Unauthorized transactions attempted in Sinqia Pix environment
Summary
On August 29, 2025, hackers attempted to steal $130 million from Sinqia S.A., a Brazilian subsidiary of Evertec, by gaining unauthorized access to its Pix environment. The attack was detected and halted, with some funds recovered. The breach involved stolen credentials for an IT vendor's account. Sinqia's access to Pix has been temporarily revoked by the Central Bank of Brazil. Sinqia operates financial software and IT services for the banking and financial industry. Pix is Brazil’s instant payments system, widely used for 24/7 fund transfers. The attack targeted business-to-business transactions involving two financial institutions, with no reported impact on customer funds or data.
Timeline
- 03.09.2025 01:33 · 1 article
Hackers attempt $130M heist via Sinqia Pix environment
On August 29, 2025, hackers attempted to steal $130 million from Sinqia S.A. by gaining unauthorized access to its Pix environment. The breach was detected and halted, with some funds recovered. The attack involved stolen credentials for an IT vendor's account. Sinqia's access to Pix has been temporarily revoked by the Central Bank of Brazil.
Source: Hackers breach fintech firm in attempted $130M bank heist — www.bleepingcomputer.com — 03.09.2025 01:33
Information Snippets
- Evertec is a major full-service transaction processor in Latin America, Puerto Rico, and the Caribbean.
- Sinqia S.A. is a São Paulo-based public company acquired by Evertec in 2023.
- The breach was detected on August 29, 2025, and unauthorized transactions were halted.
- The hackers used stolen credentials for an IT vendor's account to gain access.
- Pix is Brazil’s instant payments system, launched in November 2020.
- The attack targeted business-to-business transactions involving two financial institutions.
- Part of the $130 million has been recovered, with recovery efforts continuing.
- Sinqia's access to Pix has been revoked by the Central Bank of Brazil.
- The financial and reputational impact of the incident is not yet fully known.

All snippets first reported 03.09.2025 01:33 (1 source, 1 article): Hackers breach fintech firm in attempted $130M bank heist — www.bleepingcomputer.com — 03.09.2025 01:33
Similar Happenings
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account and affected multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then mined for credentials, authentication tokens, and other secrets shared in the support tickets. Their primary objective was to steal credentials, specifically sensitive material such as AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.