Over a dozen companies data exposed after SaaS integration provider Snowflake breach
Data Leak
Summary
Hide ▲
Show ▼
A stolen-token attack from a SaaS integration provider breach has led to data theft claims affecting over a dozen companies, creating immediate exposure and extortion risk. The largest cluster of activity centered on Snowflake customer accounts, where unusual activity was detected in a small number of accounts and those accounts were locked down. The same tokens were also used in attempted access against Salesforce, but that effort was blocked before the theft succeeded. The actors claimed to have stolen data from dozens of companies and were seeking ransom payments to stop release.
Related Happenings
Icarus Salesforce data-theft extortion campaign
Campaign
H score42
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Icarus Salesforce data-theft extortion campaign
CampaignAbout this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Latest development: 23.06.2026 16:58
LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.
Klue hit by network compromise
Incident
H score39
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
**Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Klue hit by network compromise
IncidentAbout this happening: **Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Latest development: 23.06.2026 16:58
Unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in LastPass's Salesforce environment. LastPass said its products, services, infrastructure, and customer vaults were not affected, and it disabled employee access to Klue, rotated exposed API/OAuth tokens, and notified law enforcement.
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
Campaign
H score60
First: 10.06.2026 21:31
Last: 10.06.2026 21:31
Sources 1
About this happening:
**ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
CampaignAbout this happening: **ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
Latest development: 29.06.2026 23:40
Nissan says attackers exploited an Oracle PeopleSoft vulnerability in a ShinyHunters-linked campaign and that the company was specifically targeted, with personal information for current and former employees in the United States, Canada, Mexico, and Brazil potentially exposed. Nissan says the material may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information, and the company has activated incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle.
Grafana Labs Says GitHub hit by cyberattack
Incident
H score70
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Grafana Labs Says GitHub hit by cyberattack
IncidentAbout this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
ADT hit by data theft breach
Incident
H score62
First: 25.04.2026 01:53
Last: 25.04.2026 01:53
Sources 1
About this happening:
**ADT** confirmed a **data breach** after detecting **unauthorized access** to customer and prospective customer data on **April 20, 2026**, and the company said it terminated the...
ADT hit by data theft breach
IncidentAbout this happening: **ADT** confirmed a **data breach** after detecting **unauthorized access** to customer and prospective customer data on **April 20, 2026**, and the company said it terminated the...
Timeline
-
07.04.2026 22:39 2 articles · 3mo ago
Stolen-token campaign hits Snowflake and Salesforce accounts
Campaign Scope UpdateThis past Friday, a stolen-authentication-token campaign followed a breach of a SaaS integration provider and was used to steal data from over a dozen companies, with the majority of the activity focused on Snowflake customer accounts; the same stolen tokens were also used in an attempted theft from Salesforce, where the actors were detected before succeeding. The ShinyHunters group later said it stole data from dozens of companies and was demanding ransom payments to prevent release of the stolen data.
Show sources
- Snowflake customers hit in data theft attacks after SaaS integrator breach — www.bleepingcomputer.com — 07.04.2026 22:39
- Video service Vimeo confirms Anodot breach exposed user data — www.bleepingcomputer.com — 28.04.2026 22:04
-
07.04.2026 22:39 1 articles · 3mo ago
Snowflake detects unusual activity and locks accounts
Initial DisclosureSnowflake detected unusual activity in a small number of customer accounts linked to a specific third-party integration, locked potentially impacted accounts, notified customers, and said the activity did not involve a vulnerability or compromise of its systems. Separate reporting tied the activity to an alleged Anodot security incident, Payoneer said it was not impacted, and Google's Threat Intelligence Group said it was tracking the incident.
Show sources
- Snowflake customers hit in data theft attacks after SaaS integrator breach — www.bleepingcomputer.com — 07.04.2026 22:39