
    VaultJacking: How a Single PIN Compromises All Your Passkeys

    A new phishing technique, VaultJacking, demonstrates how capturing a single Google Password Manager PIN can expose an entire vault of passkeys and passwords, even those deemed phishing-resistant.

    Schutz IT 1 June 2026 6 min read


    VaultJacking: A New Threat to Passkeys and Synchronized Credentials

    New attack techniques keep challenging established security assumptions. A recently disclosed technique, dubbed "VaultJacking," shows how a synchronized credential vault, specifically Google Password Manager (GPM), can be unlocked by an attacker who phishes a single unlock secret. It demonstrates that passkeys, widely and correctly described as phishing-resistant, are only as safe as the vault that stores and synchronizes them: the protocol is not broken, but the synchronization layer around it can be. For enterprise security teams this adds a new consideration when deciding how user identities and credentials are stored.

    How VaultJacking Works: Exploiting the Sync Infrastructure

    VaultJacking is an Adversary-in-the-Middle (AiTM) phishing attack. In an AiTM flow the phishing page is a reverse proxy that relays the victim's real Google sign-in, including any second factor, to Google and back, so by the time the victim reaches the final prompt the attacker already holds an authenticated session for the account. Where conventional phishing stops at that session or at a single password, VaultJacking adds one more step: the proxied page asks the victim for their 6-digit GPM PIN. That PIN is the "master key" that lets the attacker decrypt every password and passkey stored in the user's Google account. [Sources: 7, 8]

    The target of the attack is the Security Domain Secret (SDS). GPM data is end-to-end encrypted under the SDS, and a new device can only receive the SDS after proving a recovery factor such as the GPM PIN. With the phished PIN, the attacker enrolls an attacker-controlled device into the victim's Google "security domain"; Google then releases the SDS to that device, which decrypts the whole vault. Every stored password, every third-party login, and every enrolled passkey becomes usable by the adversary.

    This is why the attack bypasses the phishing resistance of passkeys without breaking it. A passkey resists phishing because the browser binds each credential to the relying party's origin and the authenticator answers a per-login challenge with a signature rather than revealing a shared secret, so a lookalike site cannot obtain anything replayable. None of that is attacked here. What is attacked is the synchronization mechanism that copies the private keys between devices: once the attacker's device is a legitimate member of the security domain, it receives the same private keys the victim's devices have and can sign challenges just as they would. The pivot is from the authentication protocol to the storage and sync layer around it.

    Implications for Enterprise CIAM and PKI

    For enterprise security architects, CISOs, and IAM engineers, VaultJacking underscores several essential considerations:

    • The Expanded Scope of Credential Theft: The attack moves from compromising one credential to exfiltrating an entire vault. The blast radius of a single successful phish is therefore every online service whose credentials are synchronized through the employee's Google account, not just the service whose login page was imitated.
    • Rethinking Passkey Deployment Strategies: Passkeys remain a far better authentication method than passwords, but VaultJacking forces a distinction between synced passkeys, whose private keys are copied between devices through a provider's vault, and device-bound passkeys, whose private keys never leave a hardware authenticator. Enterprises need to know which kind their users actually hold and how the chosen passkey provider protects its vault. Relying on the phishing resistance of the passkey protocol without considering where the keys are stored and how they are synchronized is an incomplete strategy.
    • Enhanced Phishing Awareness and Defense: The attack vector is still phishing, so anti-phishing training and technical controls remain essential. Employees should understand that a legitimate-looking login page may relay their real sign-in and then ask for a seemingly harmless extra secret such as a GPM PIN, and that this PIN is worth as much as everything in the vault.
    • Identity Provider (IdP) Security: Identity providers that offer synchronized password management, or that integrate with third-party password managers, must evaluate the security of the synchronization and device-enrollment mechanism. If a single secret, even a short PIN, is sufficient to enroll a new device and decrypt the entire vault, that mechanism is the weakest link in the identity chain.
    • PKI's Role in a Passkey World: VaultJacking directly affects credential management, but it touches the PKI landscape indirectly. Secure authentication, whether with passwords, MFA, or passkeys, depends on a foundational trust infrastructure. If a vault holds the credentials that protect certificate enrollment portals, key stores, or the accounts that administer a CA, then compromising the vault can lead to unauthorized use of systems that certificates were meant to protect.

    Mitigation Strategies for Security Teams

    To counter threats like VaultJacking, enterprise security teams should consider the following actions:

    • Strengthen User Education: Run phishing awareness programs that specifically cover AiTM attacks and the danger of entering credentials or PINs on any site reached through a link, even one that looks and behaves like the real login page. Emphasize verifying the address bar and using official applications or bookmarked URLs for login.
    • Evaluate Password Manager Configurations: Work with identity and access management teams to review the configuration of every password manager in use, especially those with synchronization. Understand how PINs and other unlock or recovery factors are protected and whether one of them can unlock the whole vault. Where browser password managers are not the sanctioned tool, enforce that with policy rather than guidance; for Chrome, the PasswordManagerEnabled policy disables saving to the built-in manager and SyncTypesListDisabled with the value "passwords" excludes passwords from account sync.
    • Implement FIDO2/WebAuthn with Attestation and Device-Binding Policy: For critical systems, require device-bound passkeys whose private keys live in a hardware authenticator and cannot be exported or synchronized. The relying party can enforce this at registration by requesting attestation and allowing only approved authenticator models (AAGUIDs), and at every login by rejecting assertions whose authenticator data carries the backup-eligible (BE) or backup-state (BS) flag, which the authenticator sets for synced credentials. VaultJacking targets the vault rather than the passkey itself, which is exactly why a credential that never enters a vault is out of its reach.
    • Adopt Zero Trust Principles: Assume breach and implement granular access controls. Even when credentials are compromised, a Zero Trust architecture limits an attacker's lateral movement and access to sensitive resources.
    • Regular Security Audits and Penetration Testing: Conduct audits and penetration tests that specifically target credential management systems and their synchronization and device-enrollment mechanisms. Include simulated AiTM phishing in red-team exercises to find out which of your users' credentials a successful phish would actually expose.
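    The two relying-party checks discussed above, origin binding (the reason passkeys resist a lookalike login page) and the backup-eligible/backup-state flags (the way an RP tells a synced passkey from a device-bound one), are shown together in the following example. It is added here and is not code from the article or from Google; the relying party ID, origin, challenge and the fixture bytes are constructed for illustration, and the signature verification over the returned signed_data with the credential's stored public key is deliberately left to the caller.

```python
"""Relying-party checks on a WebAuthn assertion: origin binding and
backup flags. Added example; not the article's or any vendor's code."""
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

# Bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the key may be synced to other devices
FLAG_BS = 0x10  # backup state: the key is currently backed up (synced)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def may_sync(self) -> bool:
        # BE alone already means the private key is not confined to one authenticator.
        return bool(self.flags & (FLAG_BE | FLAG_BS))


def parse_authenticator_data(raw: bytes) -> AuthData:
    # Fixed 37-byte prefix: 32-byte rpIdHash, 1 flags byte, 4-byte big-endian counter.
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    return AuthData(raw[:32], raw[32], struct.unpack(">I", raw[33:37])[0])


@dataclass
class Decision:
    accepted: bool
    reason: str
    signed_data: bytes  # authData || SHA-256(clientDataJSON): verify the signature over this


def evaluate_assertion(client_data_json: bytes, auth_data_raw: bytes, *,
                       expected_origin: str, expected_rp_id: str,
                       expected_challenge: bytes, require_device_bound: bool) -> Decision:
    signed = auth_data_raw + hashlib.sha256(client_data_json).digest()
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return Decision(False, "wrong clientData type", signed)
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return Decision(False, "challenge mismatch", signed)
    # Origin binding: the browser, not the page, writes the origin into clientDataJSON,
    # so an assertion produced on a lookalike domain can never match the real RP.
    if cd.get("origin") != expected_origin:
        return Decision(False, f"origin mismatch: {cd.get('origin')}", signed)
    ad = parse_authenticator_data(auth_data_raw)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return Decision(False, "rpIdHash mismatch", signed)
    if not ad.flags & FLAG_UV:
        return Decision(False, "user verification missing", signed)
    if require_device_bound and ad.may_sync:
        return Decision(False, "synced (backup-eligible) credential not allowed here", signed)
    return Decision(True, "ok", signed)


# Constructed fixtures (hypothetical RP) standing in for browser/authenticator output.
RP_ID = "example.com"
ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))


def make_auth_data(rp_id: str, flags: int, counter: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def demo() -> dict:
    good_cd = make_client_data(ORIGIN, CHALLENGE)
    phish_cd = make_client_data("https://login.example-com.net", CHALLENGE)  # lookalike origin
    device_bound = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 7)
    synced = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    common = dict(expected_origin=ORIGIN, expected_rp_id=RP_ID, expected_challenge=CHALLENGE)
    return {
        "device_bound_strict": evaluate_assertion(good_cd, device_bound, require_device_bound=True, **common),
        "synced_strict": evaluate_assertion(good_cd, synced, require_device_bound=True, **common),
        "synced_relaxed": evaluate_assertion(good_cd, synced, require_device_bound=False, **common),
        "phishing_origin": evaluate_assertion(phish_cd, device_bound, require_device_bound=False, **common),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'accept' if d.accepted else 'reject'} ({d.reason})")
```

    The synced fixture is accepted under the relaxed policy and rejected under the strict one, which is the policy split the bullet above recommends: ordinary applications may take synced passkeys, critical systems should not. The lookalike-origin assertion is rejected regardless of policy, and in practice a browser would not even offer an example.com passkey on that origin; the server-side origin check is the RP's own backstop. A production RP additionally verifies the signature over signed_data with the public key stored at registration and tracks the sign counter.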

    Moving Forward

    VaultJacking is a reminder that security is a continuous process. As the industry moves toward passkeys, adversaries move with it, and this attack shows them shifting from the authentication protocol to the vault that stores and synchronizes its keys. Enterprise security teams must understand that distinction and protect not just individual credentials but the whole ecosystem of digital identities and access. Ignoring the possibility of vault-level compromise leaves a gap that the strongest authentication protocol cannot close. [Source: 9]
