Data breach at Auchan exposes sensitive information of hundreds of thousands of customers
Summary
French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.
Timeline
- 25.08.2025 21:56 (2 articles)
Auchan data breach exposes personal information of hundreds of thousands of customers
French retail chain Auchan is notifying hundreds of thousands of customers that their personal information was stolen in a data breach. The incident impacted names, addresses, email addresses, phone numbers, and loyalty card numbers. No banking information, passwords, or PINs have been compromised. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The company took the necessary steps to contain the attack and improve the security of its systems. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.
Sources:
- Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
- Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
Information Snippets
- The breach affected several hundred thousand customers.
  First reported: 25.08.2025 21:56 (2 sources, 2 articles)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
- Exposed data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers.
  First reported: 25.08.2025 21:56 (2 sources, 2 articles)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
- Bank data, passwords, and PIN numbers were not compromised.
  First reported: 25.08.2025 21:56 (2 sources, 2 articles)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
- The company has notified the French Data Protection Authority (CNIL) and affected customers.
  First reported: 25.08.2025 21:56 (2 sources, 2 articles)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
- Affected customers are advised to be vigilant against phishing attempts.
  First reported: 25.08.2025 21:56 (2 sources, 2 articles)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach – www.securityweek.com – 26.08.2025 12:53
- The breach follows similar incidents at other large French entities, but no evidence suggests a coordinated campaign.
  First reported: 25.08.2025 21:56 (1 source, 1 article)
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers – www.bleepingcomputer.com – 25.08.2025 21:56
Similar Happenings
Plex Data Breach Exposes User Authentication Data
Plex, a media streaming platform, has experienced a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised data includes email addresses, usernames, and securely hashed passwords. Users are advised to reset their passwords and enable two-factor authentication. The breach did not include payment card information. Plex has addressed the vulnerability used in the attack but has not disclosed technical details about the incident. Plex has also blocked the attackers' access to its systems and launched internal reviews to improve security. Users are encouraged to be wary of potential phishing attacks and to enable the 'Sign out connected devices after password change' option when resetting their passwords. Plex suffered a similar data breach back in 2022.
Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign
An Iranian-aligned group, Homeland Justice, has conducted a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates in Europe and other regions. The campaign involves sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware. The phishing emails exploit geopolitical tensions and use compromised email accounts to send malicious Microsoft Word documents. The malware establishes persistence, contacts a command-and-control server, and harvests system information. The campaign is part of a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension. The campaign began on August 19, 2025, and targeted around four dozen embassies, consulates, and government ministries globally, as well as various international organizations. The campaign is assessed to have concluded shortly after it began, with the attackers' command-and-control infrastructure appearing inactive.
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.
HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands
A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The HOOK trojan is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuse Android accessibility services for fraud and remote control. The latest version of HOOK includes commands for ransomware overlays, capturing user gestures, and stealing sensitive information like credit card details and lockscreen PINs. It also features transparent overlays to capture user gestures and screen-streaming sessions for real-time monitoring.
Global Phishing Campaign Installs RATs via Malicious Scripts
A rapidly spreading phishing campaign targets Windows users worldwide, stealing credentials and deploying remote access trojans (RATs) via malicious scripts. The campaign is particularly impacting organizations in manufacturing, technology, healthcare, construction, and retail/hospitality sectors. The attack begins with socially engineered emails leading to personalized phishing pages, which deliver JavaScript files acting as droppers for UpCrypter malware. This malware deploys various RATs, including PureHVNC, DCRat, and Babylon RAT, providing long-term access to the compromised networks. The campaign has shown rapid growth, with detection counts doubling in just two weeks. The attack chain involves obfuscated scripts, personalized phishing pages, and sophisticated evasion techniques to avoid detection. The use of ready-made tools and phishing kits from underground sites contributes to the campaign's complexity and spread. Additionally, attackers are exploiting legitimate services like Google Classroom, Microsoft 365, and OneNote for phishing campaigns, and using client-side evasion techniques to bypass defenses. Defenders are advised to implement multi-layered defenses, including strong email filters, employee training, and up-to-date security tools.