• Russian Intelligence are targeting Signal accounts of officials based in Ukraine
• They pose as Signal support services and ask users to submit their Backup Recovery Keys
• Using these keys, the hackers can hijack the users account and any other accounts created using the same mobile phone number

The FBI has warned Russian Intelligence Services are posing as commercial messaging application support services in order to steal Backup Recovery Keys belonging to targets of high value in the military and government of the US, Europe, and Ukraine.

In a joint warning alongside the CISA and the Security Service of Ukraine (SSU), the FBI outlined the new phishing campaign which seeks to access messaging accounts in order to perform intelligence gathering of secret information.

Specifically, the FBI provided sample phishing lures targeting users of the Signal messaging app. If the hackers successfully lure a victim into sharing their Backup Recovery Key, they can access the account's message history, private and group messages, and fully take over the victim's account.

Russian Intelligence pose as Signal support services

In the FBI warning, the phishing techniques are further detailed. The Russian Federal Security Service (FSB) are targeting government officials, military personnel, political figures, journalists, and key officials from the US and Europe located in Ukraine.

The attackers send emails that appear to be automated messages from Signal, asking users to turn on their message backup using their Backup Recovery Key. Victims are provided with false instructions that instead send the Backup Recovery Key to the attacker, who can then use the key to take over the victim’s account.

In order to establish urgency and trust that the message is legitimate, the attackers posed the phishing message as a protection against recent hacking attempts from “Iran and post-Soviet countries.” In another sample message, the attacker's message says that the victim’s account data “is at risk of permanent loss due to a sync issue.”

If a victim shares their unique Backup Recovery Key, it allows the attacker to hijack their current Signal account alongside any subsequent accounts made with the same phone number.

For users who may fear their Backup Recovery Key has been compromised, users are instructed to use Signal settings to create a new Backup Recovery Key. This new key will invalidate all previous Backup Recovery Keys and prevent account takeover if the previous key was leaked.

In order to avoid falling victim to phishing messages, there are several ways to stay safe:

• Support services will generally only communicate with users via an official company email address. Always carefully check communications from the legitimate email address.
• Customer support will never request that you supply your Backup Recovery Key via the application
• You will never be asked to verify or restore your account via an automated customer support message

In order to further protect your Signal account, or other accounts, against phishing, users should consider the following:

• Use a passkey wherever possible. This will use your device’s built in biometric verification methods to authenticate your login.
• Use phishing resistant multi-factor authentication where possible
• Always double check messages and emails are legitimate, and are using an official company email
• Never supply your Backup Recovery Keys unless you are actively attempting to regain access to your account via a legitimate service

• Tens of millions of credentials may have been leaked following an attack on one of Japan's largest ISPs
• The attack leveraged a vulnerability in a third-party software used by KDDI
• Five other ISPs were also affected in the attack

A data breach that has potentially exposed the email and password combinations for over 14 million customers across six internet service providers (ISPs) has been disclosed by Japanese telecoms provider KDDI Corporation.

According to the company, hackers exploited a vulnerability in a third-party software to access the database of credentials. KDDI said that it immediately blocked the hackers' access after discovering the intrusion on June 17, 2026.

“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” the company said in a statement.

Millions of credentials exposed

Unfortunately, the breach was not confined to just KDDI. The email services of five other ISPs were also affected by the breach:

• STNet, Inc.
• JCOM Co., Ltd.
• Chubu Telecommunications C., Inc.
• NIFTY Corporation
• BIGLOBE Inc.

KDDI is yet to finish a formal investigation into the attack, but said that the hacker may have gained access to the emails addresses and passwords for 14.22 million current and former customers. The company also said that some of the passwords were stored in an encrypted format, and so will be inaccessible for the hackers, but the company did not say how many were stored in this manner.

Since discovering the breach, KDDI has also been working alongside the affected ISPs to secure systems and put in place mitigation measures to counter the abuse of exposed account credentials.

In order to stay protected, customers have been advised to change their account passwords and implement two-factor authentication.

Breaches such as these are particularly dangerous because they expose email and password combinations. As most people will have either one or two email addresses across their accounts, it increases the likelihood that hackers can attempt to use the exposed email and password combinations to try and access other accounts created with the same email.

This is especially true if the same password (or a variant thereof) is used across multiple accounts. Hackers can use brute force techniques to try hundreds of password combinations in a very short amount of time in order to crack weak or reused passwords.

When creating or updating a password for any account, no matter how infrequently it is used, always create a strong unique password. Password managers can create and suggest strong passwords, securely store them, and automatically fill login forms to take the hassle out of remembering passwords.

Alternatively, some services offer the ability to login using a passkey, which utilizes the built-in biometric authentication mechanisms of your device such as a facial scan or fingerprint. These login methods not only remove the need to type in passwords, but also reduce the possibility of hackers accessing your account through phishing attacks.

Via BleepingComputer

Like a vestige of a bygone era, my Hotmail email address still exists and works, even if the domain resolves to Microsoft's far less sexy Outlook online mail system. The continued utility of my Hotmail email address is a reminder that, 30 years after its launch, Hotmail played a valuable role in the early days of the Internet, even if its current existence is ephemeral at best.

It's easy to forget that Hotmail, which was founded by a former Apple Engineer, Sabeer Bhatia, and FirePower Systems engineer, Jack Smith, was the first free online email provider and was something of a sensation (the name was then quite apt). Also lost to history is its somewhat peripatetic journey from a platform used by millions (at its height around 130M) to a service that was deplatformed, derided, revived, and eventually abandoned.

Back in 1996, I was an editor at PC Magazine, then the world's most popular computing magazine, and I vaguely recall hearing about Hotmail and signing up for it. Microsoft, ever on the hunt for technology and companies that could fill its substantial online gaps (it licensed Spyglass Mosaic browser code to build Internet Explorer in 1994), purchased Hotmail in late 1996. Bhatia stuck around to run the platform for a year or two, and Smith appears to have left shortly after the acquisition.

Suddenly, 9 million or so early adopters were being quickly integrated into the burgeoning Microsoft ecosystem, with the Microsoft Network (MSN) in particular. To this day, my Hotmail address is tied to my Windows identity.

Hot until it's not

It was a good enough email system that I put my wife on it more than 20 years ago, but in 2006 or so, Microsoft, perhaps feeling the threat of the exploding Google Gmail userbase (launching in 2004, it was free and, at the time, with unlimited storage), decided to rebrand most of its services udner "Live" and the Hotmail service and domain was effectively retired.

But not dead. Our Hotmail address continued to work, but we were opening Windows Live inboxes instead. I hated it and teased Microsoft that if they thought Windows is "live" now, was it dead before?

I also wasn't thrilled that Microsoft had "put a pillow over Hotmail's face". It was a service I loved and used and served as the centerpiece for not just Microsoft's services, but other platforms where it was my login identity. The switch to a "@live.com" email address was just confusing.

In fact, Microsoft's entire email corpus at the time was a hot mess. We had Outlook addresses, Live addresses, Hotmail Addresses, MSN addresses. At one time, I may have had all of them.

A few years later, Microsoft reversed course, revived the Hotmail brand, and gave me the lovely cup you see above. All was forgiven, but, to be honest, by then I had moved on. My Hotmail email account became a resting place for forgotten and discarded subscriptions, as well as quite a few reminders about people's birthdays.

Don't email me

Hotmail as an email platform never really recovered, and eventually, Microsoft moved to put everyone on the Outlook email brand, which was almost as old as Hotmail and used, though not always loved, by millions of people who also use Microsoft Office.

My Hotmail account remains active to access Windows (though I mostly log in with biometrics or PIN codes now) and to access Outlook mail, where I can find emails going back 26 years (not as interesting as you might think).

The truth is, though, while that email account will probably live on, the most concrete reminder that Hotmail was once a thing (much like your old AOL email was once a thing) is that orange coffee cup.