Google’s Threat Analysis Group (TAG) spotted the attack in late 2023 and fixed it within weeks. The exploit let hackers bypass 2FA protections on several major platforms, including Gmail, Microsoft 365, and AWS. What makes this attack stand out isn’t just the 2FA bypass—it’s how the hackers used AI to find and weaponize the flaw so quickly.

AI is now a tool for cybercrime

The hackers didn’t just rely on human trial and error. They automated parts of the process with AI, letting them scan millions of lines of code to spot weaknesses faster than any team could. Google’s researchers say the AI system likely generated the exploit after analyzing thousands of past vulnerabilities. This marks the first confirmed case of AI being used maliciously in the wild to create a zero-day, something experts had feared for years.

The exploit itself worked by tricking authentication systems into accepting fake session tokens. Instead of stealing passwords, hackers intercepted or forged these tokens to gain access to accounts without triggering 2FA alerts. The attack didn’t need victims to click a link or download malware—it exploited a flaw in how services handle authentication tokens behind the scenes.

Who’s behind the attack and why it matters

Google didn’t name the hackers, but clues point to a sophisticated cybercrime group with ties to Russia and China. These groups have used AI before for phishing emails and deepfake scams, but this is the first time AI helped them build a full-blown exploit. The goal appears to be mass account takeovers, likely for espionage or financial gain.

Security teams scrambled to update their systems after Google’s warning. Companies like Microsoft and AWS pushed emergency patches to block the exploit. But the attack shows how AI lowers the barrier for even mid-level hackers to launch advanced cyberattacks. If this becomes common, expect more zero-days—and faster ones.

What happens next

Google and other tech giants are now racing to bake AI-resistant defenses into their systems. One approach is stricter token validation, forcing services to verify every session request in real time. Another is AI-powered threat detection that spots irregular authentication patterns before they turn into exploits. But the cat-and-mouse game is getting harder. As AI tools get cheaper and easier to use, more groups will rely on them—both for defense and attack.
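A sketch of what per-request token validation can look like on the server side, added here as an illustration and not taken from Google, Microsoft, AWS or the original report. The key, session store, token layout and function names are all hypothetical and the session records are constructed sample data.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: a real service loads this from a KMS
# Hypothetical server-side session store: session id -> state recorded at login.
SESSIONS = {
    "s-100": {"user": "alice", "mfa_done": True, "revoked": False, "expires": 2_000_000_000},
    "s-101": {"user": "bob", "mfa_done": False, "revoked": False, "expires": 2_000_000_000},
    "s-102": {"user": "carol", "mfa_done": True, "revoked": True, "expires": 2_000_000_000},
}


def issue_token(session_id):
    """Token = session id plus an HMAC-SHA256 tag computed with the server key."""
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def validate_request(token, now=None):
    """Run on every request, not only at login. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    session_id, sep, tag = token.rpartition(".")
    if not sep:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so a forged tag leaks nothing through timing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad_signature"
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "unknown_session"
    if session["revoked"]:
        return False, "revoked"
    if now >= session["expires"]:
        return False, "expired"
    # The 2FA result is read from server state, never from a claim inside the token.
    if not session["mfa_done"]:
        return False, "mfa_incomplete"
    return True, "ok"
```

Logging the rejection reason for each failed request gives detection tooling the signal it needs to spot irregular authentication patterns.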

For users, the lesson is simple: don’t assume 2FA makes you safe. Update your devices, enable hardware keys where possible, and watch for unusual login alerts. The days of 2FA being a silver bullet are over.

What You Need to Know

  • Source: The Hacker News
  • Published: May 11, 2026 at 15:45 UTC
  • Category: Security


All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.


Curated by GlobalBR News · May 11, 2026


🇧🇷 Portuguese Summary

For the first time in history, hackers used artificial intelligence to create and exploit a previously unknown flaw in two-factor authentication (2FA), turning what seemed to be one of the most secure methods on the internet into a target for cybercriminals. The discovery, announced by Google, exposes not only the evolution of digital tactics but also the urgency of rethinking online security in the face of increasingly sophisticated tools.

The attack, which exploited a zero-day vulnerability (that is, one unknown to developers until it was exploited), puts Brazil on heightened alert. The country is already one of the world's main targets for phishing and account hijacking, and the use of AI to get around 2FA represents a qualitative leap in the criminals' sophistication. Brazilian experts warn that, without urgent updates to authentication systems and greater user awareness, millions of accounts, from banks to social networks, could be compromised on a large scale. The growing reliance on AI in cybercrime requires companies and governments to invest in defenses capable of keeping pace with this evolution.

The next frontier of digital security has already begun: either Brazil prepares now, or it will face an unprecedented wave of intrusions into the systems that guarantee its citizens' privacy and access.