Sensitive Data Exposed in Auchan Retailer Cyberattack
Summary
A cyberattack on Auchan, a French multinational retail group, exposed sensitive data associated with the loyalty accounts of several hundred thousand customers. The breach, which occurred in November 2024, included full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The incident did not affect bank data, passwords, or PIN numbers. The company has notified the French Data Protection Authority (CNIL) and is advising customers to be vigilant against potential phishing attacks. The breach occurred amidst a series of similar incidents affecting large French entities, though no direct links have been established. This is the second data breach Auchan has disclosed over the past year.
Timeline
- 25.08.2025 21:56 · 2 articles
  Auchan Retailer Data Breach Exposes Customer Information
  The breach occurred in November 2024, and notifications were sent to customers last week. The company has taken steps to contain the attack and improve the security of its systems. This is the second data breach Auchan has disclosed over the past year.
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
Information Snippets
- The breach affected several hundred thousand customers, exposing sensitive personal data.
  First reported: 25.08.2025 21:56 · 2 sources, 2 articles
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- Exposed data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers.
  First reported: 25.08.2025 21:56 · 2 sources, 2 articles
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- Bank data, passwords, and PIN numbers were not compromised in the attack.
  First reported: 25.08.2025 21:56 · 2 sources, 2 articles
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- Auchan operates over 2,100 branches across 13 countries in Europe and Africa.
  First reported: 25.08.2025 21:56 · 1 source, 1 article
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
- The company has notified the French Data Protection Authority (CNIL) about the breach.
  First reported: 25.08.2025 21:56 · 2 sources, 2 articles
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- Customers are advised to be vigilant against potential phishing attacks using the stolen information.
  First reported: 25.08.2025 21:56 · 2 sources, 2 articles
  Sources:
  - Auchan retailer data breach impacts hundreds of thousands of customers — www.bleepingcomputer.com — 25.08.2025 21:56
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- The breach occurred in November 2024, and notifications were sent to customers last week.
  First reported: 26.08.2025 12:53 · 1 source, 1 article
  Sources:
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- The company has taken steps to contain the attack and improve the security of its systems.
  First reported: 26.08.2025 12:53 · 1 source, 1 article
  Sources:
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
- This is the second data breach Auchan has disclosed over the past year.
  First reported: 26.08.2025 12:53 · 1 source, 1 article
  Sources:
  - Hundreds of Thousands Affected by Auchan Data Breach — www.securityweek.com — 26.08.2025 12:53
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
Plex Data Breach Exposes Customer Authentication Details
Plex, a media streaming platform, has suffered a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised information includes email addresses, usernames, and securely hashed passwords. Plex has advised users to reset their passwords, enable two-factor authentication, and sign out connected devices to secure their accounts. The breach did not include payment card information. Plex has addressed the vulnerability and launched internal reviews to improve security. The company also warns users about potential phishing attacks. This is the second data breach for Plex, prompting users to take immediate action to secure their accounts.
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. 
UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat groups ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments.
UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
DaVita ransomware attack exposes data of nearly 2.7 million individuals
DaVita, a kidney dialysis firm, confirmed that a ransomware attack compromised the personal and health information of nearly 2.7 million people. The breach occurred between March 24 and April 12, 2025, affecting data from DaVita's dialysis labs database. The Interlock ransomware gang claimed responsibility and leaked approximately 1.5 terabytes of data. The stolen data included names, addresses, dates of birth, social security numbers, health insurance details, treatment information, and dialysis lab test results. In some cases, tax identification numbers and images of personal checks were also compromised. The impact includes potential identity theft and financial fraud for affected individuals.
Orange Belgium data breach impacts 850,000 customers
Orange Belgium, a telecommunications subsidiary, disclosed that attackers breached its systems in July 2025, stealing data from approximately 850,000 customer accounts. The compromised data includes surnames, first names, telephone numbers, SIM card numbers, PUK codes, and tariff plans. No passwords, email addresses, or financial information were accessed. Orange Belgium is notifying affected customers and advising them to be vigilant against potential fraud. The breach is unrelated to previous attacks on Orange Group or its other subsidiaries. Orange Belgium operates in Belgium and Luxembourg, serving over 3 million customers and employing 1,500 staff.