
Wealthsimple data breach exposes personal information of less than 1% of customers

📰 1 unique source, 1 article

Summary


Wealthsimple, a Canadian financial services firm, disclosed a data breach affecting less than 1% of its customers. Attackers accessed personal data, including contact details, government IDs, financial details, and Social Insurance Numbers. The breach occurred due to a compromised third-party software package. Wealthsimple confirmed that no funds were stolen and that customer accounts remain secure. The incident was detected on August 30, 2025. Affected customers are being offered two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance. Wealthsimple advised customers to enable two-factor authentication (2FA) and remain vigilant against phishing attempts. The firm clarified that the breach is not related to the recent Salesforce data theft campaign.

Timeline

  1. 05.09.2025 18:36 📰 1 article

    Wealthsimple data breach detected on August 30, 2025

    Wealthsimple identified a data breach on August 30, 2025, where attackers accessed personal information of less than 1% of its customers. The breach resulted from a compromised third-party software package. The firm confirmed that no funds were stolen and customer accounts remain secure. Affected customers are being offered two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance. Wealthsimple clarified that the breach is not related to the recent Salesforce data theft campaign.



Similar Happenings

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.

Plex Data Breach Exposes User Authentication Data

Plex, a media streaming platform, has experienced a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised data includes email addresses, usernames, and securely hashed passwords. Users are advised to reset their passwords and enable two-factor authentication. The breach did not include payment card information. Plex has addressed the vulnerability used in the attack but has not disclosed technical details about the incident. Plex has also blocked the attackers' access to its systems and launched internal reviews to improve security. Users are encouraged to be wary of potential phishing attacks and to enable the 'Sign out connected devices after password change' option when resetting their passwords. Plex suffered a similar data breach back in 2022.

Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent

A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.

Social Engineering Attacks Targeting MFA and Help Desks

Threat actors are increasingly using social engineering tactics to bypass traditional security measures. They target help desks to gain unauthorized access to networks through MFA resets and password overrides. This approach exploits human vulnerabilities and organizational weaknesses, bypassing technical defenses. The FBI has highlighted groups like Scattered Spider as prominent actors in these campaigns. In August 2023, Scattered Spider targeted Clorox, resulting in approximately $380 million in damages. The attack involved repeated phone calls to the service desk, obtaining resets without meaningful verification, and quickly gaining domain-admin access. The incident underscores the need for robust verification processes and effective communication between help desks and security teams. Organizations must rethink their help desk operations and training to mitigate these risks. Frontline staff need to recognize red flags and escalate suspicious requests. Cultural changes are necessary to prioritize security over speed, and ongoing, relevant training is essential. Effective communication between help desks and security teams can enhance detection and response to social engineering attempts.

Allianz Life data breach affects 1.1 million customers via Salesforce compromise

Allianz Life, a U.S. insurance subsidiary of Allianz SE, experienced a data breach in July 2025. Hackers accessed a third-party cloud CRM system, stealing personal information of 1.1 million customers. The breach involved a malicious OAuth app linked to Salesforce instances, leading to the exfiltration of sensitive data. The extortion group ShinyHunters, tracked as UNC6040, claimed responsibility and leaked the stolen data. The breach is part of a broader campaign targeting multiple high-profile companies, including Google, Adidas, Workday, Qantas, Pandora, and Workiva. Allianz Life confirmed the breach but declined to provide additional details due to an ongoing investigation. Qantas Group executives reduced their short-term compensation by 15% due to the impact of the cyberattack on customers, which affected approximately 5.7 million passengers.