
AI Can Now Hack Anything. Here's What That Means for Your Accounts

Cautellus Team
April 9, 2026

Anthropic — the company behind Claude — just announced something that should make every person with a bank account, email, or smartphone pay attention.

They built an AI system called Project Glasswing (sometimes referred to by its internal name, "Mythos") that is so effective at finding security flaws in software, they've decided it's too dangerous to release publicly. Read that again. The company that built it — one of the most well-respected AI labs in the world — is keeping it locked down because of what it could do in the wrong hands.

This isn't science fiction. This is right now. And it changes what you need to do to protect your accounts.

What Actually Happened (In Plain English)

Anthropic's researchers pointed an AI at the software running browsers, operating systems, and popular apps — the same software running on your phone and laptop right now. The AI found previously unknown security flaws across every major system they tested. Not one or two. Dozens. In software that thousands of engineers have been trying to secure for decades.

The AI did in hours what would take a team of human hackers months. And it did it without anyone telling it what to look for.

Anthropic isn't releasing the tool. They're quietly working with software makers to patch the holes it found. But here's the uncomfortable truth: what Anthropic built, others will eventually build too. The research is out there. The blueprint exists. And not every company building AI is going to be as careful.


Why This Matters to You

You might be thinking: "I'm not a government, I'm not a Fortune 500 company, nobody's going to aim a million-dollar AI tool at me." And you'd be right — today.

But this is the signal flare for where things are going. When AI-powered security tools become cheaper and more widely available (which always happens), the same capabilities that found flaws in Chrome and Windows will start finding flaws in:

  • The app your bank uses
  • The browser extensions you installed and forgot about
  • The old router in your closet that hasn't had a firmware update in three years
  • The smart doorbell that hasn't been touched since you set it up
  • The apps on your phone you never update

Every piece of outdated software on your devices is a door. Historically, those doors were hard to find. AI is about to make them easy.

What Scammers Will Do With This

Scammers are already using AI for phishing emails, voice cloning, and deepfake videos. The next wave will be more dangerous:

  • Mass-scale vulnerability hunting. Instead of targeting one victim, scammers will scan millions of devices for the same weak points and exploit them automatically.
  • Perfect fake login pages. AI can already generate pixel-identical copies of your bank's login screen. Now it can find and exploit the tiny browser bug that lets it hijack your real session.
  • Account takeover at scale. Password reuse is already the #1 way people get hacked. AI will make the math work even harder against you.

What to Do Right Now

You don't need to panic. You need to patch. These steps will block the vast majority of AI-assisted attacks before they can reach your accounts.

1. Update every device and app immediately. Phone, laptop, tablet, router, smart home devices — all of them. The patches software makers are releasing right now are literally the fixes for the holes AI is finding. An unpatched device is an open door.

2. Lock down your logins. Even if a scammer steals your password, the right second factor stops them cold — but in 2026 those factors aren't equal, and a password manager makes unique passwords for every account effortless. Here's the ladder, strongest first:

Protect Yourself

Protection in 2026 is a ladder. Climb as high as each account lets you — and don’t stop at the bottom rungs just because they used to be enough.

  1. Passkeys — the strongest, easiest option

    A passkey is tied to the real website’s address, so a fake login page can’t use it. That’s what “phishing-resistant” means, and it’s exactly what ordinary 2FA isn’t. Turn passkeys on anywhere they’re offered — Instagram, Google, Apple, Microsoft, and a growing list of banks already support them.

  2. Hardware security keys — for your most important accounts

    A physical key you tap or plug in (YubiKey, Google Titan, Feitian; some read your fingerprint). A remote attacker can’t touch it. Use one on your primary email, banking, and any business logins, and keep a spare as backup.

  3. App-based two-factor — strong middle ground

    An authenticator app (Authy, Google Authenticator) is far better than text-message codes. It can still be phished in real time, so use it everywhere a passkey or key isn’t available — just don’t treat it as the finish line.
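Added example, not from the original article: a Python sketch of why an authenticator-app code can be relayed while a passkey login cannot. It covers only the origin and rpIdHash checks a site's server runs on a WebAuthn assertion (signature verification is omitted), and `bank.example`, the look-alike origin, the secret and the challenge are constructed values.

```python
import hashlib, hmac, json, struct

RP_ID = "bank.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # constructed origin of the real site

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1), what an authenticator app displays."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: int) -> bool:
    # The server sees six digits and nothing about the page they were typed into.
    return hmac.compare_digest(totp(secret, at), submitted)

def simulated_assertion(page_origin: str, rp_id: str, challenge: str):
    """Fields the browser and authenticator fill in; the web page cannot set them."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) | flags (UP+UV = 0x05) | 4-byte counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    return client_data, auth_data

def check_passkey_binding(client_data: bytes, auth_data: bytes, challenge: str) -> str:
    """Origin-binding checks only. A real server also verifies the signature over
    auth_data || SHA-256(client_data) with the stored public key (omitted here)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "wrong type or challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

def demo() -> dict:
    secret, now, challenge = b"constructed-secret", 1_700_000_000, "Y29uc3RydWN0ZWQ"
    lookalike = "https://bank-example.login.test"  # constructed look-alike origin
    return {
        "totp_typed_on_lookalike": verify_totp(secret, totp(secret, now), now),
        "passkey_on_real_site": check_passkey_binding(
            *simulated_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge),
        "passkey_on_lookalike": check_passkey_binding(
            *simulated_assertion(lookalike, "bank-example.login.test", challenge), challenge),
    }
```

Calling `demo()` shows the forwarded six-digit code passing verification while the assertion produced on the look-alike origin is rejected.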

The floor — still required, never sufficient on its own

  • SMS (text-message) 2FA is the weakest form of 2FA, but weak 2FA still beats none. Keep it on anything that offers nothing stronger.
  • Never reuse a password. Everyone does it; one breach then unlocks every account that shares that password. Don’t.
  • Use a password manager. It creates a unique strong password for every site, remembers them all, and increasingly stores your passkeys too. It’s the single highest-leverage habit for most people.

Lock the back door — account recovery

Most takeovers don’t beat your login; they walk in through password recovery. Use a private recovery email that isn’t on your public profile, store backup codes offline, remove SMS as a recovery method where you can, and turn on login alerts so a reset attempt reaches you instantly.

Two-factor authentication and good passwords are the floor you stand on — not the ceiling you stop at.

3. Be extra suspicious of any login page you didn't navigate to yourself. If a link in a text, email, or DM drops you on a login screen — even if it looks perfect — don't enter your credentials. Open a new tab and go directly to the site yourself. AI-generated fake login pages are about to get a lot better.

4. Check haveibeenpwned.com for your email address. It'll show you every known data breach your email has been part of. If anything comes up, change those passwords immediately.


The Bottom Line

Anthropic isn't trying to scare you. They're trying to give the security world time to catch up before this capability spreads. The best thing you can do with that warning is treat it like the early alert it is.

Patch your devices. Turn on 2FA. Stop reusing passwords. Don't click login links you didn't expect. These four habits alone will put you ahead of 90% of everyone else.

And if something looks off — a text, a login prompt, a link, a call — don't trust your gut and click through it.

Scan it at Cautellus.com first.


Courtney

Founder, Cautellus · 20+ years in financial services

Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.
