Direct answer: what the "misantropia" attack was
Between the night of June 19 and the early hours of June 20, 2026, phones in at least five Brazilian states (Paraná, São Paulo, Rio de Janeiro, the Federal District and Mato Grosso do Sul) blared an "Extreme Alert" from Civil Defense carrying a single word: misantropia ("misanthropy"), in one variant spelled "misantropi4". There was no disaster. The official emergency system had been breached.
Brazil's National Civil Defense Secretariat took the platform offline at 1:30 a.m., called in the Federal Police and notified the government CSIRT (CTIR Gov). Around ten unauthorized accesses were confirmed — nine Cell Broadcast dispatches and one via SMS.
The part that matters for any company: the breach was simple. And that is exactly why it matters.
How the intruder got in (the real attack chain)
The technical line of investigation, backed by industry experts, points to a mundane and devastating sequence:
- Infostealer. Password-stealing malware (a family such as RedLine, Lumma or Vidar) infected a staffer's machine and harvested credentials saved in the browser.
- Resale. That credential ended up on a deep-web "stealer logs" market, sold alongside the same victim's other passwords.
- Credential stuffing. The intruder tried the leaked credential on the IDAP panel (the public-alert dispatch interface), the front door of the Civil Defense Alert system run in partnership with Anatel.
- No real barrier. The account's password had never been rotated. There was no MFA. The only protection was an arithmetic captcha. The login worked.
- National impact. With an overly broad scope, a single credential managed to fire messages to multiple states — something a single login should never be able to do.
No step required a zero-day, reverse engineering or offensive AI. It was mismanaged identity meeting excessive permission.
Why this is your problem, not just the government's
Swap "IDAP" for "your SaaS admin panel", "Stripe Dashboard", "AWS console" or "your site's CMS". The story is identical:
- Infostealers stole 1.8 billion credentials in the first half of 2025 alone — an 800% jump over the prior period, from 5.8 million infected devices.
- 54% of ransomware victims had their corporate credentials for sale on stealer-log markets before the attack hit.
- Credential abuse went epidemic precisely because the failure isn't a lack of cutting-edge tech — it's basic access and identity management.
The attacker doesn't need to "hack" you in the movie sense. They just need one password an employee saved in Chrome and never changed.
The 7 controls that would have stopped the "misantropia" attack
Use this as an audit of your own critical panel:
- Mandatory MFA on every admin access — preferably phishing-resistant (passkey/FIDO2), not SMS.
- Leaked-password blocking: check every login against compromised-credential datasets and force an immediate change.
- Rotation and expiry for privileged accounts, with revocation of stale sessions.
- Rate limiting plus strong captcha-based anti-automation, to kill credential stuffing before the nth guess.
- Least privilege and scope: a state-level credential does not broadcast to the whole country. Separate by tenant, region and environment.
- Dual approval for high-impact actions (mass dispatch, refunds, production deploys, data deletion).
- Stealer-log credential monitoring and anomalous-login detection — to react in hours, not in headlines.
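Three of the controls above (mandatory MFA, scope per region, dual approval for mass dispatch) can be enforced in a single server-side gate. The sketch below is an added example, not code from the alert platform; `Operator`, `DispatchRequest`, `authorize`, the account names and the two-state threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Operator:
    name: str
    regions: frozenset   # states this credential is allowed to alert
    mfa_verified: bool   # session passed a second factor (e.g. FIDO2)

@dataclass
class DispatchRequest:
    requester: Operator
    regions: frozenset   # states the alert would reach
    message: str
    approvals: list = field(default_factory=list)  # Operators who signed off

HIGH_IMPACT_REGIONS = 2  # assumed policy: 2+ states counts as mass dispatch

def authorize(req: DispatchRequest) -> tuple[bool, str]:
    """MFA, then scope, then dual approval must all pass."""
    op = req.requester
    if not op.mfa_verified:
        return False, "denied: session has no MFA"
    outside = req.regions - op.regions
    if outside:
        return False, "denied: outside credential scope " + ",".join(sorted(outside))
    if len(req.regions) >= HIGH_IMPACT_REGIONS:
        # Approver: a different identity, MFA-verified, scope covering all targets.
        ok = any(a.name != op.name and a.mfa_verified and req.regions <= a.regions
                 for a in req.approvals)
        if not ok:
            return False, "denied: mass dispatch needs a second approver"
    return True, "allowed"

FIVE = frozenset({"PR", "SP", "RJ", "DF", "MS"})  # constructed sample data
stolen = Operator("pr-operator", frozenset({"PR"}), mfa_verified=False)
state_op = Operator("pr-operator", frozenset({"PR"}), mfa_verified=True)
national = Operator("national-duty", FIVE, mfa_verified=True)
reviewer = Operator("national-review", FIVE, mfa_verified=True)

if __name__ == "__main__":
    cases = {
        "stolen password, no MFA": DispatchRequest(stolen, FIVE, "misantropia"),
        "state scope, five states": DispatchRequest(state_op, FIVE, "test"),
        "national, no approver": DispatchRequest(national, FIVE, "test"),
        "national, self-approved": DispatchRequest(national, FIVE, "test", [national]),
        "national, second approver": DispatchRequest(national, FIVE, "test", [reviewer]),
    }
    for label, req in cases.items():
        print(f"{label:28} -> {authorize(req)[1]}")
```

Each check fails closed on its own, so a replayed password is stopped at the MFA step and a state-level account is stopped at the scope step even if MFA were somehow satisfied.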
The reading error that costs dearly
The headline says "hacker attack". The root cause says "leaked password, no MFA". Treat it as an isolated stroke of bad luck and you'll repeat it. Treat it as an identity-management failure and you fix the entire problem class — and that fix applies to a national alert system and to your product's login alike.
That's exactly what RET does: break in with authorization (manual pentest) and review the real risk (Risk Review) of your panel, login and payment flow — finding the leaked password and the loose permission before a criminal does.
The "misantropia" attack wasn't sophisticated. It was a leaked password meeting a login with no MFA. Your admin panel is your Civil Defense — treat access as if millions of people depended on it.




