help Page.

All this means that your searches and browsing history are still completely anonymous.

Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.

• DuckDuckGo’s approach to AI is to provide private, useful, and optional AI features – including chat and search instant answers – to people who want the productivity benefits of AI without the privacy risks.
• Now out of beta: Get free, anonymized access to popular chatbots at Duck.ai. Easily move traditional search results – which now include more AI-assisted answers from web sources – to Duck.ai to continue your conversation.
• Both Duck.ai and AI-assisted answers are free to use, with no account required. We now serve millions of AI-assisted answers daily. If you opt to show them "often" in your settings, they should appear in our traditional search results over 20% of the time.
• Recent updates to AI-assisted answers include expanding sources across the web, beyond just Wikipedia; answering English-language queries outside the U.S.; and adding customization that lets you decide how often you want
  answers to appear: often, sometimes (default), on-demand, or never.
• Recent Duck.ai chat updates include upgraded models (GPT-4o mini and o3-mini from OpenAI, Meta Llama 3.3, Mistral Small 3, and Claude 3 Haiku from Anthropic) and a “Recent Chats” feature that stores conversations locally on your device – not on DuckDuckGo or other remote servers.

Our approach to AI: private, useful, and optional.

At DuckDuckGo, we believe the best way to protect your personal information from hackers, scammers, and privacy-invasive companies is to stop it from being collected at all. We started with a search engine that doesn’t collect your search history; our flagship experience is now a browser with a suite of built-in protections that includes our search engine, ad and cookie blocking, and many more protections.

Our approach to AI extends this strategy by integrating protected AI features that offer the productivity benefits of AI without privacy risks like tracking your prompts and training on your data.  

We’re not making AI features just for the sake of making AI features. They have to be actually useful in everyday use, starting with helping people get faster, high-quality answers to their questions. However, we recognize not everyone wants AI in their lives right now, and that’s OK with us. That’s why all our AI features are optional and can be turned off or tuned down. 

To chat or not to chat. 

Head to Duck.ai for free, proxied access to popular chatbots from OpenAI, Anthropic, Meta, and Mistral.

A search engine’s core job is to get you the high-quality information you want fast. AI can help with that job, including a new mode of information-seeking through chat. We’re finding that some people prefer to start in chat mode and then jump into more traditional search results when needed, while others prefer the opposite. (Some questions just lend themselves more naturally to one mode or the other, too.) So, we thought the best thing to do was offer both. We made it easy to move between them, and we included an off switch for those who’d like to avoid AI altogether. 

If you want to start with chat, try Duck.ai (previously called DuckDuckGo AI Chat), a free and account-less way to access popular AI chatbots, privately. Models are periodically updated and currently feature GPT-4o mini and o3-mini from OpenAI, open-source models Meta Llama 3.3 and Mistral Small 3, and Claude 3 Haiku from Anthropic. Chats are anonymized via proxying and never used for AI model training.

You can navigate directly to https://duck.ai/ or via the optional chat icons within our search engine or browsers. (There's also a widget - on iOS for now.) You can also use the !ai or !chat bang search commands from any browser where you have DuckDuckGo search set as the default search engine. 

One way to access Duck.ai is via the Chat icons in our desktop and mobile browsers.

If you’d rather start with traditional search results, simply use DuckDuckGo search as usual. AI-assisted answers – previously called DuckAssist – will automatically appear on the search results page for relevant English language queries. You can also manually trigger an AI-assisted answer on demand by pressing the “Assist” button under the search box, which appears on most queries. The answers source information from across the web, and like Duck.ai, they are completely free and private, with no sign-up required.  

 The “Assist” button lets you generate AI-assisted answers on demand. 

We’ve continuously heard from users that they want more quick, at-a-glance answers, for a broad range of topics. For years, we’ve been doing that by working on search modules to provide instant answers for things like sports scores, local business information, where to watch movies and TV shows, and much more. Now, we are finding that we can significantly expand the scale of high-quality instant answers we can show with AI as we’re now serving millions of AI-assisted answers daily. Since we’ve introduced AI-assisted answers on our search results, overall user satisfaction with our search results has improved.   

If you were unsatisfied after trying DuckDuckGo search in the past, now is a great time to try us again. We’re always improving. If you do try us or try us again, please set DuckDuckGo search as your default search engine or download our browser and make it the device default. It can take a moment to get used to something different, and setting the default is the best way to get over that hump. 

How can I customize my search experience? 

Navigate to the AI Features section of your search settings. If you really like our AI-assisted answers, change Assist to Often, which will make them appear over 20% of time. On the other hand, if you never want to see any AI features, turn Chat to Off and Assist to Never. 

On DuckDuckGo browsers, you can choose whether the chat icon appears on the toolbar from within the ‘Duck.ai’ section in your browser settings. 

Control how often you see AI-assisted answers from your search settings. 

In addition to respecting our users’ choices, we respect publishers’ wishes to opt out of AI-assisted answers on DuckDuckGo and don’t penalize publishers for that choice. Even if they opt out as a source for our AI-assisted answers, they can stay opted into our other search results. 

How am I protected? 

When we generate AI-assisted answers, we anonymously call the underlying AI models used to summarize web sources on your behalf, so your personal information is never exposed to third parties. This method is called proxying. Duck.ai chats work similarly.  To accomplish this technically, we remove your IP address completely and use our own IP address instead. This way, the proxied requests are coming from us, not you. For more information, please see the DuckDuckGo General Privacy Policy.  

Duck.ai's "Recent Chats" let you pick up where you left off. Chats are saved locally on your device – not on DuckDuckGo or any other outside servers.

Within Duck.ai, recent chats are only stored locally on your device, not on DuckDuckGo servers. Not interested in storing your chats? You can disable the option altogether, or use the Fire Button to clear all your recent chats at once. Duck.ai chats are not used for any AI training, either by us or the underlying model providers. To respond with answers and ensure all systems are working, these providers may store chats temporarily, but we remove all the metadata so there’s no way for them to tie chats back to you personally. On top of that, we have agreements in place with all providers to ensure that any saved chats are completely deleted within 30 days. For more information, please see the DuckDuckGo AI Chat Privacy Policy and Terms of Use. 

Clear your recent Duck.ai chats with the click of a button.

Are AI-assisted answers reliable? 

When you search on DuckDuckGo, our AI-assisted answers are based on real-time web crawling, so they’re as reliable as the sources from which they are drawn.  But even the most reliable sources can have errors, and mistakes can occasionally happen in the summarization process, too. That’s why we prominently display our cited sources: you can easily check them out and use your own judgment to make the final call.

Want to know where your AI-assisted answer came from? Check the sources below the answer and click through for a deeper dive into complex topics. 

We also have a number of precautions in place. Out of the countless websites we could draw from, we try to weed out ultra-low-quality sources like spammy content farms and invasive people search sites, and we try to avoid satirical sites and opinion pieces. 

You are a critical part of the process as well. “Was this helpful? 👍 👎” is displayed next to every AI-assisted answer. So, if you see a bad answer – or a great answer! – please let us know. We review it all as part of our quality control process. 

Is this really free? 

Yes! AI-assisted answers are integrated into DuckDuckGo search, which is always free to use, with no log-in required. (We make money from private search ads.) Chatting on Duck.ai is also free within a daily limit, which we implement while maintaining strict user anonymity, just like we do for our search engine. We plan to keep the current level of access free; we’re exploring a paid plan for access to higher limits and more advanced (and costly) chat models. 

What’s next? 

We are largely driving our AI roadmap based on your feedback, so please keep it coming—we appreciate it. Within Duck.ai, this includes adding newer models, voice and image support, and granting models web access. For AI-assisted answers on our traditional search engine, we’re making them faster and more interactive, answering more queries, and improving when they appear automatically, including for less straightforward queries. 

In the meantime, give Duck.ai a try and keep an eye out for AI-assisted in your traditional search results. Head to your search settings if you want to see them more or less often. 

2024 marks DuckDuckGo's 14th year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. We are proud to donate to diverse group of organizations around the world that promote privacy, digital rights, access to information online, and a healthier online ecosystem.

This year, we’re donating $1,100,000, bringing DuckDuckGo's total donations since 2011 to $6,950,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below, alongside details about how our funds were allocated this year.

$100,000 to the Electronic Frontier Foundation (EFF)

“EFF's mission is to ensure that technology supports freedom, justice, and innovation for all people of the world.”

$75,000 to Public Knowledge

"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."

$50,000 to ARTICLE 19

"Established in 1987, ARTICLE 19 is an international non-profit organization that defends freedom of expression, fights against censorship, protects dissenting voices, and advocates against laws and practices that silence individuals, both online and offline."

$50,000 to Demand Progress

"DPEF educates our members and the general public about matters pertaining to the democratic nature of our nation’s communications infrastructure and governance structures, and the impacts of corporate power over our economy and democracy."

$50,000 to European Digital Rights (EDRi)

"The EDRi network is a dynamic and resilient collective of 50+ NGOs, as well as experts, advocates and academics working to defend and advance digital rights across Europe and beyond. For over two decades, it has served as the backbone of the digital rights movement and has achieved landmark successes in digital rights in Europe."

$50,000 to Fight for the Future

"Known for organizing some of the largest and most effective online campaigns in history, Fight for the Future’s mission is to ensure a just Internet and technology that is a force for empowerment and liberation, free of surveillance, censorship, and abuse of personal data."

$50,000 to The Markup

"The Markup challenges technology to serve the public good by producing investigative journalism, unique tools, and accessible resources to inspire action and agency."

$50,000 to OpenMedia

"OpenMedia is a community-driven organization that works to keep the Internet open, affordable, and surveillance-free. We operate as a civic engagement platform to educate, engage, and empower Internet users to advance digital rights around the world."

$50,000 to Restore the Fourth

“Restore the Fourth opposes mass government surveillance, and organizes locally and nationally to defend privacy and the Fourth Amendment.”

$50,000 to Signal

“Signal Technology Foundation protects free expression and enables secure global communication through open source privacy technology.”

$50,000 to the Surveillance Technology Oversight Project (S.T.O.P.)

“The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."

$50,000 to Tech Policy Press

“Tech Policy Press promotes discussion, debate, and analysis of issues and ideas at the critical intersection of technology and democracy.”

$50,000 to the Tech Oversight Project

"Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, the Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power."

$25,000 to Algorithmic Justice League (AJL)

“AJL’s harms reporting platform aims to capture people's lived experiences with AI harms, connect them with resources, and identify areas where there are no or few resources.”

$25,000 to Bits of Freedom

“Bits of Freedom shapes tech policy in order to facilitate an open and just society, in which people can hold power accountable and effectively question the status quo.”

$25,000 to the British Institute of International and Comparative Law (BIICL)

"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."

$25,000 to the Center for Critical Internet Inquiry (C2i2)

“UCLA Center for Critical Internet Inquiry (C2i2), housed in the UCLA Division of Social Sciences, is a critical internet studies community committed to reimagining technology, championing social justice, and strengthening human rights through research, culture, and public policy.”

$25,000 to Creative Commons (CC)

“Creative Commons (CC) is an international nonprofit organization dedicated to building and sustaining a thriving commons of shared knowledge and culture that serves the public interest.”

$25,000 to Digital Rights Watch

"Digital Rights Watch is Australia's leading digital rights organisation. They defend and promote privacy, democracy, fairness and fundamental rights in the digital age."

$25,000 to Gesellschaft für Freiheitsrechte (GFF)

"The Society for Civil Rights e.V. (Gesellschaft für Freiheitsrechte e.V. or "GFF") is a donor-funded organization from Germany that defends fundamental and human rights by legal means. The organization promotes democracy and civil society, protects against disproportionate surveillance and advocates for equal rights and social participation for everyone."

$25,000 to noyb

"noyb is committed to the legal enforcement of European data protection laws and has filed more than 850 cases against numerous intentional infringements by Big Tech companies - to make online privacy a reality for everyone."

$25,000 to the Open Home Foundation

“The Open Home Foundation fights for the fundamental principles of privacy, choice, and sustainability for smart homes - and for every person who lives in one. It is best known as the organization that owns and governs Home Assistant, among many other projects crucial to the open home."

$25,000 to the Open Rights Group (ORG)

"Open Rights Group is the UK’s largest grassroots digital rights campaigning organisation, working to protect everyone’s rights to privacy and free speech online."

$25,000 to the Open Source Technology Improvement Fund (OSTIF)

"Open Source Technology Improvement Fund helps critical open source projects with their security needs and is grateful for the continued support from DuckDuckGo. This funding is pivotal to ongoing operations, as it is one of our only donation sources that is not tied to any deliverable or project. Over the past year, OSTIF has been able to sustainably help critical open source projects improve their security posture, and in the process have found and fixed over 150 bugs and vulnerabilities."

$25,000 to Perl and Raku Foundation

"The Perl and Raku Foundation is a non-profit, 501(c)(3) which fulfills a range of activities including the collection and distribution of development grants, sponsorship and organization of community-led local and international Perl conferences, and support for community resources and user groups."

$25,000 to Privacy Rights Clearinghouse

"Privacy Rights Clearinghouse focuses on increasing access to information, policy discussions, and meaningful rights so that data privacy can be a reality for everyone."

$25,000 to Proof

"Proof is a new nonprofit journalism studio that is working to redefine and reimagine trustworthiness in news and investigative reporting."

$25,000 to the Tor Project

"At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network."

Today, we are calling on the European Commission to launch three non-compliance investigations around Google’s obligations under the EU’s Digital Markets Act (DMA): 

1. On Google’s non-compliance with Article 6(11), which requires Google to share anonymized click and query data.
2. On Google’s non-compliance with Article 6(3), which requires Google to implement choice screens and enable end users to easily change default search settings. 
3. On Google’s non-compliance with Article 6(4), which requires any downloaded search or browser app to have the ability to prompt users to set search defaults easily. 

The DMA created these obligations to address Google’s scale and distribution advantages, which the judge in the United States v. Google search case found to be illegal. The judge specifically highlighted that 70% of queries flow through search engine access points preloaded with Google, which creates a “perpetual scale and quality deficit” for rivals that locks in Google’s position. 

Unfortunately, Google is using a malicious compliance playbook to undercut the DMA. Google has selectively adhered to certain obligations – often due to pressure from the Commission – while totally disregarding others or making farcical compliance proposals that could never have the desired impact.  As a result, the DMA has yet to achieve its full potential, the search market in the EU has seen little movement, and we believe launching formal investigations is the only way to force Google into compliance. The Commission has already demonstrated its ability to use such investigations effectively under the DMA. 

While Google’s bad faith approach is not surprising, it should not go unnoticed. Any regulator looking to create enduring competition in the search market should take note of the tactics Google is using to thwart and circumvent its legal obligations.

We project Google’s Click-and-Query data sharing proposal eliminates ~99% of search queries.

Google’s exclusive default distribution deals mean they see many times more search queries than any competitor can, which gives them what’s called a “scale advantage.” In Article 6(11), the DMA directly addresses this scale advantage by mandating Google share anonymized click, query, ranking, and view data. This data would help search engines improve results quality, especially for less frequent (so-called “long-tail”) queries. 

Google’s Click-and-Query obligation under the DMA, Article 6(11), reads: 

“The gatekeeper shall provide to any third-party undertaking providing online search engines, at its request, with access on fair, reasonable and non-discriminatory [FRAND] terms to ranking, query, click and view data in relation to free and paid search generated by end users on its online search engines. Any such query, click and view data that constitutes personal data shall be anonymised.”

To comply with this requirement, Google announced the “Google European Search Dataset Licensing Program.” However, this data set has little to no utility to competing search engines due, in large part, to Google’s proposed anonymization method, which only includes data from queries that have been searched more than 30 times in the last 13 months by 30 separate signed in users. This method is conveniently overbroad: we extrapolate that Google’s dataset would omit a staggering ~99% of search queries including “longtail” queries that are the most valuable to competitors. Google is trying to avoid its legal obligation in the name of privacy, which is ironic coming from the Internet’s biggest tracker. 

Part of our goal at DuckDuckGo has always been to prove that tech can make great products without exploiting people’s data or using mass surveillance.  Our Privacy Policy explains how we go about doing this, for example, “we have no way to create a history of your search queries.” We do this by stripping out any metadata that can tie searches together made by the same individual, so re-identification cannot happen like in the memorable AOL case. For example, we may know that we got a lot of searches for "cute cat pictures" today, but we don’t know - and have no way to figure out - who actually performed those searches.

The fact is that most "rare" queries are actually just common words put in an order that isn’t searched very often. These queries are not inherently problematic since they cannot be traced back to any individual. So, instead of attempting to filter all of these relatively unique queries, we should instead focus on removing the subset of those queries that contain personal identifiers, like addresses and phone numbers or accidental pastes like user ids and passwords. Fortunately, there are relatively straightforward approaches to remove these types of queries that will result in much of the long tail data remaining available to improve search results.

This isn’t even the only part of the proposal that severely hampers the usefulness of the data:

• The proposal averages ranking data, which eliminates critical nuances. It also doesn’t provide anonymous ranking signals like dwell time or bounce rate. 
• The proposal shares at best three-month old data, meaning the data is already stale when received because many results would no longer reflect current search trends.
• The proposal contains hardly any information on search modules, such as knowledge panel content, meaning information on much of the content on the search result page is not being shared.

We recognize that fine-tuning the right approach requires further considerations and, most importantly, testing and good faith cooperation from Google. Faced with Google’s continued obstruction, we believe that opening an official investigation is the only way to arrive at a workable proposal. We would like to help in that effort and believe there are ways for Google to provide a data set that is both privacy respecting and useful to competitors. 

Google has so far completely ignored “easy switching” requirements.

The DMA includes provisions designed to facilitate easy switching of search engines and browsers, targeting Google’s entrenched hold over search and browser access points. Google’s obligation under Article 6(3) of the DMA reads: 

“The gatekeeper shall allow and technically enable end users to easily change default settings on the operating system, virtual assistant and web browser of the gatekeeper.” 

Despite this obligation, switching search engines on Android devices (which make up more than 60% of the mobile market in the EU) is still not “easy.” Before the DMA came into effect, it took more than 15 steps to switch your default search engine on Android and today that is still the case. 

Zero changes have been made. What should happen is that users should be able to change their default search engine across every search access point in one click, similar to how a choice screen works, but currently choice screens are only shown on device onboarding. Users should be able to get back to a similar screen via a top-level device setting for default search, which we should be also able to guide users to directly from our app.

Similarly on Chrome, switching the default search engine has not been made any easier either. For example, there’s still no way to guide a user directly to the default search engine setting from the DuckDuckGo search homepage. And Google’s persistent dark pattern for search extensions on Chrome remains.

Google has completely ignored its easy switching obligations under the DMA. As a result, we believe the Commission must launch a non-compliance investigation to get Google to fulfill its requirements under the law. “Easy switching” should mean competition is actually one click away.

Google still hasn’t rolled out its updated Android choice screens to 250+ million EU Android users.

Article 6(3) DMA requires Google to show choice screens to end users “at the moment of the end users’ first use of an online search engine or web browser.” 

Google’s search engine DMA choice screen is explicitly different from the choice screen Google implemented following the Android case. Key improvements have been made to its design, such as automatically showing taglines. But Google has not rolled out this updated DMA choice screen to all Android users, in breach of Article 6(3). Apple, for example, rolled out its DMA browser choice screen to its entire EEA user base and is planning to do so again after an investigation from the Commission – this time to Safari default users only. 

A non-compliance investigation must therefore be opened to ensure that Google will fulfill its obligation and roll out both the DMA search engine and browser choice screens to all Android devices at once like they did on Chrome for desktop and iOS. When those Chrome choice screens rolled out, the positive competitive impact was evident: DuckDuckGo search queries on Chrome have increased by around 75% across the EEA. This rapid and stable growth in query volume shows pent-up demand by Chrome users for privacy-respecting search alternatives.  

What can regulators learn from this?  

Regulators around the world should be looking at what’s happening with the DMA, learn from how Google has been able to exploit its loopholes and circumvent it, and then take steps to make sure Google cannot continue to put up roadblocks in the way of progress and fair competition.  

In the EU, Google chose to roll out self-serving compliance proposals around these obligations without engaging in meaningful consultations, leading to significant delays in achieving contestability and fairness, the objectives of the DMA. Given the opportunity, it should not come as a surprise that Google is taking advantage.  

Instead, regulators and market participants should be able to review, test, and validate remedies before they are implemented to ensure they actually accomplish their intended purpose, while maintaining the regulatory authority to launch investigations and make changes after implementation, if necessary. Regulators can set additional criteria to make sure these interventions have the desired impact. For example, dominant firms could be required to demonstrate that consumers understand how to switch and that switching to a competitor is equivalently easy to sticking with the services from the dominant firm.

In addition, we believe the DMA doesn’t properly address Google’s scale advantage. Sharing click-and-query data is a critical intervention to address Google’s scale advantage, but alone, it isn’t sufficient to create a competitive search engine. As we’ve previously written, we believe the best and fastest way to level the playing field on search quality is for Google to provide access to its search results via real-time APIs (Application Programming Interfaces), also on FRAND (Fair, Reasonable, and Non-Discriminatory) terms. That means for any query that could go in a search engine, a competitor would have access to the same search results. 

If Google is required to license its search results in this manner, this would allow existing search engines and potential market entrants to build on top of Google’s various modules and indexes, and offer consumers more competitive and innovative alternatives. In addition, while choice screens are an excellent mechanism to provide consumers access to competitors, they need to be shown periodically, at least yearly, to give competing search engines a chance to build awareness over time. We are happy to work with regulators to craft remedies that will create enduring search competition. 

At DuckDuckGo, we know what it's like to turn a vision into a successful company. Our founder and CEO, Gabriel Weinberg, began DuckDuckGo’s journey to “raise the standard of trust online” from his basement in Pennsylvania and turned it into a browser and search engine used by millions of people around the world. 

Today, this vision still inspires us.  Each year, we donate to non-profit organizations that align with this vision, and now we're investing in companies that align with it as well.

As more and more consumers seek privacy-conscious technologies, we want to partner with other like-minded entrepreneurs and help turn their visions into reality. With the core objective of supporting consumer privacy technologies, DuckDuckGo is actively investing in early-stage companies as well as pursuing acquisitions and partnerships. We've actually already been doing this quietly for the last couple years, and we’re energized to do more. So, we'd love to hear from you and find ways to work together.  

 We are focused primarily on three domains:  

• Search and browse: It's the core of our product and where we continue to invest most heavily. 
• Consumer privacy technologies: This spring, we launched  Privacy Pro, a 3-in-1 subscription service with VPN, Personal Information Removal, and Identity Theft Restoration. Our acquisition of Removaly was key to accelerating the development of our Personal Information Removal solution. We continue to look for other complementary technologies that could extend our offerings.  
• Emerging technologies: We recently announced  DuckDuckGo AI Chat,  which offers private access to popular AI chatbots. We’re committed to investing in this emerging technology space and others, but only in ways that are privacy-respecting.  

For early-stage investments, we are flexible on deal structure, aim to move quickly and are happy to co-invest with other companies, funds, and individuals. For acquisitions, we are open to a range of companies that share a commitment to protecting user privacy.  

You can reach Mike Marino, SVP of Finance and Diana Chiu, Director of Corporate & Business Development directly at  investments@duckduckgo.com.

Since the ruling in the U.S. v. Google search case was announced, there has been discussion about how to remedy Google’s dominance. As a company that operates a search engine that directly competes with Google, we have several ideas about how to craft a set of legal and technical interventions that can, in combination, effectively curb the advantages Google has gained through illegal use of their search monopoly. DuckDuckGo believes it is possible to put remedies in place that will establish enduring search competition, encourage innovation and new market entrants, and result in significant market share among multiple competitors. 

However, there is no silver bullet remedy that, alone, will adequately address both Google’s scale and distribution advantage as well as ensure that Google cannot circumvent its obligations. Instead, the “remedy” must be a package of remedies that work together to effectively counteract the unlawful competitive imbalance. 

Counteracting Google’s Scale Advantage with Access to Search Results 

Many ideas on the table aim to counteract Google’s distribution advantage, but we believe it’s equally important to address Google’s scale advantage. Google’s exclusive default distribution deals mean they see way more queries than everyone else, a.k.a. their scale advantage. The court’s opinion quantifies this disparity:  

More users mean more advertisers, and more advertisers mean more revenues…. Google’s scale means that it not only sees more queries than its rivals, but also more unique queries, known as “long-tail queries.” To illustrate the point, Dr. Whinston analyzed 3.7 million unique query phrases on Google and Bing, showing that 93% of unique phrases were only seen by Google versus 4.8% seen only by Bing. 

Google uses this stream of information to continuously improve their results by running large-scale experiments in ways that no rival can because we’re effectively blinded. Google infers the best results based on queries it has seen before. If a search engine sees fewer – or often zero – similar queries, these inferences are less effective.  

As the court describes the situation, Google’s scale advantage fuels a powerful feedback loop of different network effects that ensure a “perpetual scale and quality deficit” for rivals that locks in Google’s advantage.  

Google’s exclusive defaults are part of a reinforcing feedback loop that gives them an insurmountable scale advantage and makes it difficult for rivals to compete. 

The best and fastest way to level this playing field is for Google to provide access to its search results via real-time APIs (Application Programming Interfaces) on fair, reasonable, and non-discriminatory (FRAND) terms. That means for any query that could go in a search engine, a competitor would have access to the same search results: everything that Google would serve on their own search results page in response to that query. If Google is forced to license its search results in this manner, this would allow existing search engines and potential market entrants to build on top of Google’s various modules and indexes and offer consumers more competitive and innovative alternatives. 

Today, we believe that we already offer a compelling search alternative with more privacy and fewer ads, relative to Google. We’ve also been working for fifteen years to make our search results on par in terms of feature set and quality by combining our own search indexes with those of partners like Apple, Microsoft, TripAdvisor, Wikipedia, and Yelp. However, we know that many consumers still prefer Google’s results due to the benefits of scale discussed above, and this intervention would erase that advantage, instantly making us and others much more competitive. 

We’ve already seen some concerns about this remedy direction that we’d like to quickly address. First, licensing Google’s search results does not involve accessing any user data. This remedy will not invade user’s privacy, which is aligned with our vision as a company. We know from experience that this remedy can be implemented anonymously, and we can advise on that implementation. We can open up Google without opening up user data. 

A second potential concern is that long-tail results on leading search engines could be similar in some cases, but that’s a feature not a bug. Google’s scale advantage gives them insights into which obscure links should be ranked higher, and so we should expect that when smaller search engines incorporate this information that some results would become more similar. However, licensing on FRAND terms should also allow competitor search engines to re-rank and mix results with other content, which will enable competitor search engines to produce different ranking algorithms based on the same underlying high-quality search results.  

Additionally, FRAND licensing will allow other search engines to more competitively differentiate on things like privacy, design, and customization of the user interface and results page, while still providing high-quality results. For example, we can envision a universe of differentiated and innovative experiences, such as features that allow users to tweak ranking algorithms, features that bring more transparency to ranking algorithms, and other AI capabilities, all leveraging Google’s search result APIs. Future-looking use cases like these must be kept in mind, and FRAND API access is what is needed to power these types of search innovations.  

A third concern is that competitor indexes could become too reliant on Google; however, if all the results that come through the APIs can also be used as an input into building search indexes, this would ensure that there is also a path to long term viability and independence for competitors. We, for one, would go further down this path. This could be accelerated if the APIs also provide access to Google’s anonymous ranking signals (for example, how often and quickly people in aggregate click back after visiting a link), which will help tune competitor indexes even faster as well as improve real-time reranking algorithms. That said, we recognize that licensing Google’s search results needs to be a long-term intervention because their scale advantage will persist as long as Google has much more significant market share than competitors. 

There are historical precedents for this type of remedy as well. AT&T’s 1956 antitrust agreement required the company to license its patents on FRAND terms, which allowed existing and new companies to build on top of AT&T’s innovations. Similarly, the Telecommunications Act of 1996 encouraged competition in communications markets by requiring large telecommunications providers to interconnect their networks with new competitors on FRAND terms. 

This is not a new technical challenge for Google either: Google already licenses their search results, including their ads, via real-time APIs to some competitors. It’s also not novel in antitrust, as API access was at stake in Microsoft’s antitrust settlement two decades ago. An API-based remedy also means that startups could immediately enter the search market rather than be forced to invest tens or hundreds of millions of dollars upfront to get started by acquiring and consuming massive data sets. It also protects nascent competition in AI-driven search by allowing them to use the APIs to ground answers in real-time. 

Finally, we should note that the EU’s Digital Markets Act attempts to solve Google’s scale advantage by requiring Google to provide FRAND access to its “click and query data.” To date, this has been ineffective because Google has undermined the requirement by limiting the data they share to the point of being useless. However, while we believe that click and query data is not a substitute for FRAND access to search result APIs, we also believe that if implemented correctly it can complement and further accelerate the path to competitor independence. That’s because API access will be limited to queries a competitor search engine actually sees, whereas click and query data can be much broader, covering almost all the queries Google sees. Therefore, access to this data in a privacy-protective manner should also be given on FRAND terms.  

Counteracting Google’s Distribution Advantage with a Ban on Self-Preferencing in Chrome and Android 

Google likes to claim everyone chooses Google, but most consumers don’t: they just go with the default. The court outlines how staggering this default advantage is: 

50% of all queries in the United States are run through the default search access points covered by the challenged distribution agreements…. An additional 20% of all searches nationwide are derived from user-downloaded Chrome, a market reality that compounds the effect of the default search agreements. That means only 30% of all [general search engine] queries in the United States come through a search access point that is not preloaded with Google. Additionally, default placements drive significant traffic to Google. Over 65% of searches on all Apple devices go through the Safari default. On Android, 80% of all queries flow through a search access point that defaults to Google. 

The court also consolidates evidence highlighting that large percentages of consumers don’t even realize they are using Google because of these defaults: 

• An internal Google email in 2016 acknowledged that “users on Edge don’t even realize they aren’t using Google.” 
• A 2018 Google study revealed there was “substantial user confusion regarding which browser and [general search engine] was in use.” 
• A 2020 Google study found that over 50% of U.S. iPhone users were “unsure” what search engine powered Safari, concluding users are “often unaware they’re using Google.”  

Users are confused and competition is crushed. As a result, Google shouldn’t be able to self-preference its search engine on Chrome and Android, which were developed to expand the reach of Google Search. Within these products, there should be no preset search default. Instead, these platforms need user-friendly settings based on sound principles that provide for:  

• Regular access to well-designed choice screens that put users in charge of choosing their search engine default when setting up Android or Chrome, and periodically thereafter. Choice screens should set the search engine across all search access points on Android and Chrome. 
• An easy way for users to navigate back to these settings. 
• A one-click mechanism for any rival search engine to switch these settings and offer itself as a default search engine when users visit their website or app. 

Image of the search engine choice screen on Android in the EU.  

Banning self-preferencing must also include a prohibition on dark patterns, and all remedies must be subject to anti-circumvention provisions. For example, these restrictions should prohibit Google from discouraging users from installing rival apps or search extensions, or encouraging them to switch back to Google. 

Unfortunately, a self-preferencing ban won’t create enduring competition by itself. However, as rivals can innovate on top of Google’s search results, and consumers become aware of rival brands and their increased quality, this increased access to consumers will accelerate competition in the search market. 

Counteracting Google’s Distribution Advantage by Restricting Exclusionary Contracts 

The court has already declared Google’s exclusionary contracts unlawful. While there are methods outside of these exclusive defaults to access search engines, the court recognizes that these “channels are far less effective at reaching users. That is due in part to users’ lack of awareness of these options and the ‘choice friction’ required to reach these alternatives.”  

Restricting these exclusive agreements is therefore essential to help open up access to the search market. However, just restructuring these contracts by itself won’t do much because it won’t directly counteract Google’s entrenched advantage. For that, we need to look to the remedies discussed above. 

On Accountability  

Even the most well-crafted remedies will ultimately fail if Google is in charge of designing and implementing them, as has been the case in the EU. We’ve seen firsthand how Google has easily and repeatedly avoided complying with both the letter and the spirit of the law. Consequently, an independent monitoring body made up of technical experts and affected market participants must be fully empowered to keep Google honest. We should expect that this monitoring entity will need to be in place for as long as the remedies are in place. We cannot let the fox guard the henhouse.  

On Structural Remedies 

We are not opposed to structural remedies, but they would need to be paired with the additional interventions outlined in this post. In other words, structural changes to Google could theoretically be an accelerant in some circumstances, but regardless are not a replacement for FRAND access to search results and click and query data together with a ban on Google-self preferencing and a restriction on exclusive contracts. And we can envision some scenarios where a particular structural remedy could be more harmful to us than helpful. 

A Long Road Ahead 

Counteracting the entrenched competitive imbalance that Google’s default advantage has afforded them will not happen overnight. Realistically, it will take years for competition to take hold, and a fully-funded and motivated Department of Justice will need to be involved for the long haul. However, we are confident that a package of well-implemented and carefully monitored remedies, each designed to address a specific choke point, can work to create enduring competition in the search market.    

DuckDuckGo AI Chat is an anonymous way to access popular AI chatbots – currently, Open AI's GPT 3.5 Turbo, Anthropic's Claude 3 Haiku, and two open-source models (Meta Llama 3 and Mistral's Mixtral 8x7B), with more to come. This optional feature is free to use within a daily limit, and can easily be switched off.

• Chats are private, anonymized by us, and not used for any AI model training.
• Find DuckDuckGo AI Chat at duck.ai, duckduckgo.com/chat, on your search results page under the Chat tab, or via the !ai and !chat bang shortcuts. They all take you to the same place.
• Improvements are already on the way. Our roadmap includes adding more chat models and browser entry points. We’re also exploring a paid plan for access to higher daily usage limits and more advanced models.

Why did you make AI Chat?

Find AI Chat on your search results page for easy switching between the two.

Our mission is to show the world that protecting your privacy online can be easy. We believe people should be able to use the Internet and other digital tools without feeling like they need to sacrifice their privacy in the process. So, we meet people where they are, developing products that add a layer of privacy to the everyday things they do online. That’s been our approach across the board – first with search, then browsing, email, and now with generative AI via AI Chat.

DuckDuckGo AI Chat is a free, anonymous way to access popular AI chatbots. According to recent Pew reporting, adults in the U.S. have a negative view of AI's impact on privacy, even as they're feeling more positive about AI's potential impact in other areas. "About eight-in-ten of those familiar with AI say its use by companies will lead to people’s personal information being used in ways they won’t be comfortable with (81%) or that weren’t originally intended (80%)." Even so, another recent report shows a steady uptick in the share of U.S. adults who are using chatbots for work, education, and entertainment. If you're interested in AI chatbots but share those privacy concerns, DuckDuckGo AI Chat is for you.

In the industry-wide race to integrate generative AI, there’s a lot of pressure to add AI features just for the sake of saying you have them. We’re taking a different approach. Before adding any AI-assisted features to our products – first DuckAssist, our AI-enhanced Instant Answer, and now AI Chat – we think carefully about how to make them additive to the search and browse experience, and we roll them out cautiously to ensure this is the case. We also recognize these features aren’t for everyone, so we’ve made our AI-assisted features totally optional; if you’re not interested, you can easily switch them all off.

We view AI Chat and search as two different but powerful tools to help you find what you’re looking for – especially when you’re exploring a new topic. You might be shopping or doing research for a project and are unsure how to get started. In situations like these, either AI Chat or Search could be good starting points. If you start by asking a few questions in AI Chat, the answers may inspire traditional searches to track down reviews, prices, or other primary sources. If you start with Search, you may want to switch to AI Chat for follow-up queries to help make sense of what you’ve read, or for quick, direct answers to new questions that weren’t covered in the web pages you saw. It’s all down to your personal preference. That’s on top of AI Chat’s unique generative capabilities, like drafting emails, writing code, creating travel itineraries, and much more.

Since it can be useful to switch back and forth, we’ve made AI Chat accessible through DuckDuckGo Private Search for quick access: after you make a search, just click on the Chat tab underneath the search bar to keep exploring the topic. You can also get to AI Chat directly by navigating to duck.ai or duckduckgo.com/chat; from there, it’s easy to jump back into traditional search using the top navigation.

How does it work … and how is it private?

AI Chat is always anonymous. Want to start over? Hit the Fire Button to delete your current conversation.

When you land on the AI Chat page, you can pick your chat model – currently, OpenAI’s GPT 3.5 Turbo, Anthropic’s latest generation Claude 3 Haiku, and open-source options Mixtral 8x7B and Meta Llama 3 – and start using it just like any other chat interface. Just like searches on DuckDuckGo, all chats are completely anonymous: they cannot be traced back to any one individual. To accomplish that technically, we call the underlying chat models on your behalf, removing your IP address completely and using our IP address instead. This way it looks like the requests are coming from us and not you. Within AI Chat, you can use the Fire Button to clear the chat and start over.

In addition, DuckDuckGo does not save or store any chats. To respond with answers and ensure all systems are working, the underlying model providers may store chats temporarily, but there’s no way for them to tie chats back to you, personally, since all metadata is removed. (Even if you enter your name or other personal information into the chat, the model providers have no way of knowing who typed it in – you, or someone else.) We have agreements in place with all model providers to ensure that any saved chats are completely deleted by the providers within 30 days, and that none of the chats made on our platform can be used to train or improve the models. For more information, please see the DuckDuckGo AI Chat Privacy Policy and Terms of Use.

Is it really free?

Yes! AI Chat is free to use, within a daily limit – which we implement while still maintaining strict user anonymity, just like we do for our search engine. We are planning to keep the current level of access free and exploring a paid plan for access to higher limits and more advanced (and costly) chat models.

What’s next?

We’re excited to spread the word about AI Chat, but there are already improvements on the way. Keep an eye out for new capabilities, like custom system prompts, and general improvements to the AI Chat user experience. We’re also planning to add more chat models – potentially including either DuckDuckGo- or user-hosted options. If you’re interested in seeing a particular chat model or feature added in the future, please let us know via the Share Feedback button in the AI Chat screen.

Ready to give it a spin? Head to duck.ai or duckduckgo.com/chat. You can also find it on your search results page – the Chat tab is just under the search box, on the right side, alongside Images and Videos on the left. If you’re a fan of our bangs, you can also initiate an AI chat by starting your search query with !ai or !chat. Not for you? Head to the Search settings menu to disable AI Chat, DuckAssist, or both.

Happy chatting!

Privacy Pro bundles three new protections from DuckDuckGo into one easy subscription. Subscribers get:

• An anonymous VPN built for speed, security, and simplicity. Secure your connection anytime, anywhere, on up to five devices simultaneously.
  
• Personal Information Removal, which finds and removes personal details – like your name and home address – from data broker sites that store and sell them, helping to combat identity theft and spam. (U.S. only.)
  
• Identity Theft Restoration. If your identity is stolen, a dedicated advisor will help restore stolen accounts, assist in recovering resulting financial losses, and help correct your credit report.

Getting these services separately from other companies could cost upwards of $30/month in the U.S.; our users can subscribe to Privacy Pro for $9.99/month or $99.99/year. Privacy Pro is currently available in the United States, Canada, the European Union, and United Kingdom; see this list for the latest availability.  Sign up at duckduckgo.com/pro and make sure you're using the most up-to-date version of the DuckDuckGo browser on all your devices. Features and coverage vary by country.

What is Privacy Pro?

Every day, tens of millions of people rely on DuckDuckGo to add a layer of privacy to their online activities. The centerpiece of our product offering is now the DuckDuckGo browser, which offers the most comprehensive set of free privacy protections by default. (One immediate benefit? Fewer ads and popups than you’d see on other browsers.) Our browser bundles our private search engine, tracker blocking, Email Protection, and more than a dozen other free privacy features in one convenient package.  However, there’s only so much protection we can provide for free. For example, some protections, like securing our users’ network connections with a VPN, require significantly more bandwidth and other resources.

Enter Privacy Pro: a three-in-one subscription service that offers even more seamless privacy protection. Privacy Pro subscribers get a fast, secure, and easy-to-use VPN that doesn’t log your activity; Personal Information Removal, which helps U.S.-based users remove your information from “people search” data broker sites that store and sell it; and Identity Theft Restoration, which helps to fix credit report mistakes and recover any resulting financial losses. (Please note: Setting up and managing Personal Information Removal requires a Mac or Windows computer.)

On its own, the DuckDuckGo browser lets you search and browse privately. By adding Privacy Pro, you can also limit data brokers’ access to your personal information and secure your Internet connection across your whole device, which hides your location and device IP address from sites you visit — all in one place.

Adding a Privacy Pro subscription makes the DuckDuckGo browser's best-in-class protections even stronger.

More protections, same privacy promise.

At DuckDuckGo, we don’t track you; that’s our privacy policy in a nutshell, and this new subscription service is no exception. Guided by the principle of data minimization, we designed Privacy Pro to maximize your privacy:

• We don’t keep logs of your VPN activity. This means we have no way to tie what you do while connected to the DuckDuckGo VPN to you as an individual — or to anything else you do on DuckDuckGo, like searching.
• Personal Information Removal is the first service of its kind that works directly from your device to keep your sensitive information safe. The details you provide during setup are stored on your device, not on remote servers, and removal requests are initiated directly from that device.
• Unlike other data removal services, which take a more scattershot approach, Personal Information Removal only starts opt-out processes with data brokers once we’ve confirmed that they have you in their databases.
• Unless you become a victim of identity theft and need help, you don’t need to provide any information for Identity Theft Restoration. It’s waiting for you when you need it.
• Payment information is securely handled by Stripe (U.S. only), Google Play, or the Apple App Store, depending on how you sign up. We do not hold or process any of your payment information ourselves.
• Instead of a traditional account, we assign you a random ID when you sign up for Privacy Pro. We have no way to connect this random ID back to your payment information.

We’re here to seamlessly protect your privacy — not compromise it. 

Read the Privacy Policy and Terms of Service for Privacy Pro.

VPN

Our non-logging VPN secures your Internet connection on up to five devices at once.

Get an extra layer of online protection with the VPN made for speed, security, and simplicity — built and operated by DuckDuckGo, not an outside provider. Our VPN encrypts your Internet connection for all your browsers and apps across your entire device, hiding your location and IP address from the sites you visit. Because connections are encrypted, your Internet service provider (ISP) can’t see your online traffic either. And we have a strict no-logging policy; we don’t log or store data that can connect you to your online activity, or to any other DuckDuckGo services, such as search.

No need to install a separate VPN app. Once you sign up for Privacy Pro, you can install our VPN right in your DuckDuckGo browser. After that, you can secure your connection in just one click and check its status at a glance. It offers full-device coverage on up to five devices at once. 

Our VPN is simple to use. If your VPN connection gets interrupted for any reason, it attempts to reconnect automatically and prevents data leaks until the reconnection is successful. And it works perfectly with DuckDuckGo’s other protections; if you’re an Android user, you should know our VPN is the only one compatible with App Tracking Protection. 

We have VPN servers worldwide, and we’ll be adding more over time. To maximize speed and stability, you’ll connect to the closest available VPN server by default, but you can manually choose whichever location you prefer.

To encrypt your traffic and route it through a VPN server, we use the open-source WireGuard protocol, which is fast and secure. We also route your DNS queries automatically through the VPN connection to our own DNS resolvers, which further hides your browsing history from your ISP.

Learn more about the VPN on our Help Pages.

Personal Information Removal

Personal Information Removal helps get your name, address, and more off of people search sites.

Ever tried looking yourself up online? Where our other web tracking protections help defend against trackers that gather your personal information while you browse, Personal Information Removal goes one step further: It works to actually remove personal information, such as your name and home address, from people search sites that store and sell it, helping to combat identity theft and spam. 

How does it work? People search sites, like Spokeo and Verecor, are a common type of data broker. They collect your personal information from local and federal records, public forums like social media, and even other data brokers, and make it available online. (If you’re in the U.S., where people search sites can operate freely, you’ve probably seen them in search results when you look up your name.) We scan dozens of these sites for your info and, if found, request its removal, even handling back-and-forth confirmation emails for you automatically behind the scenes. Unlike other similar services, we only contact the data brokers once we confirm that you’re in their databases, and the info you enter for scanning is stored on your device — not on remote servers. 

To help us build Personal Information Removal from the ground up while maintaining our strict privacy standards, DuckDuckGo acquired data removal service Removaly in 2022. Removaly was a pioneer in the data removal space, developing a way to navigate data brokers’ confusing opt-out process automatically without compromising users’ privacy in the process.

Personal Information Removal re-scans sites regularly to minimize the risk of your info reappearing, using the data stored on your device. Your device also initiates any removal requests. You can keep tabs on the progress of ongoing removals — and see the personal information we’ve already removed! — on your personal dashboard within the DuckDuckGo browser. Once it’s set up, simply select Personal Information Removal from the browser’s three-dot menu in the upper right. 

You'll need to set up Personal Information Removal on one primary Mac or Windows computer. Right now, the dashboard can only be accessed from that device, but we are planning to add the ability to view it from your other devices.

Learn more about Personal Information Removal on our Help Pages. This feature is only available to U.S. subscribers.

Identity Theft Restoration

Get some peace of mind: if your identity is ever compromised, Identity Theft Restoration is standing by to help.

With more than 1 million cases a year reported in the U.S., identity theft is more common than you might think. And Personal Information Removal helps reduce the chance of identity theft, but unfortunately, nothing can totally prevent it. So, let us give you some peace of mind: If your identity is stolen or compromised, Identity Theft Restoration will help you handle the stress and expense. 

Identity Theft Restoration is brought to our users in partnership with Iris® Powered by Generali, one of the oldest firms specializing in identity theft in the U.S. Iris’s identity theft advisors are available 24/7, every day of the year, and answer calls within 11 seconds on average. This responsiveness has earned them 18 customer service awards over the last 10 years. 

If your identity is stolen, Iris will collect some details about your situation in order to provide assistance; no personal information is shared between Iris and DuckDuckGo. Once a case is established, Iris has several ways to help get you back on track:

• Repairing your credit after fraudulent activity: Iris can help freeze your credit report until your identity is restored and help fix any errors that result from fraudulent activity. They’ll also work with you or your financial institutions to help reverse any fraudulent transactions.   
• Document replacement: Iris can help you cancel and replace your driver’s license, bank cards, passport, and social security card. In the U.S., case managers can connect with financial institutions directly; elsewhere, they’ll offer guidance as you replace your documents.
• Travel assistance: In some cases, if you’re 100+ miles from home, Iris can provide a cash advance of up to $500 to assist U.S. subscribers with emergency travel. If you’re abroad when your identity is stolen, they can help you report fraudulent activity to police and legal authorities.
• Untangling fraudulent medical claims: Iris can help inform your healthcare and insurance providers of any fraudulent claims, as well as ensuring medical records are corrected — with help from their in-house medical staff if needed. 
• Covering out-of-pocket costs: For U.S. subscribers, Iris reimburses certain out-of-pocket expenses associated with identity theft restoration in some cases The reimbursement benefit is underwritten by an authorized insurance company under insurance policies issued to Iris. Please review the Summary of Benefits to understand the full coverage terms, conditions, and exclusions.

Learn more about Identity Theft Restoration in our Help Pages. Features vary by region.

Getting started and managing your subscription.

Ready to give Privacy Pro a try? Make sure you’ve got the latest version of the DuckDuckGo browser (iOS / Android / macOS / Windows) and head to duckduckgo.com/pro.  

Privacy Pro is available for $9.99 USD/month or $99.99 USD/year in the U.S., and can be purchased through the Apple App Store, Google Play Store, or on the web via Stripe. Subscribers in the U.K., E.U., and Canada can sign up via the Apple App Store and Google Play Store only; international pricing details here. Your subscription will auto-renew monthly or annually, depending on the payment terms selected, until canceled. If you subscribed via the Apple App Store or Google Play Store, you can manage your subscription and payment methods there. If you subscribed via our website, you’ll manage your account from the DuckDuckGo browser’s Settings instead.

Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.

• Now live: Sync bookmarks, passwords, and Email Protection settings between DuckDuckGo browsers on phones, tablets, and computers, privately and securely.
• Our new Sync & Backup feature is designed with your privacy and security in mind. You don’t need to create an account or sign in to use it, and DuckDuckGo never sees your bookmarks or passwords.
• The DuckDuckGo browser is our privacy-respecting alternative to Chrome and other browsers – use it every day to visit websites and search the web. Get it here for Windows, Mac, iPhone, and Android devices.

Ditching Chrome for the DuckDuckGo browser is easier than ever.

Have you been waiting to try the DuckDuckGo browser? Maybe you’re using our browser on your phone but haven’t tried the Windows or Mac version?  Now is the perfect time to make DuckDuckGo the default browser on all your devices, thanks to our latest improvement: Sync & Backup. You could already import bookmarks and passwords from other browsers into DuckDuckGo, but now you can privately sync those bookmarks and passwords between DuckDuckGo browsers on multiple devices.

Bring your passwords and bookmarks with you – without compromising your privacy.

When you use Chrome, there’s a good chance you’re signed in with your Google account – because they’re constantly pressuring you to do so! There is a convenience in that; all your bookmarks, passwords, and favorites follow you wherever you browse, whether you’re using your computer, phone, or tablet. But there’s a problem. This also gives Google implicit permission to collect even more data about your browsing activity than they would otherwise have and use it for targeted advertising that can follow you around.

At DuckDuckGo, we don’t track you; that’s our privacy policy in a nutshell. We’ve developed our privacy-respecting import and sync functions without requiring a DuckDuckGo account – and without compromising your personal data.

Our built-in password manager stores and encrypts your passwords locally on your device. Our private sync is end-to-end encrypted. (When you use private sync, your data stays securely encrypted throughout the syncing process, because the unique key needed to decrypt it is stored only on your devices.) Your passwords are completely inaccessible to anyone but you. That includes us: DuckDuckGo cannot access your data at any time.

What can Sync & Backup do?

• Privately sync and access the bookmarks and passwords saved in your DuckDuckGo browsers – including any you’ve imported from other browsers – across multiple devices.
• Back up passwords, bookmarks, and favorites in case your device is lost or damaged.
• Migrate your bookmarks and passwords to a new device.
• Sync your Email Protection account between devices.

Ready to give it a try? Here’s where to start…

The first step is to download our free browser on one or more devices. (The feature works across most Windows, Mac, Android, and iPhone devices – if you’ve got our browser, you can use Sync & Backup!) If you’re already using the browser, check that it’s up to date. Next, head to the browser’s Settings, choose Sync & Backup > Sync With Another Device and follow the instructions under Begin Syncing.

If you’re on a mobile phone or tablet, you can link devices with a QR code; on desktop computers, you’ll manually enter an alphanumeric code.

Sync passwords and bookmarks between devices by scanning a QR code or manually entering a unique alphanumeric code – no signing in necessary.

Only working with one device? Choose Sync and Back Up This Device from the “Single-Device Setup” section. Once your sync is complete, you can see a list of all your synced devices, edit device nicknames, and fine-tune your settings.

See a list of your synced devices – and add new ones! – under your browser’s Settings > Sync & Back Up.

Once you’re set up, you’ll want to save your Recovery PDF in a secure place. This document contains your Recovery Code, a unique code that will let you access your synced data if your devices are lost or damaged. This is especially important because of our secure end-to-end encryption; your Recovery Code contains the unique, locally generated encryption key that keeps your data private from everyone – including us! If you lose your devices, your Recovery Code is the only way to access your data from a new phone or computer.

With your Recovery Code, you can restore bookmarks, favorites, and other DuckDuckGo settings on a replacement device if yours is lost or damaged.

What else can the DuckDuckGo browser do?

The DuckDuckGo browser comes with the features you expect from a go-to browser – it even banishes any ads we find that run on creepy trackers, without the need for an outside ad blocker. It also handles cookie pop-ups for you where we can. Plus, over a dozen powerful privacy protections not offered in most popular browsers by default. This uniquely comprehensive set of privacy protections helps protect your online activities, from searching to browsing, emailing, and more.‌‌‌‌

Our privacy protections work without you having to know anything about the technical details or deal with complicated settings. Just switch your browser to DuckDuckGo across all your devices, and you’ll get privacy by default.

For more detailed instructions on how to use the new sync function – or to peek under the hood of any of DuckDuckGo’s privacy protections! – you can find more information on our Help Pages.

• DuckDuckGo is now carbon negative dating back to our founding in 2008 through 2020, and is committed to being carbon negative in perpetuity.
• We've pioneered new estimation techniques, given our distributed team and non-physical product.
• We're accounting for our full-scope emissions, including upstream and downstream suppliers.
• We're donating the equivalent of 125% of our calculated net emissions to projects vetted by carbon-offset startup CNaught yearly, ranging from emissions reductions to conservation and long-lived removal.
• We're giving that same dollar amount yearly to advance carbon removal technology, currently via Carbonfuture.

At DuckDuckGo, our vision is to raise the standard of trust online. We also care about our impact offline, so we've stepped up to do our part in the climate crisis. We have already been doing what we can to minimize our carbon footprint, including using sustainable energy to power our servers and being a fully distributed company. We’re proud that, as of 2020, DuckDuckGo is carbon negative dating back to our founding in 2008.

When we set out to do this, we quickly realized there wasn’t much guidance for companies like ours that have 100% distributed teams and provide non-physical goods and services. We hope our experience figuring this out can be a reference guide for similar organizations. Here’s the summary:

• Redefining the Scope. We defined our carbon footprint in the broadest possible sense, including all of our suppliers, and vendors (In carbon language, that means Scopes 1, 2, and 3, as well as any other upstream/downstream activities we could pinpoint). We estimated the total impact of all search queries using our search engine, all our marketing activities (including the carbon used when viewing our online display ads), and – given we are a fully distributed company – the impact of all our local working environments.
• Estimating Emissions. During our initial estimate in 2020, we back-estimated to our founding in 2008.
• Net Zero Emissions. In 2020, we funded Gold Standard projects to achieve net zero emissions. Today, we work with CNaught, a carbon-offset firm that relies on leading science to build a rigorously vetted portfolio of projects from around the world, designed from the ground up to maximize climate impact.
• Going Carbon Negative. To go carbon negative in 2020, we first funded an additional 25% of reduction, for a total of 125% of our emissions. We then doubled this dollar amount and spent the second half on Stripe Climate to help build a much-needed market for carbon removal. We’re continuing this work with Carbonfuture, with a global portfolio of expertly vetted carbon removal projects backed by a cutting-edge, data-powered monitoring, reporting, and verification (MRV) solution that brings trust to every stage of the carbon removal process.

Redefining the Scope

We set out to calculate our carbon footprint using the commonly used Greenhouse Gas Protocol. The Protocol groups emissions into three “scopes” and additional activities:

• Scope 1: Direct emissions, e.g., emitted by factories or vehicles you own.
• Scope 2: Indirect emissions from purchasing energy, e.g., buying electricity for or heating and cooling your buildings.
• Scope 3: Other indirect emissions from making products and services, e.g., from purchased materials, business travel, etc.
• Full Upstream/Downstream Activities: Other emissions not covered so far in the full lifecycle of your products and services, e.g., distribution, storage, and disposal, sometimes covered in Scope 3 definitions and sometimes not.

Many companies who claim they are “carbon neutral” are often only looking at their Scope 1 or Scope 1 and 2 emissions, even though Scope 3 and Full Upstream/Downstream Activities are often where the vast majority of emissions take place—especially for organizations not producing or processing physical goods.

In addition, many organizations only look at activities where clear guidelines have been defined (e.g., air travel), but ignore areas where there are no guidelines (e.g., impact of marketing, home offices, etc.), even if much of the organization’s carbon emissions are the result of these activities.

At DuckDuckGo, we didn't think the standard went far enough, so we redefined our approach to make us responsible for all emissions we cause that are not already net zero, regardless of their categorization (or lack thereof).

Estimating Emissions

To estimate our emissions, we pulled together leading source material from environmental agencies around the world including the UK DEFRA / DEEC 2012 GHG Conversion Factors for Company Reporting, the EPA's 2018 Emission Factors for Greenhouse Gas Inventories Report, the BEIS' 2019 Government Greenhouse Gas Conversion Factors for Company Reporting Methodology Paper, and the Environmental Commission of Ontario's 2019 Climate Pollution Report. From here, we mapped out the carbon footprint of every single transaction on our books for the entire 2019 calendar year (since we started working on this in mid-2020) and used that to build a model to estimate category emissions per accounting transaction. That means every vendor bill and credit card purchase by a team member.

While some transactions fit into standard models developed by government agencies (e.g., air travel), it turned out that to our knowledge, no one in government had ever calculated the carbon emissions of an online display advertisement. So, in cases where there was no standard model—or where we felt a standard model clearly under-estimated the actual carbon footprint—we developed our own formulas.

We then surveyed our team to better understand their home-office/co-working situations, including the hardware and software they use, their work-related transit, and recorded all this usage as if it were regular direct Scope 1 emissions.

This led to us estimating some currently unorthodox emissions including:

• The hardware and software our staff use in their home offices.
• A proportional amount of heating/cooling used in each home office during the workday.
• The fuel used in the vehicles staff take to partner meetings.
• The emissions that stem from our marketing (both online and offline), such as showing a display ad on a user's computer.
• The amount of emissions generated from each DuckDuckGo Private Search query.

Lastly, we checked the sustainability programs of every single vendor we used in any capacity. Where one couldn't be identified, or where the program clearly failed to account for 100% of their carbon emissions, we recorded the full CO2e emissions from those transactions as our own.

In the end, our estimate for our 2019 emissions — including Scope 1, 2, 3, and Full Upstream/Downstream Activities — totaled 1,075T of CO2e. That works out to an average of 14.33T of CO2e/per year/per full-time team member.  We used that figure to calculate a total of 5,875T of CO2e for the entire existence of DuckDuckGo, from our 2008 founding through 2020.

Net Zero Emissions

Once we felt our carbon emissions were properly estimated, we set out to understand how we could properly achieve net zero emissions in a way that would:

• Directly reduce carbon.
• Not come at other environmental costs.
• Respect and improve human life.

After an extensive review of our options, we first partnered with GoldStandard.org, an international non-profit foundation that is focused on reducing carbon emissions through sustainable investment in carbon reduction projects that also help improve the lives of those involved. Those projects included:

• Funding biomass generators in India, Malawi, Kenya, and biodigesters in Cambodia to bring safe, clean, self-reliant energy to small rural farming villages.
• Funding new wind farms in India and Indonesia, to provide clean energy to regions currently dependent on coal burning electricity.
• Providing solar cooking stoves in Chad, and improved clean efficiency stoves in Guinea and Rwanda, to end coal burning pollution and help protect families from inhaling toxic fumes when cooking in the home.
• Funding hydroelectric power in Honduras, and renewable energy in Brazil.
• Supporting biomass conservation and local biodiversity reforestation in Nicaragua and Ethiopia to help local farmers and conservationists rebuild soil that is suffering from desertification due to deforestation.

Current partner CNaught’s projects are similarly distributed across five categories ranging from emissions reductions to conservation and long-lived removal. You can learn more about each category, including example projects, on the CNaught website.

We're proud that DuckDuckGo is not only achieving net zero emissions, but doing so in a way that we hope will have a transformative and on-going impact around the world, creating jobs and improving the health and quality of life for many.

Going Carbon Negative

Addressing the climate crisis requires us to collectively get to net zero global emissions. We believe doing so will require the use of new technologies at scale, such as physically removing carbon from the atmosphere and sequestering it permanently. Unfortunately, this technology is too expensive right now to make an impact at scale.

In 2020, we were one of the first companies to join Stripe's Climate Program to bring down the cost of this technology by making commitments to fund this new type of carbon reduction. Unlike other carbon reduction methods, Stripe's program required that all carbon removal has a permanence of greater than a thousand years, is directly measured and verifiable, and has a net-negative lifecycle ratio of less than one.

Today, DuckDuckGo is pleased to contribute to carbon removal with Carbonfuture. We have committed that every year, whatever amount of money we spend on CNaught projects, we will make an equal dollar contribution to Carbonfuture to help directly remove carbon from the air – and more importantly, to help pull this technology forward. Visit Carbonfuture’s website to learn more about their rigorous, data-driven approach to carbon removal.

Sustainability at DuckDuckGo

We're committed to doing our part, both online and off. As a DuckDuckGo user, we hope you can rest assured that we are doing our part in the climate crisis. We're now achieving net zero emissions through rigorously measured programs that continue to have a positive environmental and societal impact year after year. We're going carbon negative by funding projects to account for 125% of our emissions, and then doubling that total amount to invest in physically removing carbon from the air to advance this important technology for our future.

Note: This blog post has been edited since initial publication with additional information about our sustainability commitments.

For more privacy advice follow us on Twitter, and stay protected and informed with our privacy newsletter.

Brute-force attempts against SMB services can be early signs of an attack

Categories: Threat Research

Tags: Ransomware, WantToCry, SMB

<p>Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities</p>

Categories: Threat Research

Tags: MacOS, AMOS, infostealer

With advisories, this month’s count approaches 300 – though many are already in place

Categories: Threat Research, X-ops

Tags: Patch Tuesday, MICROSOFT PATCH TUESDAY

<p>Seven things security teams can start doing today to reduce risk</p>

Categories: Threat Research

Tags: AI, CISO, risk

<p>A malicious imitation of&nbsp;Anthropic’s&nbsp;Claude&nbsp;site leads to&nbsp;DLL sideloading&nbsp;– and&nbsp;a backdoor</p>

Categories: Threat Research

Tags: Claude, Beagle, Backdoor, malvertising, AI, DONUT, DLL sideloading, Sophos X-Ops

Categories: Threat Research

Tags: advisory, Linux, Copy Fail

Categories: Threat Research

Tags: advisory, NPM, SAP

<p>Two supply chain attacks, same day, same command-and-control domain</p>

Categories: Threat Research

Tags: Supply chain, Sophos X-Ops, pipeline, Bitwarden, Checkmarx

Following a long-established pattern, the fourth month of the year is one of the cruelest

Categories: X-ops, Threat Research

Tags: Patch Tuesday

The use of hidden virtual machines (VMs) enables long-term access, credential harvesting, data exfiltration, and PayoutsKing ransomware deployment

Categories: Threat Research

Tags: virtual machine, QEMU, PayoutsKing, GOLD ENCOUNTER, CitrixBleed2

Categories: Threat Research

Tags: advisory, vulnerability, Adobe Reader

<p>Following our article on the challenges posed by agentic AI, we gave OpenClaw access to one of our legacy networks</p>

Categories: Threat Research

Tags: OpenClaw, LLM, AI, penetration testing, Red Team, CISO, Sophos X-Ops

Categories: Threat Research

Tags: advisory, NPM, Axios

<p>A phishing campaign targeting multiple organizations led to RMM installations – but not much else (yet). A threat actor experimenting, or an access-as-a-service attack underway?</p>

Categories: Threat Research

Tags: STAC6405, infostealer, RMM, Phishing

Victimizing software developers via fake companies, jobs, and code repositories to steal cryptocurrency

Categories: Threat Research

Tags: NICKEL ALLEY, Contagious Interview, North Korea, clickfix

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

A review of the GitHub account and its exposed passwords show the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.

“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases.

As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness).

Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including:

• CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
• CVE-2026-41096: A critical RCE in the Windows DNS client implementation worthy of attention despite Microsoft assessing exploitation as less likely.
• CVE-2026-41103: A critical elevation of privilege vulnerability that allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws. Microsoft was among a few dozen tech giants given access to a “Project Glasswing,” a much-hyped AI capability developed by Anthropic that appears quite effective at unearthing security vulnerabilities in code.

Apple, another early participant in Project Glasswing, typically fixes an average of 20 vulnerabilities each time it ships a security update for iOS devices, said Chris Goettl, vice president of product management at Ivanti. On May 11, Apple shipped updates to address at least 52 vulnerabilities and backported the changes all the way to iPhone 6s and iOS 15.

Last month, Mozilla released Firefox 150, which resolved a whopping 271 vulnerabilities that were reportedly discovered during the Glasswing evaluation.

“Since Firefox 150.0.0 released, they have been on a more aggressive weekly cadence for security updates including the release of Firefox 150.0.3 on May Patch Tuesday resolving between three to five CVEs in each release,” Goettl said.

The software giant Oracle likewise recently increased its patch pace in response to their work with Glasswing. In its most recent quarterly patch update, Oracle addressed at least 450 flaws, including more than 300 fixes for remotely exploitable, unauthenticated flaws. But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

On May 8, Google started rolling out updates to its Chrome browser that fixed an astonishing 127 security flaws (up from just 30 the previous month). Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

If you encounter any weirdness applying the updates from Microsoft or any other vendor mentioned here, feel free to sound off in the comments below. Meantime, if you haven’t backed up your data and/or drive lately, doing that before updating is generally sound advice. For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today.

Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.

Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers or financial information.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform. “At this stage, we believe the incident has been contained,” Instructure wrote.

However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from ShinyHunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”

“We anticipate being up soon, and will provide updates as soon as possible,” reads the current message on Instructure’s status page.

While the data stolen by ShinyHunters may or may not contain particularly sensitive information (ShinyHunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers and email addresses), this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.

The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data — regardless of whether Instructure decides to pay.

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.

In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.

“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”

In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.

ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance. BleepingComputer says ShinyHunters recently has taken credit for a number of extortion attacks against high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.

The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said “there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”

Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.

“The history of education-vendor incidents suggests the path of least resistance is the second one,” he concluded.

Update, May 8, 11:05 a.m. ET: Instructure has published an incident update page that includes more information about the breach. Instructure said its Canvas portal is functioning normally again, and that the hackers exploited an issue related to Free-for-Teacher accounts.

“This is the same issue that led to the unauthorized access the prior week,” Instructure wrote. “As a result, we have made the difficult decision to temporarily shut down Free-for-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts.”

Instructure said affected organizations were notified on May 6.

“If your organization is affected, Instructure will contact your organization’s primary contacts directly,” the update states. “Please don’t rely on third-party lists or social media posts naming potentially affected organizations as those lists aren’t verified. Instructure will confirm validated information through direct outreach to all affected organizations.”

Update, May 11, 10:16 p.m. ET: Instructure posted an update saying they paid their extortionists in exchange for a promise to destroy the stolen data. “The data was returned to us,” the update reads. “We received digital confirmation of data destruction (shred logs). We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”

A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image.

An Archer AX21 router from TP-Link. Image: tp-link.com.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online.

The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators.

Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known DDoS-for-hire services.

Nevertheless, the exposed archive shows that a Brazil-based threat actor maintained root access to Huge Networks infrastructure and built a powerful DDoS botnet by routinely mass-scanning the Internet for insecure Internet routers and unmanaged domain name system (DNS) servers on the Web that could be enlisted in attacks.

DNS is what allows Internet users to reach websites by typing familiar domain names instead of the associated IP addresses. Ideally, DNS servers only provide answers to machines within a trusted domain. But so-called “DNS reflection” attacks rely on DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these servers so that the request appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (targeted) address.

By taking advantage of an extension to the DNS protocol that enables large DNS messages, botmasters can dramatically boost the size and impact of a reflection attack — crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This amplification effect is especially pronounced when the perpetrators can query many DNS servers with these spoofed requests from tens of thousands of compromised devices simultaneously.

A DNS amplification and reflection attack, illustrated. Image: veracara.digicert.com.

The exposed file archive includes a command-line history showing exactly how this attacker built and maintained a powerful botnet by scouring the Internet for TP-Link Archer AX21 routers. Specifically, the botnet seeks out TP-Link devices that remain vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that was patched back in April 2023.

Malicious domains in the exposed Python attack scripts included DNS lookups for hikylover[.]st, and c.loyaltyservices[.]lol, both domains that have been flagged in the past year as control servers for an Internet of Things (IoT) botnet powered by a Mirai malware variant.

The leaked archive shows the botmaster coordinated their scanning from a Digital Ocean server that has been flagged for abusive activity hundreds of times in the past year. The Python scripts invoke multiple Internet addresses assigned to Huge Networks that were used to identify targets and execute DDoS campaigns. The attacks were strictly limited to Brazilian IP address ranges, and the scripts show that each selected IP address prefix was attacked for 10-60 seconds with four parallel processes per host before the botnet moved on to the next target.

The archive also shows these malicious Python scripts relied on private SSH keys belonging to Huge Networks’s CEO, Erick Nascimento. Reached for comment about the files, Mr. Nascimento said he did not write the attack programs and that he didn’t realize the extent of the DDoS campaigns until contacted by KrebsOnSecurity.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento said. “We didn’t dig deep enough at the time, and what you sent makes that clear.”

Nascimento said the unauthorized activity is likely related to a digital intrusion first detected in January 2026 that compromised two of the company’s development servers, as well as his personal SSH keys. But he said there’s no evidence those keys were used after January.

“We notified the team in writing the same day, wiped the boxes, and rotated keys,” Nascimento said, sharing a screenshot of a January 11 notification from Digital Ocean. “All documented internally.”

Mr. Nascimento said Huge Networks has since engaged a third-party network forensics firm to investigate further.

“Our working assessment so far is that this all started with a single internal compromise — one pivot point that gave the attacker downstream access to some resources, including a legacy personal droplet of mine,” he wrote.

“The compromise happened through a bastion/jump server that several people had access to,” Nascimento continued. “Digital Ocean flagged the droplet on January 11 — compromised due to a leaked SSH key, in their wording — I was traveling at the time and addressed it on return. That droplet was deprecated and destroyed, and it was never part of Huge Networks infrastructure.”

The malicious software that powers the botnet of TP-Link devices used in the DDoS attacks on Brazilian ISPs is based on Mirai, a malware strain that made its public debut in September 2016 by launching a then record-smashing DDoS attack that kept this website offline for four days. In January 2017, KrebsOnSecurity identified the Mirai authors as the co-owners of a DDoS mitigation firm that was using the botnet to attack gaming servers and scare up new clients.

In May 2025, KrebsOnSecurity was hit by another Mirai-based DDoS that Google called the largest attack it had ever mitigated. That report implicated a 20-something Brazilian man who was running a DDoS mitigation company as well as several DDoS-for-hire services that have since been seized by the FBI.

Nascimento flatly denied being involved in DDoS attacks against Brazilian operators to generate business for his company’s services.

“We don’t run DDoS attacks against Brazilian operators to sell protection,” Nascimento wrote in response to questions. “Our sales model is mostly inbound and through channel integrator, distributors, partners — not active prospecting based on market incidents. The targets in the scripts you received are small regional providers, the vast majority of which are neither in our customer base nor in our commercial pipeline — a fact verifiable through public sources like QRator.”

Nascimento maintains he has “strong evidence stored on the blockchain” that this was all done by a competitor. As for who that competitor might be, the CEO wouldn’t say.

“I would love to share this with you, but it could not be published as it would lose the surprise factor against my dishonest competitor,” he explained. “Coincidentally or not, your contact happened a week before an important event – ​​one that this competitor has NEVER participated in (and it’s a traditional event in the sector). And this year, they will be participating. Strange, isn’t it?”

Strange indeed.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.

Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.

As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.

The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department said Buchanan admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan was arrested by Spanish authorities in June 2024 while trying to board a flight to Italy. He was extradited to the United States and has remained in U.S. federal custody since April 2025.

Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.

Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most rapacious SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard previously listed Buchanan’s hacker alias Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.

Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Justice Department, he faces a statutory maximum sentence of 22 years in federal prison. However, any sentence the judge hands down in this case may be significantly tempered by a number of mitigating factors in the U.S. Sentencing Guidelines, including the defendant’s age, criminal history, time already served in U.S. custody, and the degree to which they cooperated with federal authorities.

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.

But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”

Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.

For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “Forest Blizzard.”

How targeted DNS requests were redirected at the router. Image: Black Lotus Labs.

Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.

Researchers at Black Lotus Labs, a security division of the Internet backbone provider Lumen, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.

Black Lotus Security Engineer Ryan English said the GRU hackers did not need to install malware on the targeted routers, which were mainly older Mikrotik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

As the U.K.’s National Cyber Security Centre (NCSC) notes in a new advisory detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.

DNS hijacking through router compromise. Image: Microsoft.

Because those tokens are typically transmitted only after the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.

“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Microsoft refers to the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

Black Lotus Labs engineer Danny Adamitis said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar NCSC report (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.

“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”

TP-Link was among the router makers facing a complete ban in the United States. But on March 23, the U.S. Federal Communications Commission (FCC) took a much broader approach, announcing it would no longer certify consumer-grade Internet routers that are produced outside of the United States.

The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly-secured routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk’s Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special “conditional approval” from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.

The GandCrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

The REvil ransomware affiliate program materialized around the same as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.

Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.

Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchuckin is mentioned at around 24:25).

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran’s timezone or have Farsi as the default language. Image: Aikido.dev.

In a profile of TeamPCP published in January, the security firm Flare said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.

“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” Flare’s Assaf Morag wrote. “The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.”

On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.

Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload which executes a wiper attack if the user’s timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.

“If it doesn’t it will just wipe the local machine,” Eriksen told KrebsOnSecurity.

Image: Aikido.dev.

Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister — a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.

Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.

“When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages,” Eriksen said. “It was almost like they were just showing off how much access they had. Clearly, they have an entire stash of these credentials, and what we’ve seen so far is probably a small sample of what they have.”

Security experts say the spammed GitHub messages could be a way for TeamPCP to ensure that any code packages tainted with their malware will remain prominent in GitHub searches. In a newsletter published today titled GitHub is Starting to Have a Real Malware Problem, Risky Business reporter Catalin Cimpanu writes that attackers often are seen pushing meaningless commits to their repos or using online services that sell GitHub stars and “likes” to keep malicious packages at the top of the GitHub search page.

This weekend’s outbreak is the second major supply chain attack involving Trivy in as many months. At the end of February, Trivy was hit as part of an automated threat called HackerBot-Claw, which mass exploited misconfigured workflows in GitHub Actions to steal authentication tokens.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief. But he said there is no reliable way to tell whether TeamPCP’s wiper actually succeeded in trashing any data from victim systems, and that the malicious payload was only active for a short time over the weekend.

“They’ve been taking [the malicious code] up and down, rapidly changing it adding new features,” Eriksen said, noting that when the malicious canister wasn’t serving up malware downloads it was pointing visitors to a Rick Roll video on YouTube.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said. “I feel like these people are really playing this Chaotic Evil role here.”

Cimpanu observed that supply chain attacks have increased in frequency of late as threat actors begin to grasp just how efficient they can be, and his post documents an alarming number of these incidents since 2024.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote. “Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix.”

Update, 2:40 p.m. ET: Wiz is reporting that TeamPCP also pushed credential stealing malware to the KICS vulnerability scanner from Checkmarx, and that the scanner’s GitHub Action was compromised between 12:58 and 16:50 UTC today (March 23rd).

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

Image: Shutterstock, @Elzicon.

The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughy 1,000 digital sieges.

The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.

On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.

The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.

In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.

Having receive a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future. Read more in my article on the Hot for Security blog.

Lesson one for aspiring dark web kingpins: don't have your laundered gold bars shipped to your home address. Read more in my article on the Hot for Security blog.

Pay up, or we'll pay someone to pay you a visit. Cybercrime gangs are increasingly turning to real-world threats - and even hiring local muscle to deliver the message. Read more in my article on the Hot for Security blog.

Welcome to the largest educational data breach in history - affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas's parent company refused to pay and announced they had deployed "security patches" instead, the hackers were less than impressed. So they came back through the cat flap. Meanwhile, a famous finance expert's face has been showing up on Facebook adverts promising hot stock tips and exclusive WhatsApp investment groups. Spoiler: it isn't him, the tips aren't real, and you're about to be scammed. Plus we chat to Mike Nichols of Elastic, about how the SOC isn't dying, attackers and defenders are both deploying AI agents, and how the real security crisis is no longer human users - it's the bots acting on their behalf. All this and more in episode 467 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.

One in eight UK workers admits to selling their company login credentials - or knowing someone who has - in the past 12 months. The really alarming bit? Their bosses are even more relaxed about it. Read more in my article on the Fortra blog.

Most universities have a careers fair. At Bauman Moscow State Technical University, however, an elite group of students appear to have something rather more unusual: a direct pipeline into some of the world's most notorious state-sponsored hacking groups. Read more in my article on the Hot for Security blog.

You don't need to live near a scam compound for it to wreck your life. Americans lost $5.8 billion to crypto investment scams last year alone - and a raid in Sri Lanka this month shows exactly how the operations behind them keep finding new places to hide. Read more in my article on the Hot for Security blog.

Meta's smart glasses promise privacy "designed for you" - but everything they record was being beamed off to workers in Nairobi to label by hand. When those workers blew the whistle, Meta sacked all 1,108 of them. Meanwhile, the IT press is in a frenzy over a new Linux bug called "Copy Fail" - complete with logo, dedicated website, and a marketing-friendly name. But is it really the disaster everyone's making it out to be? And in our featured interview, Jake Moore of ESET explains how he tricked a company into offering his deepfake clone a job - after a perfectly normal-looking video interview. All this and more in episode 466 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Paul Ducklin.

Here's a tip for you all. Unless you want to draw attention to yourself as a cybercriminal, don't flaunt your diamond-encrusted "HACK THE PLANET" necklace on Snapchat, or pose as a Sopranos crime boss while the FBI is reportedly closing in. Read more in my article on the Hot for Security blog.

US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes. Read more in my article on the Hot for Security blog.

A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency. Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Governments know about it. Telecoms know about it. Nobody's fixing it. All this and more in episode 465 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball. Plus! Don't miss our featured interview with Rob Edmondson of CoreView, discussing how to lock down Microsoft 365 before it's too late.

A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces - if found guilty - the prospect of decades behind bars. Read more in my article on the Hot for Security blog.

A 21-year-old man suspected of conducting approximately 100 data breaches since late 2025 - including a hack of the French Ministry of National Education that exposed records on almost a quarter of a million employees - has been arrested at his home in western France. Read more in my article on the Hot for Security blog.

A company that ran anonymous tip lines for 35,000 American schools - handling reports of bullying, weapons, and self-harm - boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results... Meanwhile, Rockstar Games gets hacked again - and the stolen data turns out to be less embarrassing than the financial secrets it accidentally revealed. GTA Online is still making half a billion dollars a year. Red Dead Redemption is not. All this and more in episode 464 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest BBC cybersecurity correspondent Joe Tidy. Plus! Don't miss our featured interview with Ryan Benson of Meter.

If you hold cryptocurrency, there's a very simple golden rule that you should always follow. Never hand over your seed phrase. Garrett Dutton, better known as G. Love - the front man of blues-hip-hop outfit G. Love & Special Sauce - has learnt that lesson the hard way. Read more in my article on the Hot for Security blog.

Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the Fortra blog.

A hacking group claims to have broken into the flood defence system protecting Venice's Piazza San Marco - and is offering to sell access to whoever wants it. The asking price? A frankly insulting $600. Meanwhile, Anthropic accidentally leaked the source code for Claude Code via a basic packaging mistake. Oh, and by the way, they've also just revealed they've built an AI model called Mythos that can find and chain together software vulnerabilities faster than any human. Sleep well. All this and more in episode 463 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Tanya Janca.

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point. Read more in my article on the Hot for Security blog.

The fraud landscape has been changed by AI and cryptocurrency in a way that should concern organisations and individuals alike. Read more in my article on the Fortra blog.

LinkedIn has been secretly scanning your browser for over 6,000 installed extensions — on every single click you make. It can tell if you're job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned anywhere in their privacy policy. Meanwhile, California's crypto millionaires are learning that no amount of encryption can protect you from someone who knocks on your door pretending to deliver a pizza. All this and more in episode 462 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Dave Bittner.

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. [...]

Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [...]

The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week. [...]

Identity checks alone can't stop attackers using stolen session tokens and compromised devices. Specops Software outlines why Zero Trust strategies increasingly depend on continuous device verification. [...]

Drupal has announced a "core security release" scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure. [...]

PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. [...]

GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. [...]

Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. [...]

GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code. [...]

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. [...]

Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals. [...]

Discord announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE). [...]

The FBI says Americans have lost over $388 million last year to scams using cryptocurrency kiosks, also known as crypto ATMs or Bitcoin ATMs. [...]

A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. [...]

Microsoft plans to raise the quality bar of Windows 11 drivers, as drivers "sit at the heart of every Windows experience" and connect the OS to the "silicon, components, and peripherals." [...]

Signal, the privacy-focused messaging app, has announced new features to enhance its calling experience, making it easier for users to initiate and manage group calls. The primary addition, “Call Links,” allows users to share a link to initiate a call with any contact on Signal without the need to create a group chat. This feature …

The post Signal Introduces Call Links for Simplified Private Group Calls appeared first on RestorePrivacy.

The Tor Project is currently facing an unusual, ongoing attack aimed at its infrastructure. For several weeks, an unknown threat actor has been spoofing the IP addresses of Tor relays and directory authorities, sending fake TCP SYN packets over SSH’s port 22. This technique has led to a flood of abuse complaints directed at Tor …

The post Tor Relays Targeted in IP Spoofing Campaign Causing Widespread Disruptions appeared first on RestorePrivacy.

Proton has launched its much-anticipated Black Friday sale for 2024, offering incredible discounts on services like Proton VPN, Proton Mail, Drive, and Pass. These Proton deals all include a 30-day money-back guarantee, allowing you to assess the service risk-free. This sale is the perfect chance to boost your online privacy and access premium features at …

The post Proton Black Friday Deals Go Live: VPN, Mail, Drive, Pass appeared first on RestorePrivacy.

Session, the encrypted messaging app known for its commitment to privacy and decentralization, announced a change of base from Australia to Switzerland. The app will now be overseen by the newly formed Session Technology Foundation (STF), based in central Europe. This move follows increasing regulatory pressure on privacy technologies in Australia, where the app was …

The post Encrypted Messenger Session Moves to Switzerland Amid Privacy Concerns appeared first on RestorePrivacy.

Mullvad VPN announced that macOS users may experience traffic leaks after applying recent system updates due to a firewall malfunction. According to a bulletin published earlier today on Mullvad’s blog, the macOS firewall fails to enforce certain routing rules properly, allowing some applications to bypass the VPN tunnel and send traffic outside of it. Mullvad …

The post Mullvad VPN Warns About Traffic Leaks on Latest macOS Sequoia appeared first on RestorePrivacy.

Discord, a popular communication platform, has been blocked in both Russia and Turkey, sparking widespread backlash from users in both countries. In Russia, the block took place yesterday, with the government citing concerns over illegal content, while Turkey implemented blocks a day prior, on October 7, 2024, claiming the platform was being used for criminal …

The post Discord Blocked in Russia and Turkey Amid Government Crackdowns appeared first on RestorePrivacy.

NordVPN, one of the world’s leading VPN service providers, has launched its first application featuring quantum-resilient encryption. Post-quantum cryptography support is currently available on NordVPN’s Linux client, with plans to extend this security to all applications by the first quarter of 2025. The move represents a significant step toward preparing for potential future threats posed …

The post NordVPN Adds NIST-Approved Quantum Encryption on the Linux Client appeared first on RestorePrivacy.

The European privacy rights organization noyb has filed a formal complaint against Mozilla for enabling a new feature in its Firefox browser that allegedly tracks users without their consent. The feature in question, called Privacy-Preserving Attribution (PPA), is designed to measure the effectiveness of online advertisements while minimizing data collection, but noyb claims it violates …

The post Mozilla Faces GDPR Complaint Over Firefox Tracking Users Without Consent appeared first on RestorePrivacy.

Telegram CEO Pavel Durov announced significant updates to the app’s Terms of Service and Privacy Policy, aimed at bringing the popular communications platform in alignment with the request of authorities to bring criminal activity under control. Most notably, Telegram will now share user IP addresses and phone numbers when responding to valid legal requests. Putting …

The post Telegram to Share User Data with Authorities on Legal Requests appeared first on RestorePrivacy.

The Tor Project has issued a statement in response to recent claims of a targeted de-anonymization attack on a Tor user. The attack, reportedly a “timing analysis” method, involved the long-retired Ricochet application. Although the incident raises concerns about the security of Tor’s Onion Services, the project maintains that its network remains healthy and that …

The post Tor Project Reassures Users Amid Claims of De-Anonymization Attack appeared first on RestorePrivacy.

In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from Abrigo's Salesforce compromise via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely that it was "business contact information" including "institution name, employee name, email addresses, and phone numbers".

In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In their disclosure notice, Canada Life advised that "it is a small proportion of our customers who may have been impacted". In the wake of the incident, Canada Life also published an alert cautioning customers to be wary of phishing attacks, a pattern often seen after the public release of breached data.

In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers.

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records. The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara's parent company Inditex advised that the incident didn't affect passwords or payment information.

In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of email addresses, names, phone numbers and physical addresses, with the data indicating it related to Woflow customers and, in turn, the customers of merchants using their platform.

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information".

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.

In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.

In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.

In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.

In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity.

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M unique email addresses along with names, physical addresses and customer support records.

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records.

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets.

“We’ll have a generation of security professionals who can supervise AI but can’t function without it."

Categories: AI Research, Sophos Insights

Tags: AI, AI Cybersecurity, AI RESEARCH, Generative AI, SOC

Following on from our preview, here’s the full rundown on LLM salting: a novel countermeasure against LLM jailbreaks, developed by AI researchers at Sophos X-Ops

Categories: AI Research

Tags: AI, CAMLIS, Featured, jailbreak, LLM, salting, Sophos X-Ops

On October 22-24, SophosAI will present research on ‘LLM salting’ (a novel countermeasure against jailbreaks) and command line classification at CAMLIS 2025

Categories: AI Research

Tags: AI, CAMLIS, Featured, LLM, Sophos X-Ops

Analyzing dark web forums to identify key experts on e-crime

Categories: AI Research, Threat Research

Tags: AI, cybercrime, Dark Web, Featured, threat activity cluster, threat actors

Sophos X-Ops’ research, presented at Virus Bulletin 2024, uses ‘multimodal’ AI to classify spam, phishing, and unsafe web content

Categories: AI Research

Tags: Featured, Large Language Models, Multimodal AI, Sophos X-Ops, spam detection, Web Content Filtering