SonicWall warns customers to reset credentials after MySonicWall breach
- SonicWall disclosed a security breach affecting MySonicWall accounts where attackers exposed firewall configuration backup files.
- The incident was caused by brute-force attacks targeting the API service for cloud backup, affecting fewer than 5% of SonicWall firewalls.
- The exposed backup files contained encrypted passwords and sensitive information that could make exploitation of firewalls significantly easier for threat actors.
- These files potentially give attackers access to credentials and tokens for services running on SonicWall devices.
- SonicWall has provided detailed guidance for administrators to reset all credentials, API keys, and authentication tokens.
- The company confirmed this was not a ransomware event but rather a series of account-by-account brute-force attacks. SonicWall has cut off attackers’ access and is collaborating with cybersecurity and law enforcement agencies.
- The breach highlights the critical importance of securing cloud backup services and regularly updating access credentials.
ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks
- The ShinyHunters extortion group claimed to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
- The attack originated from a March breach of Salesloft’s GitHub repository, where threat actors used the TruffleHog security tool to scan source code for secrets, discovering OAuth tokens for the Salesloft Drift and Drift Email platforms.
- The stolen data included approximately 250 million Account records, 579 million Contact records, 171 million Opportunity records, 60 million User records, and 459 million Case records from Salesforce object tables.
- Major companies affected include Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, and Palo Alto Networks.
- The Case table data contained sensitive information from customer support tickets, which could include confidential data for tech companies.
- Google Threat Intelligence confirmed that attackers analyzed the stolen data for hidden secrets like credentials, authentication tokens, and access keys to enable further attacks.
- The FBI has issued advisories warning about these UNC6040 and UNC6395 threat actors conducting large-scale data theft campaigns.
VC giant Insight Partners warns thousands after ransomware breach
- New York-based venture capital and private equity firm Insight Partners disclosed a ransomware attack affecting 12,657 individuals whose personal information was stolen.
- The attack began with a sophisticated social engineering attack on October 25, 2024, allowing threat actors to gain access to affected servers.
- The attackers spent months exfiltrating data before encrypting servers on January 16, 2025, at approximately 10:00 AM EST.
- The stolen data includes banking and tax information, personal information of current and former employees, information related to limited partners, as well as fund, management company, and portfolio company information.
- Insight Partners manages over $90 billion in regulatory assets and has invested in more than 800 software and technology startups worldwide.
- The company is sending formal notification letters to all affected individuals and providing complimentary credit and identity monitoring services.
- Multiple class-action lawsuits have been filed related to the data breach. The incident demonstrates the significant impact ransomware attacks can have on financial services firms and their stakeholders.
Florida patients at risk after major data breach at eye care provider
- A major data breach at the Retina Group of Florida compromised the sensitive personal and medical information of nearly 153,000 patients in a cyberattack that occurred in November 2024.
- The types of data affected include protected health information such as patient names, medical data, and possibly other identifiers. The breach notification to patients began only in September 2025, nearly a year after the incident occurred.
- The Retina Group of Florida filed a notice with the U.S. Department of Health and Human Services about the breach.
- Although specific mitigation steps by the organization were not detailed, the delay in notifying patients suggests challenges in breach response.
- There is an implied risk of long-term vulnerability for the affected patients due to the sensitive nature of the data exposed. The breach raises concerns about timely communication and cybersecurity protocols in healthcare providers handling large volumes of patient data.
Hackers steal client data from Kering’s Gucci, Balenciaga and McQueen, BBC says
- In June 2025, Kering, the parent company of luxury brands Gucci, Balenciaga, and Alexander McQueen, suffered a data breach where an unauthorized third party temporarily accessed its systems.
- Approximately 7.4 million unique email addresses and millions of customer records were compromised.
- The stolen data included names, email addresses, phone numbers, physical addresses, and total expenditure details at the brands’ stores.
- Notably, no financial information such as credit card numbers or bank details was accessed in the breach.
- The hacker group ShinyHunters claimed responsibility for the attack and had attempted to extort a ransom, which Kering denied paying.
- Kering reported the breach to relevant authorities and notified affected customers in compliance with local regulations.
- The exposed data puts high-spending customers at risk for phishing and social engineering attacks in follow-up fraud attempts. This incident is part of a broader trend of cyberattacks on luxury brands.
West Virginia Credit Union Notifying 187,000 People Impacted by 2023 Data Breach
- In late 2023, Fairmont Federal Credit Union in West Virginia experienced a data breach that impacted 187,038 individuals.
- The breach allowed hackers to access sensitive personal and financial information, including names, dates of birth, Social Security numbers, driver’s license numbers, government IDs, full credit and debit card numbers, security codes, PINs, expiration dates, IRS PINs, tax ID numbers, routing numbers, and full access credentials.
- The attackers maintained access to the credit union’s network from September 30 to October 18, 2023, but the breach was only discovered on January 23, 2024.
- The credit union began notifying affected individuals about the breach two years later in 2025. As mitigation, the credit union is offering impacted individuals 12 to 24 months of free identity theft protection and credit monitoring services.
- They also reported the breach to authorities, although the perpetrators have not been identified yet.
- The breach is possibly linked to the Black Basta ransomware group.
- There are no confirmed reports of identity theft or financial fraud resulting directly from this incident so far.
