Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud

Cybersecurity researchers have disclosed details of a telecommunications fraud campaign that uses fake CAPTCHA verification tricks to dupe unsuspecting users into sending international text messages that incur charges on their mobile bills, generating illicit revenue for the threat actors who lease the phone numbers.
According to a new report published by Infoblox, the operation is believed to

The Hacker News – ​Read More

Firefox Vulnerability Allows Tor User Fingerprinting

The vulnerability is tracked as CVE-2026-6770 and it has been patched with the release of Firefox 150 and Tor 15.0.10.

The post Firefox Vulnerability Allows Tor User Fingerprinting appeared first on SecurityWeek.

SecurityWeek – ​Read More

Your AI Agents Are Creating Identity Chaos (And You Don’t Even Know It)

Your AI Agents Are Creating Identity Chaos (And You Don't Even Know It)

I was reviewing our authentication logs last week when something caught my eye. Between 2 AM and 4 AM, we logged over 47,000 API calls. Nothing unusual there—except these weren’t coming from users. They were all AI agents.

This got me thinking about a problem nobody’s really talking about yet: we’re about to drown in machine identities, and most of our security teams are still thinking like it’s 2015.

The Problem Nobody Saw Coming

We spent decades building Identity and Access Management systems for humans. Then we evolved to Customer Identity systems that could handle millions of users. I spent years scaling CIAM platform to serve over a billion users, and I thought we’d seen everything.

We hadn’t.

AI agents don’t behave like humans. They don’t log in once a day. They don’t take coffee breaks. One agent can make thousands of requests per minute, accessing dozens of different systems, all with different credentials. And when something breaks? Good luck figuring out which agent, using which key, talking to which service caused the problem.

What Actually Happens in Production

Last month, a developer on my team spun up an AI agent to automate some content research. Simple task, right? Within 24 hours, that agent had:

  • Created API keys for three different services
  • Stored credentials in two different config files
  • Made 12,000 API calls across four systems
  • Left zero audit trail about what it actually did

Now multiply that by every developer, every team, every use case. You see the problem.

The Static API Key Disaster

Most companies are handling AI agent authentication the same way they handled service accounts in 2010: static API keys. Here’s why that’s a nightmare:

They live forever. That key you created for a proof-of-concept six months ago? Still valid. Still working. Still sitting in a GitHub repo somewhere.

They’re everywhere. Slack messages. Shared drives. Documentation. That one engineer’s personal notes. You’ll never find them all.

They scale exponentially. Each new AI agent needs keys for each service it touches. Five agents across ten services? That’s 50 credentials to manage, rotate, and secure.

And when you finally discover a compromised key? You have about 30 seconds to figure out which agent is using it before you break production.

Why Your IAM System Can’t Handle This

Traditional IAM was built for humans. CIAM scaled it for millions of consumers. But AI agents are a different beast entirely:

  • Humans authenticate once per session. Agents authenticate constantly.
  • Humans have predictable patterns. Agents don’t.
  • Humans can complete MFA challenges. Agents can’t (or shouldn’t).
  • You can lock out a suspicious user. Can you lock out the agent that’s running your entire content pipeline?

The authentication patterns that worked for user identity completely break down at machine scale.

What Actually Works

After dealing with this across multiple companies, here’s what I’ve learned:

Short-lived tokens. If your AI agent tokens live longer than an hour, you’re doing it wrong. Yes, it’s more work to implement. Yes, it’s worth it.

Centralized identity. Every agent gets registered. Every credential gets tracked. Every API call gets logged with full context about which agent made it. No exceptions.

Agent-specific roles. Stop giving agents admin access because it’s easier. If the agent only needs to read data, that’s all it gets.

Kill switches. You need the ability to instantly revoke an agent’s access without breaking everything else. Plan for compromise, because it will happen.

The Real Issue

The uncomfortable truth is that most companies are building AI agents faster than they’re thinking about security. I see it constantly—teams spinning up agents with production access, using personal API keys, with zero thought about rotation, monitoring, or incident response.

And when I ask about their agent identity strategy? Blank stares.

I’m as excited about AI agents as anyone. We’re building them at GrackerAI and LogicBalls. But excitement doesn’t excuse bad security. The same principles that apply to human identity apply to machine identity—they just need to work at a completely different scale.

Where To Start

If you’re running AI agents in production (or about to be), here’s your starting checklist:

  1. Audit what you have. Find every agent, every key, every credential. Yes, all of them.
  2. Implement token expiration. No more permanent keys. Period.
  3. Set up monitoring. You need to see what your agents are doing in real-time.
  4. Document everything. Which agent? What access? Why? When does it expire?
  5. Build a kill switch. Before you need it.

The AI agent explosion is happening whether we’re ready or not. The companies that take identity seriously now will save themselves a world of pain later.

The ones that don’t? Well, there’s always incident response consulting.


Deepak Gupta is co-founder & CEO at GrackerAI and previously co-founded LoginRadius, scaling it to serve over 1 billion users. He writes about AI, cybersecurity, and the intersection of both at guptadeepak.com.

Secjuice – ​Read More

Nearly half of cybersecurity pros want to quit – here’s why

Research suggests security specialists around the globe are unhappy, but there is hope.

Latest news – ​Read More

Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation

Microsoft Entra Agent ID flaw allowed privilege escalation and tenant takeover via Service Principal abuse, now fully patched by Microsoft.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

I ran the 20-minute Apple Watch calibration test – and my data got more accurate

Want more accurate, personalized health data during your exercises? Here’s how to calibrate your Apple Watch.

Latest news – ​Read More

Own a Hisense TV? I’d change these expert settings to noticeably improve the picture quality

New Hisense TVs look great right out of the box, but you can get more out of your screen by tweaking just a few menu options.

Latest news – ​Read More

I bought a $40 earwax camera and keep finding reasons to use it

The Bebird Earsight Plus D39R earwax removal tool is a surprisingly useful inspection camera. Here’s how I use it in my tool shed.

Latest news – ​Read More

Framework Laptop 13 Pro vs. MacBook Neo: These Windows rivals are more similar than expected

Framework’s sleek new Laptop 13 Pro is built for power users, but it shares similar ambitions to the Neo: Windows users seeking alternatives.

Latest news – ​Read More

How to audit what ChatGPT knows about you – and reclaim your data privacy

If you’re looking to limit the amount of personal information you give ChatGPT, these are the main settings you should know about.

Latest news – ​Read More