CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ShinyHunters and Scattered Spider Collaboration

First reported
Last updated
4 unique sources, 24 articles

Summary

Hide ▲

The **ShinyHunters and Scattered Spider collaboration** has escalated with a **new extortion campaign targeting PornHub Premium members**, following the **Mixpanel data breach on November 8, 2025**. ShinyHunters, confirmed as the perpetrator, stole **94GB of data** containing **over 200 million records** of PornHub users' historical search, watch, and download activity from 2021 or earlier. The stolen data includes **email addresses, video URLs, keywords, locations, and timestamps**, which the group is now using to extort victims, including PornHub, via ransom demands. PornHub confirmed the breach impacted its Premium users but clarified that **no passwords, payment details, or financial information were exposed** and that the compromise stemmed from a **third-party vendor (Mixpanel)**, not its own systems. **Mixpanel has disputed the origin of the data**, stating it was last accessed by a legitimate PornHub employee account in 2023 and that there is no evidence it was stolen during their November 2025 incident. This latest attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. The groups have also targeted **Almaviva/FS Italiane Group**, **Zendesk users**, and now **Mixpanel customers**, demonstrating their ability to **leverage third-party IT providers, cloud-based CRM systems, and analytics platforms** to maximize data exposure. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and claims of shutdowns, the threat persists, with authorities like the **FBI and U.K. NCA** issuing ongoing alerts as the groups adapt tactics, including **smishing, OAuth token abuse, and AI-enhanced tooling** to evade detection. The **Gainsight cyber-attack** further expanded in late November 2025, with Salesforce confirming a **larger, unspecified number of victims** beyond the initial three disclosed. The breach involved **unauthorized access via an AT&T IP address on November 8**, followed by **reconnaissance and intrusions using VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**. Forensic investigations revealed the attackers exploited **compromised multifactor credentials**, prompting Gainsight to advise customers to **rotate S3 keys, reset passwords, and re-authorize integrations**. Meanwhile, the **SLSH alliance unveiled ShinySp1d3r**, a **ransomware-as-a-service (RaaS) platform** with **advanced anti-forensic capabilities** and **network propagation tools**, administered by core member **Saif Al-Din Khader (aka Rey)**, who claims cooperation with law enforcement since June 2025. The alliance has been linked to **51 cyberattacks in the past year**, combining **RaaS, extortion-as-a-service (EaaS), and insider recruitment** to maximize impact across sectors.

Timeline

  1. 15.12.2025 23:27 2 articles · 23h ago

    ShinyHunters Extorts PornHub via Mixpanel Analytics Breach

    On **November 8, 2025**, ShinyHunters compromised **Mixpanel**, a third-party analytics vendor, via an **SMS phishing (smishing) attack**, stealing **94GB of data** containing **201,211,943 records** of **PornHub Premium members’ historical search, watch, and download activity** from 2021 or earlier. The stolen data includes **email addresses, activity types (watched, downloaded, searched), video URLs, video names, associated keywords, locations, and timestamps**—highly sensitive information the group is now using to **extort Mixpanel customers**, including PornHub. ShinyHunters sent extortion emails beginning with **"We are ShinyHunters"**, demanding ransom payments to prevent public disclosure of the data. PornHub confirmed the breach impacted **select Premium users** but clarified that **no passwords, payment details, or financial information were exposed**, as the compromise originated from Mixpanel’s systems. **Mixpanel disputed the claim**, stating the data was last accessed by a legitimate PornHub employee account in 2023 and that there is **no evidence it was stolen during their November 2025 security incident**. This discrepancy raises questions about the data's origin, including potential **earlier breaches or insider involvement**. The incident marks a **significant expansion of ShinyHunters’ targeting**, moving beyond **Salesforce and CRM platforms** to exploit **analytics vendors** and **consumer-facing services**, further demonstrating the group's ability to **leverage third-party providers for high-impact extortion campaigns**.

    Show sources
    Open in new tab
  2. 27.11.2025 11:30 1 articles · 19d ago

    Scattered Lapsus$ Hunters Launches Zendesk Phishing Campaign

    The **Scattered Lapsus$ Hunters (SLSH) alliance** has initiated a **new phishing campaign targeting Zendesk users**, deploying **over 40 typosquatted domains** (e.g., *znedesk[.]com*, *vpn-zendesk[.]com*) and **fraudulent helpdesk tickets** to harvest credentials and deploy **remote access trojans (RATs)**. The domains, registered via **NiceNic** with **US/UK registrant details** and **Cloudflare-masked nameservers**, mirror tactics used in the **August 2025 Salesforce campaign**, including **deceptive SSO portals** and **social engineering lures** aimed at support staff. ReliaQuest reports that **Discord** has already fallen victim, confirming a breach via its **Zendesk-based support system** that exposed user data, including **names, emails, billing information, IP addresses, and government-issued IDs**. The campaign underscores the group’s **expanding focus on high-value SaaS platforms** (Salesforce, Salesloft, Gainsight, and now Zendesk) to exploit **downstream customer data access**. While the activity aligns with SLSH’s modus operandi, ReliaQuest notes it could also be the work of a **copycat group** adopting similar phishing and credential-harvesting techniques. Organizations are urged to **monitor for typosquatted domains**, **audit helpdesk ticket submissions**, and **enhance endpoint protections** for support teams. This development follows the group’s **November 2025 unveiling of the ShinySp1d3r RaaS platform**, signaling a **multi-pronged escalation** in both **technical sophistication** and **target diversification**.

    Show sources
    Open in new tab
  3. 27.11.2025 09:03 1 articles · 19d ago

    ShinyHunters-Scattered Spider-LAPSUS$ Alliance Unveils ShinySp1d3r RaaS Platform

    The **ShinyHunters-Scattered Spider-LAPSUS$ (SLSH) alliance** has developed **ShinySp1d3r**, a new **ransomware-as-a-service (RaaS) platform** combining advanced technical features with extortion-as-a-service (EaaS) capabilities. The platform includes **anti-forensic measures** such as hooking the *EtwEventWrite* function to disable Windows Event Viewer logging, terminating processes to bypass file locks, and filling free drive space with random data to overwrite deleted files. ShinySp1d3r also supports **network propagation** via *deployViaSCM*, *deployViaWMI*, and *attemptGPODeployment* to encrypt open network shares and spread laterally. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member and former BreachForums/HellCat ransomware administrator, who claims to have **cooperated with law enforcement since June 2025**. Rey describes ShinySp1d3r as a **rehashed version of HellCat ransomware modified with AI tools**. The SLSH alliance has been linked to **51 cyberattacks in the past year**, leveraging **insider recruitment, RaaS/EaaS hybrid models, and multi-vector monetization** to target organizations. Palo Alto Networks Unit 42 warns that the group’s **combined offerings and tactical adaptability** pose a formidable threat, particularly to **Salesforce-dependent enterprises and third-party IT providers**.

    Show sources
    Open in new tab
  4. 26.11.2025 14:05 3 articles · 20d ago

    Gainsight Attack Expands Salesforce Customer Impact with New IOCs

    The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Gainsight CEO Chuck Ganapathi stated only a "handful" of customers had their data affected, though the full scope remains undisclosed. The breach began with **reconnaissance from IP 3.239.45[.]43 on October 23, 2025**, followed by **unauthorized access via an AT&T IP address on November 8** and approximately **20 suspicious intrusions between November 16–23** using **commercial VPNs (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a tactic linked to the **Salesloft Drift attack**. Salesforce **revoked all access and refresh tokens** for Gainsight applications, while **Google disabled OAuth clients** with callback URIs like *gainsightcloud[.]com*. Gainsight disabled read/write capabilities for **Customer Success (CS), Community (CC), Northpass, and Skilljar**, while isolating **Staircase** (confirmed unaffected). Third parties (**Gong.io, Zendesk, HubSpot**) severed integrations as a precaution, with HubSpot explicitly stating no evidence of compromise. Forensic analysis by **Mandiant** and Salesforce revealed attackers exploited **compromised multifactor credentials** for VPN and critical system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while adopting **Google Threat Intelligence Group (GTIG) mitigations** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the group’s persistent focus on **Salesforce ecosystems**, leveraging **third-party app vulnerabilities, OAuth token abuse, and VPN obfuscation** to maximize impact. **Meanwhile, the SLSH alliance has extended its targeting to Zendesk users**, deploying **typosquatted domains and malicious helpdesk tickets** to harvest credentials and deploy malware, as detailed in a concurrent campaign reported on **November 27, 2025**.

    Show sources
    Open in new tab
  5. 20.11.2025 20:54 1 articles · 26d ago

    Almaviva Breach Exposes 2.3TB of FS Italiane Group Data

    A threat actor breached **Almaviva**, the IT services provider for **FS Italiane Group (Italy’s national railway operator)**, stealing **2.3TB of data** and leaking it on a dark web forum. The compromised files include **internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and complete datasets from FS Group companies**, with evidence confirming the data is recent (Q3 2025). Almaviva publicly acknowledged the breach, stating its **security monitoring services detected and isolated the attack**, activated counter-response procedures, and ensured the protection of critical services. The company notified Italian authorities, including the **police, national cybersecurity agency (ACN), and data protection authority (Garante)**, and is conducting an investigation with government support. The **structure of the leaked data**—organized into compressed archives by department/company—mirrors the tactics of **ransomware groups and data brokers active in 2024–2025**, though no specific group has claimed responsibility. Almaviva, a global IT provider with **41,000+ employees and $1.4B in annual revenue**, serves FS Italiane Group, a **100% state-owned railway operator** with **$18B+ in annual revenue**, managing railway infrastructure, passenger/freight transport, and logistics chains. As of November 20, 2025, it remains unclear whether **passenger information was exposed** or if other Almaviva clients beyond FS Italiane Group were impacted. The breach underscores the **growing risk to critical infrastructure via third-party IT providers**, a tactic increasingly used by groups like **ShinyHunters and Scattered Spider**.

    Show sources
    Open in new tab
  6. 25.09.2025 14:48 2 articles · 2mo ago

    Scattered Spider Members Arrested in September 2025

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  7. 25.09.2025 14:48 2 articles · 2mo ago

    Noah Urban Sentenced for SIM-Swapping and Cybercrime Activities

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  8. 25.09.2025 14:48 2 articles · 2mo ago

    Ransomware Attack Disrupts European Airports

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  9. 24.09.2025 23:21 3 articles · 2mo ago

    Scattered Spider Member Surrenders in Las Vegas

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  10. 18.09.2025 17:37 4 articles · 2mo ago

    UK Arrests Scattered Spider Members Linked to Transport for London Hack

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  11. 15.09.2025 23:12 5 articles · 3mo ago

    Scattered Lapsus$ Hunters' Claims and Google's Response

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  12. 13.09.2025 12:04 6 articles · 3mo ago

    FBI Alert on UNC6040 and UNC6395 Targeting Salesforce Platforms

    The **Gainsight cyber-attack** has expanded to impact more Salesforce customers than initially disclosed, with notifications sent to all affected parties by **November 21, 2025**. The breach began with **unauthorized access via an AT&T IP address on November 8**, followed by approximately **20 suspicious intrusions** between November 16–23 using **commercial VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method previously observed in the **Salesloft Drift attack**. Gainsight temporarily disabled read/write capabilities for products like **Customer Success (CS), Community (CC), and Northpass**, while isolating **Staircase** (confirmed unaffected due to separate infrastructure). Third-party vendors, including **Gong.io, Zendesk, and HubSpot**, also disabled Gainsight integrations as a precaution, though HubSpot reported no evidence of compromise. Forensic investigations by **Mandiant (Google Cloud’s incident response team)** and Salesforce revealed the attackers leveraged **compromised multifactor credentials** for VPN and critical system access. Gainsight advised customers to **rotate S3 keys, reset NXT passwords, and re-authorize integrations**, while recommending mitigation measures from the **Google Threat Intelligence Group (GTIG)** to counter the **ShinyHunters-Scattered Spider-LAPSUS$ collective’s evolving tactics**. The incident underscores the persistent threat to **Salesforce ecosystems**, with attackers exploiting **third-party app vulnerabilities** and **OAuth token abuse** to expand their reach.

    Show sources
    Open in new tab
  13. 10.09.2025 18:29 5 articles · 3mo ago

    Jaguar Land Rover Data Breach Confirmed

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  14. 25.08.2025 22:48 3 articles · 3mo ago

    Farmers Insurance Data Breach Details Revealed

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  15. 21.08.2025 09:45 1 articles · 3mo ago

    Scattered Spider Member Sentenced for Cybercrime Activities

    A 20-year-old member of Scattered Spider, Noah Michael Urban, was sentenced to ten years in prison and $13 million in restitution for wire fraud and aggravated identity theft. Urban was arrested in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023, resulting in the theft of at least $800,000 from five victims. Urban and his co-conspirators used SIM swapping attacks to hijack victims' cryptocurrency accounts and steal digital assets.

    Show sources
    Open in new tab
  16. 12.08.2025 19:20 15 articles · 4mo ago

    ShinyHunters and Scattered Spider Target Salesforce Customers

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab
  17. 12.08.2025 15:00 15 articles · 4mo ago

    ShinyHunters and Scattered Spider Collaboration Detected

    The Co-operative Group in the U.K. reported a significant financial loss of £80 million ($107 million) due to a cyberattack in April 2025. The attack, attributed to Scattered Spider affiliates, resulted in a revenue reduction of £206 million ($277 million) and additional expected losses of £20 million ($27 million) for the second half of 2025. The Co-op had to shut down parts of its IT systems, causing disruptions to back-office and call-center services. The attack led to the theft of personal data of 6.5 million members, forcing the Co-op to rebuild its Windows domain controllers and extend system unavailability. The U.K. National Crime Agency arrested four suspects linked to the Co-op cyberattack and similar incidents at Marks & Spencer and Harrods. The Co-op's response prevented encryption but resulted in significant financial impact and operational disruptions. The group implemented manual processes, rerouted items, and offered discounts to mitigate the impact. Despite these measures, the Co-op faced stock allocation issues and a collapse in sales for certain categories, such as tobacco. The Co-op maintained strong liquidity with £800 million available to navigate external pressures and maintain long-term ambitions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Cyber Incident Affects Multiple London Councils

Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday morning. The incident has impacted several systems, including phone lines, and both councils have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response. RBKC and WCC share IT systems and services, which may explain the simultaneous impact. Hammersmith and Fulham Council is also reportedly affected. RBKC confirmed that some data has been copied and taken away, potentially impacting historical data. The councils have invoked business continuity and emergency plans to ensure critical services are maintained, focusing on supporting the most vulnerable residents. RBKC's IT team worked throughout the night to implement mitigations. Additionally, Hackney Council raised internal cybersecurity threat levels to 'critical' and warned staff about phishing attacks, despite not being directly affected by this incident. RBKC expects at least two weeks of continued disruption as they bring services back online. Westminster City Council confirmed the disruption would last for several weeks, though most services are still running. Hammersmith and Fulham Council has taken steps to isolate and safeguard its networks, with some systems still unavailable.

Open in new tab

Unauthorized Data Access via Gainsight-Linked OAuth Activity by Scattered Lapsus$ Hunters

Salesforce detected unusual activity involving Gainsight-published applications, leading to unauthorized access to customer data. The company revoked all active tokens and removed the apps from AppExchange. The activity is linked to the Scattered Lapsus$ Hunters group, which has claimed responsibility for similar attacks, including a previous breach involving Salesloft Drift. Gainsight has engaged Mandiant for a forensic investigation and disabled connections with Hubspot and Zendesk as a precaution. Organizations are advised to review and revoke tokens for unused or suspicious third-party applications connected to Salesforce.

Open in new tab

ShinySp1d3r Ransomware-as-a-Service Emerges from ShinyHunters

ShinySp1d3r, a new Ransomware-as-a-Service (RaaS) platform, is being developed by the ShinyHunters group, which is associated with Scattered Spider and Lapsus$. The ransomware includes advanced features such as anti-analysis techniques, network propagation, and data wiping. The group plans to operate under the name ShinySp1d3r, with a focus on extortion and data theft. The ransomware encryptor uses the ChaCha20 algorithm with RSA-2048 for key protection and includes unique file extensions and ransom notes. The group claims to avoid targeting healthcare and CIS countries, though such claims have been unreliable in the past.

Open in new tab

ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.

Open in new tab

DoorDash Data Breach Exposed User Contact Information

DoorDash confirmed a data breach in October 2025 where an unauthorized third party accessed user contact information, including names, phone numbers, physical addresses, and email details. The breach was caused by a social engineering attack on a DoorDash employee. The company has taken steps to mitigate the breach, including shutting down unauthorized access, starting an investigation, and referring the matter to law enforcement. DoorDash has also deployed new security enhancements and provided additional training for employees. This is the third notable security incident suffered by DoorDash in the last six years, following breaches in 2019 and 2022. The breach notification emails primarily targeted DoorDash Canada users, but the incident may extend beyond Canada. Users have expressed concerns about the timing of the notifications and the handling of the incident, with some users threatening legal action against DoorDash.

Open in new tab