All news with #data leak tag

Data Is the New Diamond: Evolving Salesforce Data Theft

🔒 Recent Unit 42 analysis details ongoing data theft campaigns targeting Salesforce environments, notably a Salesloft Drift supply chain intrusion attributed to UNC6395 that may have started with reconnaissance as early as March 2025. Threat actors claiming links to Muddled Libra and Bling Libra have promoted stolen datasets on Telegram and announced new RaaS ambitions, while some channels were removed by September 5. Unit 42 emphasizes the prominence of social engineering by operatives tied to "The Com," predicts shifts toward data theft extortion and other monetization tactics, and recommends engagement with RH-ISAC, adoption of Salesforce mitigations, and use of Unit 42 incident insights to strengthen people and process defenses.

Kosovo Hacker Pleads Guilty to Running BlackDB Market

🔒 Kosovo national Liridon Masurica has pleaded guilty to operating the cybercrime marketplace BlackDB.cc, which the Justice Department says sold compromised accounts, server credentials, stolen credit cards, and PII since 2018. Masurica was arrested in Kosovo in December 2024, extradited to the United States in May 2025, and is detained following a court appearance in Tampa. He faces federal charges that include five counts of fraudulent use of unauthorized access devices and a conspiracy count, carrying up to 55 years in prison. The FBI coordinated the investigation with Kosovo law enforcement and international partners.

The Dark Side of Vibe Coding: AI Risks in Production

⚠️ One July morning a startup founder watched a production database vanish after a Replit AI assistant suggested—and a developer executed—a destructive command, underscoring dangers of "vibe coding," where plain-English prompts become runnable code. Experts say this shortcut accelerates prototyping but routinely introduces hardcoded secrets, missing access controls, unsanitized input, and hallucinated dependencies. Organizations should treat AI-generated code like junior developer output, enforce CI/CD guardrails, and require thorough security review before deployment.

Salesloft: GitHub Compromise Led to Drift OAuth Theft

🔒 Salesloft confirmed that a threat actor gained access to its GitHub account between March and June 2025, using that access to download repositories, add a guest user and create workflows. The attacker then moved into the Drift app environment, obtained OAuth tokens and used Drift integrations to access customers’ Salesforce instances and exfiltrate secrets. Affected customers include security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler. Google Mandiant performed containment, rotated credentials and validated segmentation; the incident is now in forensic review.

Lovesac Confirms Data Breach Following Ransomware Claim

🔒 Lovesac reported a cybersecurity incident in which unauthorized actors accessed internal systems between February 12, 2025 and March 3, 2025, with the company detecting the activity on February 28, 2025. The notice to impacted individuals states that full names and additional personal information were stolen, although specific data elements and the total number of affected people were not disclosed. Lovesac says it remediated the intrusion within three days and currently has no indication the information has been misused, but it is advising vigilance for phishing and other fraud. The RansomHub ransomware group claimed responsibility and added Lovesac to its extortion portal; affected individuals are being offered 24 months of Experian credit monitoring.

Salesloft March GitHub Breach Led to Salesforce Data Theft

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.

GitHub Account Compromise Led to Salesloft Drift Breach

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.

Wealthsimple Confirms Supply-Chain Breach Affecting 30,000

🔒 Wealthsimple has confirmed a supply-chain related data breach that exposed information for roughly 30,000 customers after software from a third-party vendor was compromised on August 30. The leaked data reportedly included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. Wealthsimple says passwords were not accessed, no client accounts were compromised and no funds were stolen. The firm says it contained the intrusion within hours, notified regulators and is offering affected customers two years of free credit monitoring, dark-web monitoring, identity theft protection and a dedicated support team.

GhostAction Campaign Steals 3,325 Secrets via GitHub Actions

🔍GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

Qualys, Tenable Confirm Access in Salesloft Drift Attack

🔐 Tenable and Qualys reported limited unauthorized access to parts of their Salesforce records after attackers stole OAuth tokens from the Salesloft Drift integration. The incidents exposed support-case subject lines, initial descriptions and basic business contact details, but neither vendor's products or core services were affected. Both firms disabled the Salesloft Drift app, revoked or rotated credentials, and said they are working with Salesforce and investigators to contain the impact.

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

German Companies Affected by 2024–2025 Cyberattacks

🔒 In 2024 and into 2025, a wide range of German companies — from small and mid-sized enterprises to publicly listed groups and critical-service providers — were struck by ransomware and other intrusions, causing operational disruptions, lost revenue, supply-chain effects and reputational harm. Notable victims include Volkswagen Group, Adidas, Samsung Germany and several defence and manufacturing firms, while IT service providers and regional utilities were also targeted. At least one company (Fasana GmbH) reported insolvency after an attack. The editorial team updates this list regularly, but it is not exhaustive.

AI-powered Nx malware exposes 2,180 GitHub accounts

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.

Wealthsimple Reports Customer Data Breach Linked to Salesloft

🔒 Wealthsimple disclosed a data breach detected on August 30 after attackers accessed a trusted third-party software package. The company said less than 1% of customers had personal information exposed, including contact details, government IDs, account numbers, IP addresses, Social Insurance Numbers, and dates of birth. Wealthsimple stated no funds or passwords were taken; impacted customers are being offered two years of complimentary credit and identity protection and were advised to enable two-factor authentication and remain alert for phishing.

Germany Charges Hacker Over Rosneft Deutschland Cyberattack

⚠️A 30-year-old man has been charged for a March 2022 cyberattack on Rosneft Deutschland that reportedly stole and deleted about 20 TB of data, leaving a 'Glory to Ukraine' message. Prosecutors allege the breach exposed backups, virtual machines, mail server images and device backups, prompting remote wipes and nearly €12.4M in combined losses. Authorities charged him with computer sabotage, data alteration, and data espionage.

South Carolina School District Data Breach Affects 31,000

🔒 School District Five of Lexington & Richland Counties disclosed a June 3 network intrusion that may have exposed personal data for 31,475 current and former students and staff. Exposed information likely includes names, dates of birth, Social Security numbers, financial account details and state‑issued ID information. The district engaged independent cybersecurity experts and determined files were taken; the incident was claimed by Interlock. Affected individuals are being offered Single Bureau Credit Monitoring and $1m in identity theft insurance through CyberScout.

Under Lock and Key: Strengthening Business Encryption

🔒 Encryption is a critical layer in modern data protection, safeguarding sensitive and business‑critical information both at rest and in transit. The article outlines key drivers — remote/hybrid work, explosive data growth, device loss, third‑party risks, ransomware and insider threats — that make encryption essential. It recommends robust algorithms such as AES-256, centralized management and solutions for disks, files, removable media and email, alongside minimal end‑user friction. The piece also warns that regulators and insurers increasingly expect strong encryption as part of compliance and underwriting.

61% of US Companies Hit by Insider Data Breaches in Two Years

📊 Nearly two-thirds (61%) of US firms experienced insider data breaches in the past two years, according to a new OPSWAT report conducted by the Ponemon Institute. Affected organizations reported an average of eight unauthorized file-access incidents and an average financial impact of $2.7m per organization. Respondents identified file storage and web file transfers as the riskiest environments for data loss. The study also found mixed approaches to generative AI—29% have banned it, 25% have formal policies, and 33% already include AI in file security strategies.

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.