Dashlane Users Hit by Breach, Trezor Safe 7 Chip Flaw Found, and More Cybersecurity News


Dashlane breach, Trezor chip flaw, China-linked attacks, Instagram AI exploit.

We’ve compiled the week’s most important cybersecurity news.

  • Hackers breached users of the Dashlane password manager.
  • A flaw was found in the Trezor Safe 7 wallet’s security chip.
  • China-linked hackers targeted Europe.
  • Fraudsters convinced Meta’s AI support to reassign rare Instagram accounts.

Hackers breached Dashlane password manager users

Attackers bypassed two-factor authentication (2FA) and downloaded encrypted vaults containing user credentials from Dashlane accounts, the password manager’s developer said.

The campaign began on May 31, 2026, and targeted API endpoints for new device registration. The hackers brute-forced six-digit one-time codes sent to victims via email or generated by authenticator apps.

Although Dashlane’s automated security systems flagged the anomaly and began temporarily locking targeted accounts, the attackers managed to guess valid codes for a small number of victims. After passing 2FA, they authorized their own devices on user profiles, triggering the app to automatically download full copies of the encrypted vaults.

The company said “fewer than 20 users” were affected. Dashlane’s internal infrastructure and servers were not compromised. The company implemented additional verification layers and blocking of suspicious traffic.
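Why attempt limits on the code-checking endpoint decide the outcome of this kind of guessing attack is shown in the added example below. It is not Dashlane's code: the class name, the failure budget of 5 and the one-hour window are assumptions made for illustration. The failure budget is tied to the account rather than to an individual code, so requesting a fresh code does not refill it.

```python
import hmac
import secrets
import time

CODE_SPACE = 10**6      # six-digit one-time code, as in the incident
MAX_FAILURES = 5        # assumed failure budget per account
WINDOW_SECONDS = 3600   # assumed window over which failures are counted


class DeviceRegistrationGuard:
    """Hypothetical server-side OTP check for authorizing a new device."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._codes = {}     # account -> currently valid code
        self._failures = {}  # account -> timestamps of wrong guesses

    def issue(self, account):
        # Issuing a fresh code does NOT reset the failure history.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[account] = code
        return code

    def verify(self, account, guess):
        cutoff = self._now() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"  # even a correct code is refused while locked
        code = self._codes.get(account)
        if code is not None and hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[account]  # single use
            return "ok"
        recent.append(self._now())
        return "denied"


def guess_success_probability(attempts):
    """Chance that at least one of `attempts` independent random guesses
    hits a uniformly random six-digit code (codes may rotate between tries)."""
    return 1 - (1 - 1 / CODE_SPACE) ** attempts


if __name__ == "__main__":
    # 5 guesses/hour for a day versus an unthrottled million guesses.
    print(f"{guess_success_probability(5 * 24):.6f}")
    print(f"{guess_success_probability(10**6):.3f}")
```

With the assumed budget, a full day of guessing succeeds with a probability of roughly one in 8,000, while a million unthrottled guesses succeed about 63% of the time.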

Experts emphasized that the stolen password databases remain inaccessible without the victim’s master password. Thanks to ZKP architecture and strong encryption, the data are protected from quick cracking.

Because the vaults now physically reside on the attackers’ servers, they can use unlimited computing power for local cracking. The situation largely mirrors the incident with LastPass in 2022.

Flaw found in Trezor Safe 7 wallet’s security chip

Security chip developer Tropic Square disclosed a vulnerability in its TROPIC01 product, used in the Trezor Safe 7 hardware crypto wallet.

The issue was discovered by Ledger Donjon’s security research team during an independent audit. The specialists executed a successful Laser Fault Injection attack. In lab conditions, the method allowed them to bypass firmware signature verification and extract some secret data protected by the chip.

Based on Donjon’s report, Tropic Square identified a complex exploitation method to extract another secret. It affects TROPIC01 functions related to the PIN code. 

As Trezor representatives explained in an email to ForkLog, even with the additional finding, compromising the chip alone is insufficient to access the Trezor Safe 7 PIN. Moreover, users’ private keys and seed phrases are not stored on TROPIC01. To execute the exploit, an attacker would need full physical access to the victim’s wallet, expensive specialized equipment and expert knowledge.

Trezor said users do not need to take any action, as the wallet’s design fully mitigates the risk in practice.

China-linked hackers target Europe

Since March 2026, the pace of attacks by the China-linked group TA4922 has reached unprecedented levels, with the geography expanding to include organizations in Europe, according to Proofpoint.

The group had previously focused solely on East Asia, but recent campaigns shifted to commercial and government organizations in Germany, Italy, the UK and South Africa.

Number of TA4922 attacks by country. Source: Proofpoint.

For initial compromise, the hackers use high-quality localized phishing lures mimicking payroll notifications, tax audits, VAT returns and HR messages. In addition to email, they reach out via WhatsApp, LINE and Microsoft Teams.

In recent attacks they deployed a previously unknown remote-access trojan, Atlas. The backdoor supports a wide range of espionage features:

  • full system reconnaissance and fingerprinting;
  • targeted file exfiltration;
  • keylogging and screenshot capture;
  • audio and video recording via the victim’s peripherals;
  • remote power control of the system.

Atlas also includes sandbox-evasion mechanisms: it checks registry keys and usernames for signs of Microsoft Defender Application Guard and the CExecSvc service.

The group’s toolkit further includes a new loader, RomulusLoader, which stealthily launches remote administration tools such as AnyDesk and SyncFuture, which is popular in China. Researchers also observed a Python installer, SilentRunLoader, aimed at stealing Google Chrome session cookies and passwords.

Proofpoint believes TA4922 leverages large language models (LLMs) to accelerate development, citing an abundance of specific comments and structural patterns in the code that are characteristic of AI-generated output.

Scammers exploited Meta’s AI support to seize rare Instagram accounts

Some Instagram users lost access to their pages due to a critical vulnerability in the architecture of Meta’s AI support, BleepingComputer reports.

Attackers industrialized the bypass of platform safeguards, including two-factor authentication (2FA), by manipulating the AI assistant.

An attacker initiated the standard password-recovery protocol, claiming the page had been hacked. When Instagram’s automated system requested video identity verification, the hackers used a deepfake produced after obtaining images of the victim.

According to media reports, the attackers also enabled a VPN to mimic the victim’s usual geolocation, helping them bypass server-side security checks. The attacker then forced a change of the account’s linked email and reset the password.

Compromised accounts included unique short handles like @hey, @korn, @e and @f, as well as app researcher Jane Manchun Wong’s profile and a page previously used by the White House team during the Obama administration. Such rare digital assets can fetch tens of thousands of dollars on the black market. 

Victims complained they could not regain access due to a lack of human support. The owner of @korn said he spent more than six hours talking to a chatbot that sent him four non-working links in a row.

Meta’s VP of communications Andy Stone said that “the issue has been resolved and the security of affected accounts ensured,” without elaborating.

Minecraft infostealer infected 116,000 users

McAfee identified a large WeedHack campaign that affected more than 116,000 Minecraft users.

Researchers say the malware spreads via trojanized mods and clients promoted through SEO poisoning in search queries and on YouTube.

WeedHack operates as CaaS and, in its free base version, steals Minecraft session IDs, browser passwords, crypto wallet data, and Telegram and Discord accounts. A premium version at $5 per month provides full remote access to the victim’s PC.

WeedHack malware site. Source: McAfee.

In addition, according to Have I Been Pwned, data on 64,000 users of the Atlas Menu cheat service for Grand Theft Auto V leaked online in late May. Stolen information includes email addresses, logins, passwords and IP addresses. The hacker posted the database on GitHub.

Also on ForkLog:

  • Researchers created an adaptive AI worm.
  • Aave tightened listings after the $293 million rsETH incident.
  • A white-hat hacker unlocked $2 million in a 2016 smart contract.
  • The FBI uncovered a network of scam centers and seized $8 billion in bitcoin.

What to read this weekend?

At ForkLog’s request, Roman Korolev, author of the Telegram channel “Dark Culturology,” examines how the apocalyptic prophets of a “digital concentration camp” went from the margins to the mainstream.
