Vaultjacking: New Phishing Technique Compromises Google Password Manager

Severity: High (Score: 64.5)

Sources: Reddit, Gbhackers

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: vaultjacking, google, password, single, phishing, technique, captured

Severity indicators: apt

Summary

A new phishing technique named 'Vaultjacking' has been revealed, allowing attackers to use a single captured Google Password Manager (GPM) PIN to access a user's entire credential vault. This method can compromise all third-party credentials saved in Chrome, including passkeys, through a single phishing attack on a targeted site. The technique leverages an AiTM (Adversary-in-the-Middle) landing page to capture the PIN. Security experts are raising alarms about the potential for widespread credential theft, as the attack can indirectly compromise even phishing-resistant passkeys. The full scope of the impact is still being assessed, but the cybersecurity community is urged to take precautions. Awareness is growing, but no specific patches or mitigations have been released yet.

Key Points:

  • Vaultjacking allows access to all saved credentials with a single captured PIN.
  • The attack exploits the Google Password Manager's sync infrastructure.
  • Phishing-resistant passkeys can be compromised indirectly through this method.

Detailed Analysis

**Impact** Users of Google Password Manager (GPM) are affected globally, with potential compromise of all stored third-party credentials, including passkeys. The attack can lead to full credential vault exposure from a single captured PIN, impacting individuals and organizations relying on Chrome-saved passwords and passkeys. No specific sectors or geographic regions were detailed in the sources.

**Technical Details** The attack uses a phishing vector with an Adversary-in-the-Middle (AiTM) landing page designed to capture the victim’s GPM PIN. This PIN then grants access to the entire password vault, including passkeys, by exploiting the sync infrastructure underlying GPM. No malware, CVEs, or specific infrastructure details were provided. The attack occurs at the credential access stage of the kill chain.

**Recommended Response** Defenders should increase phishing awareness training and monitor for suspicious AiTM phishing pages targeting GPM users. Enforce multi-factor authentication beyond PIN verification where possible and consider limiting the use of password managers that rely on PINs without additional protections. No patches or specific IOCs were provided; monitoring for unusual access to password vaults is advised.

Source articles (2)

  • New Phishing Technique - Vaultjacking: One Captured PIN, the Entire Google Password Manager Vault — Reddit · 2026-05-27
    I've been hard at work on a NEW phishing technique I'm excited to . I'm calling it "Vaultjacking" and the impact is honestly a bit sobering. In my blog I demonstrate how a single AiTM landing page can…
  • VaultJacking Attack Exposes Google Password Vaults via Single PIN — Gbhackers · 2026-05-28
    A newly disclosed phishing technique dubbed “VaultJacking” is raising serious concerns across the cybersecurity community after researchers demonstrated how a single captured Google Password Manager (…

Timeline

  • 2026-05-27 — Vaultjacking technique disclosed: A new phishing technique called Vaultjacking was introduced, demonstrating how a single PIN can compromise a user's entire credential vault.
  • 2026-05-28 — Cybersecurity community reacts: Researchers and experts are expressing serious concerns regarding the implications of Vaultjacking for user security.

Related entities

  • Phishing (Attack Type)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Google Chrome (Tool)
  • Google Password Manager (Platform)