A newly discovered cyberattack campaign is raising serious alarms across the cybersecurity landscape. A hacker group known as PoisonSeed has developed a technique that bypasses even the strongest security measure in use today: FIDO hardware authentication keys.
Read Also:Weak Password Led to Ransomware Attack sank 158-year old Firm
FIDO keys have long been promoted as phishing-proof, but PoisonSeed is proving otherwise. Instead of using fake websites or email logins, they’re exploiting the human element behind device approvals. The attack begins when a user unknowingly shares partial access credentials or session tokens. Then, the attacker initiates a login request on a different device, such as a smartphone, that’s synced or associated with the target’s account.
When the user sees the prompt for FIDO key approval, it looks like a regular login attempt. Trusting the prompt, they tap to allow access—without realizing it’s a fraudulent session initiated by the attacker. Once inside, the hackers gain access to email accounts, file systems, sensitive corporate data, and in some cases, even digital wallets.
Read Also:Robot Showdown in Detroit
Security experts are particularly concerned about the attack’s subtlety. It avoids traditional password harvesting and instead relies on blending into the normal rhythm of user behavior. Because the request comes through familiar systems, many victims don’t question it until it’s too late.
The campaign has so far targeted enterprise-level platforms, especially those with weak internal monitoring or limited authentication verification. Companies are being urged to rethink their zero-trust frameworks, including adding extra validation steps after FIDO usage and educating employees on recognizing suspicious device activity.
Read Also:Citi and Ant Pilot AI‑Powered FX Tool for Clients
The PoisonSeed campaign shows that even the strongest security tools can become weak spots when combined with clever social engineering. Organizations that rely heavily on FIDO must now adapt their systems to defend not just against technical breaches but against user confidence being turned into a vulnerability.
