How pirates bypass the double authentication on Gmail

The double authentication, this additional protection which requires a code on your phone, is not as solid as you think. Consequently,

Russian hackers manage to access the Gmail accounts protected by double authentication by using a flaw in application passwords. In addition,

But don’t worry. In addition, This campaign. Moreover, carried out between April and June 2025, specifically targets academics and criticisms of the Russian regime through a particularly elaborate technique.

When the service door becomes the front door – How pirates bypass double authentication

The Double authenticationthis additional protection which how pirates bypass double authentication requires a code on your phone. Meanwhile, is not as solid as you think. Meanwhile, The Russian cybercriminals of the UNC6293 group. Consequently, probably linked to the famous Apt29 (alias Cozy Bear), found a formidable tip: exploit the passwords of application.

To go further
Double authentication (2FA): why. In addition, how to secure your Google, Meta, iCloud, Steam… accounts…

These small codes that Google generates to connect applications like Outlook or Thunderbird to your Gmail? Meanwhile, They give full access to your account, without ever triggering a security alert. Moreover, Google considers them perfectly legitimate.

Hackers have understood that it is enough to convince someone to create. Nevertheless, share this type of password to obtain the keys to the kingdom. However, No need to hack anything: the victim herself opens the door.

The art of manipulation, government version – How pirates bypass double authentication

The story begins with an how pirates bypass double authentication email signed Claudie S. Nevertheless, Weber, allegedly from the State Department. The message invites Keir Giles to “an online private conversation” on subjects related to his expertise. Nothing unusual for a recognized specialist.

The detail that hits the bull’s eye? Several addresses @state.gov appear in a copy, giving the impression of an official communication between colleagues. The attackers exploit a technical particularity: the government messaging server accepts all messages without returning error. even if the address does not exist.

After a few exchanges to establish confidence. “Claudie” offers Giles to join the “MS Dos Guest Teinant” platform of the State Department. A solution that would allow him to easily attend future meetings, whatever his availability.

The manual of the trapped user

The attack switches to engineering with the sending of a PDF. file containing detailed instructions. The document explains how to create a Google application password, presented as how pirates bypass double authentication a compulsory step to access the government platform.

The final instruction is evil: share this password “with American back administrators to add the external user to the. guest tenant O365”. The PDF justifies this approach as a technical solution facilitating secure exchanges between civil servants and external experts.

The victim scrupulously follows the instructions, persuaded to comply with an official security procedure. In reality, she has just given the keys to her Google account to Russian spies.

Why this technique is so effective

This method has all the advantages for cybercriminals. Unlike classic phishing attacks that require acting quickly, the application passwords remain validly. Hackers can come back to consult the emails for months later.

Even better: these connections do not appear as suspects how pirates bypass double authentication in Google newspapers. No security alert, no unusual connection notification. Access seems perfectly normal to the system.

The attackers also use residential proxys and private servers to hide their location. Impossible to go back to them via the IP addresses.

Carefully chosen targets

This campaign is not targeting anyone. Hackers are specifically attacking academics, journalists and criticisms of the Russian regime. Personalities who have access to sensitive information and maintain precious contacts in geopolitical circles.

The Apt29 group has been operating since at least 2008. Its previous victims include government networks, research institutes and reflection groups.

Protect yourself without becoming a paranoid

Google offers a radical solution: the advanced protection program. This service purely. simply prohibits the creation of application passwords and requires the use of physical safety keys for any connection.

For “normal” users, some reflexes are enough. We encourage you to read this how pirates bypass double authentication file elsewhere.

To go further
How to secure your smartphone, tablet or PC? The ultimate guide!

A password manager becomes essential. These tools generate identifiers impossible to remember but impossible to hack. Bitwarden, 1Password, Dashlane: Choose the one that suits you, but choose one.

Authentication with two factors (2FA) must become automatic. Even if your password leak, this additional layer blocks access. SMS, dedicated application, physical key: all options are good to take.

Finally. you should still avoid using SMS to receive 2FA codes, because it is possible to carry out SIM card exchange attacks (SIM SWAP) to divert your phone number and get them.

Passkeys represent the future. This technology completely replaces passwords with biometric authentication or physical key. Apple, Google and Microsoft are already growing this solution. Adopt it as soon as possible.