Microsoft: New Accounts are Passwordless, Authenticator's Password Manager Will be Deprecated, Skype is Retired; eCommerce Supply Chain Attack Lay Dormant Six Years

One year after year Microsoft began offering passkey support for consumer accounts, the company has announced that all new Microsoft accounts will be passwordless by default. The move is intended to protect customers' credentials from stuffing, brute force, and phishing attacks. Current Microsoft customers who have not yet adopted passkeys will be encouraged to do so when they sign into their accounts. Other companies, including Apple and Google, are also developing passkey support under the aegis of the Fast Identity Online (FIDO) Alliance.

Read more in

Microsoft has announced that the password manager feature of the Authenticator App will be phased out over the next few months, with the goal of users moving to Microsoft Edge for password management. Starting in June, users will not be able to save new passwords to Authenticator; in July, autofill will become unavailable, and in August, passwords saved in Authenticator will no longer be accessible. Authenticator will continue to support passkeys and multi-factor authentication. As of Monday, May 5, 2025, Microsoft has shut down their Skype video and messaging service. Skype debuted in 2003 and was acquired by Microsoft in 2011. Microsoft announced Skype's farewell in February of this year; Skype users are urged to migrate to Microsoft Teams.

Read more in

Researchers from Sansec have discovered a supply chain attack that targeted multiple vendors of e-commerce software. In all, Sansec found 21 Magento extensions infected with the same malware; Sansec estimates that the malware has infected between 500 and 1,000 online merchants. While the software was infected six years ago, it was activated only last month. The malware executes in site visitors' browsers, and it is capable of stealing payment card data and other sensitive information. Sansec recommends that all e-commerce sites running software from the affected vendors - Tigren, Magesolution (MGS), and Meetanshi, all of which are based on Magento Ð check for a fake license that they name in their report.

Read more in

UK retailer Co-op has disclosed that a recent cyber incident affecting the company's network did compromise some customer data. The incident, which followed a disruptive attack at Marks & Spencer and another at Harrods, has prompted the UKÕs National Cyber Security Centre's (NCSC's) CEO to call the attacks "a wake-up call to all organisations." NCSC has provided guidance for organizations and strongly urges all to adhere to best practices, including the use of multi-factor authentication, increased monitoring for account misuse with particular attention paid to domain admin, enterprise admin, and cloud admin accounts, and "ensur[ing] your security operation centres can identify logins from atypical sources such as VPNs services."

Read more in

US government contractors Raytheon Company, RTX Corporation, Nightwing Group LLC, and Nightwing Intelligence Solutions LLC will collectively pay $8.4 million for violations of the False Claims Act. According to the Department of Justice, "the settlement resolves allegations that Raytheon and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), failed to implement required cybersecurity controls on an internal development system that was used to perform unclassified work on certain DoD contracts. The United States alleged that Raytheon and RCSI failed to develop and implement a system security plan for the system, as required by DoD cybersecurity regulations, and failed to ensure that the system complied with other cybersecurity requirements."

Read more in

The Coweta County School System in the US state of Georgia published a press release on May 4, 2025, disclosing "an apparent cyberattack" characterized as a "network intrusion" that was discovered the previous Friday, May 2, 2025. The IT department immediately took systems offline and is continuing investigation alongside security partners; the school system has notified the Georgia Emergency Management Authority and Homeland Security of the incident. While school operations continue as normal, including use of student Chromebooks, Wi-Fi, and phones, some school system network processes are disrupted, and employees are not to use desktop devices; internal network access will remain restricted during investigation and monitoring. The school system does not believe personal information was compromised. Other US public school districts have experienced cyberattacks in recent weeks, including disruption of testing at Bartlesville Public Schools in Oklahoma and data theft as a result of ransomware at Baltimore City Public Schools in Maryland. Western New Mexico University (WNMU) is also still recovering from an April 13 cybersecurity incident, posting updates and resource information to a temporary website while the main site is being restored. WNMU isolated certain systems from the internet as part of its incident response plan and protective protocols. The attack has "disrupted the availability of certain web-based programs throughout the university system," and WNMU's IT department must check all desktop and laptop computers before they can be used. Campus Wi-Fi and VPN access are not available, and there appear to be disruptions to phone systems and the tuition payment portal; the school is allowing a grace period for Spring 2025 tuition payment, and faculty are offering extensions on academic work.

Read more in

A California man will plead guilty to breaking into a Disney employee's computer, gaining access to the company's network, and downloading more than a terabyte of confidential information. According to the plea agreement, Ryan Mitchell Kramer will plead guilty to "one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer," both of which are felony charges. The plea agreement also provides details about how Kramer gained access to the computer: early last year, Kramer posted a program online that claimed to be an AI image generator. In fact, the program contained malware that gave Kramer access to the computers of people who downloaded it. Kramer could face up to 10 years in prison.

Read more in

Nova Scotia Power and its holding company, Emera Incorporated, published an announcement on April 28, 2025, disclosing a cybersecurity incident discovered on April 25, 2025, stating that while portions of its internal IT system were temporarily offline, there was no disruption to any of the provider's physical operations nor its ability to serve customers in Nova Scotia, and Emera's US and Caribbean utilities were not impacted. Upon discovering unauthorized access to servers supporting business applications, the companies isolated the affected servers, initiated protocols for incident response and business continuity, engaged third-party cybersecurity experts, and informed law enforcement. An update posted May 1, 2025 states that "certain customer personal information was accessed and taken by an unauthorized third party," and any affected customers will be notified and provided with resources and support. The nature and scope of the attack are still under investigation. The companies urge vigilance against unsolicited communication claiming to be from Nova Scotia Power, especially prompts for personal information and any suspicious links or email attachments. A banner on the company's website repeats this caution, and a hotline has been established for customer questions.

Read more in

While the massive power outage on the Iberian peninsula on April 28 may not have been caused by a cyberattack but rather by an atmospheric phenomenon, the resulting widespread disruption was leveraged as part of a phishing campaign targeting speakers of Portuguese and Spanish. Cofense has published a blog post showing email messages sent during the blackout impersonating the Portuguese national airline TAP Air Portugal, invoking an EU regulation on air passengers' rights and offering compensation for delayed or cancelled flights through a WordPress phishing page aimed at collecting the target's name, date of birth, mailing address, email address, phone number, and credit card details. Dark Reading urges wariness of communications that relate current events to financial transactions, noting that the COVID-19 pandemic has also been leveraged before as part of opportunistic social engineering attacks.

Read more in

The US Cybersecurity and Infrastructure Security Agency has published an ICS Medical Advisory warning of two high-severity vulnerabilities affecting MicroDicom DICOM Viewer. DICOM (Digital Imaging and Communications in Medicine) is an international image format standard for storing and transmitting medical images. CVE-2025-35975 is an out-of-bounds write vulnerability that could be exploited to achieve arbitrary code execution. CVE-2025-36521 is an out-of-bounds read vulnerability that could be exploited to achieve memory corruption. The flaws affect MicroDicom DICOM Viewer versions 2025.1 (build 3321) and prior. Users are urged to update to MicroDicom DICOM Viewer version 2025.2 or later.

Read more in