Salesforce A.I CyberSecurity Scoring
Company Information
Website: http://www.salesforce.com
Number of employees: 86,766
Number of followers: 6,288,912
NAICS: 5112
Industry Type: Software Development
Homepage: salesforce.com
Salesforce Risk Score (AI oriented): 100/1000, grade C (Critical; critical band 0 to 549). Salesforce Global Score (TPRM): score locked. Updated: 29/05/2026.
51 incidents, -23.8 avg impact.
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
Cyber Attack • 05 May 2026 • Salesforce • Severity: Critical
Source headline: Salesforce, Carnival Cruise Line, Cushman & Wakefield and ADT: Cushman & Wakefield confirms vishing cyberattack
Cushman & Wakefield Confirms Data Breach Following Dual Cyberattacks by ShinyHunters and Qilin
Real estate firm Cushman & Wakefield (C&W) has acknowledged a limited data breach after two cybercrime groups, ShinyHunters and Qilin, independently claimed responsibility for attacks on the company. The incident originated from a vishing (voice phishing) attack, suggesting an employee was manipulated through social engineering.
A C&W spokesperson stated that the company detected the breach, activated response protocols, and engaged third-party experts to investigate. While the company assured that systems and operations remain unaffected, it did not address the dual claims by the two threat actors.
ShinyHunters, known for its pay-or-leak extortion model, alleged it breached C&W on May 1, stealing over 500,000 Salesforce records containing PII and internal corporate data. The group set a May 6 deadline for C&W to respond before leaking the data, though no contact was reportedly made.
Meanwhile, Qilin, currently ranked as the world’s most prolific ransomware group, listed C&W on its leak site on May 4 but did not disclose attack details. The timing of the two incidents appears coincidental, as there is no known collaboration between the groups.
ShinyHunters has been particularly active in recent months, claiming responsibility for high-profile breaches, including a supply chain attack on Salesforce in March that exposed data from over 100 customers. Other victims linked to the group include ADT, Carnival Cruise Line, Rockstar Games, and Vimeo, though not all attacks were directly tied to the Salesforce compromise.
Cyber Attack • 27 Apr 2026 • Salesforce • Severity: Critical
Source headline: Salesforce and Google: Indirect Prompt Injection Is Now a Real-World AI Security Threat
AI Agents Weaponized via Prompt Injection: A New Threat to Enterprise Data
Researchers from Google and Forcepoint have confirmed that indirect prompt injection attacks, long considered theoretical, are now actively targeting production AI systems in the wild. These attacks embed hidden instructions in web pages, documents, or emails, which AI agents then execute without detection. The result: data exfiltration, credential theft, and unauthorized outbound requests to attacker-controlled servers, all carried out by the AI itself.
Unlike traditional cyberattacks, these incidents require no phishing links, malicious binaries, or anomalous logins, just an AI agent processing attacker-crafted content as part of its normal operations. Security tools, designed to flag suspicious behavior, see nothing amiss because the AI is functioning as intended.
### A Class of Attacks, Not a Single Vulnerability
This isn’t an isolated incident. Earlier this month, Noma Security disclosed GrafanaGhost, a zero-click flaw in Grafana’s AI assistant that turned it into a silent data exfiltration channel. Attackers embedded instructions in URL parameters, which the AI processed from logs, sending sensitive data, including financial metrics and customer records, to external servers via seemingly legitimate image-render requests. While Grafana patched the flaw, the underlying attack pattern remains unaddressed.
Similar exploits have emerged in Salesforce Agentforce (ForcedLeak), Google Gemini (GeminiJack), and DockerDash, all following the same playbook: AI features integrated into existing platforms process untrusted content, execute attacker instructions, and evade detection by operating through legitimate channels.
### Why Model-Level Guardrails Fail
Most enterprises rely on system prompts, safety filters, and human review to govern AI behavior, none of which are true security controls. Research shows these measures are easily bypassed:
- InjecAgent benchmark (ACL 2024) found GPT-4 vulnerable to indirect prompt injection at a 24% baseline rate, rising to 47% with enhanced attacks.
- AgentDojo benchmark (used by U.S. and U.K. AI Safety Institutes) revealed that effective defenses degrade AI utility, while those preserving functionality leave systems exposed.
- Human oversight is lacking: A Kiteworks survey found 41-44% of organizations lack basic governance controls, and 55-63% have no kill switches, network isolation, or purpose binding for AI agents.
Regulators won’t accept "the model was instructed not to" as a defense. HIPAA, CMMC, PCI, and SOX audits require enforceable access controls, not just configuration settings.
### The Solution: Data-Layer Governance
The shift from model-level to data-layer enforcement is critical. Instead of trying to govern AI behavior at the model, security must be enforced between the agent and the data:
- Authentication: Cryptographic verification, not session-based.
- Authorization: Real-time policy evaluation for every request.
- Encryption: Validated cryptographic modules meeting federal standards.
- Audit trails: Tamper-evident logs streamed to SIEM for regulatory compliance.
This approach ensures that even a compromised AI agent cannot access unauthorized data, and every action is logged for auditability.
### The New Reality
The first wave of AI security focused on preventing employees from exposing data to tools like ChatGPT, a challenge addressed (imperfectly) with policy and DLP. The second wave is now here: how to stop AI agents from being weaponized against enterprise data. The Google and Forcepoint findings confirm that this threat is no longer hypothetical; it is active. The only remaining question is whether organizations will rely on model behavior or enforceable data-layer controls to protect their systems.
Cyber Attack • 27 Apr 2026 • Salesforce • Severity: Critical
Source headline: Salesforce: Hackers Pose as Microsoft Support to Breach Corporate Defenses
Hackers Impersonate Microsoft Teams Help Desk in Sophisticated Malware Campaign
A new cyberattack campaign, attributed to the threat group UNC6692, is leveraging social engineering and malicious tools to breach corporate systems by impersonating Microsoft Teams help desk workers. The findings, reported by Mandiant (a Google-owned cybersecurity firm) on April 27, highlight an evolving tactic that exploits trust in enterprise software.
The attack begins with email flooding to overwhelm a target’s inbox, followed by a Microsoft Teams message from an external account posing as IT support. The attacker convinces the victim to install a fake "patch" that instead deploys SnowBelt, a malicious browser extension. This extension grants attackers persistent access to corporate accounts, allowing them to move within systems without repeated authentication.
UNC6692’s methods reflect a broader shift in cybercrime, where attackers increasingly exploit software-as-a-service (SaaS) vulnerabilities rather than traditional network breaches. Recent high-profile incidents, including breaches at Mercor (an AI data vendor for OpenAI, Anthropic, and Meta) and a Salesforce-centered extortion wave, underscore this trend. These attacks signal a fundamental change in digital risk, where the SaaS layer has become the primary target for cybercriminals.
Cyber Attack • 27 Apr 2026 • Salesforce • Severity: Critical
Source headline: ADT: Have I Been Pwned’s Post
ADT Hit by "Pay or Leak" Extortion Attack, Exposing 5.5M Email Addresses
ADT, a leading security and smart home services provider, suffered a data breach involving a "pay or leak" extortion scheme, resulting in the public exposure of 5.5 million unique email addresses. The leaked data also included names, physical addresses, phone numbers, and a limited number of dates of birth and partial Social Security numbers.
The breach was disclosed today, with analysis revealing that 71% of the exposed email addresses were already linked to LinkedIn profiles, suggesting a significant overlap with professional networks. The incident highlights the growing threat of extortion-based cyberattacks, where threat actors demand payment to prevent the release of stolen data.
ADT has not confirmed whether a ransom was paid or if the attackers followed through on their threat after demands were ignored. The company is likely conducting an internal investigation to assess the full scope of the breach and its potential impact on affected customers. The exposure of personal and sensitive information raises concerns about identity theft and targeted phishing campaigns.
Breach • 20 Apr 2026 • Salesforce • Severity: Critical
Source headline: Panera Bread, Salesforce and ADT: ShinyHunters' ADT phishing hack nets 5.5 million emails
ADT Data Breach Exposes 5.5 Million Customer Records in SSO Attack
Security and smart home provider ADT confirmed a data breach affecting 5.5 million customers after hacking group ShinyHunters compromised an employee’s Okta single sign-on (SSO) credentials through a voice phishing (vishing) attack. The breach, detected on April 20, exposed customer names, phone numbers, addresses, and in some cases Social Security and Tax ID numbers, though payment information remained secure.
ADT responded by terminating the unauthorized access, launching a forensic investigation with third-party cybersecurity experts, and notifying law enforcement. According to Bleeping Computer, ShinyHunters gained entry via an ADT Salesforce account after obtaining the employee’s Okta login details through vishing, a tactic also linked to the group’s recent Panera Bread breach.
ShinyHunters, known for high-profile attacks on companies like Rockstar Games, Crunchyroll, and Bumble, has increasingly targeted SSO vulnerabilities. Okta recently warned about the rise of vishing attacks, which manipulate victims into divulging credentials over the phone.
The breach highlights the growing risk of SSO-based attacks and the persistent threat posed by cybercriminal groups exploiting human and technical weaknesses in enterprise security.
Breach • 20 Apr 2026 • Salesforce • Severity: Critical
Source headline: ADT: ADT says customer data stolen in cyber intrusion
ADT Suffers Data Breach as ShinyHunters Claims Theft of 10 Million Records
ADT, the Florida-based home security provider, confirmed a cyberattack on Monday that resulted in the theft of customer and prospective customer data. The breach exposed names, phone numbers, addresses, dates of birth, and the last four digits of Social Security numbers and tax IDs, though payment data and security systems remained unaffected.
While ADT did not disclose the number of impacted individuals or whether a ransom was demanded, the cybercriminal group ShinyHunters later claimed responsibility, alleging the theft of 10 million records and threatening to leak the data unless paid. ADT has notified affected customers and is offering identity protection services where necessary. Law enforcement has been alerted, and third-party cybersecurity experts are assisting in the investigation.
This incident marks the latest in a series of attacks by ShinyHunters, which has targeted high-profile organizations in recent months, including Rockstar Games, McGraw Hill, Bumble, and the European Commission. The group resurfaced earlier this year after a period of reduced activity, following legal setbacks in 2025 when two members were sentenced, one to 22 years in prison and another to 10 years.
ADT, which reported $5.1 billion in revenue last year, has faced multiple cybersecurity breaches in the past two years, including prior incidents involving customer and employee data. The company continues to respond to the latest attack as authorities monitor the situation.
Breach • 18 Apr 2026 • Salesforce • Severity: Critical
Source headline: Carnival Corporation, Carnival Cruise Line, Princess Cruises and Holland America Line: Carnival Corporation probes data breach after claims of 8.7M records theft
Carnival Corporation Investigates Alleged Data Breach by ShinyHunters Extortion Group
Carnival Corporation, the global cruise operator behind brands like Carnival Cruise Line, Princess Cruises, and Holland America Line, is probing a potential data breach after the ShinyHunters extortion group claimed to have stolen over 8.7 million records containing personally identifiable information (PII) and internal corporate data.
On April 18, ShinyHunters listed Carnival on its "pay or leak" portal, threatening to release the data publicly if demands were not met by April 21, 2026. The group, known for high-profile breaches, typically gains access through phishing, credential theft, or cloud service exploitation.
Carnival confirmed detecting suspicious activity linked to a phishing incident affecting a single user account. In a statement, the company acknowledged the breach, stating it had blocked unauthorized access and was working with security experts to assess the scope. While the investigation is ongoing, Carnival has not confirmed whether customer data was compromised.
ShinyHunters’ claims remain unverified, but even limited account access could lead to significant exposure if linked to internal systems or cloud-based tools. Carnival, which serves millions of passengers annually, remains a prime target for cybercriminals seeking financial leverage through extortion. The incident underscores the rising threat of phishing-driven breaches in enterprise environments.
Breach • 15 Apr 2026 • Salesforce • Severity: Critical
Source headline: Kemper Corporation: Kemper Corporation Data Breach: Edelson Lechtzin LLP Launches Investigation Into Exposure of Personal Information
Kemper Corporation Hit by ShinyHunters Data Breach, Exposing Sensitive Information
On April 15, 2026, the hacker group ShinyHunters leaked 29 GB of alleged Kemper Corporation data on the dark web, claiming the files were stolen from the company’s Salesforce account. Kemper Corporation, a leading U.S. insurer with $12 billion in assets, confirmed the cybersecurity incident and has launched an internal investigation while notifying law enforcement.
The exposed data may include internal corporate documents, employee training materials, names, email addresses, and Stripe payment logs containing customer names and transaction details. Individuals who received breach notifications from Kemper face heightened risks of identity theft and fraud.
National class action firm Edelson Lechtzin LLP is investigating potential legal claims on behalf of affected individuals. Kemper provides insurance services through its Kemper Auto and Kemper Life brands, serving individuals, families, and businesses. The full scope of the breach and its impact remain under review.
Vulnerability • 15 Apr 2026 • Salesforce • Severity: Critical
Source headline: Salesforce: Amtrak allegedly breached by ShinyHunters, massive data leak threatened
ShinyHunters Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records
The hacking group ShinyHunters has added the National Railroad Passenger Corporation (Amtrak) to its data leak site, alleging the theft of 9.4 million records containing personally identifiable information (PII) and corporate data. The breach reportedly occurred via unauthorized access to Salesforce, a platform the group has previously exploited through social engineering attacks targeting employees.
While no samples of the stolen data have been publicly released, ShinyHunters has set a deadline of April 14 for a ransom payment, threatening to expose the information if demands are not met. The compromised data could include details from both Amtrak employees and customers, given the company’s role in ticket sales.
ShinyHunters has a history of high-profile breaches, including attacks on Mercer Advisors, Beacon Pointe Advisors, Cisco Systems, Hallmark, and Rockstar Games. The potential exposure of PII raises concerns about follow-on social engineering attacks, depending on the nature of the stolen records.
Breach • 14 Apr 2026 • Salesforce • Severity: Medium
Source headline: McGraw-Hill and Salesforce: McGraw-Hill confirms data breach following extortion threat
McGraw-Hill Confirms Data Breach via Salesforce Misconfiguration, Disputes ShinyHunters’ Claims
Education giant McGraw-Hill has acknowledged a data breach stemming from a misconfigured Salesforce environment, which allowed hackers to access a limited set of internal data. The company stated that the incident did not compromise its Salesforce accounts, customer databases, or core systems, and that the exposed information was non-sensitive, lacking Social Security numbers, financial details, or student data from its platforms.
The breach was first flagged by the extortion group ShinyHunters, which listed McGraw-Hill as a victim on its dark-web portal and threatened to leak allegedly stolen data, including 45 million records containing personally identifiable information (PII), by April 14 unless a ransom was paid. McGraw-Hill disputed the group’s claims, asserting that the accessed data was minimal and not critical.
McGraw-Hill, a major provider of textbooks, digital learning tools, and K-12/university platforms with $2.2 billion in annual revenue, confirmed that the affected webpages were secured immediately after detecting the unauthorized access. The company is collaborating with Salesforce to reinforce protections and address the misconfiguration, which it described as part of a broader issue impacting multiple Salesforce clients.
ShinyHunters, known for high-profile breaches in 2024, including attacks on Rockstar Games, Hims & Hers, the European Commission, and Panera Bread, has also targeted other education-related entities, such as Infinite Campus, a K-12 student information system provider, in March. The group’s extortion tactics have raised concerns across industries, though McGraw-Hill’s investigation, supported by external cybersecurity experts, maintains that the incident’s impact was contained.
Vulnerability • 13 Apr 2026 • Salesforce • Severity: Critical
Source headline: Salesforce: Google Data Breach | Is Your Information on the Dark Web?
Google’s 2025 Salesforce Breach: A Major Cyberattack Exposes Advertiser and User Data
In August 2025, Google confirmed a significant data breach tied to its Salesforce CRM platform, one of the most damaging third-party incidents in the company’s history. The attack, attributed to the notorious cybercriminal group ShinyHunters, exploited vulnerabilities in Google’s Salesforce environment to exfiltrate sensitive advertiser and business account data. By September 2025, the breach had been publicly acknowledged, though its full scope remains under assessment.
### What Happened?
ShinyHunters, a threat group responsible for high-profile breaches at Ticketmaster, AT&T, and Santander Bank, targeted Google’s Salesforce CRM, the system managing advertiser relationships and business communications. The stolen data included:
- Advertiser account details (business contact information, campaign records)
- Internal communication logs
- Customer data linked to Google’s advertising and Workspace operations
Beyond data theft, the group used the stolen information to launch vishing (voice phishing) attacks, impersonating Google representatives to extract further credentials and payments from advertising clients.
### Impact and Scale
Early reports indicated millions of advertiser records were compromised, with some cybersecurity researchers linking the breach to a 184-million-credential dataset circulating in dark web forums spanning Google, Apple, and other major platforms. Google has not disclosed an exact number of affected users, a common practice in breach disclosures.
### Google’s Response
Google confirmed unauthorized access via a third-party system, stating it had contained the breach, notified affected parties, and cooperated with authorities. The company also urged users to:
- Review saved passwords
- Enable two-factor authentication (2FA)
- Monitor accounts for suspicious activity
However, Google’s statement did not address the post-breach circulation of stolen data on the dark web, where credentials often resurface long after initial containment.
### Broader Context: Google’s Breach History
The 2025 Salesforce breach is part of a pattern of security incidents involving Google:
- 2018 Google+ Breach: A software bug exposed 500,000+ user profiles (names, emails, birthdates) for over three years before disclosure. A second breach later that year affected 52.5 million users, leading to Google+’s shutdown.
- 2023 Google Fi Incident: Customer data was compromised via a T-Mobile breach, highlighting supply chain risks.
- 2025 Google Ads Exposure: The Salesforce breach marked the first direct compromise of Google’s advertising infrastructure.
### Dark Web Risks and Credential Reuse
Stolen data from breaches like this often migrates to dark web markets, where it’s sold to other threat actors. Google’s Password Checkup tool flags compromised credentials, but it only covers passwords saved in Chrome and known public breaches, not private dark web sales or malware logs.
### Legal and Regulatory Fallout
Google has faced class-action lawsuits and regulatory fines over past breaches, including:
- A $7.5 million settlement for the 2018 Google+ breach.
- A $5 billion settlement in 2024 over misleading Incognito mode privacy claims.
- GDPR fines (e.g., €150 million in 2022 for cookie consent violations).
### Key Takeaways
- The 2025 Salesforce breach exposed advertiser and business data, enabling targeted phishing attacks.
- ShinyHunters’ involvement underscores the sophistication of modern cybercrime.
- Google’s breach history reflects broader industry challenges in securing third-party systems.
- Dark web monitoring remains critical, as stolen data persists long after initial breaches.
The incident reinforces the risks of third-party vulnerabilities and the need for proactive security measures beyond platform-provided tools.
Breach • 08 Apr 2026 • Salesforce • Severity: Critical
Source headline: Wynn Resorts and 7-Eleven: 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand
7-Eleven Confirms Data Breach After ShinyHunters Claims Theft of 600K Records
7-Eleven, the world’s largest convenience store chain, has confirmed a data breach following claims by the ShinyHunters hacker group that it stole over 600,000 Salesforce records containing personal and corporate data. The intrusion was detected on April 8, targeting systems used to store franchisee documents.
In a notification filed with the Maine Attorney General’s Office, 7-Eleven acknowledged that unspecified personal information provided during franchise applications was compromised. While the company did not disclose the total number of affected individuals, it reported that only two Maine residents were impacted, suggesting a potentially limited scope of exposure.
ShinyHunters publicly listed 7-Eleven on its leak site on April 17, demanding a ransom by April 21 before later offering the stolen data for sale at $250,000 on a hacker forum. The group has been actively targeting Salesforce instances of major organizations since mid-2025, exploiting phishing attacks, third-party integrations, or misconfigurations rather than vulnerabilities in Salesforce’s core systems.
This breach follows a pattern of recent ShinyHunters attacks, including incidents at Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic. The group’s tactics highlight ongoing risks to enterprises relying on cloud-based platforms for sensitive data storage.
Vulnerability • 01 Apr 2026 • Salesforce • Severity: Critical
Source headline: Salesforce and Abrigo: Have I Been Pwned’s Post
Abrigo Hit by ShinyHunters Breach, Exposing 700K+ Email Addresses
In a recent cyberattack, financial software provider Abrigo was targeted by the hacking group ShinyHunters last month. The threat actors subsequently leaked over 700,000 unique email addresses, allegedly stolen from Abrigo’s Salesforce instance. The exposed data also included business contact information, raising concerns about potential phishing and social engineering risks.
Analysis revealed that 57% of the compromised email addresses were already linked to LinkedIn profiles, increasing the likelihood of targeted follow-up attacks. The breach highlights vulnerabilities in third-party cloud services and the ongoing threat posed by cybercriminal groups specializing in data exfiltration.
No further details on the attack vector or Abrigo’s response have been disclosed. The incident underscores the persistent risks of unauthorized access to enterprise SaaS platforms.
Vulnerability • 01 Apr 2026 • Salesforce • Severity: Critical
Source headline: Trivy, Cisco, Salesforce, AWS and Aura: Cisco Faces Alleged Data Leak as ShinyHunters Claims Responsibility
Cisco Hit by Major Cyberattack Linked to Supply Chain Breach
Cisco is responding to a significant cybersecurity incident after threat actors breached its internal development networks, stealing sensitive source code and corporate data. The attack, claimed by the hacking group ShinyHunters, also allegedly impacted Salesforce, Aura, and AWS storage buckets.
The breach originated from a supply chain attack involving Trivy, a widely used vulnerability scanner. Attackers exploited a malicious GitHub Action plugin tied to the Trivy compromise, allowing them to steal credentials and infiltrate Cisco’s build environments. Once inside, they compromised dozens of devices, including lab workstations and developer systems, gaining access to highly sensitive data.
The stolen material includes AWS keys, which were used to perform unauthorized actions in Cisco’s cloud accounts, and over 300 private GitHub repositories. These repositories contain unreleased product source code, including AI Assistants and AI Defense technologies, as well as data belonging to corporate clients, such as major banks, BPO firms, and U.S. government agencies.
Cisco’s security teams, including the Unified Intelligence Center, CSIRT, and EOC, moved quickly to contain the breach by isolating affected systems, wiping compromised machines, and enforcing a mass credential reset. However, the company has not yet issued a public statement, and internal sources suggest ongoing complications from the incident.
While ShinyHunters has taken credit for the data theft, security researchers link the underlying Trivy supply chain attack to TeamPCP, a separate group known for deploying custom malware ("TeamPCP Cloud Stealer") to hijack developer platforms like Docker, NPM, and PyPi. TeamPCP has also been tied to recent breaches of LiteLLM and Checkmarx, raising concerns about secondary attacks stemming from related vulnerabilities.
Ransomware • 25 Mar 2026 • Salesforce • Severity: Critical
Source headline: ZenBusiness: 'This is a final warning': Hackers say they'll leak "several terabytes" of ZenBusiness data
ShinyHunters Threatens ZenBusiness with Data Leak Deadline
The notorious ransomware group ShinyHunters has issued a "final warning" to ZenBusiness, a U.S.-based platform supporting small businesses with LLC formation, compliance, and back-office tools. The group threatened to leak terabytes of stolen data and create "several annoying (digital) problems" if a ransom is not paid by March 25.
Security researchers believe ShinyHunters gained access through vishing (voice phishing), impersonating IT staff to trick employees into granting remote access. Once inside, the group likely compromised platforms like Salesforce or Snowflake to exfiltrate sensitive data, potentially including customer PII, employee records, and internal operations details, which could undermine ZenBusiness’s competitive edge.
ZenBusiness, which serves freelancers, startups, and small businesses with an estimated $75 million in annual revenue, is the latest in a string of ShinyHunters targets. Recent victims include Infinite Campus (11 million affected), Telus Digital, Wynn Resorts, and Crunchyroll, highlighting the group’s aggressive and persistent campaign. The breach remains unconfirmed by ZenBusiness, but researchers warn of potential exposure risks.
Breach • 23 Mar 2026 • Salesforce • Severity: Critical
Source headline: Salesforce and Infinite Campus: Infinite Campus warns of breach after ShinyHunters claims data theft
Infinite Campus Reports Data Breach Following ShinyHunters Extortion Attempt
Infinite Campus, a leading U.S.-based provider of K-12 student information systems, has notified customers of a data breach after a threat actor accessed an employee’s Salesforce account. The company serves over 3,200 school districts and manages data for 11 million students across 46 states.
The breach was claimed by the extortion group ShinyHunters, which posted a "final warning" on its dark web site on March 24, threatening to leak stolen data unless Infinite Campus engaged in ransom negotiations by March 25. The company confirmed it would not comply with the demands.
ShinyHunters alleged the theft of Salesforce records containing personally identifiable information (PII) and internal corporate data. However, Infinite Campus stated that its investigation found no access to customer databases. The exposed data primarily included names and contact details of school staff, much of which is publicly available on school websites.
The incident follows a pattern of Salesforce-targeted attacks by ShinyHunters, which has breached hundreds of companies in the past year, including high-profile campaigns like the Salesloft Drift and Salesforce Aura hacks, claiming over 1.5 billion records stolen.
In response, Infinite Campus disabled certain customer-facing services for customers that had not configured login IP restrictions and is scanning the potentially compromised Salesforce data. The company is also contacting affected school districts to provide guidance.
While the breach’s full impact remains unclear, Infinite Campus has not disclosed how many districts were affected. The incident echoes the December 2024 PowerSchool hack, though that attack exposed sensitive data of 62 million students. The perpetrator, a 19-year-old college student, was later sentenced to four years in prison.
Vulnerability
23 Mar 2026 • Salesforce
Amazon, Pinecone, Salesforce, Microsoft, Redis, Amazon Aurora and Amazon Redshift: We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them
AWS Bedrock AI Platform Exposed to Eight Critical Attack Vectors, Research Reveals
100
CRITICAL0
SALAMAMICPINRED1774269319
Amazon’s AWS Bedrock, a platform that lets developers build AI-powered applications by wiring foundation models to enterprise data and systems, has been identified as a high-value target for attackers. Security researchers at XM Cyber documented eight validated attack vectors that abuse Bedrock’s connections to surrounding infrastructure, including Salesforce, Lambda functions, SharePoint, and vector databases.
The vectors stem not from flaws in the models but from misconfigured permissions and weak access controls around them: an attacker can redirect or delete logs, compromise knowledge bases, hijack AI agents, inject malicious workflows, weaken guardrails, and poison prompts. Each path starts from a low-privileged identity and can escalate to full compromise of the connected systems.
### Key Attack Vectors
1. Model Invocation Log Attacks – Attackers can redirect or delete logs stored in S3 buckets, harvesting sensitive data or erasing forensic evidence.
2. Knowledge Base Attacks (Data Source) – By accessing S3, Salesforce, or SharePoint credentials, attackers bypass AI models to extract raw data or move laterally into Active Directory.
3. Knowledge Base Attacks (Data Store) – Compromised credentials for vector databases (Pinecone, Redis) or AWS-native stores (Aurora, Redshift) grant full access to structured enterprise data.
4. Agent Attacks (Direct) – Modifying agent prompts or attaching malicious executors enables unauthorized actions, such as database tampering or user creation.
5. Agent Attacks (Indirect) – Injecting malicious code into Lambda functions allows data exfiltration or model response manipulation.
6. Flow Attacks – Altering workflows to reroute data to attacker-controlled endpoints or bypassing authorization checks via modified condition nodes.
7. Guardrail Attacks – Weakening or removing content filters increases susceptibility to prompt injection and toxic output generation.
8. Managed Prompt Attacks – Modifying centralized prompt templates enables mass-scale data exfiltration or harmful content generation without detection.
### Impact & Implications
The research highlights that attackers target Bedrock’s integrations rather than the AI models themselves. A single over-privileged identity can redirect logs, hijack agents, or access on-premises systems. Security teams must map attack paths across cloud and hybrid environments while enforcing strict permission controls to mitigate risks.
The findings underscore the need for comprehensive visibility into AI workloads and their associated permissions to prevent exploitation. Full technical details, including architectural diagrams, are available in XM Cyber’s research report.
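An added example (not XM Cyber’s or AWS’s code) that turns the eight vectors into a check a cloud security engineer can run offline: it walks IAM policy documents and reports which statements grant the write-side actions that would let an identity carry out each vector, and whether the grant is scoped to every resource. The vector-to-action mapping, the action names chosen for it, and the three policy documents are assumptions constructed for the example; confirm the action list against the IAM reference for your account before relying on it.

```python
"""Map IAM policy grants to the Bedrock attack vectors listed above.

Added example, not XM Cyber's or AWS's code. VECTOR_ACTIONS is an assumed
mapping of each vector to IAM actions that would enable it; the policy
documents at the bottom are constructed samples, not real policies.
"""
import fnmatch

VECTOR_ACTIONS = {
    "model invocation log redirect/delete": [
        "bedrock:PutModelInvocationLoggingConfiguration",
        "bedrock:DeleteModelInvocationLoggingConfiguration",
        "s3:DeleteObject",
        "s3:PutBucketPolicy",
    ],
    "knowledge base data source/store takeover": [
        "bedrock:UpdateDataSource",
        "bedrock:UpdateKnowledgeBase",
        "secretsmanager:GetSecretValue",
    ],
    "agent hijack (direct)": ["bedrock:UpdateAgent", "bedrock:UpdateAgentActionGroup"],
    "agent hijack via Lambda executor": ["lambda:UpdateFunctionCode"],
    "flow rerouting": ["bedrock:UpdateFlow"],
    "guardrail weakening": ["bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail"],
    "managed prompt tampering": ["bedrock:UpdatePrompt", "bedrock:CreatePromptVersion"],
}


def _as_list(value):
    """IAM allows a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return one finding per (statement, vector) the policy enables."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resource_wildcard = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions; flag for review.
            findings.append({"sid": sid, "vector": "NotAction grant (review manually)",
                             "pattern": str(stmt["NotAction"]), "grants": [],
                             "resource_wildcard": resource_wildcard})
            continue
        for pattern in _as_list(stmt.get("Action")):
            for vector, actions in VECTOR_ACTIONS.items():
                grants = [a for a in actions if _iam_match(pattern, a)]
                if grants:
                    findings.append({"sid": sid, "vector": vector, "pattern": pattern,
                                     "grants": grants, "resource_wildcard": resource_wildcard})
    return findings


def vectors_enabled(policy):
    """Sorted, de-duplicated list of vectors the policy makes possible."""
    return sorted({f["vector"] for f in audit_policy(policy)})


# Constructed sample policies (assumed account id, not from any real account).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DevConvenience", "Effect": "Allow",
                   "Action": ["bedrock:*", "s3:*"], "Resource": "*"}],
}
LAMBDA_DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DeployFunctions", "Effect": "Allow",
                   "Action": "lambda:UpdateFunctionCode",
                   "Resource": "arn:aws:lambda:us-east-1:123456789012:function:agent-*"}],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "InvokeOnly", "Effect": "Allow",
                   "Action": ["bedrock:InvokeModel", "bedrock:InvokeAgent", "bedrock:Retrieve"],
                   "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/*",
                                "arn:aws:bedrock:us-east-1:123456789012:agent-alias/*",
                                "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/*"]}],
}

if __name__ == "__main__":
    for name, pol in [("overbroad", OVERBROAD_POLICY), ("lambda-deployer", LAMBDA_DEPLOYER_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, "->", vectors_enabled(pol) or "no vector enabled")
```

The "DevConvenience" policy enables six of the seven vectors from a single statement, which is the over-privileged identity the research warns about; the Lambda deployer enables only the indirect agent vector, and even that is worth scoping to the functions that agents actually execute. Feed the audit the policy documents attached to roles that Bedrock agents, CI pipelines and developers assume (for example from `aws iam get-policy-version` output); a clean result here says nothing about resource policies on the S3 log bucket or trust policies on the roles, which need their own review.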
MARCH 2026
100
Breach
18 Mar 2026 • Salesforce
Okta, Nordstrom and Salesforce: Nordstrom's email system abused to send crypto scams to customers
Nordstrom Customers Targeted in Cryptocurrency Scam via Compromised Email System
100
CRITICAL0
NOROKTSAL1773854168
Nordstrom customers recently received fraudulent emails from the company’s legitimate marketing address ([email protected]), promoting a cryptocurrency scam disguised as a St. Patrick’s Day promotion. The messages promised to double any cryptocurrency sent to a specified wallet within two hours, creating a false sense of urgency to pressure recipients into acting quickly.
The scam emails contained red flags, including a misspelled company name ("Normstorm") in the subject line, though the official sender address likely led some victims to overlook the deception. Nordstrom later confirmed the messages were unauthorized and warned customers that the company would never request cryptocurrency transactions. A follow-up email urged recipients to disregard the fraudulent offer.
While it remains unclear how many customers were affected, some victims reportedly sent funds to the attacker’s wallet, which accumulated over $5,600 in cryptocurrency. According to sources, the attackers had compromised Nordstrom’s Okta SSO and Salesforce Marketing Cloud accounts, which let them send the scam through the company’s own sending infrastructure, so the messages came from the genuine sender address rather than a spoofed one. The incident mirrors recent attacks on Betterment and GrubHub, in which the same kind of marketing-platform access was abused to distribute crypto scams.
Nordstrom, a major U.S. retailer with over $15 billion in annual revenue and millions of customers, has not publicly detailed the extent of the breach or its response beyond issuing customer warnings. The company is investigating the incident.
MARCH 2026
100
Breach
10 Mar 2026 • Salesforce
Salesforce: Threat actors use custom AuraInspector to harvest data from Salesforce systems
Threat Actors Exploit Modified AuraInspector Tool to Harvest Data from Misconfigured Salesforce Sites
100
CRITICAL0
SAL1773146972
On March 10, 2026, Salesforce’s Cybersecurity Operations Center (CSOC) warned of a campaign in which threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the AuraInspector tool. Originally developed by Google/Mandiant, AuraInspector is an open-source command-line utility designed to audit Salesforce Aura and Experience Cloud applications for data exposure risks by simulating unauthenticated or guest user access.
Attackers have adapted the tool to exploit overly permissive guest user settings, enabling them to extract sensitive CRM data including Accounts, Contacts, and Leads via exposed Aura endpoints, record lists, or GraphQL controllers. While the original AuraInspector only identifies vulnerabilities, the modified version actively harvests data from misconfigured environments.
Salesforce confirmed that the activity does not stem from a platform vulnerability but rather from customer misconfigurations, particularly in Experience Cloud guest user permissions. Exposed data could be leveraged for targeted social engineering or vishing attacks.
The company attributes the campaign to a known threat actor group, potentially ShinyHunters, which has previously targeted Salesforce environments through third-party applications. Salesforce advises organizations to review and secure guest user settings, restrict public access, disable unnecessary APIs, and monitor logs to mitigate risks.
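The advisory’s remediation starts with the guest user profile, and that review can be automated from the profile metadata rather than clicked through in Setup. The example below is added here and is not Salesforce’s, Mandiant’s or AuraInspector’s code: it parses a profile document in the Metadata API format (the XML you get when retrieving the Experience Cloud site’s guest profile with the Salesforce CLI) and reports object-level read on CRM objects, View All, readable fields and API access on a Guest User License profile. The two profile documents are constructed, and the set of objects treated as high risk is an assumption based on the data types the campaign harvested.

```python
"""Audit a Salesforce guest user profile (Metadata API XML) for the exposure
the AuraInspector campaign harvests: object read on CRM objects, View All,
readable fields and API access on a Guest User License profile.

Added example, not Salesforce's or Mandiant's code. Both profile documents
are constructed; HIGH_RISK_OBJECTS is an assumed list.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Accounts, Contacts and Leads were pulled in the campaign; the rest are assumed worth flagging.
HIGH_RISK_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}


def _flag(el, tag):
    """True if the child element <tag> reads 'true'."""
    return (el.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip().lower() == "true"


def audit_guest_profile(profile_xml):
    """Return what a guest user with this profile could read, and whether it matters."""
    root = ET.fromstring(profile_xml)
    license_name = root.findtext("m:userLicense", default="", namespaces=NS) or ""
    report = {
        "is_guest": "guest" in license_name.lower(),
        "readable_objects": [],   # CRM objects with allowRead
        "view_all_objects": [],   # any object with viewAllRecords
        "readable_fields": [],    # CRM fields with field-level read
        "api_enabled": False,     # ApiEnabled user permission
    }
    for op in root.findall("m:objectPermissions", NS):
        obj = (op.findtext("m:object", default="", namespaces=NS) or "").strip()
        if _flag(op, "allowRead") and obj in HIGH_RISK_OBJECTS:
            report["readable_objects"].append(obj)
        if _flag(op, "viewAllRecords"):
            report["view_all_objects"].append(obj)
    for fp in root.findall("m:fieldPermissions", NS):
        field = (fp.findtext("m:field", default="", namespaces=NS) or "").strip()
        if _flag(fp, "readable") and field.split(".")[0] in HIGH_RISK_OBJECTS:
            report["readable_fields"].append(field)
    for up in root.findall("m:userPermissions", NS):
        name = (up.findtext("m:name", default="", namespaces=NS) or "").strip()
        if name == "ApiEnabled" and _flag(up, "enabled"):
            report["api_enabled"] = True
    report["exposed"] = report["is_guest"] and bool(
        report["readable_objects"] or report["view_all_objects"] or report["api_enabled"])
    return report


# Constructed profile documents in Metadata API format (not from any real org).
EXPOSED_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable><field>Contact.Email</field><readable>true</readable>
    </fieldPermissions>
    <userLicense>Guest User License</userLicense>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

HARDENED_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>FAQ__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userLicense>Guest User License</userLicense>
    <userPermissions><enabled>false</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    for label, xml in [("exposed", EXPOSED_PROFILE), ("hardened", HARDENED_PROFILE)]:
        print(label, "->", audit_guest_profile(xml))
```

A clean report is necessary, not sufficient: guest record access in Experience Cloud also flows through guest user sharing rules and through whichever components and Apex controllers the site exposes to unauthenticated users, so pair this check with a review of the site’s sharing rules, public access settings and the Secure guest user record access setting, and with log monitoring for bulk record reads from guest sessions.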
MARCH 2026
100
Breach
01 Mar 2026 • Salesforce
Hallmark and Salesforce: Have I Been Pwned’s Post
Hallmark Data Breach Exposes 1.7 Million Customer Records
100
CRITICAL0
SALHAL1775967850
In a recent cybersecurity incident, greeting card giant Hallmark confirmed a data breach that occurred in March, with attackers gaining access to its Salesforce environment. The stolen data published this week includes 1.7 million unique email addresses, along with names, phone numbers, physical addresses, and customer support ticket details.
Analysis of the exposed records reveals that 82% of the affected email addresses were already linked to LinkedIn profiles, suggesting potential overlap with professional networks. The breach highlights vulnerabilities in third-party integrations, as attackers exploited access to Salesforce, a widely used customer relationship management (CRM) platform.
The incident underscores the risks of storing sensitive customer data in cloud-based systems and the growing trend of attackers targeting enterprise software to extract large-scale datasets. No financial or payment information was reported as compromised, but the exposure of personal details raises concerns about phishing and identity-related fraud. The full impact of the breach remains under investigation.
FEBRUARY 2026
100
Breach
11 Feb 2026 • Salesforce
Optimizely, Salesforce and Toyota: Top ad tech firm Optimizely hit by data breach - around 10,000 companies possibly affected
Optimizely Breach Exposes Customer Contact Data in Sophisticated Vishing Attack
100
CRITICAL0
TOYOPTSAL1771958301
On February 11, digital experience platform Optimizely fell victim to a cyberattack after hackers bypassed security controls using a voice-phishing (vishing) attack. The breach compromised "basic" customer contact information, including names, email addresses, and potentially phone numbers, though the company confirmed no sensitive data was accessed.
The attackers gained entry to internal business systems, CRM records, and limited back-office documents but failed to escalate privileges or deploy malware. Optimizely stated operations remained unaffected, with no evidence of deeper system compromise.
While the company did not attribute the attack to a specific group, the tactics align with ShinyHunters, a threat actor known for recent vishing campaigns. The group typically impersonates IT or support staff to trick employees into resetting credentials, often targeting Okta, Microsoft, Google, and Salesforce accounts. ShinyHunters has not claimed responsibility for this incident.
Optimizely serves over 10,000 businesses, including major brands like H&M, PayPal, Toyota, Nike, and Salesforce. The breach follows a pattern of similar attacks, underscoring the growing threat of social engineering in cyber intrusions.
Breach
11 Feb 2026 • Salesforce
Tiffany Korea, Louis Vuitton Korea and Christian Dior Couture Korea: Korean units of Louis Vuitton, Dior, Tiffany fined $24.9 mil. over customer data leaks
South Korea Fines Luxury Brands for Major Data Breaches
100
CRITICAL0
TIFLVMCHR1770865579
South Korea Fines Luxury Brands $24.9M for Major Data Breaches
South Korea’s Personal Information Protection Commission (PIPC) has imposed a combined 36 billion won ($24.9 million) in fines on the Korean subsidiaries of Louis Vuitton, Dior, and Tiffany for failing to protect customer data from cyberattacks.
Louis Vuitton Korea received the largest penalty, 21.4 billion won, after hackers breached its systems on three occasions, exposing the personal data of 3.6 million customers, including names, phone numbers, and birth dates. The PIPC cited poor security practices for remote logins, which allowed an external actor to compromise an employee device.
Christian Dior Couture Korea was fined 12.2 billion won following a breach affecting 1.95 million users, where employees were tricked into granting system access to malicious actors. The company remained unaware of the incident for three months. Meanwhile, Tiffany Korea faced a 2.4 billion won fine after a breach exposed the data of 4,600 customers, including names and email addresses.
In a separate case, the PIPC penalized BKR (Burger King Korea) 924 million won for illegally collecting personal data from minors under 13 without guardian consent. MGC Global (Mega MGC Coffee) was fined 642 million won for sending unsolicited marketing messages to customers who had not opted in. Additionally, eight other food and beverage companies were fined for violating data protection laws.
The penalties highlight growing regulatory scrutiny over corporate data security and compliance with South Korea’s privacy laws.
FEBRUARY 2026
100
Breach
05 Feb 2026 • Salesforce
Odido and European Commission: Odido hit with cyberattack, customer data compromised By Investing.com
Odido Suffers Cyberattack, Customer Data Compromised in Breach
100
CRITICAL0
EURODI1770907059
Dutch telecommunications provider Odido disclosed a cyberattack on Thursday, confirming that customer data was compromised while maintaining that its services remained operational. The company, owned by private equity firms Apax Partners and Warburg Pincus, stated it swiftly contained the incident and reported the breach to the Authority for Personal Data.
Odido clarified that sensitive information such as passwords, call records, and invoice data was not accessed in the attack. However, due to the scale of the breach, the company plans to notify affected customers within 48 hours, though the exact number of impacted individuals was not specified.
The incident follows a separate cyberattack on the European Commission’s central mobile infrastructure reported on February 5, which potentially exposed staff names and mobile numbers. In response, the Commission emphasized its commitment to bolstering the EU’s cybersecurity resilience amid rising threats to critical services and institutions.
JANUARY 2026
100
Cyber Attack
23 Jan 2026 • Salesforce
Okta, Salesforce and Google: ShinyHunters claim to be behind SSO-account data theft attacks
ShinyHunters Gang Behind Vishing Attacks Targeting SSO Accounts at Okta, Microsoft, and Google
100
CRITICAL0
OKTSALGOO1769222214
The extortion group ShinyHunters has claimed responsibility for a series of voice phishing (vishing) attacks targeting single sign-on (SSO) accounts at Okta, Microsoft Entra, and Google, enabling threat actors to breach corporate SaaS platforms and steal data for extortion.
In these attacks, cybercriminals impersonate IT support staff, calling employees and tricking them into entering credentials and multi-factor authentication (MFA) codes on phishing sites mimicking legitimate login portals. Once compromised, the attackers gain access to the victim’s SSO account, which often serves as a gateway to connected enterprise applications, including Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, and Atlassian.
The phishing kits used in these attacks feature real-time control panels that let the caller change the phishing page while the victim is still on the phone, prompting for an MFA push approval or a one-time code at the moment the real login flow asks for it. Okta confirmed the use of such kits in a recent report, though it declined to comment on the breaches themselves.
ShinyHunters told BleepingComputer that it is behind some of the attacks, with Salesforce as its primary target, though other platforms are also exploited. The group uses employee data stolen in earlier breaches (names, job titles, phone numbers) to make the social engineering calls convincing.
Recent victims listed on ShinyHunters’ Tor data leak site include SoundCloud, Betterment, and Crunchbase. While SoundCloud and Betterment had previously disclosed breaches, Crunchbase confirmed a new incident involving data exfiltration from its corporate network, though no operational disruptions occurred. The company has engaged cybersecurity experts and law enforcement.
Microsoft and Google have not reported evidence of their products being abused in the campaign, with Google stating it has no indication its systems were affected. ShinyHunters disputed Okta’s attribution of a specific phishing kit, claiming its infrastructure was built in-house.
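From the identity provider’s side, a phishing kit that relays credentials and MFA codes in real time looks like a successful, fully MFA-backed sign-in from infrastructure the user has never used. The example below is added here and is not Okta’s detection or any vendor’s code: it builds a per-user baseline of autonomous systems from earlier successful sign-ins, then flags MFA successes from an unfamiliar ASN, raising severity when the ASN is hosting space and a session is established from the same IP within a short window. Field names follow the Okta System Log shape; the users, IPs, ASNs, timestamps and the hosting-ASN list are constructed for the example.

```python
"""Flag SSO sign-ins that fit the real-time phishing-proxy pattern: a
successful MFA step from an autonomous system the user has never signed in
from, followed by a session from that same unfamiliar IP.

Added example, not Okta's or any vendor's detection. Field names follow the
Okta System Log shape; events, users, IPs and HOSTING_ASNS are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SIGNIN_EVENTS = {"user.session.start", "user.authentication.auth_via_mfa",
                 "user.authentication.sso"}
# ASNs treated as rented hosting space rather than home/office networks (assumed list;
# in production take this from an ASN-type feed).
HOSTING_ASNS = {16509, 14061, 63949}


def _when(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def build_baseline(events, cutoff):
    """Per-user set of ASNs seen on successful sign-ins before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if (e["eventType"] in SIGNIN_EVENTS and e["outcome"]["result"] == "SUCCESS"
                and _when(e) < cutoff):
            baseline[e["actor"]["alternateId"]].add(e["securityContext"]["asNumber"])
    return baseline


def detect_aitm_logins(events, cutoff, window=timedelta(minutes=10)):
    """Return alerts for MFA successes from an ASN outside the user's baseline."""
    baseline = build_baseline(events, cutoff)
    recent = defaultdict(list)
    for e in events:
        if _when(e) >= cutoff:
            recent[e["actor"]["alternateId"]].append(e)
    alerts = []
    for user, evs in recent.items():
        for e in evs:
            if (e["eventType"] != "user.authentication.auth_via_mfa"
                    or e["outcome"]["result"] != "SUCCESS"):
                continue
            asn = e["securityContext"]["asNumber"]
            if asn in baseline[user]:
                continue
            ip = e["client"]["ipAddress"]
            # A session from the same unfamiliar IP inside the window means the relay worked.
            session_followed = any(
                f["eventType"] == "user.session.start" and f["outcome"]["result"] == "SUCCESS"
                and f["client"]["ipAddress"] == ip
                and abs((_when(f) - _when(e)).total_seconds()) <= window.total_seconds()
                for f in evs)
            severity = "high" if asn in HOSTING_ASNS and session_followed else "medium"
            alerts.append({"user": user, "ip": ip, "asn": asn, "published": e["published"],
                           "session_followed": session_followed, "severity": severity})
    return alerts


def _event(published, user, event_type, ip, asn, result="SUCCESS"):
    """Minimal constructed System Log record with the fields the detection reads."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user, "type": "User"},
            "client": {"ipAddress": ip},
            "securityContext": {"asNumber": asn},
            "outcome": {"result": result}}


# Constructed events: both users normally sign in from the corporate ISP (ASN 7922 assumed).
# On 23 Jan Alice is "helped" over the phone and her credentials and code are replayed
# from a phishing proxy on hosting space; Bob signs in normally.
EVENTS = [
    _event("2026-01-12T09:01:00.000Z", "alice@example.com", "user.session.start", "198.51.100.7", 7922),
    _event("2026-01-12T09:01:05.000Z", "alice@example.com", "user.authentication.auth_via_mfa", "198.51.100.7", 7922),
    _event("2026-01-13T08:55:10.000Z", "bob@example.com", "user.session.start", "198.51.100.9", 7922),
    _event("2026-01-23T14:02:11.000Z", "alice@example.com", "user.authentication.auth_via_mfa", "203.0.113.45", 16509),
    _event("2026-01-23T14:02:13.000Z", "alice@example.com", "user.session.start", "203.0.113.45", 16509),
    _event("2026-01-23T14:03:40.000Z", "alice@example.com", "user.authentication.sso", "203.0.113.45", 16509),
    _event("2026-01-23T15:10:02.000Z", "bob@example.com", "user.authentication.auth_via_mfa", "198.51.100.9", 7922),
    _event("2026-01-23T15:10:04.000Z", "bob@example.com", "user.session.start", "198.51.100.9", 7922),
]
CUTOFF = datetime(2026, 1, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in detect_aitm_logins(EVENTS, CUTOFF):
        print(alert)
```

The detection is a triage signal, not a verdict: travelling users and new hires produce medium alerts, so the baseline window and the ASN list need tuning, and the session that follows the MFA step should be revoked when the alert is confirmed. The durable fix is upstream of logging: phishing-resistant factors (FIDO2/WebAuthn, which bind the assertion to the real origin) cannot be relayed by these kits at all.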
JANUARY 2026
100
Cyber Attack
09 Jan 2026 • Salesforce
Salesforce: Doomsday for Cybercriminals — Data Breach of Major Dark Web Forum
BreachForums User Database Leak by ShinyHunters
100
CRITICAL0
SAL1768394538
BreachForums Database Leaked: Inside the Dark Web’s Most Notorious Hacking Hub
On January 9, 2026, the cybercriminal underground was shaken by a major breach when shinyhunte[.]rs, a site linked to the ShinyHunters extortion gang, published a leaked database containing 323,986 user records from BreachForums, a prominent Dark Web hacking forum. The dump, extracted from a MySQL database, exposed metadata of forum members, including administrators, moderators, and threat actors, alongside a manifesto from a self-proclaimed hacker known as "James."
### The Rise and Fall of BreachForums
BreachForums emerged in March 2022 as the successor to RaidForums, a notorious hacking platform seized by law enforcement in February 2022. Like its predecessor, BreachForums served as a marketplace for stolen data, hacking tools, and illicit services, operating across multiple domains (e.g., breached.vc, breachforums.st, breachforums.bf) and relying on DDoS-Guard, a hosting provider criticized for enabling cybercriminal activity.
Key milestones in BreachForums’ turbulent history:
- March 2023: Original owner Conor Brian Fitzpatrick (aka pompompurin) was arrested, leading to a temporary shutdown.
- June 2023: The forum resurfaced under ShinyHunters’ control, with administrator "Baphomet" at the helm.
- May 2024: Another seizure occurred, but ShinyHunters quickly restored operations using a new domain.
- April 2025: ShinyHunters claimed a zero-day vulnerability in MyBB (the forum’s software) forced another shutdown, though the group later migrated to new infrastructure.
- August 2025: The forum’s .hn domain was shuttered, coinciding with the last registration date in the leaked database.
### The Leak: What Was Exposed?
The leaked database, sourced from a MyBB table (hcclmafd2jnkwmfufmybb_users), included:
- Usernames, email addresses, and passwords hashed with argon2i (a password hash, not encryption, so the passwords themselves were not exposed in the clear).
- IP addresses (though some were obfuscated with 127.0.0.9 for operational security).
- PGP keys, avatars, and forum activity logs for high-profile users.
- Administrator and moderator accounts, such as:
- ShinyHunters ([email protected])
- Hollow ([email protected])
- 888 ([email protected], linked to IntelBroker)
- Loki ([email protected])
Geolocation analysis of registration IPs revealed concentrations in the U.S., Germany, Netherlands, France, Turkey, and the Middle East/North Africa (MENA), though VPN/proxy use complicates attribution.
### The "James" Manifesto: A Cybercriminal’s Confession
The leak was accompanied by a 23-part manifesto from an individual calling themselves "James", who claimed to be a longtime cybercriminal mastermind with ties to intelligence agencies (NSA, GCHQ, DGSE) and tech giants (Google, Microsoft). Key assertions:
- James framed ShinyHunters and other groups (e.g., Scattered Hunters, LAPSUS$ derivatives) as his "children", alleging they were manipulated into cybercrime.
- Named and shamed specific threat actors, including:
- Dorian Dali ("cheap murderer")
- Nahyl Ojeda (16-year-old hacker)
- Ali Aboussi ("Kernel")
- Rémy Benhacer ("Judas")
- Nassim Benhaddou & Gabriel Bildstein (founders of RaidForums/BreachForums)
- Threatened retribution against France, accusing the named individuals of attacking the nation and vowing to "become its protector."
- Claimed responsibility for high-profile breaches, including the 2025 Salesforce hack (1 billion records) and WikiLeaks/Anonymous operations.
The manifesto’s tone (apocalyptic, self-aggrandizing, and theatrical) suggests either a genuine insider purge or an elaborate disinformation campaign to mislead investigators.
### Law Enforcement Crackdowns and Underground Dynamics
The leak follows a series of global law enforcement actions targeting ShinyHunters and affiliated groups:
- June 2025: French authorities arrested four ShinyHunters members, including associates of "IntelBroker" (Kai West).
- 2023: Sébastien Raoult (Sezyo Kaizen), a French hacker linked to ShinyHunters, was extradited to the U.S. for 60+ corporate breaches (2020–2021).
- 2022–2025: Multiple BreachForums seizures and rebrands, with administrators frequently changing aliases (e.g., Baphomet, N/A, Indra) to evade detection.
The ShinyHunters ecosystem is part of "The Com" (The Community), a loosely organized network of teenage and young adult hackers involved in SIM-swapping, cryptocurrency theft, and sextortion. Groups like Scattered LAPSUS$ Hunters (SLH) and Scattered Lapsus$ Shiny Hunters (SLSH) often rebrand to obscure their identities.
### Impact and Implications
1. Exposure of Threat Actors: The leak doxes dozens of cybercriminals, increasing their risk of arrest or retaliation.
2. Disruption of Dark Web Markets: BreachForums’ compromise may erode trust in underground forums, pushing criminals to more secure platforms.
3. Law Enforcement Opportunities: The database provides actionable intelligence for agencies tracking cybercrime, though some data may be deliberately falsified for deception.
4. Sextortion and Exploitation Risks: The forum facilitated doxing, sextortion, and child exploitation, with stolen data used to extort minors and corporations.
5. Attribution Challenges: The manifesto’s contradictory claims (e.g., James’ ties to intelligence agencies vs. his anti-establishment rhetoric) highlight the difficulty of separating fact from fiction in cybercriminal narratives.
### What’s Next?
The breach marks a turning point in the cat-and-mouse game between cybercriminals and law enforcement. While the leak may temporarily disrupt BreachForums, the underground’s resilience suggests a swift rebrand or migration to new platforms. Meanwhile, the James manifesto, whether genuine or fabricated, adds another layer of chaos to an already opaque ecosystem, where identity, motive, and loyalty are constantly in flux.
JANUARY 2026
100
Ransomware
01 Jan 2026 • Salesforce
DragonForce and Play: Ransomware Attacks Against the US: 2026 Insights
Ransomware Surge in Early 2026: Key Trends and Evolving Threat Tactics
100
CRITICAL0
PLADRA1774449041
A recent analysis by Bitdefender reveals a sharp rise in ransomware attacks targeting U.S. organizations in the first two months of 2026, with 53 active groups claiming victims, seven of which have dominated the threat landscape for over four months. Among the most prolific are Qilin, Akira, Clop, INC Ransom, Play, DragonForce, and Sinobi, though Qilin likely leads in confirmed U.S. victims after excluding inflated claims from 0APT, a group notorious for false reporting. Between January and February, 750–800 U.S. organizations were impacted, with construction and manufacturing bearing the brunt of attacks, followed by technology, healthcare, and legal sectors.
Despite the surge in attacks, ransom payments are declining, a shift attributed to stricter cyber insurance requirements, regulatory pressures, and improved incident response practices bolstered by guidance from agencies like CISA, the FBI, and the NSA.
### Evolving Attack Patterns
Ransomware groups are refining their tactics to evade detection and maximize impact:
1. Identity-First Compromise
Attackers are prioritizing credential theft, browser session tokens in particular, over brute-force methods: a stolen token rides an already-completed login, so it bypasses multi-factor authentication and produces none of the failed-login noise defenders alert on. Encrypting tokens at rest, binding them to the device that obtained them, and enforcing strict session lifetimes limit what a stolen token is worth.
2. Supply Chain Exploitation
Groups are increasingly targeting vendors and SaaS platforms to compromise multiple downstream victims. High-profile examples include ShinyHunters, which orchestrated large-scale supply chain attacks in 2025. While MFA and patch management remain critical, they are no longer sufficient against identity-based breaches.
3. Automated Exploitation
The time-to-exploit window has shrunk dramatically: attackers use AI-driven tools such as CyberStrukeAI to automate exploitation within hours of a proof-of-concept (PoC) release, down from days in 2024–2025. This acceleration allows threat actors to rapidly scale attacks before defenses can react.
4. BYOVD (Bring Your Own Vulnerable Driver) Attacks
A resurgence in defense evasion tactics has seen ransomware groups weaponize legitimate drivers to gain kernel-level access, bypassing EDR and antivirus solutions. Unlike past multi-stage attacks, modern ransomware now embeds vulnerable drivers directly, syncing evasion and encryption in a single phase. By Q2 2026, BYOVD attacks are projected to account for 75% of ransomware incidents, posing a severe challenge for defenders.
### Emerging Threat Landscape
The ransomware ecosystem is undergoing structural shifts:
- RaaS (Ransomware-as-a-Service) platforms are expanding, with some groups offering low-cost or free access to attract affiliates.
- Hacktivist messaging is being co-opted by ransomware groups amid geopolitical tensions, particularly in the context of the Iran conflict.
- Specialized roles such as initial access brokers (IABs), penetration testers, and negotiators are becoming more defined, reflecting a maturing criminal economy.
- Living Off the Cloud (LOTC) tactics are rising, with attackers repurposing legitimate cloud services and their management tooling (e.g., AWS, Box) to exfiltrate or lock data. Application allow-listing alone does not help here, because the abused tools are the approved ones.
### Future Targets
Ransomware groups are diversifying their initial access points, with growing focus on:
- Edge devices (VPNs, firewalls) as low-effort entry points.
- Hypervisors and cloud services, where modern encryptors (e.g., ESXi-targeting malware) can cripple virtualized environments.
- Proactive reconnaissance, with attackers scanning for exposed data and vulnerabilities before striking.
As the threat landscape evolves, behavior-based detection and dual-control security measures are becoming essential to counter LOTL/LOTC attacks, while BYOVD tactics demand heightened scrutiny of driver vulnerabilities. The first half of 2026 signals a more automated, evasive, and supply-chain-focused ransomware threat, one that prioritizes speed and stealth over traditional brute-force methods.
DECEMBER 2025
100
NOVEMBER 2025
100
Breach
26 Nov 2025 • Salesforce
Salesloft
Cloudflare-Salesforce-Salesloft Third-Party Data Breach
100
CRITICAL0
SAL4794547112625
The Salesloft breach originated with the theft of OAuth tokens issued to Salesloft’s Drift integration, which gave the threat actors access to the Salesforce instances of Cloudflare and other connected enterprises. The supply chain attack cascaded across multiple organizations, exposing sensitive data and raising concerns about third-party risk management. The breach turned on a vendor’s compromised credentials rather than a flaw in any victim’s own systems, which exposed gaps in MSSP threat preparedness and external threat visibility. While the exact data compromised was not detailed, the incident involved large-scale credential theft and unauthorized system access, potentially affecting customer and operational data across dependent enterprises. The attack underscored the risk of shadow integrations and unreviewed third-party access, and the need for real-time monitoring of what each integration can reach.
OCTOBER 2025
100
Ransomware
03 Oct 2025 • Salesforce
Salesforce
Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration
100
CRITICAL0
SAL5592855100325
The extortion group ShinyHunters (operating as Scattered Lapsus$ Hunters) used OAuth tokens stolen from Salesloft Drift’s AI chatbot integration to pull data from Salesforce customer instances, claiming 1.5 billion records across 760 companies (including Cisco, Disney, and Marriott). The leaked data includes PII (names, DOBs, passports, employment histories), shipping details, chat transcripts, flight records, and car ownership data, validated by cybersecurity researchers. Attackers first compromised Salesloft’s GitHub repository, extracting private source code and OAuth tokens, then pivoted to the Google Workspace, Microsoft 365, and Okta environments of victims. The group demanded separate ransoms from Salesforce and listed 39 high-profile victims on a dark web leak site, pressuring them to pay under threat of full data exposure. The group’s wider campaign relied on social engineering (vishing, phishing, IT impersonation) to trick employees into granting access, highlighting the risk carried by third-party supply-chain integrations and weak 2FA/OAuth controls.
SEPTEMBER 2025
100
Breach
25 Sep 2025 • Salesforce
Salesloft
AI-Powered Supply Chain Attack via Compromised Salesloft-Drift Integration (2025)
100
CRITICAL0
SAL2862828092525
The attack on Salesloft began with the compromise of an internal GitHub repository, where attackers stole a high-privilege OAuth token granting access to its Drift cloud application. Exploiting Drift’s trusted integrations, the attackers pivoted to Salesforce instances of multiple high-profile customers—including Palo Alto Networks, Cloudflare, Zscaler, and Tenable—exfiltrating customer conversation data, contact details, and sensitive business information. The breach exposed a supply-chain vulnerability, where a single compromised AI-powered integration (Drift’s chatbot) enabled mass data theft across 700+ organizations, including cybersecurity leaders. The attackers also harvested OpenAI API credentials, demonstrating the cascading risks of interconnected AI ecosystems. While companies like Okta mitigated damage via IP allow-listing, others faced reputational harm, forensic costs, and erosion of customer trust. The incident highlighted critical gaps in third-party risk management, token security, and AI integration monitoring, with long-term implications for enterprise security postures.
SEPTEMBER 2025
101
Cyber Attack
18 Sep 2025 • Salesforce
Salesforce
ShinyHunters Exploits Compromised Drift OAuth Tokens to Steal 1.5B Salesforce Records
100
CRITICAL-1
SAL5732257091825
The ShinyHunters extortion group exploited compromised Drift OAuth tokens linked to Salesloft to steal over 1.5 billion Salesforce records from 760 companies. The wider campaign combined two access routes: vishing employees into authorizing malicious connected (OAuth) apps in their own Salesforce environments, and using the stolen Drift tokens directly. The exfiltrated CRM data included 250M Account records, 579M Contact records, 171M Opportunity records, 60M User records, and 459M Case records. The Drift tokens came from a GitHub repository compromise at Salesloft, where attackers ran TruffleHog to extract secrets, including OAuth tokens for Drift and Drift Email, enabling unauthorized access to Salesforce-integrated systems. The stolen Case data was then mined for AWS keys, Snowflake tokens, and other credentials, facilitating deeper intrusions into victim networks. High-profile targets allegedly include Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, CyberArk, and others. The attackers demanded ransom payments to prevent data leaks while continuing to search the stolen data for additional secrets to extend the campaign. The FBI issued an advisory on the threat actors (UNC6040 and UNC6395), warning of ongoing risks. Salesforce advised customers to enforce MFA, least-privilege access, and stricter connected-app (OAuth) management to limit exposure.
SEPTEMBER 2025
103
Cyber Attack
03 Sep 2025 • Salesforce
Salesloft (Drift)
Supply Chain Attack on Salesloft Drift Leading to Mass Theft of Authentication Tokens
100
CRITICAL-3
DRI514090325
Salesloft’s Drift platform—a widely used AI-powered chatbot and marketing SaaS tool—was compromised in a large-scale supply chain attack by the threat cluster UNC6395 (GRUB1). Attackers exploited stolen OAuth and refresh tokens tied to Drift to breach over 700 organizations, primarily by infiltrating their Salesforce instances and potentially other integrated platforms. The breach enabled mass theft of authentication tokens, exposing customer credentials and sensitive data for future targeted attacks. Salesloft responded by temporarily taking Drift offline to mitigate risks, while Salesforce preemptively disabled all Salesloft integrations. Companies like Cloudflare confirmed the incident was part of a coordinated campaign to harvest credentials for follow-on attacks. The initial access vector remains undisclosed, but the scale suggests systemic vulnerabilities in Drift’s security architecture, risking long-term reputational damage, financial fraud, and operational disruptions across affected enterprises.
AUGUST 2025
100
Breach
28 Aug 2025 • Salesforce
Salesloft (Drift)
Expanded Salesloft Drift Breach Involving Google Workspace OAuth Token Compromise
100
CRITICAL0
DRI635082925
The Salesloft Drift breach expanded beyond initial estimates, revealing that attackers exploited stolen OAuth tokens not only to access Salesforce customer instances (including sensitive tables like Cases, Accounts, Users, and Opportunities) but also to compromise a small number of Google Workspace email accounts via the Drift Email integration. The threat actors, tracked as UNC6395, scanned support tickets and messages for AWS access keys, Snowflake tokens, and passwords, likely for future extortion or lateral movement into other cloud environments. Google confirmed the breach was broader than first disclosed, affecting third-party integrations beyond Salesforce. While no Google Workspace or Alphabet systems were directly compromised, the stolen tokens were revoked, and the Drift-Google Workspace integration was disabled pending investigation. Salesloft, with assistance from Mandiant and Coalition, disabled Drift integrations with Salesforce, Slack, and Pardot as a precaution. Customers were advised to rotate all authentication tokens linked to Drift and audit connected systems for unauthorized access. The incident highlights risks in OAuth-based supply chain attacks, where compromised third-party credentials enable deep access to enterprise systems, exposing customer data, internal communications, and cloud credentials to potential misuse in follow-on attacks.
AUGUST 2025
100
Vulnerability
26 Aug 2025 • Salesforce
Salesforce and Farmers Insurance: Over a Million Records Stolen in Latest CRM Breach After Google & Workday Incidents
Farmers Insurance Data Breach
100
CRITICAL0
SALFAR1767922939
Salesforce Customer Farmers Insurance Hit by Major Data Breach Affecting 1.1 Million
Farmers Insurance, a U.S.-based provider, confirmed a data breach impacting 1.1 million customers after an unauthorized actor accessed a third-party database in May 2024. The exposed data included names, addresses, birth dates, driver’s license details, and partial Social Security numbers.
The company detected the incident shortly after the intrusion and launched an investigation, notifying law enforcement. Affected individuals were informed on August 22, with regulators confirming the total number of impacted records.
While Farmers Insurance did not disclose the compromised vendor, reports from Bleeping Computer indicate the breach involved Salesforce, a frequent target of cybercriminal groups. ShinyHunters, in collaboration with Scattered Spider, claimed responsibility, stating they exploited initial access provided by Scattered Spider to exfiltrate data from Salesforce CRM instances—similar to their recent attacks on Google (2.5M records) and suspected breaches at Workday, Qantas, Allianz Life, and Adidas.
The attackers used social engineering tactics, tricking employees into approving malicious OAuth apps to gain access to Salesforce systems. This method highlights the growing threat to CRM platforms, which store vast amounts of sensitive data and are increasingly targeted due to their high-value information.
Cybersecurity experts noted that the breach underscores vulnerabilities in third-party supply chains, emphasizing the need for continuous vendor risk assessments, zero-trust security models, and proactive monitoring to mitigate similar attacks. The incident also reinforces concerns about human-driven exploits as a primary attack vector, even in otherwise secure enterprise systems.
AUGUST 2025
120
Breach
16 Aug 2025 • Salesforce
Workday: Workday hit in wave of social engineering attacks
Workday Third-Party Cyberattack Linked to ShinyHunters
100
MEDIUM-20
WOR1768679649
Workday Hit by Third-Party Cyberattack Linked to ShinyHunters
Workday, a leading HR platform provider, disclosed a cyberattack on 16–17 August after threat actors breached its systems via a third-party supplier. The incident appears tied to a broader wave of attacks likely orchestrated through Salesforce products linked to the ShinyHunters cybercrime group, though Workday did not confirm the specific threat actor or software involved.
In a public notice, Workday revealed that attackers accessed limited data from its third-party CRM platform, primarily business contact information such as names, email addresses, and phone numbers. The company emphasized that no customer tenant data or internal systems were compromised. Immediate containment measures were taken, including revoking access and implementing additional safeguards.
The breach stemmed from a social engineering campaign targeting multiple large organizations, with the stolen data potentially intended for further phishing scams. Workday clarified that it never requests passwords or sensitive details via phone, urging users to verify communications through official support channels.
The incident underscores the growing risk of supply chain attacks, where cybercriminals exploit vulnerabilities in third-party vendors to infiltrate larger targets. While the full scope of the campaign remains under investigation, the attack aligns with recent tactics attributed to ShinyHunters, a group known for high-profile data breaches.
JULY 2025
188
Ransomware
10 Jul 2025 • Salesforce
Oracle
Clop Extortion Gang Exploits Zero-Day in Oracle E-Business Suite to Steal Corporate Data
103
CRITICAL-85
ORA4202442101025
The Clop ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite, a critical enterprise software used for managing customer data, HR files, and corporate operations. The attack, active since at least July 10, allowed hackers to steal significant amounts of sensitive data, including personal information of corporate executives and employees, as well as customer data from affected organizations. Oracle initially claimed the vulnerabilities were patched, but later confirmed the zero-day flaw enabled remote exploitation without authentication, meaning attackers could breach systems without credentials. Google’s security researchers revealed that dozens of organizations were compromised, with the Clop gang using the stolen data for extortion campaigns. The group has a history of mass-hacking via unpatched vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere), amplifying risks of large-scale data leaks. Oracle’s delayed acknowledgment and the ongoing exploitation of the flaw suggest prolonged exposure, increasing potential damage to financial records, executive identities, and corporate intellectual property.
JUNE 2025
185
Cyber Attack
16 Jun 2025 • Salesforce
Salesforce
Formation of Scattered LAPSUS$ Hunters (SLH) Cybercriminal Collective and Targeting of Salesforce
175
CRITICAL-10
SAL5402554110625
Salesforce was targeted by the newly formed Scattered LAPSUS$ Hunters (SLH), a federated cybercriminal collective merging the capabilities of Scattered Spider, ShinyHunters, and LAPSUS$. The attack involved AI-driven vishing, spearphishing, and zero-day exploitations (e.g., CVE-2025-61882 in Oracle E-Business Suite) to compromise Salesforce’s cloud infrastructure. SLH leveraged credential harvesting, lateral movement, and privilege escalation to exfiltrate sensitive data, likely including customer and enterprise SaaS records. The group announced the breach on their Telegram-based data-leak site (DLS), using psychological tactics to maximize reputational damage. Given SLH’s Extortion-as-a-Service (EaaS) model and history of targeting high-value enterprises, the attack likely resulted in financial fraud, operational disruption, and erosion of customer trust. The involvement of actors like ‘yuka’ (linked to BlackLotus UEFI bootkit) suggests advanced persistence mechanisms, increasing the risk of long-term data exposure or ransomware deployment. The breach aligns with SLH’s strategy of high-impact, brand-damaging extortion, posing existential threats to Salesforce’s market position and regulatory compliance.
MAY 2025
180
Cyber Attack
01 May 2025 • Salesforce
Salesforce
ShinyHunters/Scattered LAPSUS$ Hunters Multi-Company Data Breach and Extortion Campaign (2025)
165
CRITICAL-15
SAL0562205100825
The cybercriminal group ShinyHunters (operating under the alias Scattered LAPSUS$ Hunters) executed a voice phishing (vishing) campaign in May 2025, tricking employees into connecting a malicious app to their Salesforce portals. This breach led to the theft of over a billion customer records from dozens of Fortune 500 firms, including Toyota, FedEx, Disney/Hulu, and UPS. The group threatened to publicly leak stolen data unless ransoms were paid by October 10, 2025, via a victim-shaming extortion blog. The compromised data included customer engagement records, internal communications, and sensitive business details. Salesforce confirmed the attack but refused to negotiate, stating it would not pay extortion demands. The incident also exposed a broader supply-chain risk, as the group claimed responsibility for stealing authentication tokens from Salesloft (a Salesforce-integrated AI chatbot provider), further expanding the attack surface. The group’s actions were linked to multiple zero-day exploits, including CVE-2025-61882 in Oracle’s E-Business Suite, which they weaponized for additional data theft.
Vulnerability
01 May 2025 • Salesforce
Salesforce and Odido: Lessons from the Odido hack: Why devious hackers are no excuse
Odido Data Breach Exposes 6 Million Customers in Major Dutch Cybersecurity Failure
165
CRITICAL-15
SALODI1772484824
Odido Data Breach Exposes 6 Million Customers in Major Dutch Cybersecurity Failure
One of the largest data breaches in recent Dutch history has left over six million Odido customers vulnerable after hackers exploited weak security processes and architectural flaws. The telecom provider initially described the attack as "sophisticated," but investigations reveal a preventable incident rooted in social engineering and poor access controls.
The breach began with a well-documented tactic: hackers impersonated IT staff over the phone to trick employees into handing over login credentials or approving unauthorized access. This method, known as social engineering, had been flagged months earlier by the FBI and Salesforce, Odido’s customer data platform. Despite these warnings, the company failed to implement adequate safeguards.
Once inside, attackers exploited a critical misconfiguration in Odido’s Salesforce environment. They linked a malicious "connected app," effectively creating a backdoor to the database. In a properly secured system, such an action would require administrator approval, but Odido’s setup allowed a single compromised account to access millions of records, a violation of the "least privilege" principle, which dictates that users should only have access to the data necessary for their role.
The breach highlights the dangers of outdated security models. Odido relied on the "castle wall" approach, trusting users once inside the network, rather than adopting modern "Zero Trust" principles, which verify every access request regardless of origin. The lack of behavioral monitoring also allowed the attackers to exfiltrate data undetected, despite red flags like unusual login times or bulk record requests.
The fallout extends beyond Odido. Stolen data, including passport numbers and bank details, enables large-scale identity fraud, eroding public trust in digital services. The incident underscores the need for data minimization: companies should not collect or store sensitive information unless absolutely necessary. While Odido has not paid a ransom, the societal cost of compromised privacy continues to mount.
The breach serves as a stark reminder that cybersecurity failures are rarely about hacker sophistication but about preventable lapses in process, architecture, and vigilance.
MARCH 2025
184
Breach
01 Mar 2025 • Salesforce
Salesforce
Salesforce Data Breach via SalesLoft's Drift App by ShinyHunters
154
CRITICAL-30
SAL3132231100825
Salesforce experienced a data breach originating from a third-party provider, SalesLoft, specifically via its Drift app—an integration used for automated customer communications. The breach was executed by the hacker group ShinyHunters, who exploited compromised GitHub credentials at SalesLoft between March and June, stealing tokens linking Drift to Salesforce environments. This allowed attackers to infiltrate Drift’s AWS environment, obtaining OAuth tokens from multiple customer organizations, including Cloudflare, Zscaler, Palo Alto Networks, and others. The stolen data primarily included customer contact details, basic IT support information, access tokens, and IT configuration details. While Salesforce confirmed no direct vulnerability in its own systems, the breach exposed CRM fields, support cases, and integration data across hundreds of affected organizations. Salesforce refused to pay ransom demands, emphasizing a no-negotiation stance against extortion. The Drift app remains disabled, and affected customers were advised to renew access tokens to mitigate further risks. The full scope of impacted customers and long-term consequences remain undisclosed.
FEBRUARY 2025
342
Breach
01 Feb 2025 • Salesforce
Grubhub: Grubhub confirms hackers stole data in recent security breach
Grubhub Data Breach Amid Extortion Demands by ShinyHunters
313
CRITICAL-29
GRU1768529823
Grubhub Confirms Data Breach Amid Extortion Demands by ShinyHunters
Grubhub has acknowledged a recent data breach after hackers accessed its systems, with sources indicating the company is now facing extortion demands. The food delivery platform confirmed unauthorized access but stated that sensitive data such as financial information or order history remained unaffected.
While Grubhub declined to provide further details, including the breach timeline or whether customer data was compromised, it confirmed collaboration with a third-party cybersecurity firm and law enforcement. Multiple sources identified the ShinyHunters cybercrime group as the likely perpetrators, though the threat actors refused to comment when contacted.
The extortion demands reportedly involve Bitcoin payments to prevent the release of stolen data, including older Salesforce records from a February 2025 breach and newer Zendesk data accessed in the recent incident. Grubhub uses Zendesk for its customer support chat system, which handles orders, account issues, and billing.
The breach appears linked to credentials stolen during the August 2025 Salesloft Drift attacks, where threat actors exploited stolen OAuth tokens to compromise Salesforce integrations. Google’s Mandiant reported that the stolen data, including AWS access keys, passwords, and Snowflake tokens, was later used in follow-up attacks. ShinyHunters previously claimed responsibility for the Salesloft breach, alleging the theft of 1.5 billion records from 760 companies.
This incident follows a separate wave of scam emails sent from Grubhub’s b.grubhub.com subdomain last month, promoting a cryptocurrency scam. While Grubhub stated it contained the issue, it remains unclear whether the two events are connected.
JANUARY 2025
582
Breach
01 Jan 2025 • Salesforce
Grubhub: Ex-Grubhub Worker Alleges Food App Negligently Allowed Data Hack
Grubhub Faces Class Action Lawsuit Over January 2025 Data Breach
192
CRITICAL-390
GRU1769118538
Grubhub Faces Class Action Lawsuit Over January 2025 Data Breach
A former Grubhub employee has filed a class action lawsuit against the food delivery platform, alleging the company failed to implement adequate security measures to protect sensitive personal and financial data. The complaint, filed on February 5, 2025, in the U.S. District Court for the Northern District of Illinois, claims cybercriminals accessed the information of tens of thousands of customers and employees in a January 2025 breach.
The exposed data reportedly included Social Security numbers, addresses, and financial details. Grubhub notified affected individuals on February 3, 2025, acknowledging the incident. The lawsuit, led by plaintiff Brian Bianchi, accuses Grubhub of negligence in safeguarding user data, potentially leaving victims vulnerable to identity theft and fraud.
The case highlights growing scrutiny over corporate cybersecurity practices and the legal consequences of failing to protect consumer information. No further details on the breach’s scope or the attackers’ methods have been disclosed.
Breach
01 Jan 2025 • Salesforce
Japan Airlines, Tiffany, Dior, Volvo Group and Louis Vuitton: South Korea fines Louis Vuitton, Dior and Tiffany $24.9 million over customer data breaches
South Korea Fines Luxury Brands Over Data Breaches
192
CRITICAL-390
LOUPARVOLTIFJAP1770908674
South Korea Fines Luxury Brands $24.9 Million Over Data Breaches
South Korea’s privacy regulator has levied fines totaling 36 billion won ($24.9 million) against the Korean subsidiaries of Louis Vuitton, Dior, and Tiffany following separate data breaches that exposed millions of customers’ personal information. The penalties stem from investigations confirming unauthorized access to sensitive customer data, though specific details on the breaches’ scope and timing remain undisclosed.
The fines highlight growing regulatory scrutiny over data protection in South Korea, where authorities are enforcing stricter compliance with privacy laws. The incident underscores the financial and reputational risks for global brands handling large-scale consumer data.
In related cybersecurity developments, Japan Airlines reported that up to 28,000 customers were affected by unauthorized access to its baggage service system, while Volvo Group disclosed that 16,991 employees were impacted as part of a broader Conduent data breach, which has now exposed 25 million individuals. These incidents reflect the escalating threat landscape for both corporate and personal data security.
Ransomware
01 Jan 2025 • Salesforce
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year
Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services
192
CRITICAL-390
THEINGSALJAGORASYNDAV1769095448
Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services
In 2025, ransomware evolved from isolated IT disruptions into a systemic risk, threatening national supply chains, essential services, and entire industries. Cybersecurity Ventures projects the global cost of ransomware will surge to $275 billion annually by 2031, driven by downtime, data loss, recovery efforts, and lost productivity, not just ransom payments.
A recent SOCRadar analysis highlighted the top 10 ransomware attacks of 2025, each exposing vulnerabilities across sectors:
1. Salesforce Ecosystem – A SaaS supply chain blind spot exploited for widespread disruption.
2. Oracle E-Business Suite – A zero-day attack leveraging supply chain extortion.
3. Jaguar Land Rover – Britain’s costliest cyberattack, crippling automotive operations.
4. Ingram Micro – A ransomware strike paralyzing global IT distribution.
5. Co-operative Group – A sustained siege on the UK retail sector.
6. PowerSchool – Large-scale extortion targeting the education sector.
7. Synnovis – Healthcare disruption with confirmed patient harm.
8. DaVita – Ransomware striking critical healthcare infrastructure.
9. Asahi Group – Manufacturing halts exposing IT-OT convergence risks.
10. Collins Aerospace – Ransomware grounding European airports.
Key patterns emerged across these incidents:
- Initial access frequently relied on stolen credentials or social engineering rather than sophisticated exploits.
- Supply chain vulnerabilities amplified impact, turning single breaches into cascading failures.
- Data theft and operational paralysis often outweighed encryption as the primary damage driver.
- Delayed consequences, such as regulatory penalties or confirmed human harm, surfaced months after the attacks.
The incidents underscore ransomware’s growing role as a strategic threat, with far-reaching consequences beyond financial losses.
AUGUST 2024
603
Cyber Attack
01 Aug 2024 • Salesforce
Salesforce
Scattered LAPSUS$ Hunters Extortion Campaign Targeting Salesforce Environments
544
CRITICAL-59
SAL2102121100425
The cybercriminal group Scattered LAPSUS$ Hunters (a collaboration of Scattered Spider, ShinyHunters, and Lapsus$) has resurfaced, claiming to have stolen 1 billion customer records from 40 companies’ Salesforce environments. The gang is demanding $989.45 to prevent the data from being leaked online, setting an October 10 deadline for negotiation. While Salesforce denies a direct platform breach, the attack appears linked to a prior OAuth token abuse campaign via Salesloft’s Drift integration, which compromised hundreds of organizations in August 2024. Google and Mandiant confirmed the intrusions, attributing them to UNC6040 (Salesforce-related breaches). The group had previously announced retirement but reemerged following arrests of UK teens tied to Scattered Spider, suggesting operational shifts. The leaked data reportedly includes customer records, posing severe reputational, financial, and operational risks to affected businesses. Salesforce maintains no evidence of a platform-level vulnerability, but the extortion attempt escalates pressure on victims.
Cyber Attack
01 Aug 2024 • Salesforce
Arup and Salesforce: Why SOCs are moving toward autonomous security operations in 2026
The 2024 National Public Data Breach and 2025 Arup AI Deepfake Fraud
544
CRITICAL-59
SALARU1771974359
The Urgent Shift to Autonomous SOCs: Why Legacy Security Can’t Keep Up
The traditional Security Operations Center (SOC) is failing under the weight of modern cyber threats. By late 2025, mid-market enterprises were drowning in over 4,000 alerts per day, a volume no human team can accurately triage. The result? Alert fatigue, operational blind spots, and breaches like the 2024 National Public Data incident, where attackers exfiltrated 3 billion records over months by exploiting gaps between disconnected security tools.
### The Rise of Algorithmic Adversaries
Attackers have evolved beyond manual hacking. Today, they deploy AI-driven automation to craft undetectable phishing emails, scan for vulnerabilities at scale, and even weaponize deepfake technology. The 2025 Arup breach, where fraudsters used AI-generated video to impersonate a CFO and steal $25 million, demonstrated how easily human trust can be exploited. Traditional SOCs, reliant on manual verification, had no chance to intervene, but an autonomous SOC would have flagged anomalies like impossible login locations or unmanaged devices in real time.
### Tool Sprawl and the Visibility Crisis
The average organization now deploys 28 distinct security tools, each with its own logs, dashboards, and query languages. This fragmentation forces analysts into "swivel-chair" inefficiency, wasting critical minutes correlating data while attackers move laterally. Dwell time, the period between intrusion and detection, remains dangerously high for teams relying on manual processes. The solution? Open XDR architectures that unify telemetry from endpoints, networks, cloud, and identity providers into a single, normalized data stream, enabling machines to "think" cohesively.
### How Autonomous Detection Works
Legacy SOCs depend on static rules that generate false positives and miss novel attack variations. Autonomous systems, however, use machine learning to establish dynamic baselines of "normal" behavior. For example:
- A marketing director logging in at 3 AM to access engineering databases.
- A web server initiating outbound connections to unknown IPs.
- A sequence of "new ISP login" followed by "high-privilege OAuth token creation", a hallmark of recent Salesforce/Drift OAuth abuse attacks.
When anomalies occur, the system scores risk, correlates weak signals, and triggers automated responses, not just alerts.
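The "new ISP login followed by high-privilege OAuth grant" correlation described above, as an added example that is not from the article or any SOC product: hypothetical detection logic run over constructed Salesforce-style login and connected-app grant records, with assumed ISP names, scope names, correlation window and score weights.

```python
"""Hypothetical correlation of a 'new ISP login' with a later high-privilege OAuth
grant over constructed Salesforce-style records. Weights, scopes, ISPs are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

HIGH_PRIV_SCOPES = frozenset({"full", "refresh_token", "api"})  # assumed high-privilege
CORRELATION_WINDOW = timedelta(minutes=30)
SCORE_WEAK = 30        # a new-ISP login or a high-privilege grant on its own
SCORE_CORRELATED = 90  # both inside the window: actionable


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                             # "login" or "oauth_grant"
    isp: str = ""                         # set for logins
    scopes: FrozenSet[str] = frozenset()  # set for oauth grants


@dataclass
class Finding:
    user: str
    score: int
    reason: str
    login_ts: Optional[datetime] = None
    oauth_ts: Optional[datetime] = None


def isp_baseline(events: List[Event], baseline_end: datetime) -> Dict[str, Set[str]]:
    """ISPs each user logged in from before baseline_end: their 'normal' set."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "login" and e.ts < baseline_end:
            seen[e.user].add(e.isp)
    return seen


def detect(events: List[Event], baseline_end: datetime,
           window: timedelta = CORRELATION_WINDOW) -> List[Finding]:
    """One correlated finding when a high-privilege grant follows a never-seen-ISP
    login within `window`; either signal alone becomes a weak finding."""
    baseline = isp_baseline(events, baseline_end)
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts >= baseline_end:
            by_user[e.user].append(e)

    findings: List[Finding] = []
    for user, evs in by_user.items():
        pending: Optional[Event] = None  # latest new-ISP login awaiting a partner
        for e in evs:
            if e.kind == "login" and e.isp not in baseline.get(user, set()):
                if pending is not None:  # an earlier new-ISP login was never paired
                    findings.append(Finding(user, SCORE_WEAK, f"new ISP {pending.isp}", login_ts=pending.ts))
                pending = e
            elif e.kind == "oauth_grant" and e.scopes & HIGH_PRIV_SCOPES:
                if pending is not None and e.ts - pending.ts <= window:
                    findings.append(Finding(user, SCORE_CORRELATED,
                                            f"grant {sorted(e.scopes)} within {window} of new ISP {pending.isp}",
                                            login_ts=pending.ts, oauth_ts=e.ts))
                    pending = None
                else:
                    findings.append(Finding(user, SCORE_WEAK, f"grant {sorted(e.scopes)}", oauth_ts=e.ts))
        if pending is not None:
            findings.append(Finding(user, SCORE_WEAK, f"new ISP {pending.isp}", login_ts=pending.ts))
    return findings


def escalate(findings: List[Finding], threshold: int = 60) -> List[str]:
    """Users whose score crosses the threshold: candidates for an automated response
    such as revoking sessions and the newly granted app."""
    return sorted({f.user for f in findings if f.score >= threshold})


def sample_events() -> Tuple[List[Event], datetime]:
    """Constructed records (not from any real incident) plus the baseline cutoff."""
    t0 = datetime(2025, 8, 1, 9, 0)
    evs: List[Event] = []
    for day in range(7):  # a week of routine logins establishes each user's ISPs
        d = t0 + timedelta(days=day)
        evs += [Event(d, "alice", "login", isp="Comcast"),
                Event(d + timedelta(hours=1), "bob", "login", isp="Verizon"),
                Event(d + timedelta(hours=2), "carol", "login", isp="AT&T")]
    c = t0 + timedelta(days=7)  # baseline cutoff
    # alice: unfamiliar ISP, then a broad-scope connected app six minutes later
    evs.append(Event(c + timedelta(hours=3), "alice", "login", isp="AnonVPN-ASN"))
    evs.append(Event(c + timedelta(hours=3, minutes=6), "alice", "oauth_grant",
                     scopes=frozenset({"full", "refresh_token"})))
    # bob: usual ISP and a narrow-scope app; nothing to flag
    evs.append(Event(c + timedelta(hours=4), "bob", "login", isp="Verizon"))
    evs.append(Event(c + timedelta(hours=4, minutes=10), "bob", "oauth_grant", scopes=frozenset({"chatter_api"})))
    # carol: new ISP, but the high-privilege grant comes three hours later
    evs.append(Event(c + timedelta(hours=5), "carol", "login", isp="T-Mobile"))
    evs.append(Event(c + timedelta(hours=8), "carol", "oauth_grant", scopes=frozenset({"api"})))
    return evs, c
```

Only alice crosses the escalation threshold; carol's two isolated weak signals stay below it, which is the point of correlating rather than alerting on each signal separately.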
### Collapsing the Response Window
Detection is meaningless without action. While manual SOCs measure mean-time-to-respond (MTTR) in days or weeks, autonomous systems act in minutes or seconds. Pre-approved playbooks (aligned with frameworks like NIST SP 800-207) can:
- Isolate ransomware-infected devices instantly.
- Revoke compromised user sessions and force password resets.
- Contain threats before they escalate into major breaches.
### Solving the Talent Crisis
The cybersecurity industry faces a 3-million-person skills shortage, with analysts burning out on repetitive tasks like closing false positives. Autonomous SOCs don’t replace humans; they elevate their roles. By handling data processing and initial triage, machines free analysts to focus on threat hunting, strategy, and complex investigations, making the job more fulfilling and reducing turnover.
### A Necessity, Not an Option
With attackers leveraging AI to scale their offenses, manual defense is no longer viable. The shift to autonomous security operations is a strategic imperative, one that decouples risk from headcount, scales with business growth, and replaces reactive panic with proactive control. The tools and methodologies exist; the only remaining variable is adoption.
JUNE 2024
707
Cyber Attack
16 Jun 2024 • Salesforce
Salesforce
Salesforce Data Theft and Extortion Campaigns (2024-2025)
593
CRITICAL-114
SAL0962109100825
Salesforce suffered a massive data breach via two distinct campaigns in 2025, orchestrated by threat actors Scattered Lapsus$ Hunters and ShinyHunters. The first wave (late 2024) involved social engineering attacks impersonating IT support to trick employees into linking malicious OAuth apps to Salesforce instances, enabling the theft of databases. The second wave (August 2025) exploited stolen SalesLoft Drift OAuth tokens to pivot into customer CRM environments, exfiltrating support ticket data, credentials, API tokens, and authentication details. The attackers claimed to have stolen ~1 billion records in the first campaign and 1.5 billion records across 760+ companies in the second, targeting high-profile victims like Google, Cisco, Disney, FedEx, and Marriott. A data leak site was launched to extort victims, threatening public release if ransoms were unpaid. Salesforce refused to negotiate or pay, and the leak site was later shut down (potentially via FBI seizure). The breach exposed sensitive customer and corporate data, including authentication tokens, API keys, and support logs, risking downstream attacks on affected companies. The scale and sophistication of the operation—leveraging supply-chain and OAuth abuses—highlighted critical vulnerabilities in Salesforce’s ecosystem, with prolonged unauthorized access and large-scale data exfiltration as core impacts.
Ransomware
16 Jun 2024 • Salesforce
Qilin, CL0P, Salesforce, Sinobi and Play: Ransomware and Supply Chain Attacks Set Records in 2025
Ransomware and Supply Chain Attacks Surge in 2025
593
CRITICAL-114
QILCYBSALHALPLA1768955694
Ransomware and Supply Chain Attacks Hit Record Highs in 2025, Signaling Escalating Threats
2025 marked a sharp escalation in cyber threats, with ransomware and supply chain attacks reaching unprecedented levels, according to a new report from threat intelligence firm Cyble. The year saw 6,604 ransomware attacks, a 52% increase over 2024, with December alone recording 731 incidents, the second-highest monthly total of the year. Meanwhile, supply chain attacks surged by 93%, rising from 154 in 2024 to 297 in 2025, as threat actors increasingly exploited third-party vulnerabilities to maximize impact.
### Ransomware Groups Adapt and Expand
Ransomware operations remained decentralized and resilient, with affiliates quickly regrouping under new leaders following law enforcement disruptions. Qilin emerged as the dominant group in 2025, claiming 17% of all ransomware victims after RansomHub’s decline, likely due to sabotage by rival group Dragonforce. Other top players included Akira, CL0P, Play, and the newcomer Sinobi, with only Akira and Play maintaining their positions from 2024.
Cyble documented 57 new ransomware groups, 27 extortion groups, and over 350 new ransomware strains in 2025, many derived from MedusaLocker, Chaos, and Makop families. Among the most aggressive new groups, Devman, Sinobi, Warlock, and Gunra disproportionately targeted critical infrastructure, particularly in government, law enforcement, energy, and utilities.
### Supply Chain Attacks Evolve in Sophistication
Supply chain attacks not only doubled but also grew in complexity, moving beyond traditional software package poisoning to exploit cloud integrations, SaaS trust relationships, and vendor distribution pipelines. Attackers increasingly abused upstream services such as identity providers and package registries to compromise downstream environments at scale.
A notable example involved attacks on Salesforce via third-party integrations, where threat actors weaponized OAuth-based trust relationships after compromising third-party tokens. Every industry tracked by Cyble was affected, but IT and technology sectors bore the brunt, given their potential to amplify attacks across customer networks.
### Geographic and Industry Targeting
The U.S. remained the most targeted nation, accounting for 55% of all ransomware attacks, followed by Canada, Germany, the UK, Italy, and France. By industry, construction, professional services, and manufacturing were the hardest hit, with healthcare and IT also facing significant threats.
As 2026 begins, the trends suggest no immediate slowdown, with ransomware and supply chain attacks continuing to evolve in both scale and sophistication.
MAY 2024
Cyber Attack
01 May 2024 • Salesforce
Salesforce Data Extortion Campaign by Scattered LAPSUS$ Hunters
CRITICAL-14
Salesforce is facing a major extortion attempt by a crime syndicate known as Scattered LAPSUS$ Hunters (tracked as UNC6040 by Mandiant), which claims to have stolen approximately 1 billion records from dozens of Salesforce customers, including high-profile companies like Toyota and FedEx. The attack began in May 2024, with the threat actors using voice phishing (vishing) to trick employees into connecting a malicious app to their Salesforce portals. The group created a dedicated leak site, demanding a ransom from Salesforce itself—threatening to publicly dump all stolen customer data if payment was not made by a specified deadline. Salesforce has refused to negotiate, risking potential exposure of sensitive customer records. The stolen data reportedly includes personal, financial, and corporate information from affected organizations, posing severe reputational, financial, and operational risks. The scale of the breach—nearly 1 billion records—suggests a systemic compromise with far-reaching consequences for Salesforce’s client base, including potential fraud, identity theft, and regulatory penalties.
OCTOBER 2023
Ransomware
10 Oct 2023 • Salesforce
Scattered Lapsus$ Hunters Threatens to Leak One Billion Records Allegedly Stolen from Salesforce Systems
CRITICAL-92
A cybercriminal collective known as Scattered Lapsus$ Hunters—an alliance of the notorious ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups—threatened to leak one billion records allegedly exfiltrated from Salesforce’s systems, targeting 39 of the world’s largest corporations, including Disney, Toyota, and McDonald’s. The attackers demanded a ransom, warning that failure to comply by October 10, 2023, would result in the massive exposure of customer data across dark web and Clearnet platforms. The breach, if executed, would compromise sensitive personal and corporate information of Salesforce’s high-profile clients, leading to severe reputational damage, financial fraud risks, and potential regulatory penalties. The threat underscores a large-scale, coordinated extortion campaign leveraging ransomware tactics to pressure Salesforce into negotiation, with the attackers explicitly stating their intent to ‘target each and every individual customer’ if demands were unmet. The incident highlights the escalating sophistication of cybercriminal syndicates in exploiting enterprise vulnerabilities for maximal disruption.
JUNE 2023
Ransomware
16 Jun 2023 • Salesforce
FBI Seizure of BreachForums Hacking Forum Operated by ShinyHunters
CRITICAL-52
The FBI seized BreachForums, a hacking forum operated by ShinyHunters, which was used as a platform for leaking corporate data stolen via ransomware and extortion campaigns. Among the targeted victims was Salesforce, part of a high-profile breach campaign where hackers claimed to have stolen over one billion customer records from multiple companies, including FedEx, Disney, Google, and others. The ShinyHunters group confirmed the seizure of BreachForums’ infrastructure, including all database backups since 2023 and escrow databases, but emphasized that their Salesforce data leak was still proceeding as planned, scheduled for public release. The breach involved massive customer data exposure, with the hackers leveraging the forum to extort companies that refused ransom payments. While the FBI’s takedown disrupted the forum’s operations, the dark web leak site remained active, indicating persistent risk. The attack highlights a large-scale, coordinated extortion scheme targeting enterprise-level customer databases, with potential financial, reputational, and operational fallout for Salesforce and its clients. The stolen records likely include sensitive personal and corporate information, amplifying the severity of the incident.
MAY 2019
Cyber Attack
01 May 2019 • Salesforce
Salesforce 15-Hour Outage Due to Cyber Attack
HIGH-7
Salesforce's North American and European customers endured a 15-hour outage after a cyber attack.
The incident came after the Salesforce technology team blocked access to certain instances containing customers affected by a database script deployment that inadvertently gave users broader data access than intended.
To protect those customers, the company blocked access to all instances containing affected customers until it could block access to the individual orgs with the inadvertent permissions.
As a result, customers who were not affected may also have experienced service disruption.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Salesforce?
What was Salesforce's A.I Rankiteo Cyber Score in May 2026?
What was Salesforce's A.I Rankiteo Cyber Score in April 2026?
What was Salesforce's A.I Rankiteo Cyber Score in March 2026?
What was Salesforce's A.I Rankiteo Cyber Score in February 2026?
What was Salesforce's A.I Rankiteo Cyber Score in January 2026?
What was Salesforce's A.I Rankiteo Cyber Score in December 2025?
What was Salesforce's A.I Rankiteo Cyber Score in November 2025?
What was Salesforce's A.I Rankiteo Cyber Score in October 2025?
What was Salesforce's A.I Rankiteo Cyber Score in September 2025?
What was Salesforce's A.I Rankiteo Cyber Score in August 2025?
What was Salesforce's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Salesforce's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Salesforce?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Salesforce's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?