Orange Belgium Data Breach Affects 850,000 Customers

Plex, a media streaming platform, has experienced a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised data includes email addresses, usernames, and securely hashed passwords. Users are advised to reset their passwords and enable two-factor authentication. The breach did not include payment card information. Plex has addressed the vulnerability used in the attack but has not disclosed technical details about the incident. Plex has also blocked the attackers' access to its systems and launched internal reviews to improve security. Users are encouraged to be wary of potential phishing attacks and to enable the 'Sign out connected devices after password change' option when resetting their passwords. Plex suffered a similar data breach back in 2022.

Bridgestone Americas, the North American arm of Bridgestone, is investigating a cyberattack affecting multiple manufacturing facilities in North America. The incident impacted operations in Aiken County, South Carolina, and Joliette, Quebec, leading to the suspension of operations at the latter. Bridgestone's rapid response reportedly contained the attack early, preventing customer data theft or deep network infiltration. The attack began on September 2, 2025. Bridgestone operates 50 production facilities and employs 55,000 people in North America, representing roughly 43% of Bridgestone Corporation's total size. The company is working to mitigate the impact and maintain business continuity. No threat actor or group has claimed responsibility for the attack.

A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.

French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.

Inotiv, a U.S. pharmaceutical company, experienced a ransomware attack on August 8, 2025, resulting in the encryption of systems and data. The attack, claimed by the Qilin ransomware group, has impacted business operations, including databases and internal applications. The company is working to restore systems and mitigate disruptions. The Qilin ransomware group claims to have stolen 162,000 files totaling 176GB and has published data samples on their leak site. Inotiv has engaged external security experts and notified law enforcement. The company employs around 2,000 specialists and has an annual revenue exceeding $500 million. The attack has caused significant disruptions to business operations, with no estimated timeline for full recovery. The Qilin ransomware group has also targeted Creative Box Inc. (CBI), a subsidiary of Nissan, stealing 4TB of data, including 3D vehicle design models and internal reports.