Plex Data Breach Exposes User Authentication Data

Wealthsimple, a Canadian financial services firm, disclosed a data breach affecting less than 1% of its customers. Attackers accessed personal data, including contact details, government IDs, financial details, and Social Insurance Numbers. The breach occurred due to a compromised third-party software package. Wealthsimple confirmed that no funds were stolen and that customer accounts remain secure. The incident was detected on August 30, 2025. Affected customers are being offered two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance. Wealthsimple advised customers to enable two-factor authentication (2FA) and remain vigilant against phishing attempts. The firm clarified that the breach is not related to the recent Salesforce data theft campaign.

A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.

Farmers Insurance and its affiliates experienced a data breach through a third-party vendor on May 29, 2025. The breach exposed personal information of over 1 million customers. The unauthorized access was detected and contained the next day, but the full scope of the breach was confirmed on July 24, 2025. The company is offering affected individuals two years of complimentary identity monitoring services. The breach involved suspicious activity detected by the third-party vendor's monitoring tools, which allowed for quick containment. The nature of the compromised personal information has not been disclosed. Law enforcement has been notified, and no misuse of the compromised data has been reported.

Healthcare Services Group (HSG) has disclosed a data breach affecting 624,496 individuals. The breach involved unauthorized access to HSG's systems between September 27, 2024, and October 3, 2024. The compromised data includes names, Social Security numbers, driver’s license numbers, financial account details, and credentials. The company has notified affected individuals and is providing credit monitoring services. The breach was discovered on October 7, 2024. HSG has secured its systems and notified relevant authorities. The type of cyberattack remains unspecified, and no ransomware groups have claimed responsibility.

French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.