Microsoft Copilot vulnerability allowed hackers to steal users' 2FA codes
A critical flaw in Microsoft Copilot allowed hackers to steal two-factor authentication codes. This highlights ongoing security risks in AI systems.

A critical vulnerability called SearchLeak was discovered in Microsoft Copilot, allowing attackers to steal two-factor authentication (2FA) codes from users. Two-factor authentication is an extra security step that usually involves a one-time code sent to your phone or email, or generated by an authenticator app. The flaw specifically targeted Copilot's "search grounding" feature, which is what runs when a user asks the chatbot to search the web on their behalf. Through it, an attacker could exfiltrate data from the prompt, that is, from the content of the user's conversation, including any 2FA code that happened to be present there.
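The mechanism described above, prompt content escaping through the query string of a web-search tool call, is a general egress problem for any LLM agent, not something specific to Copilot. The following is an added example, not code from Microsoft or from the SearchLeak write-up, of the check a practitioner would put in front of the search tool: it inspects the model-emitted query before the request leaves the trust boundary, redacts anything shaped like a one-time code, flags embedded URLs, and measures how much of the query is copied verbatim from confidential conversation context rather than from the user's actual request. The agent layout (a separate "user request" and "confidential context"), the sample conversation, the code `482 913` and the hosts `Contoso` and `attacker.example` are all constructed for the example.

```python
"""Egress guard for model-emitted web-search calls.

Added example, not Microsoft's code or the SearchLeak author's. It assumes an
agent layout in which the model decides to call a search tool and the tool's
query string leaves the trust boundary; the guard screens that string first.
"""
import re
from dataclasses import dataclass, field

# One-time codes as they usually appear: six digits, optionally split as
# "123 456" or "123-456", or eight digits. The lookarounds stop matches inside
# longer digit runs such as phone or order numbers.
OTP_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}(?!\d)|(?<!\d)\d{8}(?!\d)")

# A search query should be plain text. A URL inside it is a common way to push
# data toward an attacker-controlled host via the search backend or a redirect.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)


@dataclass
class Verdict:
    allowed: bool
    sanitized_query: str
    reasons: list = field(default_factory=list)
    leak_ratio: float = 0.0


def shingles(text: str, n: int = 3) -> set:
    """Lower-cased word n-grams; used to measure verbatim copying."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def screen_search_query(query: str, user_request: str, confidential_context: str,
                        max_leak_ratio: float = 0.25) -> Verdict:
    """Decide whether a model-emitted search query may leave the trust boundary."""
    reasons = []
    sanitized = query

    # 1. One-time codes never belong in a search query: redact and flag.
    if OTP_RE.search(query):
        reasons.append("otp-like code in query")
        sanitized = OTP_RE.sub("[REDACTED-OTP]", sanitized)

    # 2. Attacker-specified destinations embedded in the query.
    if URL_RE.search(query):
        reasons.append("url embedded in query")

    # 3. Verbatim carry-over from confidential context. Overlap with the user's
    #    own request is expected (that is what the search is about), so only
    #    n-grams present in the confidential context but absent from the request count.
    q = shingles(query)
    leaked = (q & shingles(confidential_context)) - shingles(user_request)
    leak_ratio = len(leaked) / len(q) if q else 0.0
    if leak_ratio > max_leak_ratio:
        reasons.append(f"{leak_ratio:.0%} of query copied from confidential context")

    return Verdict(allowed=not reasons, sanitized_query=sanitized,
                   reasons=reasons, leak_ratio=leak_ratio)


# Constructed sample inputs for a stand-alone run (not real traffic).
USER_REQUEST = "Search the web for the opening hours of the Munich city library"
CONFIDENTIAL_CONTEXT = (
    "Earlier in this chat the user pasted an SMS: 'Your Contoso sign-in code is "
    "482 913. It expires in 10 minutes.' and a forwarded email about a payroll change."
)
BENIGN_QUERY = "Munich city library opening hours"
LEAKING_QUERY = ("site:attacker.example/log?d= Contoso sign-in code is 482 913 "
                 "expires in 10 minutes")

if __name__ == "__main__":
    for label, query in (("benign", BENIGN_QUERY), ("leaking", LEAKING_QUERY)):
        v = screen_search_query(query, USER_REQUEST, CONFIDENTIAL_CONTEXT)
        print(f"{label}: allowed={v.allowed} leak_ratio={v.leak_ratio:.2f} "
              f"reasons={v.reasons}\n  sanitized={v.sanitized_query!r}")
```

The third check is the one that generalizes: pattern matching only catches secrets whose shape you anticipated, whereas measuring how much of an outgoing tool argument is lifted from material the user never asked to be searched catches exfiltration of arbitrary context. The threshold is a tuning knob; in practice you would log every flagged query for review rather than only blocking it.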
This vulnerability matters because it could let attackers bypass one of the most important security protections for online accounts. A 2FA code is meant to stop someone who has already stolen or guessed your password; if the attacker obtains the code as well, they can combine the two and sign in as you. This is especially dangerous for accounts holding sensitive information, like banking or email. The article notes that this discovery is part of a broader pattern in which the industry's approach to large language model (LLM) security continues to fail, exposing user data in ways that traditional web security measures were designed to prevent.
If you use Microsoft Copilot, check Microsoft's official security updates for any patches related to this vulnerability. Do not paste one-time codes into Copilot or any other chatbot: anything in the conversation is in scope for this class of leak. Where your accounts offer it, prefer phishing-resistant second factors such as passkeys, hardware security keys, or device-bound biometric sign-in, which do not produce a code that can be copied out of a chat window. You can find these options in each account's security settings.