Security Check-in Quick Hits: France's FICOBA Breach, Dell RecoverPoint Zero-Day, AI-Powered FortiGate Attacks, AI Chatbots as C2 Channels, and PayPal SSN Exposure
For February 24, 2026
France’s FICOBA Data Breach: A Wake-Up Call for Government Credential Security
In an alarming disclosure, France’s Ministry of Economy revealed a major data breach affecting the FICOBA national bank account registry, exposing sensitive personal and financial data for around 1.2 million accounts. The incident, stemming from compromised government credentials, highlights vulnerabilities in credential management and potential insider threats. Attackers gained unauthorized access to the registry, which holds details on bank accounts across the country, potentially leading to identity theft, financial fraud, and broader economic disruptions.
Details from recent threat intelligence indicate the breach involved stolen credentials, allowing perpetrators to extract names, account numbers, and other PII. This isn’t just a French issue—similar credential-based attacks have plagued global institutions, underscoring the need for multi-factor authentication (MFA) and zero-trust architectures in government systems. Organizations should audit access logs and rotate credentials immediately to mitigate similar risks.
As cyber threats evolve, this breach serves as a reminder that even fortified registries aren’t immune. Staying vigilant with regular security audits and employee training can help prevent such exposures from escalating into national crises.
Dell RecoverPoint Zero-Day Exploitation: UNC6201’s Persistent VMware Assault
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769, CVSS 10.0) has been under active exploitation since mid-2024 by the suspected China-linked group UNC6201. This flaw involves hardcoded Tomcat credentials, enabling unauthenticated root access to deploy web shells and advanced backdoors like SLAYSTYLE, BRICKSTORM, and GRIMBOLT. Attackers can create “ghost” network interfaces for lateral movement and persistence in VMware environments, posing severe risks to enterprise data protection systems.
The exploitation chain starts with authenticating to the Tomcat Manager, uploading malicious payloads, and executing root commands, allowing full appliance compromise. Affected versions prior to 6.0.3.1 HF1 are vulnerable, and organizations using Dell’s backup solutions should patch urgently. This incident reflects broader trends in supply chain attacks targeting virtualization infrastructure.
To defend against such threats, implement network segmentation, monitor for anomalous API calls, and use threat emulation tools. As zero-days become more common, proactive vulnerability management is essential for maintaining operational resilience.
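Detection logic for the Tomcat Manager deployment step described above, as an added example that is not part of the original article or of Dell's product: it scans Tomcat access-log lines (a constructed sample) for Manager-app access from outside an admin range, for successful deployments, and for the first requests into a newly deployed context. The admin address prefix, the sample addresses and the assumption that the appliance writes a standard Tomcat access log are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Tomcat's default "common" access-log pattern.
# The source IPs, user names, timestamps and paths are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2026:10:01:02 +0000] "GET /WebApp/login HTTP/1.1" 200 1532
203.0.113.7 - tomcat [20/Feb/2026:10:03:11 +0000] "GET /manager/html HTTP/1.1" 200 9341
203.0.113.7 - tomcat [20/Feb/2026:10:03:25 +0000] "PUT /manager/text/deploy?path=/sync HTTP/1.1" 200 83
203.0.113.7 - - [20/Feb/2026:10:03:40 +0000] "GET /sync/index.jsp HTTP/1.1" 200 221
10.0.0.9 - admin [20/Feb/2026:10:05:00 +0000] "POST /manager/html/upload HTTP/1.1" 200 9412
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Standard Tomcat Manager endpoints through which a WAR file can be deployed.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

def scan_access_log(log_text, admin_prefix="10.0.0."):
    """Return (severity, message) findings for Manager access, deployments and
    the first requests into a freshly deployed context. admin_prefix is an
    assumed allowlist of legitimate administrative source addresses."""
    findings, new_contexts = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected pattern
        ip, user, target, status = m["ip"], m["user"], m["target"], m["status"]
        parts = urlsplit(target)
        if parts.path.startswith("/manager/"):
            if not ip.startswith(admin_prefix):
                findings.append(("medium", f"{ip} ({user}) reached {parts.path} from outside the admin range"))
            if parts.path.startswith(DEPLOY_PATHS) and status == "200":
                ctx = parse_qs(parts.query).get("path", [None])[0]
                findings.append(("high", f"{ip} ({user}) deployed context {ctx or '(not in query)'} via {parts.path}"))
                if ctx:
                    new_contexts.add(ctx)
        elif any(parts.path.startswith(c + "/") for c in new_contexts):
            findings.append(("high", f"{ip} requested {parts.path} inside a freshly deployed context"))
    return findings
```

Running the scan over the sample yields five findings: two for Manager access from a non-admin address, two for successful deployments, and one for the first hit inside the newly deployed context.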
AI-Powered Mass Compromise of FortiGate Devices: A New Era of Scaled Attacks
A financially motivated threat actor has leveraged generative AI to compromise over 600 FortiGate firewalls, using stolen credentials for mass abuse and pivoting to Veeam targets. This campaign demonstrates how AI tools can automate credential stuffing, reconnaissance, and exploitation at unprecedented scales, targeting enterprise network perimeters.
The attacks involve AI-assisted scripting to probe devices, exploit weak credentials, and establish persistence, often leading to ransomware deployments or data exfiltration. Fortinet users are urged to enable MFA, review access logs, and update firmware to thwart these incursions. This shift highlights AI’s dual role as both a defensive asset and an offensive accelerator.
Businesses should integrate AI monitoring into their security operations centers (SOCs) and conduct regular penetration testing. As attackers adopt AI, defenders must evolve strategies to stay ahead in this arms race.
AI Chatbots Turned into Covert C2 Proxies: Exploiting Grok and Copilot
Threat actors are abusing AI assistants like Grok and Microsoft Copilot as command-and-control (C2) channels, disguising malware commands within legitimate API interactions to evade detection. This technique turns URL-fetching capabilities into proxies for data exfiltration and command execution, bypassing traditional security filters.
In one method, attackers encode commands in prompts, using the AI’s responses to relay instructions to infected hosts. Microsoft 365 Copilot also has a flaw allowing summaries to ignore sensitivity labels, exposing protected emails. This novel abuse underscores the risks of integrating AI without robust safeguards.
To counter this, organizations should monitor API traffic for anomalies, implement rate limiting, and use behavioral analytics. As AI adoption grows, securing these tools against misuse is critical to preventing them from becoming attack vectors.
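An added example, not from the original article: a periodicity check over constructed proxy-log lines that flags internal hosts calling a sanctioned AI-assistant endpoint at near-constant intervals while passing URL-fetch parameters, which is the beaconing shape a C2 relay through such a service would produce. The hostnames, addresses, log format and thresholds are assumptions.

```python
import statistics
from datetime import datetime

# Constructed proxy log lines: "timestamp src_ip dst_host method path".
# Hostnames and addresses are invented; no real AI vendor endpoint is named.
SAMPLE_PROXY_LOG = """\
2026-02-20T09:00:00 10.1.1.20 ai-assistant.example.test POST /v1/chat?fetch=https://drop.example.net/t1
2026-02-20T09:00:30 10.1.1.20 ai-assistant.example.test POST /v1/chat?fetch=https://drop.example.net/t2
2026-02-20T09:01:00 10.1.1.20 ai-assistant.example.test POST /v1/chat?fetch=https://drop.example.net/t3
2026-02-20T09:01:30 10.1.1.20 ai-assistant.example.test POST /v1/chat?fetch=https://drop.example.net/t4
2026-02-20T09:02:00 10.1.1.20 ai-assistant.example.test POST /v1/chat?fetch=https://drop.example.net/t5
2026-02-20T09:00:12 10.1.1.41 ai-assistant.example.test POST /v1/chat
2026-02-20T09:07:48 10.1.1.41 ai-assistant.example.test POST /v1/chat?fetch=https://docs.example.com/spec
2026-02-20T09:31:05 10.1.1.41 ai-assistant.example.test POST /v1/chat
"""

AI_HOSTS = {"ai-assistant.example.test"}  # assumed list of sanctioned AI endpoints

def parse_proxy_log(log_text):
    """Parse the constructed format into (timestamp, src, host, path) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, src, host, _method, path = line.split()
        records.append((datetime.fromisoformat(ts), src, host, path))
    return records

def find_beaconing(log_text, min_requests=5, max_jitter=0.2):
    """Flag sources whose requests to AI endpoints arrive at near-constant intervals.
    Jitter is stdev/mean of the inter-request gaps; human use is irregular, beacons are not."""
    by_src = {}
    for ts, src, host, path in parse_proxy_log(log_text):
        if host in AI_HOSTS:
            by_src.setdefault(src, []).append((ts, path))
    alerts = []
    for src, events in by_src.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        # Collect the external domains the assistant was asked to fetch on this host's behalf.
        fetched = {p.split("fetch=", 1)[1].split("/")[2] for _, p in events if "fetch=" in p}
        if jitter <= max_jitter:
            alerts.append({"src": src, "count": len(events), "period_s": mean,
                           "jitter": round(jitter, 3), "fetch_domains": sorted(fetched)})
    return alerts
```

In the sample, the first host fires every 30 seconds with zero jitter and a single fetched domain, while the second host's three irregular requests stay below the threshold.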
PayPal’s SSN Breach: Heightened Risks of Identity Theft for Millions
PayPal has suffered a data breach exposing customers’ Social Security Numbers, dates of birth, and other PII, amplifying dangers of identity theft and financial fraud. The incident affects both consumers and merchants, with leaked data potentially fueling targeted scams and account takeovers.
Breach details reveal prolonged exposure of sensitive information, likely due to inadequate encryption or access controls. PayPal users should freeze credit reports, enable fraud alerts, and change passwords immediately. This event adds to a string of fintech breaches, emphasizing the need for stricter data handling practices.
Companies must adopt privacy-by-design principles, conduct regular audits, and offer credit monitoring to affected parties. In an era of rampant data leaks, prioritizing user privacy is non-negotiable for maintaining trust.