Three storylines are colliding across security teams this week: passkeys are finally seeing real-world momentum, shadow AI is spilling corporate data onto the open internet, and a newly disclosed flaw is crashing Chromium-based browsers in seconds. Each trend carries immediate implications for how organizations authenticate users, govern AI, and harden endpoints.
Passkey adoption accelerates across major consumer platforms
After years of cautious pilots, passkeys are breaking out of the niche. A recent study from password manager Dashlane reports a sharp uptick in adoption, driven by platforms that now prompt or default users to passkeys at sign-in. Amazon repeatedly nudges shoppers to enroll, Google made passkeys the default sign-in for personal accounts, and Microsoft has pushed passkeys across new Microsoft Account sign-ins and Windows Hello. This isn’t just usability marketing. Passkeys, built on FIDO2 and WebAuthn, are phishing-resistant and eliminate one-time codes that go missing or arrive late—an expensive pain for retailers. The FIDO Alliance has long argued that passkeys cut account takeovers by removing shared secrets entirely. Google, for its part, has said passkeys have already been used over 1 billion times, a strong signal that mainstream users are getting comfortable with device-bound cryptography.

The push is also about fraud economics. Abandoned carts from failed SMS logins and forgotten passwords translate to revenue loss. Meanwhile, a growing percentage of the credential dumps on the dark web trace back to retail and consumer services—data that will remain exploitable as long as passwords hang around and are reused. Replacing passwords with passkeys directly decimates that attack surface. One caveat: convenience features around account recovery and a kind of “password inheritance” in password managers can and will become targets of social engineering. Recent phishing waves impersonating password-vault providers prove adversaries are readily learning. CISOs driving to passkeys should hard-pair enrollments with robust recovery policies and FIDO2 security keys for high-risk roles.
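As an added example (not from the article or any of the vendors it mentions), the relying-party side of a WebAuthn sign-in check in Python shows why a passkey assertion harvested on a lookalike domain is useless: the browser-supplied origin and the authenticator's RP ID hash must both match the legitimate site before a signature is even considered. The domain, sample values and helper names are constructed; signature verification with the stored public key is assumed to follow these checks.

```python
# Added example, not from the article: relying-party checks that make a passkey
# assertion phishing-resistant. The browser binds clientDataJSON to the page
# origin and the authenticator binds authenticatorData to the RP ID, so a
# response harvested on a lookalike domain fails before any signature check.
import base64
import hashlib
import json

RP_ID = "shop.example"                    # assumption: the relying party's domain
ALLOWED_ORIGINS = {"https://shop.example"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON, as a browser would emit for a sign-in."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")

def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> dict:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed request")
    if cd.get("origin") not in ALLOWED_ORIGINS:   # the anti-phishing check
        raise ValueError(f"origin {cd.get('origin')!r} is not this site")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not auth_data[32] & 0x01:                  # UP flag: user presence
        raise ValueError("user presence not asserted")
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if sign_count and sign_count <= last_sign_count:
        raise ValueError("signature counter did not advance: possible cloned key")
    # Assumption: the caller then verifies the signature over
    # auth_data || sha256(client_data) with the credential's stored public key.
    return {"origin": cd["origin"], "sign_count": sign_count,
            "signed_payload": auth_data + hashlib.sha256(client_data).digest()}
```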
Shadow AI is exposing confidential business data
The unauthorized use of AI at work has exploded, and with it the inadvertent exposure of confidential files. Cloud-security vendor Netskope has seen enterprise access to generative AI tools grow more than 20x year over year, and DLP vendor Cyberhaven has documented sensitive source code, financials, and PII being pasted into public chatbots. The result has been distressingly predictable: internal documents end up in model training data, public snippets, or third-party content repositories, often without the employee who pasted them realizing that an unredacted copy now lives outside the company. A quick search can turn up copies of “internal use only” MRDs, annual financial projections, or even finished manuscripts: content that never should have left the safekeeping of a corporate tenant.
This isn’t purely a user-awareness problem. Many teams lack clear AI governance, defaulting to blocked tools or blanket allowances. Between those poles is a workable middle: sanctioned AI services, with enterprise controls, no-training modes, tenant isolation, redaction, and on-prem or VPC deployments for truly sensitive workloads. For prompts and outputs, legal and compliance teams should review vendor data-handling terms and retention windows. For visibility, new watchdog efforts are emerging. Proton’s Data Breach Observatory, for example, aggregates confirmed breach data from dark-web intelligence instead of corporate self-reporting. The company claims it already catalogs nearly 800 breaches, with the most common exposed elements being names, emails, and contact info, followed by passwords—again, underscoring the value of moving beyond credentials that can be leaked and reused.

New Chromium browser bug triggers crashes and memory lockups
Security researcher Jose Pino disclosed a flaw in Blink, the rendering engine used by Chromium browsers, that can lock up a browser within seconds and, in some cases, freeze the host OS by exhausting memory. The Register validated the behavior and contacted developers of multiple Chromium derivatives: most did not respond, while Brave indicated it will ship a fix once Google lands one. Google says it’s investigating.
The practical risk is disruptive denial of service via a booby-trapped page or embed. While this isn’t remote code execution, it can knock out user sessions at scale if weaponized in malvertising or drive-by campaigns. Notably, other engines—Mozilla’s Gecko and Apple’s WebKit—were not reported affected.
Once a fix lands, rapid browser updates should be an admin priority. In the meantime, consider stricter content filtering and remind users to avoid unknown links. For teams that can stomach it, opening high-risk URLs in Firefox or Safari mitigates some of the exposure until Chromium fixes trickle down to the derivative browsers.
What security teams should prioritize and implement now
- Shrink credential exposure with passkeys.
- Operationalize AI like any other powerful SaaS, with guardrails in place.
- Assume your front end will be attacked.
The organizations that operationalize those steps fastest will have fewer fires to put out next week.
