data breach Archives - Cyber Security News
https://cybersecuritynews.com/tag/data-breach/
Feed updated Fri, 21 Nov 2025 05:41:21 +0000

Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach
https://cybersecuritynews.com/salesforce-gainsight-breach/
Fri, 21 Nov 2025 04:41:23 +0000

Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.

The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.

In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.

Salesforce stated explicitly that the incident does not stem from a vulnerability in the Salesforce platform itself; it abuses the trust relationship between the platform and a third-party integration.

The attackers used compromised OAuth tokens and keys, the credentials that let a connected app read data without ever handling a user’s password.


This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens, which carry an already-granted authorization and so sidestep interactive login, to read CRM-layer data such as business contacts and case logs across hundreds of organizations.

Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.

Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.

From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.

Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.

Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing integrations that are no longer needed and cutting back any that hold broader API scopes than their function requires.

It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.
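A way to turn that audit into a ranked worklist, as an added example that is not code from Salesforce, Gainsight or the article: it runs over a constructed export of connected-app tokens (field names modeled on the OAuthToken object plus each app’s granted scopes; the names and scope strings are assumptions, not a documented schema) and orders findings so that apps from vendors named in the incident are revoked first, broad-scope apps are reviewed second, and unused grants are pruned last.

```python
"""Post-incident triage of Salesforce connected apps and their OAuth tokens.

Added example, not code from Salesforce, Gainsight or the article. It works
on a constructed export shaped like records you could assemble from the
OAuthToken object (AppName, UserId, UseCount, LastUsedDate) plus each app's
granted scopes; the field names and the scope strings are assumptions, not
a documented Salesforce schema.
"""
from datetime import datetime, timedelta, timezone

# Scopes that let an app read or change CRM data broadly (assumed set).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
# Vendors named in the incident; matched case-insensitively against app names.
COMPROMISED_VENDORS = ("gainsight", "salesloft", "drift")

# Constructed sample export: fake IDs, fake apps, no real tenant data.
SAMPLE_TOKENS = [
    {"AppName": "Gainsight Customer Success", "UserId": "005XX000000AAAA", "UseCount": 1840,
     "LastUsedDate": "2025-11-19T22:14:00Z", "Scopes": ["api", "refresh_token", "id"]},
    {"AppName": "Data Loader", "UserId": "005XX000000BBBB", "UseCount": 12,
     "LastUsedDate": "2025-03-02T09:00:00Z", "Scopes": ["api", "refresh_token"]},
    {"AppName": "Slack for Salesforce", "UserId": "005XX000000CCCC", "UseCount": 400,
     "LastUsedDate": "2025-11-20T08:30:00Z", "Scopes": ["openid", "id", "profile"]},
    {"AppName": "Drift Chat", "UserId": "005XX000000DDDD", "UseCount": 0,
     "LastUsedDate": None, "Scopes": ["full"]},
]


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_tokens(tokens, now=None, stale_days=90):
    """Return findings ordered by urgency: 0 = revoke now, 1 = review scope, 2 = prune."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    findings = []
    for tok in tokens:
        reasons, priority = [], None
        if any(v in tok["AppName"].lower() for v in COMPROMISED_VENDORS):
            reasons.append("published by a vendor named in the incident: revoke and re-authorize")
            priority = 0
        broad = BROAD_SCOPES & set(tok["Scopes"])
        if broad:
            reasons.append("broad scopes granted: " + ", ".join(sorted(broad)))
            priority = 1 if priority is None else priority
        if tok["LastUsedDate"] is None:
            reasons.append("never used: remove the grant")
            priority = 2 if priority is None else priority
        else:
            age = now - _parse_ts(tok["LastUsedDate"])
            if age > timedelta(days=stale_days):
                reasons.append(f"unused for {age.days} days: remove or re-approve")
                priority = 2 if priority is None else priority
        if reasons:
            findings.append({"app": tok["AppName"], "user": tok["UserId"],
                             "priority": priority, "reasons": reasons})
    return sorted(findings, key=lambda f: f["priority"])


def sample_findings():
    """Triage the constructed export as of the day the alert was published."""
    return triage_tokens(SAMPLE_TOKENS, now="2025-11-21T00:00:00Z")


if __name__ == "__main__":
    for f in sample_findings():
        print(f["priority"], f["app"], "->", "; ".join(f["reasons"]))
```

The vendor match is deliberately a substring test on the app name, because a compromised publisher may ship several apps under different names; the scope check treats `refresh_token` as broad on its own, since a long-lived refresh token is exactly what let the attackers keep reading data after the initial compromise.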

Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com: “This wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (Scattered Spider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here.”

“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed.”

DoorDash Confirms Data Breach – Hackers Accessed Users Personal Data
https://cybersecuritynews.com/doordash-confirms-data-breach/
Tue, 18 Nov 2025 17:03:04 +0000

DoorDash has disclosed a cybersecurity incident where unauthorized actors gained access to user contact information following a social engineering attack targeting a company employee.

The food delivery platform confirmed that personal data was compromised. However, it highlighted that no sensitive financial or government-issued identification information was accessed.

On October 25, 2025, DoorDash identified unauthorized third-party access to its systems resulting from a social engineering scam targeting an employee.

Social Engineering Attack Exposes Customer Contact Details

The company’s security team quickly detected the intrusion, terminated the unauthorized access, and launched an investigation into the incident.

Law enforcement has been notified and its investigation is ongoing. The breach affected user contact information, and the exact fields exposed varied by individual.

Exposed data may have included first and last names, phone numbers, email addresses, and physical addresses. DoorDash stated that no sensitive information was accessed during the incident.

Notably, Social Security numbers, government-issued identification numbers, driver’s license details, and bank or payment card information remained secure.

DoorDash reported no evidence that the stolen data had been misused for fraud or identity theft purposes. DoorDash has implemented multiple security enhancements following the breach.

The company deployed upgraded security systems designed to detect and prevent similar malicious activities.

Additional employee training programs focusing on social engineering awareness have been introduced to strengthen defenses against future attacks.

An external cybersecurity firm was brought in to support the investigation and provide specialized expertise. DoorDash reiterated its commitment to continuous security improvement and to protecting user privacy.

DoorDash advises affected users to be wary of unexpected messages that ask for personal information.

Users should avoid clicking unsafe links or downloading attachments from unknown sources and refrain from sharing personal data on unfamiliar websites.

Washington Post Oracle E-Suite 0-Day Hack Impacts 9K+ Employees and Contractors
https://cybersecuritynews.com/washington-post-oracle-e-suite-hack/
Fri, 14 Nov 2025 10:12:12 +0000

The Washington Post has publicly disclosed a significant data breach involving external hacking of its Oracle E-Business Suite (EBS) system, impacting over 9,700 employees and contractors worldwide.

The breach notification, filed with Maine’s Attorney General, reveals the incident occurred on July 10, 2025, but remained undiscovered until October 27, 2025, nearly three-and-a-half months later.

The filing with Maine regulators was submitted by ZwillGen PLLC, the news organization’s outside counsel. The breach compromised the personal information of 9,720 individuals, including 31 Maine residents.

Oracle E-Suite Exposes Employee Data

The compromised data included names and other personal identifiers combined with additional sensitive information, though the public disclosure gives few specifics about what that additional data was.

The filing lists The Washington Post’s headquarters at 1301 K Street NW in Washington, DC, as the location of the breach and says the intrusion was discovered during routine security monitoring.

The extended discovery window raises questions about the organization’s detection capabilities and security monitoring practices within its systems.

Such gaps between breach occurrence and discovery are common in major cyber incidents, allowing threat actors to maintain extended access to sensitive systems and data.

As part of its incident response, The Washington Post offered complimentary identity theft protection services to all impacted employees and contractors.

This proactive approach reflects emerging best practices in breach response. It demonstrates a commitment to mitigating potential harm from unauthorized data access.

Senior Legal Director Marci Rozen, representing The Washington Post through external counsel firm ZwillGen PLLC, filed the formal breach notification with Maine regulators.

The filing represents part of the organization’s legal obligations under the state’s data breach notification laws, which require notification of affected residents within a specific timeframe.

The Oracle E-Business Suite system targeted in this incident manages employee data and administrative functions across the organization.

The Maine breach report underscores ongoing weaknesses in enterprise software systems and highlights the persistent threat posed by external actors targeting major organizations, including media outlets that handle sensitive editorial and proprietary information.

The Washington Post’s rapid notification to affected individuals and its provision of identity protection services demonstrate that it has established incident response protocols.

Cl0P Ransomware Group Allegedly Claims Breach of Entrust in Oracle 0-Day EBS Hack
https://cybersecuritynews.com/entrust-oracle-0-day-ebs-hack/
Fri, 14 Nov 2025 08:12:21 +0000

The notorious Cl0P ransomware group has claimed responsibility for breaching digital security firm Entrust, exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS).

The attack, tied to CVE-2025-61882, marks another high-profile victim in Cl0P’s relentless assault on organizations using Oracle’s enterprise software.

Cl0P, known for high-impact extortion schemes, announced the breach on their dark web leak site earlier this week. According to the post, attackers gained unauthorized access to Entrust’s systems via an unpatched flaw that allows remote code execution (RCE) in Oracle EBS environments.

Clop ransomware claim

The vulnerability, rated CVSS 9.8 because it is exploitable remotely without authentication, affects multiple versions of EBS, a widely used platform for financial and supply chain management. Oracle patched it in October 2025’s Critical Patch Update, but delayed adoption has left many firms exposed.

Entrust, a provider of identity and access management solutions, confirmed the incident in a brief statement, noting that no customer data appears compromised.

“We are investigating the matter with urgency and have implemented enhanced security measures,” the company said. However, cybersecurity experts warn that the breach could undermine trust in Entrust’s services, given its role in securing digital certificates and authentication for global enterprises.

This isn’t Cl0P’s first rodeo with CVE-2025-61882. Since the zero-day surfaced in September 2025, the group has listed over a dozen victims, including manufacturing giants and financial institutions.

Their tactic, exfiltrating data before any encryption and then pressuring targets through public shaming, has netted millions in ransoms. Analysts at Mandiant attribute the spree to Cl0P’s shift toward “big game hunting,” targeting vulnerabilities in legacy enterprise systems.

The breach highlights persistent risks in supply chain security. Organizations relying on Oracle EBS should confirm the October 2025 patches are applied, scan for internet-exposed EBS instances, and, because the flaw was exploited as a zero-day before a fix existed, hunt for signs of earlier compromise rather than assume patching closed the matter. As Cl0P’s list grows, the incident underscores the need for proactive threat hunting in an era of sophisticated ransomware operations.

Checkout.com Hacked – ShinyHunters Breached Cloud Storage, Company Refuses Ransom
https://cybersecuritynews.com/checkout-com-hacked/
Fri, 14 Nov 2025 03:55:02 +0000

Payment processor Checkout.com revealed on Thursday that notorious hacking group ShinyHunters had infiltrated a legacy third-party cloud file storage system, exposing internal documents from years past.

The breach, which the company attributes to its own oversight in decommissioning the outdated platform, affects less than 25% of its current merchant base but spares critical payment infrastructure.

The incident surfaced last week when ShinyHunters, a collective known for high-profile data thefts including breaches at Microsoft, AT&T, and Ticketmaster, contacted Checkout.com demanding a ransom.

The group claimed possession of sensitive data tied to the London-based fintech firm, which processes billions in transactions annually for e-commerce giants worldwide.

Upon investigation, Checkout.com confirmed unauthorized access to a cloud system used before 2020 for internal operational documents and merchant onboarding materials. “This was our mistake, and we take full responsibility,” stated Mariano Albera, the company’s Chief Technology Officer, in an official blog post.

What Data Was Affected

The legacy setup, managed by a third-party provider, was never properly retired, leaving an exposure that the threat actors exploited. Crucially, the hackers never reached the live payment processing platform; no merchant funds, card numbers, or real-time transaction data were compromised.

ShinyHunters, active since at least 2020, has built a reputation for selling stolen data on dark web forums, often targeting financial and tech sectors.

Their tactics typically involve exploiting misconfigurations or weak access controls, which fits the decommissioning lapse here. Security experts point to this as a reminder of “zombie systems”: forgotten infrastructure that lingers as easy prey for cybercriminals.
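One way to hunt for such zombie systems before an attacker does, as an added example that is not Checkout.com’s code or process: reconcile a storage inventory against the asset register and score every store that nobody owns, that has not been touched in a long time, that a third party hosts, or that is reachable from the internet. The inventory, register, field names and thresholds below are all constructed for the example.

```python
"""Reconciling cloud file stores against the asset register to find "zombies".

Added example, not Checkout.com's code or process. Input is a constructed
storage inventory in the shape a cloud CLI or CSPM export gives you (name,
provider, owner tag, creation and last-access timestamps, public flag),
checked against the set of stores the asset register knows about. Field
names, the sample data and the thresholds are assumptions.
"""
from datetime import datetime

# Constructed inventory: made-up names, no real infrastructure.
INVENTORY = [
    {"name": "onboarding-docs-legacy", "provider": "third-party", "owner": "",
     "created": "2018-04-11T00:00:00Z", "last_access": "2019-12-15T16:02:00Z", "public": True},
    {"name": "crm-exports-prod", "provider": "first-party", "owner": "data-eng",
     "created": "2023-06-01T00:00:00Z", "last_access": "2025-11-13T04:00:00Z", "public": False},
    {"name": "marketing-assets", "provider": "first-party", "owner": "marketing",
     "created": "2024-02-20T00:00:00Z", "last_access": "2025-10-01T12:00:00Z", "public": True},
    {"name": "finance-archive-2017", "provider": "first-party", "owner": "finance",
     "created": "2017-01-09T00:00:00Z", "last_access": "2020-01-10T08:00:00Z", "public": False},
]
# Stores the asset register (CMDB) lists with a named owner and a review date.
REGISTER = {"crm-exports-prod", "finance-archive-2017"}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_zombies(inventory, register, now, idle_days=365):
    """Score every store; anything with at least one reason comes back, worst first."""
    if isinstance(now, str):
        now = _parse_ts(now)
    findings = []
    for store in inventory:
        reasons = []
        if store["name"] not in register:
            reasons.append("not in asset register")
        if not store["owner"]:
            reasons.append("no owner tag")
        idle = (now - _parse_ts(store["last_access"])).days
        if idle >= idle_days:
            reasons.append(f"idle for {idle} days")
        if store["public"]:
            reasons.append("reachable from the internet")
        if store["provider"] == "third-party":
            reasons.append("hosted by a third party: confirm contract and offboarding status")
        if reasons:
            # Internet exposure weighs more than the other signals.
            score = len(reasons) + (2 if store["public"] else 0)
            findings.append({"name": store["name"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def sample_zombies():
    """Run the reconciliation on the constructed inventory as of the disclosure date."""
    return find_zombies(INVENTORY, REGISTER, now="2025-11-14T00:00:00Z")


if __name__ == "__main__":
    for f in sample_zombies():
        print(f["score"], f["name"], "->", "; ".join(f["reasons"]))
```

The register membership test is the important one: a store that is idle but known to the CMDB has a review owner, whereas an idle store the CMDB has never heard of is exactly the "forgotten infrastructure" described above and has to be claimed or deleted.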

Checkout.com emphasized transparency in its response, vowing not to yield to extortion. “We will not pay this ransom,” Albera declared. Instead, the company plans to donate an equivalent amount to Carnegie Mellon University and the University of Oxford’s Cyber Security Center, funding research to combat cybercrime.

“Security, transparency, and trust are the foundation of our industry,” he added. “We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”

The firm is now notifying affected merchants and working with law enforcement and regulators to mitigate the fallout. “We are sorry. We regret that this incident has caused worry for our partners,” Albera wrote, offering direct support through account managers.

65% of Leading AI Companies Expose Verified Secrets Including Keys and Tokens on GitHub
https://cybersecuritynews.com/ai-companies-exposes-keys-and-tokens/
Tue, 11 Nov 2025 11:47:24 +0000

A new security investigation reveals that 65% of prominent AI companies have leaked verified secrets on GitHub, exposing API keys, tokens, and sensitive credentials that could compromise their operations and intellectual property.

The Wiz research, which examined 50 leading AI companies from the Forbes AI 50 list, uncovered widespread credential exposure across the industry.

These leaked secrets were discovered in deleted forks, gists, and developer repositories, representing an attack surface that standard GitHub scanning tools routinely overlook.

What Makes this Different

Unlike commodity secret-scanning tools, which rely on surface-level searches of an organization’s GitHub account, the Wiz researchers used a three-pronged methodology built around depth, perimeter, and coverage.

Analysis of secrets leaked by AI companies (Wiz)

The “Depth” approach examined complete commit histories, deleted forks, workflow logs, and gists, the submerged portion of the security iceberg.

The “Perimeter” dimension expanded discovery to include secrets accidentally committed by organization members to their personal repositories.

Meanwhile, “Coverage” addressed detection gaps for emerging AI-specific secret types across platforms such as Perplexity, Weights & Biases, Groq, and NVIDIA.

Among the most impactful leaks were LangSmith API keys granting organization-level access and enterprise-tier credentials from ElevenLabs, discovered in plaintext configuration files.

One anonymous AI50 company’s exposure included a Hugging Face token that provided access to approximately 1,000 private models, alongside multiple Weights & Biases keys that exposed proprietary training data.

The companies with confirmed leaks, 65% of the list, are collectively valued at over $400 billion. Smaller organizations proved just as vulnerable: even those with few public repositories showed exposure.

Wiz urges AI companies to act: mandatory secret scanning of public version-control systems is essential and cannot be overlooked.

Establishing a vulnerability disclosure channel from the outset lets outsiders report leaked keys promptly while they are being rotated. Additionally, AI service providers must build custom detection for their own proprietary secret formats; many leaked their own platform credentials during deployment because standard scanners do not recognize them.
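What "custom detection for proprietary secret formats" looks like in practice, and how the depth and perimeter dimensions above change the inputs rather than the scanner: an added example, not Wiz’s tooling, and the article publishes no detection rules. The token patterns are approximations written for this example (a vendor prefix plus a fixed-length run of characters) and must be checked against each vendor’s documentation; a generic assignment rule with a Shannon-entropy floor catches keys that have no recognizable prefix, such as a Weights & Biases key, while discarding placeholder values. The three sample sources are constructed and contain no real credentials; in real use the same function is fed the text of every commit in `git log -p --all`, dangling objects from deleted forks, CI workflow logs, gists, and the personal repositories of organization members.

```python
"""Secret detection with AI-platform-specific token patterns plus an entropy filter.

Added example; this is not Wiz's tooling and the article publishes no rules.
The token formats below are approximations written for this example (a vendor
prefix followed by a fixed-length character run); confirm each one against the
vendor's documentation before relying on it, and verify a hit against the
vendor's API before treating it as live. The sample inputs are constructed and
contain no real credentials.
"""
import math
import re
from collections import Counter

# Platform-specific formats (assumed). The generic rule catches assignments
# such as WANDB_API_KEY=... whose values carry no recognizable prefix.
RULES = {
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{34}\b"),
    "langsmith_key": re.compile(r"\blsv2_(?:pt|sk)_[a-f0-9]{32}_[a-f0-9]{10}\b"),
    "groq_key": re.compile(r"\bgsk_[A-Za-z0-9]{52}\b"),
    "perplexity_key": re.compile(r"\bpplx-[A-Za-z0-9]{48}\b"),
}
GENERIC = re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{32,})")
MIN_ENTROPY = 3.5  # bits per character; placeholders like xxxx... score far lower

# Constructed sources mirroring where leaks hide: a gist, a CI log, a personal repo.
SAMPLE_SOURCES = {
    "gist:.env": (
        "HF_TOKEN=hf_aBcDeFgHiJkLmNoPqRsTuVwXyZ01234567\n"
        "MODEL=example-org/example-model\n"
    ),
    "workflow-log:build-1234.txt": (
        "export LANGCHAIN_API_KEY=lsv2_pt_0123456789abcdef0123456789abcdef_0123456789\n"
        "OPENAI_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    ),
    "personal-repo:train.py": (
        'WANDB_API_KEY = "9f2c7a1e4b8d0c3f6e5a2b7d9c1f4e8a3b6d0c2e"\n'
    ),
}


def shannon_entropy(text):
    """Bits per character of the string (0 for a run of one repeated character)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _finding(rule, source, line_no, value):
    # Never write the full secret into a report; keep enough to locate it.
    return {"rule": rule, "source": source, "line": line_no,
            "entropy": round(shannon_entropy(value), 2),
            "preview": value[:6] + "*" * (len(value) - 8) + value[-2:]}


def scan_text(text, source):
    """Run every rule over each line; return findings with the value masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule_name, pattern in RULES.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(_finding(rule_name, source, line_no, m.group(0)))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            # Skip values a specific rule already reported, and low-entropy placeholders.
            if any(value in s or s in value for s in seen):
                continue
            if shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append(_finding("generic_assignment", source, line_no, value))
    return findings


def scan_sources(sources):
    """Scan a mapping of source label -> text, in the order given."""
    results = []
    for source, text in sources.items():
        results.extend(scan_text(text, source))
    return results


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['source']}:{f['line']} {f['rule']} {f['preview']} (H={f['entropy']})")
```

The entropy floor is what keeps the generic rule usable: `xxxxxxxx...` and `your_api_key_here` fail it, a real 40-hex key passes it. Verification against the vendor (the "verified" in the headline) is a separate step that must call the vendor’s API with the candidate and is deliberately not part of an offline scanner.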

The Wiz research underscores a critical message: organizational members and contributors represent extended attack surfaces requiring security policies during onboarding.

Treating employees’ personal repositories as part of corporate infrastructure becomes essential as AI adoption accelerates. In an industry racing ahead, the message is clear: speed cannot compromise security.

Comprehensive secret detection must evolve alongside emerging AI technologies to raise organizational defense standards.

SonicWall Confirms State-Sponsored Hackers Behind the Massive Firewall Backup Breach
https://cybersecuritynews.com/sonicwall-confirms-firewall-backup-breach/
Thu, 06 Nov 2025 13:51:09 +0000

SonicWall, a global cybersecurity company, confirmed that state-sponsored hackers were behind a recent incident involving unauthorized access to firewall backup files.

SonicWall first detected the incident in early September, when it observed suspicious downloads of firewall configuration backup files stored in a cloud environment.

Upon discovery, SonicWall quickly activated its incident response plan, called in Mandiant, a well-known cybersecurity response firm, and notified partners and customers directly.

The company maintained frequent and transparent communication, hosting live Q&A sessions and providing tools and guidance to help partners respond effectively.

SonicWall also offered commercial concessions to support partners as they worked through remediation steps.

Mandiant Investigation Reveals Cloud-Isolated Attack

Mandiant’s investigation has now concluded. Its findings show that the attackers, linked to a state-sponsored threat group, used an API call to retrieve cloud backup files stored in a specific cloud environment.

According to the findings, this incident did not relate to the recent global Akira ransomware attacks targeting firewalls and edge devices.
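Because the access path was an ordinary API call rather than an exploit, the signal a defender can look for is behavioural: one principal retrieving backups that belong to many different customers in a short span. The following is an added example, not SonicWall’s or Mandiant’s detection content; it runs a sliding-window count over a constructed audit trail (timestamp, principal, action, object, source IP, field names assumed) and raises one alert per burst.

```python
"""Detecting bulk retrieval of firewall backup files through a cloud API.

Added example, not SonicWall's or Mandiant's detection content; the article
says only that backups were fetched with an API call. It runs a sliding-window
count over constructed audit records of the shape most cloud platforms emit
(timestamp, principal, action, object, source IP) and raises an alert when one
principal pulls backups belonging to many different customer tenants within a
short window. Field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(ts, principal, action, obj, ip):
    return {"ts": ts, "principal": principal, "action": action, "object": obj, "src_ip": ip}


# Constructed audit trail: a tenant admin fetching its own two backups, then an
# integration identity sweeping backups across six tenants in under two minutes.
SAMPLE_EVENTS = [
    _event("2025-09-03T01:55:00Z", "admin@tenant-0101", "backup.download", "tenant-0101/fw-01.exp", "192.0.2.10"),
    _event("2025-09-03T02:04:30Z", "admin@tenant-0101", "backup.download", "tenant-0101/fw-02.exp", "192.0.2.10"),
    _event("2025-09-03T02:09:58Z", "svc-integration", "login", "", "198.51.100.23"),
    _event("2025-09-03T02:10:05Z", "svc-integration", "backup.download", "tenant-0417/fw-01.exp", "198.51.100.23"),
    _event("2025-09-03T02:10:21Z", "svc-integration", "backup.download", "tenant-0418/fw-01.exp", "198.51.100.23"),
    _event("2025-09-03T02:10:40Z", "svc-integration", "backup.download", "tenant-0419/fw-01.exp", "198.51.100.23"),
    _event("2025-09-03T02:11:02Z", "svc-integration", "backup.download", "tenant-0420/fw-01.exp", "198.51.100.23"),
    _event("2025-09-03T02:11:19Z", "svc-integration", "backup.download", "tenant-0421/fw-01.exp", "198.51.100.23"),
    _event("2025-09-03T02:11:44Z", "svc-integration", "backup.download", "tenant-0422/fw-02.exp", "198.51.100.23"),
    _event("2025-09-03T06:00:00Z", "svc-integration", "backup.download", "tenant-0500/fw-01.exp", "198.51.100.23"),
]


def detect_bulk_downloads(events, window_minutes=10, min_tenants=5):
    """Alert once per burst when a principal reads backups of >= min_tenants tenants in a window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # principal -> deque of (timestamp, tenant, src_ip)
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "backup.download":
            continue
        ts = _ts(ev["ts"])
        tenant = ev["object"].split("/", 1)[0]
        q = recent[ev["principal"]]
        q.append((ts, tenant, ev["src_ip"]))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        tenants = sorted({t for _, t, _ in q})
        if len(tenants) < min_tenants:
            continue
        if ev["principal"] in last_alert and ts - last_alert[ev["principal"]] <= window:
            continue                          # already alerted for this burst
        last_alert[ev["principal"]] = ts
        alerts.append({"principal": ev["principal"], "first": q[0][0].isoformat(),
                       "last": ts.isoformat(), "tenants": tenants,
                       "src_ips": sorted({ip for _, _, ip in q})})
    return alerts


def sample_alerts():
    """Run the detection over the constructed trail with default thresholds."""
    return detect_bulk_downloads(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["principal"], a["first"], "->", a["last"], a["tenants"], a["src_ips"])
```

Counting distinct tenants rather than raw downloads is the point: a support engineer legitimately pulls several backups of one customer, while a service identity touching five customers’ backups in two minutes is either a runaway job or exfiltration, and both deserve a page.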

Importantly, SonicWall confirmed that its products, firmware, and other systems, like source code and customer networks, were not impacted or compromised.

All remediation actions recommended by Mandiant have been implemented, and SonicWall continues to work closely with security experts to strengthen its cloud and network infrastructure further.

The company emphasized that its long-standing focus on security excellence and partner support remains firm. Earlier in the year, SonicWall launched a Secure by Design modernization initiative.

This included updates to product architecture, cloud operations, internal cybersecurity practices, and the appointment of a new Chief Information Officer.

The company also continues to invest in advanced response teams and cutting-edge security tools. SonicWall’s determination to stay ahead is underscored by external validation.

Even as nation-state threat actors increasingly target security vendors, SonicWall is committed to transparency, strong partnerships, and relentless improvement to safeguard its customers and partners worldwide.

Hyundai AutoEver Confirms Data Breach Exposing Users’ Personal Information and SSNs
https://cybersecuritynews.com/hyundai-autoever-confirms-data-breach/
Thu, 06 Nov 2025 07:47:05 +0000

Hyundai AutoEver America has disclosed a significant data breach that compromised sensitive personal information of affected individuals, including Social Security numbers and driver’s license details.

The incident highlights growing concerns about data protection in the automotive technology sector.

Hyundai AutoEver America discovered the cyber incident on March 1, 2025, when unauthorized activity was detected within its information technology environment.

The company immediately launched an investigation with external cybersecurity experts to assess the full scope of the breach.

Forensic analysis revealed that unauthorized access began on February 22, 2025, and the last observed malicious activity occurred on March 2, 2025, a window of roughly nine days of potential data exposure.

Compromised Personal Information

The breach exposed a range of sensitive personal data belonging to affected individuals. According to the official breach notification, compromised information included full names along with additional data elements that could enable identity theft.

While the notice template does not specify exact numbers, the company confirmed that Rhode Island residents were among those impacted.

The exposed data includes Social Security numbers, driver’s license information, and other personally identifiable information that could be exploited for fraudulent purposes.

Upon discovering the intrusion, Hyundai AutoEver immediately terminated the unauthorized third party’s access to affected systems and engaged specialized cybersecurity firms to conduct a comprehensive investigation.

The company also coordinated with law enforcement agencies throughout the response process. The extensive nature of the incident required significant time and resources to analyze forensic data and determine which information was accessed.

Hyundai AutoEver is offering affected individuals complimentary two-year credit monitoring services through Epiq Privacy Solutions, including three-bureau credit monitoring and identity protection.

Affected individuals are encouraged to remain vigilant by monitoring account statements, reviewing credit reports regularly, and considering fraud alerts or security freezes to prevent unauthorized credit applications.

Hyundai Senior Group Manager Ira Gabriel said that “Hyundai AutoEver America, an IT vendor that manages certain Hyundai Motor America employee systems, experienced an incident to that area of business that impacted employment-related data and primarily affected current and former employees of Hyundai AutoEver America and Hyundai Motor America. Approximately 2,000 current and former employees were notified of the incident. The 2.7 million figure that is cited in many media articles has no relation to the actual security incident”.

“No Hyundai consumer data was exposed, and no Hyundai Motor America customer information or Bluelink driver data was compromised”.

Canada Warns Hackers Breached ICS Devices Controlling Water and Energy Facilities
https://cybersecuritynews.com/canada-warns-attack-on-ics-devices/
Thu, 30 Oct 2025 08:48:43 +0000

Canadian authorities have issued an urgent alert following multiple confirmed incidents in which cybercriminals compromised internet-accessible Industrial Control Systems (ICS) devices controlling critical infrastructure across the nation.

The Canadian Centre for Cyber Security and the Royal Canadian Mounted Police report that water treatment facilities, energy companies, and agricultural operations have fallen victim to coordinated attacks, raising serious concerns about the vulnerability of Canada’s essential services.

The scope of these attacks extends beyond isolated incidents. Hackers have successfully manipulated programmable logic controllers and automated systems at water facilities, deliberately tampering with pressure values that degraded service for entire communities.

In another case, attackers targeted a major Canadian oil and gas company, compromising an Automated Tank Gauge system that triggered false alarms.

A third incident involved a grain drying silo on a Canadian farm, where unauthorized actors manipulated temperature and humidity readings, potentially creating dangerous conditions if security teams had not detected the breach promptly.

Hacktivism Attacks Growing Rapidly

While sophisticated state-sponsored actors typically target specific organizations, Canadian authorities warn that hacktivists increasingly exploit vulnerable ICS devices as targets of opportunity.

These threat actors gain media attention, discredit organizations, and undermine Canada’s broader reputation by compromising systems that control essential services.

The Canadian public remains unaware of how close these attacks come to causing cascading failures across critical infrastructure.

Exposed components including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), SCADA systems, and Building Management Systems (BMS) create substantial risks not only to individual organizations but to their clients and the wider Canadian population.

The interconnected nature of modern infrastructure means that a single compromised device can trigger failures affecting thousands of citizens.

Canadian authorities emphasize that unclear roles and responsibilities between organizations, municipalities, and provincial governments create dangerous security gaps.

Organizations must immediately conduct thorough inventories of all internet-accessible ICS devices and evaluate their necessity.

Where feasible, direct internet exposure should be replaced with remote access through a Virtual Private Network (VPN) protected by two-factor authentication.

For systems that cannot be isolated, enhanced monitoring through Intrusion Prevention Systems and regular penetration testing becomes essential. Continuous vulnerability management throughout the device lifecycle is mandatory.

Provincial and territorial governments should coordinate with municipalities to ensure all critical infrastructure receives proper documentation and protection, particularly in sectors like water, food, and manufacturing that lack comprehensive regulatory cyber oversight.

Beyond technical measures, organizations must conduct regular tabletop exercises to evaluate incident response capabilities and clearly define roles during cyber emergencies.

Early reporting to both the Cyber Centre and local law enforcement enables coordinated investigations and mitigation efforts.

Swedish Power Grid Operator Confirms Data Breach Following Everest Ransomware Gang Claim https://cybersecuritynews.com/swedish-power-grid-data-breach/ Tue, 28 Oct 2025 10:14:58 +0000

Svenska kraftnät, Sweden’s primary electricity transmission system operator, has confirmed a significant data breach on October 26, 2025.

The incident has drawn attention from cybersecurity experts and government authorities as it involves critical infrastructure responsible for managing the nation’s power distribution network.

The Swedish power grid operator publicly acknowledged the security incident, revealing that attackers gained unauthorized access to certain sensitive information within their systems.

Cem Göcgören, Head of Information Security at Svenska kraftnät, stated that the organization is actively investigating the scope and nature of the compromised data.

Swedish Power Grid Operator Data Breach

The statement emphasized that while a breach occurred, there are currently no indicators suggesting that the core electricity distribution system itself has been affected or compromised.

Svenska kraftnät immediately reported the incident to Swedish law enforcement and established communication with relevant government authorities possessing expertise in cybersecurity and critical infrastructure protection.

This coordinated response reflects standard procedures for addressing breaches involving essential services that affect the entire nation’s energy security and public safety.

The Everest ransomware gang, a known cybercriminal organization, has publicly claimed responsibility for the attack on Svenska kraftnät.

This represents another high-profile incident targeting critical infrastructure, adding to growing concerns about ransomware groups specifically targeting essential services.

The gang’s involvement suggests a calculated approach: compromising organizations that manage vital systems, where successful encryption or destruction of data could disrupt national infrastructure.

While Swedish authorities have confirmed that the electricity system remains operational and secure, the breach raises questions about the cybersecurity posture of critical infrastructure organizations across Europe.

Power grid operators face increasingly sophisticated cyberattacks, with ransomware groups demonstrating that they can reach sensitive networks while operational technology systems continue to run.

The incident highlights the distinction between information technology systems and operational technology systems within power utilities.

Even though operational systems remain secure, compromised data may contain valuable intelligence about network architecture, employee information, or other sensitive details that could be leveraged in future attacks.

Svenska kraftnät’s swift response and transparency regarding the incident demonstrate best practices in incident communication. By immediately notifying authorities and the public, the operator has maintained trust while investigations continue.

Energy providers must continue strengthening their cybersecurity defenses, implementing zero-trust architecture, and maintaining robust incident response protocols.

Swedish authorities will likely conduct a thorough investigation into the breach while implementing additional security measures to prevent similar incidents affecting other critical infrastructure operators across the Nordic region.
