Data Breach Archives - Cyber Security News
https://cybersecuritynews.com/category/data-breach/
World's #1 Premier Cybersecurity and Hacking News Portal
Fri, 21 Nov 2025 05:41:21 +0000

Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach
https://cybersecuritynews.com/salesforce-gainsight-breach/
Fri, 21 Nov 2025 04:41:23 +0000

Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.

The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.

In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.

Salesforce explicitly stated that this incident does not stem from a vulnerability within the Salesforce platform itself. Instead, it exploits the trust relationship between the platform and third-party integrations.

The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.

Salesforce Gainsight Breach

This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.

Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.

Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.

From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.

Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.

Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.

It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.

Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com that “this wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here.”

“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed.”

DoorDash Confirms Data Breach – Hackers Accessed Users Personal Data
https://cybersecuritynews.com/doordash-confirms-data-breach/
Tue, 18 Nov 2025 17:03:04 +0000

DoorDash has disclosed a cybersecurity incident where unauthorized actors gained access to user contact information following a social engineering attack targeting a company employee.

The food delivery platform confirmed that personal data was compromised. However, it highlighted that no sensitive financial or government-issued identification information was accessed.

On October 25, 2025, DoorDash identified unauthorized third-party access to its systems resulting from a social engineering scam targeting an employee.

Social Engineering Attack Exposes Customer Contact Details

The company’s security team quickly detected the intrusion, terminated the unauthorized access, and launched an investigation into the incident.

Law enforcement authorities have been notified and are conducting an ongoing investigation. The breach affected user contact information, which varied by individual.

Exposed data may have included first and last names, phone numbers, email addresses, and physical addresses. DoorDash stated that no sensitive information was accessed during the incident.

Notably, Social Security numbers, government-issued identification numbers, driver’s license details, and bank or payment card information remained secure.

DoorDash reported no evidence that the stolen data had been misused for fraud or identity theft purposes. DoorDash has implemented multiple security enhancements following the breach.

The company deployed upgraded security systems designed to detect and prevent similar malicious activities.

Additional employee training programs focusing on social engineering awareness have been introduced to strengthen defenses against future attacks.

An external cybersecurity firm was brought in to support the investigation and provide specialized expertise. DoorDash emphasized its commitment to continuous security improvement and protecting user privacy.

DoorDash tells affected users to be careful about unexpected messages that ask for personal information.

Users should avoid clicking unsafe links or downloading attachments from unknown sources and refrain from sharing personal data on unfamiliar websites.

Everest Ransomware Group Allegedly Exposes 343 GB of Sensitive Data in Major Under Armour Breach
https://cybersecuritynews.com/everest-ransomware-group-armour-breach/
Tue, 18 Nov 2025 09:20:52 +0000

The notorious Everest ransomware group has claimed responsibility for a major cyber breach against Under Armour, the global sportswear giant, alleging the theft of 343 GB of internal data that could impact millions of customers and employees worldwide.

The announcement, posted on the group’s dark web leak site on November 16, 2025, includes a sample of stolen records to substantiate the claims, escalating concerns over potential identity theft and phishing risks.

According to Everest, the compromised dataset encompasses a vast array of personal and corporate information from Under Armour’s systems.

Everest Ransomware Group Armour Breach

This includes millions of client records with transaction histories, user IDs, email addresses, physical addresses, phone numbers, passport details, gender information, and both work and personal email contacts.

Employee data from various countries is also implicated, alongside internal company documents. The sample provided by the hackers reveals sensitive customer shopping histories, product catalogs with SKUs, prices, and availability, as well as marketing logs and user behavior analytics.

These details suggest the breach targeted Under Armour’s customer relationship management, personalization, or e-commerce databases, potentially originating from marketing or product registration systems.

Everest, active since 2021, has a track record of high-profile attacks, including claims against AT&T’s carrier database, which exposed over 500,000 users, 1.5 million passenger records from Dublin Airport, and internal files from Coca-Cola.

The group issued a seven-day ultimatum to Under Armour via Tox messenger, demanding contact before the countdown timer expires and threatening to leak the data if the demand is not fully met. No ransom amount was specified in the initial post, but Everest’s pattern involves escalating leaks for non-compliant victims.

Under Armour, headquartered in Baltimore, Maryland, has not yet publicly confirmed or denied the breach as of November 18. The company, which serves over 190 countries and boasts brands like MyFitnessPal (previously hit in a 2018 incident affecting 150 million users), could face significant fallout.

Past breaches at the firm exposed usernames, emails, and hashed passwords, but spared financial data; this incident appears far broader, potentially including passports and transaction logs that enable targeted fraud.

Cybersecurity experts warn that such exposures heighten the risk of supply chain attacks and social engineering. “Ransomware groups like Everest are pivoting to data exfiltration over encryption, turning breaches into intelligence goldmines,” noted a Mandiant analyst.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has not yet listed this in its Known Exploited Vulnerabilities catalog, but similar incidents have prompted federal alerts.

Customers are urged to monitor accounts for unusual activity, change passwords on Under Armour-linked services, enable multi-factor authentication, and watch for phishing emails masquerading as breach notifications.

Enterprises should scan for Everest indicators of compromise, such as Qakbot malware or Cobalt Strike beacons, which the group often uses. Under Armour has been contacted for comment; until verified, these remain allegations, but the sample’s detail lends credibility.

Washington Post Oracle E-Suite 0-Day Hack Impacts 9K+ Employees and Contractors
https://cybersecuritynews.com/washington-post-oracle-e-suite-hack/
Fri, 14 Nov 2025 10:12:12 +0000

The Washington Post has publicly disclosed a significant data breach involving external hacking of its Oracle E-Suite system, impacting over 9,700 employees and contractors worldwide.

The breach notification, filed with Maine’s Attorney General, reveals the incident occurred on July 10, 2025, but remained undiscovered until October 27, 2025, nearly three-and-a-half months later.

The official regulatory filing in Maine was submitted by ZwillGen PLLC, the prestigious news organization’s legal counsel. The breach compromised the personal information of 9,720 individuals, including 31 Maine residents.

Oracle E-Suite Exposes Employee Data

The compromised data included names and other personal identifiers combined with additional sensitive information, though specific details about what additional data was exposed remain limited in the public disclosure.

The Washington Post’s headquarters, located at 1301 K Street NW in Washington, DC, was the site of the intrusion, which was discovered during routine security monitoring.

The extended discovery window raises questions about the organization’s detection capabilities and security monitoring practices within its systems.

Such gaps between breach occurrence and discovery are common in major cyber incidents, allowing threat actors to maintain extended access to sensitive systems and data.

As part of its incident response, The Washington Post offered complimentary identity theft protection services to all impacted employees and contractors.

This proactive approach reflects emerging best practices in breach response. It demonstrates a commitment to mitigating potential harm from unauthorized data access.

Senior Legal Director Marci Rozen, representing The Washington Post through external counsel firm ZwillGen PLLC, filed the formal breach notification with Maine regulators.

The filing represents part of the organization’s legal obligations under the state’s data breach notification laws, which require notification of affected residents within a specific timeframe.

The Oracle E-Suite system targeted in this incident manages employee data and administrative functions across the organization.

Maine’s breach report underscores ongoing vulnerabilities in enterprise software systems and highlights the persistent threat posed by external threat actors targeting major organizations, including media outlets handling sensitive editorial and proprietary information.

The Washington Post’s rapid notification to affected individuals and its provision of identity protection services demonstrate that it has established incident response protocols.

Cl0P Ransomware Group Allegedly Claims Breach of Entrust in Oracle 0-Day EBS Hack
https://cybersecuritynews.com/entrust-oracle-0-day-ebs-hack/
Fri, 14 Nov 2025 08:12:21 +0000

The notorious Cl0P ransomware group has claimed responsibility for breaching digital security firm Entrust, exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS).

The attack, tied to CVE-2025-61882, marks another high-profile victim in Cl0P’s relentless assault on organizations using Oracle’s enterprise software.

Cl0P, known for high-impact extortion schemes, announced the breach on their dark web leak site earlier this week. According to the post, attackers gained unauthorized access to Entrust’s systems via an unpatched flaw that allows remote code execution (RCE) in Oracle EBS environments.

Clop ransomware claim

The vulnerability, rated CVSS 9.8 for its ease of exploitation without authentication, affects multiple versions of EBS, a widely used platform for financial and supply chain management. Oracle patched it in October 2025’s Critical Patch Update, but delayed adoption has left many firms exposed.

Entrust, a provider of identity and access management solutions, confirmed the incident in a brief statement, noting that no customer data appears compromised.

“We are investigating the matter with urgency and have implemented enhanced security measures,” the company said. However, cybersecurity experts warn that the breach could undermine trust in Entrust’s services, given its role in securing digital certificates and authentication for global enterprises.

This isn’t Cl0P’s first rodeo with CVE-2025-61882. Since disclosing the zero-day in September 2025, the group has listed over a dozen victims, including manufacturing giants and financial institutions.

Their tactic, exfiltrating data before encryption, has netted millions in ransoms while pressuring targets through public shaming. Analysts at Mandiant attribute the spree to Cl0P’s shift toward “big game hunting,” targeting vulnerabilities in legacy enterprise systems.

The breach highlights persistent risks in supply chain security. Organizations relying on Oracle EBS should prioritize patching and conduct vulnerability scans immediately. As Cl0P’s list grows, the incident underscores the need for proactive threat hunting in an era of sophisticated ransomware operations.

Checkout.com Hacked – ShinyHunters Breached Cloud Storage, Company Refuses Ransom
https://cybersecuritynews.com/checkout-com-hacked/
Fri, 14 Nov 2025 03:55:02 +0000

Payment processor Checkout.com revealed on Thursday that notorious hacking group ShinyHunters had infiltrated a legacy third-party cloud file storage system, exposing internal documents from years past.

The breach, which the company attributes to its own oversight in decommissioning the outdated platform, affects less than 25% of its current merchant base but spares critical payment infrastructure.

The incident surfaced last week when ShinyHunters, a collective known for high-profile data thefts including breaches at Microsoft, AT&T, and Ticketmaster, contacted Checkout.com demanding a ransom.

The group claimed possession of sensitive data tied to the London-based fintech firm, which processes billions in transactions annually for e-commerce giants worldwide.

Upon investigation, Checkout.com confirmed unauthorized access to a cloud system used before 2020 for internal operational documents and merchant onboarding materials. “This was our mistake, and we take full responsibility,” stated Mariano Albera, the company’s Chief Technology Officer, in an official blog post.

What Data Was Affected

The legacy setup, managed by a third-party provider, was not properly retired, creating a vulnerability that threat actors exploited. Crucially, the hackers never reached the live payment processing platform; no merchant funds, card numbers, or real-time transaction data were compromised.

ShinyHunters, active since at least 2020, has built a reputation for selling stolen data on dark web forums, often targeting financial and tech sectors.

Their tactics typically involve exploiting misconfigurations or weak access controls, aligning with the decommissioning lapse here. Security experts note this as a reminder of “zombie systems”: forgotten infrastructure that lingers as easy prey for cybercriminals.

Checkout.com emphasized transparency in its response, vowing not to yield to extortion. “We will not pay this ransom,” Albera declared. Instead, the company plans to donate an equivalent amount to Carnegie Mellon University and the University of Oxford’s Cyber Security Center, funding research to combat cybercrime.

“Security, transparency, and trust are the foundation of our industry,” he added. “We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”

The firm is now notifying affected merchants and collaborating with law enforcement and regulators to mitigate fallout. “We are sorry. We regret that this incident has caused worry for our partners,” Albera wrote, offering direct support through account managers.

SonicWall Confirms State-Sponsored Hackers Behind the Massive Firewall Backup Breach
https://cybersecuritynews.com/sonicwall-confirms-firewall-backup-breach/
Thu, 06 Nov 2025 13:51:09 +0000

SonicWall, a global cybersecurity company, confirmed that state-sponsored hackers were behind a recent incident involving unauthorized access to firewall backup files.

The breach began in early September, when the company detected suspicious activity involving the download of backup firewall configuration files stored in a cloud environment.

Upon discovery, SonicWall quickly activated its incident response plan, called in Mandiant, a well-known cybersecurity response firm, and notified partners and customers directly.

The company maintained frequent and transparent communication, hosting live Q&A sessions and providing tools and guidance to help partners respond effectively.

SonicWall also offered commercial concessions to support partners as they worked through remediation steps.

Mandiant Investigation Reveals Cloud-Isolated Attack

Mandiant’s thorough investigation has now concluded. The results show that the attackers, linked to a state-sponsored threat group, used an API call to access cloud backup files stored in a specific cloud environment.

According to the findings, this incident did not relate to the recent global Akira ransomware attacks targeting firewalls and edge devices.

Importantly, SonicWall confirmed that its products, firmware, and other systems, like source code and customer networks, were not impacted or compromised.

All remediation actions recommended by Mandiant have been implemented, and SonicWall continues to work closely with security experts to strengthen its cloud and network infrastructure further.

The company emphasized that its long-standing focus on security excellence and partner support remains firm. Earlier in the year, SonicWall launched a Secure by Design modernization initiative.

This included updates to product architecture, cloud operations, internal cybersecurity practices, and the appointment of a new Chief Information Officer.

The company also continues to invest in advanced response teams and cutting-edge security tools. SonicWall’s determination to stay ahead is underscored by external validation.

Even as nation-state threat actors increasingly target security vendors, SonicWall is committed to transparency, strong partnerships, and relentless improvement to safeguard its customers and partners worldwide.

Hyundai AutoEver Confirms Data Breach Exposing Users’ Personal Information and SSNs
https://cybersecuritynews.com/hyundai-autoever-confirms-data-breach/
Thu, 06 Nov 2025 07:47:05 +0000

Hyundai AutoEver America has disclosed a significant data breach that compromised sensitive personal information of customers, including Social Security numbers and driver’s license details.

The cybersecurity incident highlights growing concerns about data protection in the automotive technology sector.

Hyundai AutoEver America discovered the cyber incident on March 1, 2025, when unauthorized activity was detected within its information technology environment.

The company immediately launched an investigation with external cybersecurity experts to assess the full scope of the breach.

Forensic analysis revealed that unauthorized access began on February 22, 2025, and the last observed malicious activity occurred on March 2, 2025, spanning approximately 9 days of potential data exposure.

Compromised Personal Information

The breach exposed a range of sensitive personal data belonging to affected individuals. According to the official breach notification, compromised information included full names along with additional data elements that could enable identity theft.

While the notice template does not specify exact numbers, the company confirmed that Rhode Island residents were among those impacted.

The exposed data includes Social Security numbers, driver’s license information, and other personally identifiable information that could be exploited for fraudulent purposes.

Upon discovering the intrusion, Hyundai AutoEver immediately terminated the unauthorized third party’s access to affected systems and engaged specialized cybersecurity firms to conduct a comprehensive investigation.

The company also coordinated with law enforcement agencies throughout the response process. The extensive nature of the incident required significant time and resources to analyze forensic data and determine which information was accessed.

Hyundai AutoEver is offering affected customers complimentary two-year credit monitoring services through Epiq Privacy Solutions, including three-bureau credit monitoring and identity protection.

Affected individuals are encouraged to remain vigilant by monitoring account statements, reviewing credit reports regularly, and considering fraud alerts or security freezes to prevent unauthorized credit applications.

Hyundai Senior Group Manager Ira Gabriel said that “Hyundai AutoEver America, an IT vendor that manages certain Hyundai Motor America employee systems, experienced an incident to that area of business that impacted employment-related data and primarily affected current and former employees of Hyundai AutoEver America and Hyundai Motor America. Approximately 2,000 current and former employees were notified of the incident. The 2.7 million figure that is cited in many media articles has no relation to the actual security incident”.

“No Hyundai consumer data was exposed, and no Hyundai Motor America customer information or Bluelink driver data was compromised”.

Hackers Stolen Over $100 Million by Exploiting Balancer DeFi Protocol
https://cybersecuritynews.com/hackers-stolen-exploiting-balancer/
Tue, 04 Nov 2025 14:17:58 +0000

Hackers have successfully stolen more than $100 million by exploiting a critical vulnerability in the Balancer protocol.

Balancer, a leading DeFi platform known for its automated market-making pools, confirmed that only its V2 Composable Stable Pools were affected by the exploit. The remainder of its pools, including Balancer V3 and other older pools, remain untouched and fully secure.

The impacted pools had been active on the blockchain for several years and, due to their age, many were outside of Balancer’s “pause window,” a built-in feature allowing emergency halts to prevent damage during attacks.

Balancer DeFi Protocol Exploited

The pools that could be paused were quickly taken offline and are currently in recovery mode while the investigation continues.

The Balancer team responded rapidly, working in collaboration with experienced security researchers to analyze the incident. A full post-mortem report with technical details will be provided once the investigation has progressed.

Balancer emphasized its longstanding commitment to security, highlighting extensive third-party audits and robust bug bounty programs designed to encourage independent researchers to uncover vulnerabilities before hackers do.

Legal and security professionals are now working closely to enhance protection for users and to track down the attackers. In the wake of the incident, the Balancer team issued an urgent warning about fraudulent communications.

Malicious actors are already sending fake messages pretending to represent the Balancer Security Team, seeking to further exploit concerned users. Balancer stressed that official updates will be shared only through its official X (Twitter) account and Discord server.

Users are strongly cautioned not to trust unsolicited messages or click on unknown links, as these could be part of phishing schemes aimed at stealing more funds.

As the investigation proceeds, Balancer has reassured the community that it is devoted to operational security and user protection.

The DeFi community and partners are actively supporting the team. Users are encouraged to stay tuned for further updates as more details surrounding the exploit and future preventive measures are released.

Proton Exposes 300 Million Stolen Credentials Available for Sale on Dark Web Cybercrime Markets
https://cybersecuritynews.com/proton-exposes-dark-web-cybercrime/
Mon, 03 Nov 2025 11:43:24 +0000

The post Proton Exposes 300 Million Stolen Credentials Available for Sale on Dark Web Cybercrime Markets appeared first on Cyber Security News.

Proton has launched a new initiative called the Data Breach Observatory. This program reveals serious problems that exist on the internet.

The cybersecurity company revealed that over 300 million stolen credentials are currently circulating on dark web cybercrime markets, putting businesses and individuals at unprecedented risk.

This massive exposure highlights the growing underground economy built on stolen personal and corporate data. The data paints a disturbing picture for small businesses, which have become prime targets for cybercriminals.

According to Proton’s research, four out of five small businesses have experienced a data breach recently. The financial impact is devastating, with a single incident potentially costing a small firm over one million dollars.

Despite these alarming statistics, most breaches go unreported, leaving companies unaware of their vulnerabilities until it’s too late. Traditional breach notification systems often fail to alert affected organizations promptly.

Small Businesses Face Million-Dollar Threats

Many businesses only discover they’ve been compromised months or even years after the initial attack. This delayed awareness gives cybercriminals ample time to exploit stolen credentials, leading to further security incidents, financial fraud, and identity theft.

Proton is taking a proactive approach by directly monitoring dark web marketplaces. The Data Breach Observatory continuously scours underground forums and criminal marketplaces where stolen data is bought and sold.

By capturing and analyzing these leaks in real time, Proton provides businesses with immediate alerts when their information appears on these platforms. The observatory’s latest findings reveal ten major data breaches from 2025 alone, affecting organizations across multiple industries and countries.

Among the most significant incidents is the Qantas Airways breach, which exposed information from 11.8 million records, including names, birth dates, addresses, phone numbers, and email addresses.

The telecommunications sector was particularly hard hit, with Free in France suffering a massive breach affecting over 19 million customers, including sensitive banking information such as IBANs.

The breaches documented by Proton span multiple continents and industries, from transportation and telecommunications to financial services and technology companies.  

Allianz Life in Germany saw one million records compromised, including highly sensitive social security numbers. Meanwhile, SkilloVilla in India experienced one of the largest exposures, with over 33 million records containing personal contact information leaked to dark web markets.

| Company | Country | Records Exposed | Compromised Data |
| --- | --- | --- | --- |
| Qantas Airways | Australia | 11.8 million+ | Name, date of birth, physical address, phone number, email address |
| Allianz Life | Germany | 1 million+ | Name, date of birth, physical address, phone number, email address, social security number |
| Tracelo | United States | 1.4 million+ | Name, physical address, phone number, email address, password |
| INTERSPORT France | France | 105,782 | Name, physical address, phone number, email address |
| Free | France | 19 million+ | Name, date of birth, phone number, email address, IBAN |
| Orange Romania | Romania | 3.4 million+ | Name, date of birth, physical address, phone number, email address, username, ID number |
| Zacks Investment Research | United States | 5.4 million+ | Name, physical address, phone number, email address, username, password |
| SkilloVilla | India | 33 million+ | Name, physical address, phone number, email address |
| amai | Singapore | 10 million+ | Name, physical address, phone number, email address, password |
| PhoneMondo | Germany | 10 million+ | Name, date of birth, physical address, phone number, email address, username, password, IBAN |

The variety of compromised data types is equally concerning. Beyond basic contact information, cybercriminals have obtained passwords, social security numbers, banking details, and identification numbers. This comprehensive data enables sophisticated identity theft operations and account takeover attacks.
