⚠️ UPDATE: New Court Files Reveal How Microsoft Helped the FBI Identify Peter Stokes "Bouquet" (Scattered Spider Member)
The court files reveal that Microsoft helped the FBI track Peter Stokes down using GDID — a Global Device Identifier, which is assigned to every Windows installation and cannot be changed unless the OS is wiped. The GDID helped them track:
• IP history
• Full web activity
• Video game activity and games played
• Logged-in social accounts, including Snapchat, Facebook, and Apple
According to the court documents, the critical mistake was using a VPN to create the ngrok account used in the May 2025 Tiffany & Co. hack from the same Windows device associated with his GDID.
Although the account was created from a VPN IP address ending in .168, Microsoft records show that the same GDID (6755467234350028) accessed the ngrok signup page at the exact time the account was created, linking the hack to his personal social accounts.
‼️ BREAKING: Volkswagen has banned GrapheneOS users from using their app. Users are reporting they can't log in or control their car anymore. Users are confused, saying Volkswagen allows their app to be used on End-of-Life Android versions, but not on fully patched GrapheneOS.
‼️🚨 This is alarming: Researchers found a one-click data exfiltration vulnerability in M365 Copilot. A single click on a trusted microsoft[.]com link let attackers pull emails, MFA codes, meeting notes, and SharePoint/OneDrive files, no permissions or second click required.
Microsoft has patched it as CVE-2026-42824, rated critical.
my company got breached
the attacker had access for 11 days
on day 3 he emailed our IT helpdesk
complained that the VPN was slow
our helpdesk reset his password
upgraded his access tier to fix the "connectivity issue"
and closed the ticket as resolved
CSAT score: 5 stars
we found this in the logs during forensics
the attacker had rated our IT support
excellent
Nius behauptet auf der Seite nicht mehr prominent, "Die Stimme der Mehrheit" zu sein.
Nius behauptete dann kurz, "verlässlich" zu sein. Auf der Homepage zurückgezogen seit Anfang Mai.
Verlässlich macht Nius aber Riesen-Verlust. Die 2024er-Bilanz ist da (1/2)
‼️Copy Fail (CVE-2026-31431) is a Linux privilege escalation bug that lets any local user get root using a 732-byte Python script, and itworks on basically every major Linux distro shipped since 2017.
Website: https://t.co/f5G6KnEv35
Write-up: https://t.co/W86Pz2PC6C
GitHub: https://t.co/zAMTC6nTRk
It's a logic flaw in the kernel's crypto code (authencesn via AF_ALG and splice()) that allows a small write into the page cache, which can be used to tamper with a setuid binary like /usr/bin/su.
Think how bad this is going to be for shared environments like Kubernetes, CI runners, and cloud sandboxes, where it enables container escape and tenant-to-host compromise.
Found by Theori's Xint Code scanner, patched in the mainline kernel, and publicly disclosed on April 29, 2026; if you can't patch right away, the recommended workaround is to disable the algif_aead module.
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised.
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us.
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks.
Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. Because such a change results in de-registering your Signal accounts, attackers prepared people for this by telling them that being de-registered was intended behavior, and that all they would need to do is “re-register,” or, create a new account. When they moved to create a new Signal account — one that was now decoupled from their hijacked account — the victims thought they were logging back in to their primary account. As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account.
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams.
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).
Hacking the #EU#AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.
After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
It appears @Microsoft is actively suspending developer accounts with no warning or reason of various security tools like VeraCrypt, WireGuard and also Windscribe. We've had this VERIFIED account for 8+ years to sign our drivers.
We've been trying to resolve this for over a month, and getting nowhere. Support is non-existent. Anyone know a human with a brain that still works at Microsoft and can help?
WireGuard has some big updates ready to go on Windows, our first on the platform in nearly 4 years. We've done some nice modernizations and improvements, fixed bugs, added features, updated the toolchain, and more. But our release is currently blocked by @Microsoft.
The recent thread on Hacker News encouraged me to write this up, rather than just grumbling to myself privately about it as I have the last two weeks.
I logged in to get the WireGuardNT driver signed -- a necessary step for driver authors -- and was greeted by this vague message that the account has been suspended. Looking further into it, it seems like they instituted an identity verification policy, didn't notify me about it, and then I guess they suspended accounts who didn't do the verification. So of course I did the ID card verification immediately, but now an appeal is necessary. The appeals process requires filing a support ticket, but filing a support ticket requires a non-suspended account... Catch-22, eventually resolved by filing one through Azure and getting it rerouted to the right department. That was two weeks ago. Now they've told me there's a 60 day appeal review period. Wish us luck!
It's a little crazy, because what if there was some critical ring 0 RCE vuln that was being exploited in the wild and that needed to be patched immediately? (Just hypothetical; there isn't.) In that case, telling users "sorry, you've got to wait 60 days" would be sort of bad. And users of WireGuard for Windows are also Microsoft Windows users, so I can't see how this is good for Microsoft either. I think it must just be a case of bureaucracy gone slightly off the rails. Happens.
If any Microsofters are able to make this take not-sixty-days, please do get in touch.
Stellungnahme der Schule:
„[S]icher haben viele von Ihnen das Foto bei Instagram, auf dem einige unserer Schülerinnen mit Herrn Siegmund zu sehen sind, zur Kenntnis genommen. Dieses Foto ist bei einem Besuch des Landtages entstanden und stellt eine Momentaufnahme dar./1
So ist CDU-Generalsekretär Linnemann von Markus #Lanz noch nie in den Senkel gestellt worden! Schaut Euch an, wie Lanz die neue Gaskostenfalle für Mieterinnen und Mieter auseinandernimmt!