< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3003 articles · page 140 of 151

Cloudflare Hit by Data Breach in Salesloft Drift Attack

🔒 Cloudflare disclosed attackers accessed a Salesforce instance used for internal customer case management in a broader Salesloft Drift supply‑chain breach, exposing 104 Cloudflare API tokens and the text contents of support case objects. Cloudflare was notified on August 23, rotated all exfiltrated platform-issued tokens, and began notifying impacted customers on September 2. The company said only text fields were stolen — subject lines, case bodies and contact details — but warned customers that any credentials shared via support tickets should be considered compromised and rotated immediately.
read more →

Cloudflare Response to Salesloft Drift Salesforce Breach

🔒 Cloudflare confirmed that it and some customers were impacted by the Salesloft/Drift breach which exposed Salesforce support case text. The company found 104 Cloudflare API tokens in the exfiltrated data, rotated them, and observed no suspicious activity tied to those tokens. No Cloudflare infrastructure was compromised; affected customers were notified and advised to rotate any credentials shared in support tickets and to harden third-party integrations.
read more →

Lazarus Group Expands Cross-Platform RATs Against DeFi

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.
read more →

ICE Reinstates Contract with Paragon Spyware Vendor

🔁 ICE has reinstated a $2m contract with Israeli-founded vendor Paragon Solutions, now owned by US private equity, enabling delivery of hardware and perpetual license software to the agency. The agreement, originally signed on 27 September 2024 and suspended after a White House review on 8 October 2024, was cleared to resume work on 30 August. Paragon has been linked to the Graphite spyware used against European journalists and implicated in Italian government investigations, raising procurement and national security concerns.
read more →

Cloudflare Blocks Record 11.5 Tbps UDP Flood DDoS Attack

🛡️ Cloudflare says it blocked the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The UDP flood, which Cloudflare attributes mainly to traffic originating from Google Cloud, lasted roughly 35 seconds and was part of a broader surge of hyper‑volumetric events. The mitigation highlights Cloudflare's automated scaling and defensive capabilities against short, extremely high‑bandwidth assaults.
read more →

Malicious npm Package Masquerades as Nodemailer Library

⚠️ A malicious npm package named nodejs-smtp impersonating the popular nodemailer library was discovered to both send mail and inject malware into Electron-based desktop cryptocurrency wallets. When imported, it unpacked and tampered with Atomic Wallet on Windows, replacing vendor files and repackaging the app to silently redirect transactions to attacker-controlled addresses. Socket's researchers prompted npm to remove the package and suspend the account.
read more →

Azure AD Client Credentials Exposed in Public appsettings

🔒 Resecurity’s HUNTER Team discovered that ClientId and ClientSecret values were inadvertently left in a publicly accessible appsettings.json file, exposing Azure AD credentials. These secrets permit direct authentication against Microsoft’s OAuth 2.0 endpoints and could allow attackers to impersonate trusted applications and access Microsoft 365 data. The exposed credentials could be harvested by automated bots or targeted adversaries. Organizations are advised to remove hardcoded secrets, rotate compromised credentials immediately, restrict public access to configuration files and adopt centralized secrets management such as Azure Key Vault.
read more →

Jaguar Land Rover Cyberattack Severely Disrupts Production

🔒 Jaguar Land Rover (JLR) said a cyberattack forced the company to proactively shut down multiple systems to mitigate impact. The incident, reported over the weekend, has severely disrupted retail and production operations, including systems at the Solihull plant. JLR stated there is no evidence that customer data was stolen and is working to restart global applications in a controlled manner.
read more →

Jaguar Land Rover Cyber Incident Disrupts Sales & Production

🔒 JLR has disclosed a cyber incident that has severely disrupted global sales and production. The company said it proactively shut down systems and is working to restart applications in a controlled manner. At this stage there is no evidence customer data has been stolen, but retail and manufacturing activities remain affected. Tata Motors disclosed related "global IT issues" to investors.
read more →

Pennsylvania AG Office Confirms Ransomware Caused Outage

🔒 The Office of the Pennsylvania Attorney General confirmed a ransomware attack is behind a two-week service outage that has taken its public website offline and disrupted email and phone systems. Attorney General David W. Sunday Jr. said the office refused to pay the extortionists and that an active investigation with other agencies is ongoing. Partial recovery of email and phones has allowed staff to work via alternate channels while courts issue filing extensions. No group has claimed responsibility and the office has not yet confirmed any data exfiltration.
read more →

Drift–Salesforce OAuth Attack: Rethink SaaS Security

🔒 A sophisticated adversary exploited legitimate OAuth tokens issued to Salesloft's Drift chatbot integration with Salesforce, using the connection to silently exfiltrate customer data between August 8–18, 2025, according to Google Threat Intelligence Group. The campaign, attributed to UNC6395, leveraged trust in third-party integrations and service-to-service tokens to maintain covert access. Organizations should reassess OAuth governance, entitlement controls, and logging for SaaS integrations to reduce exposure.
read more →

Palo Alto Networks Salesforce Breach Exposes Support Data

🔒 Palo Alto Networks confirmed a Salesforce CRM breach after attackers used compromised OAuth tokens from the Salesloft Drift incident to access its instance. The intrusion was limited to Salesforce and exposed business contacts, account records and portions of support cases; technical attachments were not accessed. The company quickly disabled the app, revoked tokens and said Unit 42 found no impact to products or services.
read more →

Palo Alto Networks Salesforce Breach Exposes Customer Data

🔒 Palo Alto Networks confirmed a Salesforce data breach after attackers abused OAuth tokens stolen in the Salesloft Drift supply-chain incident to access its CRM. The intruders exfiltrated business contact, account records and support Case data, which in some instances contained sensitive IT details and passwords. Palo Alto says products and services were not affected, tokens were revoked, and credentials rotated.
read more →

Palo Alto Networks Response to Salesloft/Drift Breach

🔐 Palo Alto Networks confirmed last week that a breach of Salesloft’s Drift third‑party application allowed unauthorized access to customer Salesforce data, affecting hundreds of organizations including Palo Alto Networks. We immediately disconnected the vendor integration from our Salesforce environment and directed Unit 42 to lead a comprehensive investigation. The investigation found the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and exposed data primarily included business contact information, internal sales account records and basic case data. We are proactively contacting a limited set of customers who may have had more sensitive data exposed and have made support available through our customer support channels.
read more →

Salesloft–Drift OAuth Abuse Targets Salesforce Data

⚠️ Unit 42 observed a campaign that abused the Salesloft Drift integration using compromised OAuth credentials to access and exfiltrate data from customer Salesforce instances. The actor performed large-scale extraction of objects including Account, Contact, Case and Opportunity records and scanned harvested data for credentials. Salesloft revoked tokens and notified affected customers; organizations should immediately review logs, rotate exposed credentials and hunt for the provided IoCs.
read more →

Ukrainian AS FDN3 Linked to Massive Brute-Force Attacks

🔒 Intrinsec reports that Ukraine-based autonomous system FDN3 (AS211736) conducted widespread brute-force and password-spraying campaigns targeting SSL VPN and RDP endpoints between June and July 2025, with activity peaking July 6–8. The firm links FDN3 to two other Ukrainian ASes (AS61432, AS210950) and a Seychelles operator (AS210848) that frequently exchange IPv4 prefixes to evade blocklisting. Intrinsec highlights ties to bulletproof hosting providers and a Russian-associated Alex Host LLC, stressing that offshore peering arrangements complicate attribution and takedown efforts.
read more →

Ransomware Gang Targets AWO Karlsruhe-Land, Demands €200K

🔒 The AWO Karlsruhe-Land reported a cyberattack on 27 August that briefly caused a full outage of its central IT; affected systems were isolated and external IT specialists were engaged. An extortion letter demanding €200,000 allegedly came from the Lynx ransomware group, linked by local reporting to the Russian milieu. Central services were largely restored within a day, investigations with data protection authorities and the Landeskriminalamt continue, and the organisation says the compromised server held employees' employment contracts, prompting stepped-up security measures and staff briefings.
read more →

Silver Fox Abuses Signed WatchDog Driver to Disable AV

🚨 Check Point attributes a BYOVD campaign to the Silver Fox actor that leverages a Microsoft-signed WatchDog kernel driver (amsdk.sys v1.0.600) to neutralize endpoint defenses. The operation uses a dual-driver approach—an older Zemana-based driver on Windows 7 and the WatchDog driver on Windows 10/11—to terminate processes and escalate privileges. An all-in-one loader bundles anti-analysis checks, embedded drivers, AV-killer logic, and a ValleyRAT downloader to establish persistent remote access.
read more →

Zscaler Says Salesforce Data Exposed via Drift OAuth

🔒 Zscaler has disclosed that OAuth tokens tied to the third-party Salesloft Drift application were stolen, allowing an attacker to access its Salesforce instance. The company said exposed data included business contact details, job titles, phone numbers, regional information, product licensing and some plain-text support case content, but not attachments or images. Zscaler revoked the app's access, rotated API tokens, implemented additional safeguards and urged customers to remain vigilant for phishing and social-engineering attempts.
read more →

Malicious npm Package Mimics Nodemailer, Targets Wallets

🛡️ Researchers found a malicious npm package named nodejs-smtp that impersonated the nodemailer mailer to avoid detection and entice installs. On import the module uses Electron tooling to unpack an app.asar, replace a vendor bundle with a payload, repackage the application, and erase traces to inject a clipper into Windows desktop wallets. The backdoor redirects BTC, ETH, USDT, XRP and SOL transactions to attacker-controlled addresses while retaining legitimate mailer functionality as a cover.
read more →