In what can only be described as a stroke of nefarious genius, Russian APT29 has reportedly tapped into a digital loophole so obvious that even your tech-illiterate great-aunt could have missed it: Gmail’s application-specific passwords. For those unfamiliar with this feature, it was invented by Google to give hackers a fighting chance against two-factor authentication, under the guise of ‘user convenience.’

The elite hackers, known for their subtlety and discretion—traits they’ve famously demonstrated by publicly announcing, ‘Hey, we’re hacking you!’—have now added this new trick to their illustrious repertoire of cyber conquests. According to Google Threat Intelligence Group and the Citizen Lab, these digital tricksters have leveraged the app passwords in a way that can only make Google engineers scratch their heads in disbelief.

GTIG and Citizen Lab’s joint report titled ‘How to Pretend You’re Not Being Hacked When You Clearly Are’ has provided keen insights into the hackers’ methods. Experts suggest that perhaps it’s time for users to dramatically upgrade their security measures, like turning off the internet and moving to a secluded mountain cave just to be safe. Remember, in the age of cyber warfare, the most secure form of communication is obviously a carrier pigeon.