
Google’s security researchers have confirmed the first known case of hackers using artificial intelligence to find and build a real, working exploit — one that bypasses two-factor authentication (2FA), the extra “verify it’s you” code that protects your accounts. The vulnerability was found in an unnamed popular web-based system administration tool. The attackers wrote the exploit code with AI assistance, and the code itself gave them away: it was full of educational notes and comments that are a telltale sign of AI generation, and it even included a made-up security score that the AI hallucinated on its own.
Two-factor authentication is one of the strongest defenses ordinary people have online. Most attackers who steal a password still cannot get in, because they do not have your phone to receive the second code. This incident shows that attackers are now using AI to find clever ways around that protection. The silver lining is that the attack still requires a valid username and password first, so strong, unique passwords across every account remain your single most important line of defense. Google’s researchers are also tracking several hacking groups, including North Korean and Chinese government-linked teams, that are using AI tools to speed up their research into other security flaws.
