All news with #breach tag

Palo Alto Networks Salesforce Breach Exposes Support Data

🔒 Palo Alto Networks confirmed a Salesforce CRM breach after attackers used compromised OAuth tokens from the Salesloft Drift incident to access its instance. The intrusion was limited to Salesforce and exposed business contacts, account records and portions of support cases; technical attachments were not accessed. The company quickly disabled the app, revoked tokens and said Unit 42 found no impact to products or services.

Palo Alto Networks Salesforce Breach Exposes Customer Data

🔒 Palo Alto Networks confirmed a Salesforce data breach after attackers abused OAuth tokens stolen in the Salesloft Drift supply-chain incident to access its CRM. The intruders exfiltrated business contact, account records and support Case data, which in some instances contained sensitive IT details and passwords. Palo Alto says products and services were not affected, tokens were revoked, and credentials rotated.

Palo Alto Networks Response to Salesloft/Drift Breach

🔐 Palo Alto Networks confirmed last week that a breach of Salesloft’s Drift third‑party application allowed unauthorized access to customer Salesforce data, affecting hundreds of organizations including Palo Alto Networks. We immediately disconnected the vendor integration from our Salesforce environment and directed Unit 42 to lead a comprehensive investigation. The investigation found the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and exposed data primarily included business contact information, internal sales account records and basic case data. We are proactively contacting a limited set of customers who may have had more sensitive data exposed and have made support available through our customer support channels.

Ransomware Gang Targets AWO Karlsruhe-Land, Demands €200K

🔒 The AWO Karlsruhe-Land reported a cyberattack on 27 August that briefly caused a full outage of its central IT; affected systems were isolated and external IT specialists were engaged. An extortion letter demanding €200,000 allegedly came from the Lynx ransomware group, linked by local reporting to the Russian milieu. Central services were largely restored within a day, investigations with data protection authorities and the Landeskriminalamt continue, and the organisation says the compromised server held employees' employment contracts, prompting stepped-up security measures and staff briefings.

How Bribery at a Vendor Led to Coinbase Extortion Incident

🔒 In early May 2025 Coinbase disclosed that attackers had extorted the company after bribing employees at an outsourced support provider in India to acquire customer and internal data. The theft affected roughly 1% of monthly active users — about 70,000 people — and exposed information useful for social engineering, though no private keys or wallet credentials were taken. Coinbase refused a $20 million ransom, posted a matching bounty, pledged customer reimbursement, flagged suspect blockchain addresses, dismissed implicated vendor staff, and ended the vendor relationship.

Salesloft token theft exposes wide-ranging integrations

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.

Zscaler Salesforce Breach Exposes Customer Support Data

⚠️ Zscaler says threat actors accessed its Salesforce instance after a compromise of Salesloft Drift, during which OAuth and refresh tokens were stolen and used to access customer records. Exposed information includes names, business email addresses, job titles, phone numbers, regional details, product licensing and commercial data, and content from certain support cases. Zscaler emphasizes the breach was limited to its Salesforce environment—not its products, services, or infrastructure—and reports no detected misuse so far. The company has revoked Drift integrations, rotated API tokens, tightened customer authentication for support, and is investigating.

Suspected Hacker Arrested for Tampering School Grades

🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.

Salt Typhoon APT Expands to Netherlands, Targets Routers

🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.

TransUnion Breach Exposes Data of 4.5 Million US Consumers

🔐 TransUnion has disclosed unauthorized access to a third-party application serving its US consumer support operations, affecting nearly 4.5 million Americans. The company says the incident exposed specific personal data elements but did not include credit reports or core credit information. Detected July 30 after an intrusion on July 28, TransUnion is offering free credit monitoring and proactive fraud assistance while it enhances security controls.

Google: Salesloft Drift OAuth Breach Impacts Integrations

🔐 Google and Mandiant warn Salesloft Drift customers that OAuth tokens tied to the Drift platform should be treated as potentially compromised. Stolen tokens for the Drift Email integration were used to access email from a small number of Google Workspace accounts on August 9, 2025; Google stressed this is not a compromise of Workspace or Alphabet. Google revoked affected tokens, disabled the Workspace–Drift integration, and is urging customers to review, revoke, and rotate credentials across all Drift-connected integrations while investigations continue.

Salt Typhoon Exploits Router Flaws to Breach 600 Orgs

🔒Salt Typhoon, a China-linked APT, exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks edge devices to compromise and persistently control routers worldwide. The actors modified device configurations, created GRE tunnels, and used on-box Linux containers to stage tools and exfiltrate data. Agencies from 13 countries linked the campaign to three Chinese firms and warned of espionage impacting telecoms, government, transport, lodging, and military sectors.

Netherlands Confirms Salt Typhoon Targeting Small Telcos

🔍 Dutch intelligence agencies MIVD and AIVD have independently confirmed parts of U.S. findings that the Chinese-sponsored group Salt Typhoon targeted organizations in the Netherlands. Investigations in late 2024 indicate the group accessed the routers of primarily small ISPs and hosting providers. There is no evidence the threat actors moved deeper into internal networks. The agencies and the NCSC have shared threat intelligence and stressed that risks can be reduced but not entirely eliminated.

Nevada Confirms Ransomware Attack, Data Exfiltrated

🔒 Nevada has confirmed a ransomware attack that resulted in data being exfiltrated from state networks. Tim Galluzi, Nevada's chief information officer, said the incident was first detected on August 24 and was disclosed by the governor's office on August 25; he provided an update in a press conference on August 27. Systems and digital services were taken offline to prevent further intrusion, and a forensic investigation involving third-party specialists, the FBI and CISA is ongoing to determine the nature and scope of the stolen information. No criminal actor had claimed responsibility at the time of reporting.

Chinese Tech Firms Linked to Salt Typhoon Espionage

🔍 A joint advisory from the UK, US and allied partners attributes widespread cyber-espionage operations to the Chinese APT group Salt Typhoon and alleges assistance from commercial vendors that supplied "cyber-related products and services." The report names Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology. It warns attackers exploited known vulnerabilities in edge devices to access routers and trusted provider connections, and urges immediate patching, proactive hunting using supplied IoCs, and regular review of device logs.

Chinese 'Salt Typhoon' Hackers Active in 80 Countries

🛡️ The FBI says the Chinese-linked hacker group Salt Typhoon has been observed operating in at least 80 countries, with activity reported across regions including the UK, Canada, Australia and New Zealand. U.S. authorities disclosed that the actors compromised U.S. telecommunications firms, exfiltrating more than one million connection records and targeting calls and SMS for over 100 Americans. A detailed technical analysis was published with international partners, including Germany's BSI, to help network defenders detect and remediate the intrusion, and U.S. officials now say the activity appears to have been contained.

CISA Advisory: Chinese State-Sponsored APTs Target Networks

🚨 CISA, the NSA, the FBI, and international partners released a joint advisory detailing ongoing malicious activity by PRC state-sponsored APT actors seeking long-term access to critical infrastructure worldwide. The advisory highlights exploitation of vulnerabilities in routers and edge devices used by telecommunications and infrastructure operators, and notes actors' evasion and persistence tactics. It urges organizations to patch known exploited vulnerabilities, enable centralized logging, secure edge infrastructure, and hunt for signs of compromise immediately.

Salesloft OAuth Breach via Drift AI Exposes Salesforce Data

🔒 A campaign tied to threat actor UNC6395 exploited compromised OAuth and refresh tokens associated with the Drift chat integration to exfiltrate data from Salesforce instances connected via Salesloft. Observed between Aug 8 and Aug 18, 2025, the actor executed targeted queries to retrieve Cases, Accounts, Users and Opportunities and hunted for credentials such as AWS access keys and Snowflake tokens. Salesloft and Salesforce invalidated tokens, removed Drift from AppExchange, and advised affected customers to re-authenticate integrations and rotate credentials.

CrowdStrike Named Leader in IDC MarketScape 2025 IR Services

🔹 CrowdStrike was named a Leader in the IDC MarketScape: Worldwide Incident Response Services 2025 assessment, recognized for its AI-native Falcon platform and a global 24/7 incident response model. The company combines over 100,000 hours of annual IR casework with frontline breach expertise to speed detection, investigation and containment. Its follow-the-sun delivery and AI-augmented tooling reduce time-to-recovery, while proactive offerings like CrowdStrike Pulse Services help customers build long-term resilience.

Google Named a Leader in IDC Incident Response 2025

🔒 Google has been named a Leader in the IDC MarketScape: Worldwide Incident Response 2025, recognizing Mandiant—now integrated into Google Cloud Security—for its decades of incident response expertise. The report praises Mandiant’s "team of teams" model, rapid crisis communications capability, and integration with Google's SecOps platform. Proprietary tools like FACT and Monocle and combined threat intelligence with VirusTotal enhance enterprise-scale investigations.