This week's incidents share a single thread: credentials stolen weeks or months ago are still opening doors. Patching the vulnerability that enabled the theft doesn't invalidate what was already taken. Three cases from this week make that point in different ways:

  • FortiBleed confirmed that over 15,000 verified Fortinet admin and VPN credentials (collected from firewall config files across 100+ countries) are already in circulation. CISA's message was unambiguous: rotating credentials is not optional after a compromise, and software updates alone don't close the window.
  • Operation Endgame disrupted the infrastructure behind Amadey and StealC, two of the most active infostealer families. Europol recovered around 27 million stolen credentials and seized hundreds of servers. The infrastructure is down; the credentials already in circulation are not.
  • France's FICOBA breach required no exploit at all. An attacker used a single compromised civil servant account to browse 3.5 million bank records over two weeks: no software vulnerability, just an unmonitored credential left active.

The week also brought a supply chain breach at LastPass through a third-party SaaS platform, an actively exploited Cisco SD-WAN zero-day that gave attackers root access and hidden admin accounts for over two months, and a suspected 200 GB exfiltration from the Council of Europe claimed by ShinyHunters. 

On the industry side, Czech firm Wultra raised €3.5M for post-quantum authentication, and WALLIX partnered with Inria to address the growing machine identity problem: API keys, tokens, and service accounts that most organizations still can't fully inventory.

This digest covers 8 significant events from 22 to 29 June 2026.


FortiBleed: 15,000+ Fortinet admin credentials stolen across 100+ countries, CISA demands immediate rotation

Security researchers uncovered a large-scale credential harvesting campaign dubbed FortiBleed, which exposed more than 15,000 verified administrator and SSL VPN credentials for Fortinet FortiGate firewalls across 100+ countries. The credentials, collected over several years through compromised firewall configuration files, have been linked to organizations including Siemens, DHL, and a Turkish defense contractor. 

Why it matters: FortiBleed highlights a critical distinction: patching a vulnerability does not eliminate the risk once credentials have already been stolen. Following the disclosure, CISA urged organizations to act immediately:

  • Terminate sessions and reset credentials. End all active SSL VPN and admin sessions. Reset all Fortinet VPN and admin passwords, especially on internet-facing systems.
  • Ensure secure credential storage. Confirm use of PBKDF2 for storing administrator credentials and remove weaker legacy hashes per Fortinet's guidance.
  • Review logs. Check firewall, VPN, authentication, and domain controller logs for lateral movement, suspicious accounts, or unauthorized configuration changes.
  • Enable phishing-resistant MFA. Require phishing-resistant MFA on all remote access and admin accounts, including all external gateways and administrative interfaces.
  • Reduce the attack surface and lock down management access. Keep firewall administration off the public internet, restrict management interfaces to trusted internal networks, and disable unnecessary accounts.

Sources: Dark Reading – 23 Jun 2026


LastPass customer support data stolen through Klue supply chain breach

LastPass notified users that customer support and sales data was stolen after attackers compromised Klue, a third-party market research platform. The extortion group Icarus reportedly abused OAuth tokens to access Salesforce data from around 20 cybersecurity companies, including LastPass, HackerOne, and Recorded Future. LastPass said password vaults were not affected, but the stolen data included customer names, phone numbers, email and physical addresses, support case details, and sales records. 

Why it matters: The incident shows how SaaS integrations can expose sensitive customer data even when core systems remain secure. For enterprises, the incident reinforces the need to assess third-party SaaS access, restrict OAuth permissions, monitor integration activity, and treat supplier governance as part of identity security. Under frameworks like NIS2, vendor risk and access control are becoming board-level security concerns.

Sources: TechCrunch – 23 Jun 2026


Operation Endgame: Europol seizes hundreds of servers, recovers 27 million stolen credentials from Amadey and StealC networks

An international law enforcement operation led by Europol disrupted the infrastructure behind the Amadey and StealC malware families, two of the most active credential-stealing platforms. Authorities seized hundreds of servers and domains, froze cryptocurrency linked to the operators, and recovered around 27 million stolen credentials. The operation involved several European countries, including Germany, France, the Netherlands and the UK. Microsoft estimated that these malware families infected hundreds of thousands of devices worldwide during recent campaigns.

Why it matters: This is one of the largest recent disruptions of the infostealer ecosystem. However, organizations should not assume the risk has disappeared. Millions of stolen passwords and session tokens are already circulating in criminal markets and will continue to fuel account takeover attacks. 

Source: The Hacker News / Europol – 24 Jun 2026


Cisco SD-WAN zero-day exploited for 2+ months: attackers gained root access and created hidden admin accounts

Cisco disclosed that attackers had been exploiting a zero-day vulnerability in Catalyst SD-WAN Manager for at least two months before disclosure. According to Mandiant, attackers obtained root privileges, modified administrator credentials, created hidden privileged accounts and removed forensic evidence to maintain long-term persistence. Cisco also released information about a related authentication bypass vulnerability affecting the same platform.

Why it matters: Many organizations treat network appliances as trusted infrastructure, yet these devices often hold highly privileged credentials. Once compromised, they provide attackers with persistent administrative access across the network. Patching should be paired with continuous monitoring of privileged identities.

Source: The Hacker News / Google Mandiant – 25 Jun 2026


Compromised government credentials expose 3.5 million bank accounts in French FICOBA registry breach

French authorities disclosed that attackers used compromised government credentials to access FICOBA, the country's national bank account registry. Over a period of approximately two weeks, attackers viewed information linked to around 3.5 million bank accounts, including names, addresses and IBAN numbers. Authorities reported that the attacker abused an existing civil servant account rather than exploiting a software vulnerability.

Why it matters: The incident highlights that compromised credentials remain a major threat even in government systems. Strong identity controls are just as important as infrastructure security. As NIS2 enforcement expands across Europe, incidents like this show why identity security is becoming a board-level compliance issue.

Source: Shattered.io – 23 Jun 2026


ShinyHunters claims 200 GB stolen from Council of Europe HR and payroll systems

The ShinyHunters group claimed responsibility for breaching internal systems belonging to the Council of Europe and stealing more than 200 GB of HR and payroll information. The organization confirmed a cybersecurity incident, restricted access to affected systems and launched a forensic investigation. At the time of publication, the full scope of the compromise had not been confirmed.

Why it matters: Although attribution remains under investigation, the incident follows a growing pattern of attacks against public institutions using stolen credentials or phishing. European organizations should expect attackers to continue targeting identity systems rather than infrastructure alone. Strong access controls and rapid incident response remain essential for both public and private sectors.

Source: CyPro – 26 Jun 2026


Czech firm Wultra raises €3.5M to build post-quantum, phishing-resistant authentication for European banks

Czech cybersecurity company Wultra announced a €3.5 million Series A funding round to expand its authentication platform across Europe. The company develops phishing-resistant authentication technologies for banks, financial services and digital identity providers. The investment will support the adoption of post-quantum cryptography and authentication methods designed to meet upcoming European regulations, including PSD3, PSR and eIDAS 2.0.

Why it matters: European organizations are preparing not only for today's identity threats but also for future cryptographic risks. As regulators increasingly promote stronger digital identity standards, investments are shifting toward phishing-resistant and post-quantum authentication. The funding reflects growing demand for authentication technologies that can support long-term compliance while reducing dependence on passwords and legacy MFA methods.

Source: The Recursive – 29 Jun 2026


WALLIX and Inria partner to secure machine identities

European IAM/PAM vendor WALLIX and the French research institute Inria have announced a partnership to develop trusted AI solutions for securing machine identities. The collaboration aims to address the structural risks created by the rapid growth of non-human identities, including API keys, service accounts, tokens, and certificates used in automated workflows and CI/CD pipelines. 

Why it matters: Machine identities already outnumber human identities in most enterprise environments, and their numbers continue to grow with every new microservice and deployment pipeline. Yet many organizations still lack centralized control over these credentials, which remain scattered across configuration files, environment variables, and source code repositories. The growing attention from major European cybersecurity players confirms that machine identity management is becoming one of the top priorities for enterprise security.

Source: Industrial Cyber – 26 Jun 2026


This week's recap

Three things stand out as consistent gaps across this week's incidents:

  • Credential rotation is treated as a post-breach task, not a routine one. In all three cases, rotating credentials before or immediately after the initial compromise would have contained the damage.
  • Third-party SaaS access is largely unaudited. The LastPass breach came through a market research platform with OAuth access to Salesforce. Most security teams couldn't list every OAuth integration in their environment right now.
  • Machine identities remain the least-governed credential class. The WALLIX/Inria announcement and the Cisco case both point to the same gap: API keys, service accounts, and tokens in pipelines that no one is actively monitoring.

The good news from Operation Endgame is real: taking down Amadey and StealC infrastructure matters. But millions of previously stolen credentials are still available to attackers.

Effective access management limits the value of stolen credentials, even after the original attack is over. Passwork brings password and secrets management into a single platform — with a REST API, Python SDK, and CLI for teams that need centralized control over machine credentials without the overhead of traditional PAM. Control your credentials before attackers do.

Cybersecurity never stands still. We'll be back next week with the incidents and security trends that matter most for your teams.
Shadow IT in 2026: Risks, detection, and how to manage it
Shadow IT in 2026 spans AI agents, orphaned SaaS accounts, and unmonitored LLM sessions — risks most organizations can’t see. Learn what’s changed, what it costs, and how a 6-step governance framework closes the gap.
Secrets rotation lifecycle: From creation to revocation
Secret rotation fails when it’s treated as a scheduled task rather than a lifecycle. This guide covers all seven stages — from creation and ownership to safe rotation, emergency revocation, and audit evidence.
Supply chain security guide: Vendor risks, regulations, access control in 2026
48% of breaches now involve a third party. This guide covers the attack patterns behind SolarWinds, MOVEit, and XZ Utils — and the access controls, credential management practices, and regulatory requirements that actually stop them.