Farmers Insurance data breach via compromised Salesforce vendor
Summary
Farmers Insurance disclosed a data breach affecting 1.1 million customers. The breach occurred on May 29, 2025, when an unauthorized actor accessed a third-party vendor's database containing customer information. The vendor, identified as Salesforce, was targeted by threat actors classified as UNC6040 or UNC6240, who used social engineering and voice phishing (vishing) to gain access. The stolen data includes names, addresses, dates of birth, driver's license numbers, and the last four digits of Social Security numbers. Farmers Insurance began notifying impacted individuals on August 22, 2025. The breach was discovered on May 30, 2025, and the vendor had monitoring tools that detected the suspicious activity and took containment measures. Farmers Insurance launched a comprehensive investigation and is providing affected individuals with two years of complimentary identity monitoring services.
Timeline
- 25.08.2025 22:48 (2 articles)
  Farmers Insurance data breach via compromised Salesforce vendor
  The breach was discovered on May 30, 2025, the day after it occurred. The vendor had monitoring tools that detected the suspicious activity and took containment measures, including blocking the unauthorized actor. Farmers Insurance launched a comprehensive investigation on May 30, 2025, and notified law enforcement. The investigation determined that some personal information was compromised on July 24, 2025. Farmers Insurance is providing affected individuals with two years of complimentary identity monitoring services.
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
Information Snippets
- Farmers Insurance is a U.S.-based insurer providing auto, home, life, and business insurance products.
  First reported: 25.08.2025 22:48 (2 sources, 2 articles)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The breach occurred on May 29, 2025, when an unauthorized actor accessed a third-party vendor's database.
  First reported: 25.08.2025 22:48 (2 sources, 2 articles)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The vendor, identified as Salesforce, was targeted by threat actors classified as UNC6040 or UNC6240.
  First reported: 25.08.2025 22:48 (2 sources, 2 articles)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The threat actors used social engineering and voice phishing (vishing) to trick employees into linking a malicious OAuth app with Salesforce instances.
  First reported: 25.08.2025 22:48 (1 source, 1 article)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
- The stolen data includes names, addresses, dates of birth, driver's license numbers, and the last four digits of Social Security numbers.
  First reported: 25.08.2025 22:48 (1 source, 1 article)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
- Farmers Insurance began notifying impacted individuals on August 22, 2025.
  First reported: 25.08.2025 22:48 (2 sources, 2 articles)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The extortion demands come from the ShinyHunters cybercrime group, who work with multiple overlapping threat groups.
  First reported: 25.08.2025 22:48 (1 source, 1 article)
  - Farmers Insurance data breach impacts 1.1M people after Salesforce attack - www.bleepingcomputer.com - 25.08.2025 22:48
- The breach was discovered on May 30, 2025, the day after it occurred.
  First reported: 26.08.2025 23:19 (1 source, 1 article)
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The vendor had monitoring tools that detected the suspicious activity and took containment measures, including blocking the unauthorized actor.
  First reported: 26.08.2025 23:19 (1 source, 1 article)
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- Farmers Insurance launched a comprehensive investigation on May 30, 2025, and notified law enforcement.
  First reported: 26.08.2025 23:19 (1 source, 1 article)
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- The investigation determined that some personal information was compromised on July 24, 2025.
  First reported: 26.08.2025 23:19 (1 source, 1 article)
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
- Farmers Insurance is providing affected individuals with two years of complimentary identity monitoring services.
  First reported: 26.08.2025 23:19 (1 source, 1 article)
  - 1M Farmers Insurance Customers' Data Compromised - www.darkreading.com - 26.08.2025 23:19
Similar Happenings
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and Bugcrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.
Jaguar Land Rover Production Disrupted by Cyberattack
Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
Data I/O Ransomware Attack Disrupts Operations
Data I/O, a tech manufacturer based in Redmond, Washington, experienced a ransomware attack on August 16, 2025. The incident prompted the company to take certain systems offline and implement mitigation measures. The attack affected shipping, manufacturing, production, and other functions, leading to ongoing outages as of August 21. The full scope and impact of the attack remain unknown, with a third-party investigation underway. The company has not yet informed affected individuals. The attack has not yet been determined to have a material impact on the company's business operations, but the costs associated with the incident are expected to be significant. The attack is currently ongoing, with the company working to restore affected systems. The specific ransomware variant and the initial vector of the attack have not been disclosed.
Healthcare Services Group Data Breach Exposes 624,000 Individuals' Personal Information
Healthcare Services Group (HSG) has disclosed a data breach affecting 624,496 individuals. The breach occurred between September 27, 2024, and October 3, 2024, when unauthorized actors accessed and copied personal information from compromised systems. The compromised data includes names, Social Security numbers, driver's license numbers, financial account details, and credentials. HSG has notified affected individuals and is providing free credit monitoring and identity restoration services for 12 months. The company has not disclosed the type of cyberattack involved or identified any evidence of identity theft or fraud resulting from the breach. HSG, headquartered in Bensalem, Pennsylvania, provides environmental, dining, and nutritional support services to over 3,000 healthcare facilities across the US. The breach was identified on October 7, 2024, and the company has taken steps to secure its systems and mitigate risks.