Vyro AI Leak Exposes Sensitive User Data from Three Applications

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.

The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies, including Red Hat. The group claims to have breached Red Hat's private GitLab repositories, stealing nearly 570GB of data across 28,000 internal projects. The stolen data allegedly includes 800 Customer Engagement Reports (CERs), which contain sensitive information about customer networks and platforms. The breach occurred approximately two weeks prior to the announcement. The hackers claim to have accessed downstream customer infrastructure using authentication tokens and other private information found in the stolen data. The affected organizations span various sectors, including finance, healthcare, government, and telecommunications. Red Hat has initiated remediation steps and stated that the security issue does not impact its other services or products. The hackers published a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025 on Telegram. The Centre for Cybersecurity Belgium (CCB) has issued an advisory stating there is a high risk to Belgian organizations that use Red Hat Consulting services. The CCB also warns of potential supply chain impact if service providers or IT partners worked with Red Hat Consulting. The CCB advises organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations, and to contact third-party IT providers to assess potential exposure. The ShinyHunters gang has now joined the extortion attempts against Red Hat, partnering with the Crimson Collective. ShinyHunters has released samples of stolen CERs on their data leak site and has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. The breach is part of a series of supply chain threats involving compromised code repositories. In May 2024, threat actors exploited a critical vulnerability (CVE-2023-7028) to take over GitLab accounts. GitLab disclosed and patched two similar vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that jeopardized customers' CI/CD pipelines.

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

The threat actor, tracked as UNC6395 by Google and GRUB1 by Cloudflare, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and steal data from Salesforce customer instances. The campaign, active from August 8 to at least August 18, 2025, targeted over 700 organizations, including Workiva and Stellantis, and impacted all integrations connected to the Drift platform, not just Salesforce. The attackers exported large volumes of data, including credentials for AWS, passwords, and Snowflake access tokens. Zscaler, Palo Alto Networks, Cloudflare, and Workiva reported data breaches after threat actors accessed their Salesforce instances via compromised Salesloft Drift credentials, exposing customer information. The breach began with the compromise of Salesloft's GitHub account, accessed by UNC6395 from March to June 2025. The threat actor accessed multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred in the Salesloft and Drift application environments between March and June 2025. The attackers accessed Drift's AWS environment and obtained OAuth tokens for Drift customers' technology integrations. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened it with improved segmentation controls. Salesloft recommends that all third-party applications integrated with Drift via API key revoke the existing key. Salesforce restored the integration with the Salesloft platform on September 7, 2025, except for the Drift app, which remains disabled. Salesloft and Salesforce have taken steps to mitigate the breach, including revoking tokens and removing the Drift application from AppExchange. The breach highlights the risks associated with third-party integrations and the potential for supply chain attacks. UNC6395 demonstrated operational discipline, querying and exporting data methodically, and attempting to cover their tracks by deleting query jobs. The targeted organizations included security and technology companies, suggesting a broader strategy to infiltrate vendors and service providers. The campaign is limited to Salesloft customers who integrate their own solutions with the Salesforce service. There is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys. The threat group ShinyHunters and Scattered Spider claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise. Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics. The UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. Okta successfully defended against a potential breach by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric. Palo Alto Networks' Unit 42 advised organizations to conduct immediate log reviews for signs of compromise and rotate exposed credentials. Okta suggests reducing the blast radius of a single entity breach by constraining token use by IP and client and ensuring granular permissions for M2M integrations. The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395 is best known for using stolen OAuth tokens from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year. The FBI's latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040's activity, which began last fall. The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.

The **ShinyHunters and Scattered Spider collaboration** has escalated with a **new extortion campaign targeting PornHub Premium members**, following the **Mixpanel data breach on November 8, 2025**. ShinyHunters, confirmed as the perpetrator, stole **94GB of data** containing **over 200 million records** of PornHub users' historical search, watch, and download activity from 2021 or earlier. The stolen data includes **email addresses, video URLs, keywords, locations, and timestamps**, which the group is now using to extort victims, including PornHub, via ransom demands. PornHub confirmed the breach impacted its Premium users but clarified that **no passwords, payment details, or financial information were exposed** and that the compromise stemmed from a **third-party vendor (Mixpanel)**, not its own systems. **Mixpanel has disputed the origin of the data**, stating it was last accessed by a legitimate PornHub employee account in 2023 and that there is no evidence it was stolen during their November 2025 incident. This latest attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. The groups have also targeted **Almaviva/FS Italiane Group**, **Zendesk users**, and now **Mixpanel customers**, demonstrating their ability to **leverage third-party IT providers, cloud-based CRM systems, and analytics platforms** to maximize data exposure. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and claims of shutdowns, the threat persists, with authorities like the **FBI and U.K. NCA** issuing ongoing alerts as the groups adapt tactics, including **smishing, OAuth token abuse, and AI-enhanced tooling** to evade detection. The **Gainsight cyber-attack** further expanded in late November 2025, with Salesforce confirming a **larger, unspecified number of victims** beyond the initial three disclosed. The breach involved **unauthorized access via an AT&T IP address on November 8**, followed by **reconnaissance and intrusions using VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**. Forensic investigations revealed the attackers exploited **compromised multifactor credentials**, prompting Gainsight to advise customers to **rotate S3 keys, reset passwords, and re-authorize integrations**. Meanwhile, the **SLSH alliance unveiled ShinySp1d3r**, a **ransomware-as-a-service (RaaS) platform** with **advanced anti-forensic capabilities** and **network propagation tools**, administered by core member **Saif Al-Din Khader (aka Rey)**, who claims cooperation with law enforcement since June 2025. The alliance has been linked to **51 cyberattacks in the past year**, combining **RaaS, extortion-as-a-service (EaaS), and insider recruitment** to maximize impact across sectors.