SaaS giant Workiva discloses data breach after Salesforce attack
- Workiva, a leading cloud-based SaaS provider with 6,305 customers and $739 million in 2024 revenues, disclosed a data breach affecting customer data stored in a third-party CRM system.
- The attack was part of the ongoing Salesforce data theft campaign linked to the ShinyHunters extortion group. Attackers exfiltrated a limited set of business contact information including names, email addresses, phone numbers, and support ticket content.
- The breach affected 85% of Fortune 500 companies that are Workiva customers, including high-profile clients such as Google, T-Mobile, Delta Air Lines, and Mercedes-Benz.
- The company confirmed that the Workiva platform itself and any data within it were not accessed or compromised. Workiva warned customers to remain vigilant against potential spear-phishing attacks using the stolen information.
- The company emphasized that all communications from Workiva come through trusted official support channels and that it will never contact anyone by text or phone to request passwords or secure details.
- This incident was connected to compromised OAuth tokens from the Salesloft Drift breach that allowed attackers to access Salesforce instances.
Palo Alto Networks data breach exposes customer info, support cases
- Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance.
- The company was one of hundreds affected by the supply-chain attack targeting the Salesloft Drift application.
- The attackers extracted primarily business contact and related account information, along with internal sales account records and basic case data. Support case data contained contact information and text comments, but not technical support files or attachments.
- The threat actors, tracked as UNC6395, specifically targeted support cases to identify sensitive data such as authentication tokens, passwords, and cloud secrets. Attackers were searching for AWS access keys, Snowflake tokens, VPN and SSO login strings, and generic keywords like “password,” “secret,” or “key.”
- The company quickly contained the incident and disabled the application in its Salesforce environment.
- Palo Alto Networks confirmed that this situation did not affect any of their products, systems, or services.
- The company has revoked associated tokens and rotated credentials following the incident.
- They recommend treating the incident with “immediate urgency” and performing comprehensive security reviews.
Financial services firm Wealthsimple discloses data breach
- Wealthsimple, a leading Canadian online investment management service holding over CAD$84.5 billion in assets, disclosed a data breach affecting less than 1% of their 3 million customers.
- The company detected the breach on August 30th after learning that a specific software package written by a trusted third party had been compromised. Personal data accessed included contact details, government IDs provided during sign-up, financial details such as account numbers, IP addresses, Social Insurance Numbers, and dates of birth.
- The attackers did not steal any funds and did not compromise passwords, ensuring customer accounts remained secure.
- Wealthsimple is providing affected customers with two years of complimentary credit monitoring, dark-web monitoring, identity theft protection, and insurance.
- The company advised customers to secure their accounts using two-factor authentication with an authenticator app, never reuse passwords, and remain vigilant against potential phishing attempts.
- Wealthsimple confirmed this incident was not related to the ongoing Salesforce data theft campaign.
- The breach notification was sent via email to impacted customers, and the company emphasized the brief duration of unauthorized access to the compromised data.
Chess.com discloses recent data breach via file transfer app
- Chess.com disclosed a data breach after threat actors gained unauthorized access to a third-party file transfer application used by the platform.
- The incident occurred in June 2025, with attackers maintaining access for two weeks between June 5 and June 18. Chess.com discovered the breach on June 19, 2025, and immediately launched an investigation.
- The incident affects an estimated just over 4,500 users, a very small percentage of the platform’s 100 million user base. Data that may have been accessed includes names and other personally identifiable information, though specific details were not included in the sample notices shared with authorities.
- The company emphasized that no financial information was exposed and has no evidence that stolen data has been publicly disclosed or misused.
- Chess.com confirmed that only the unnamed third-party app was affected, while its own infrastructure and member accounts remained unaffected. The platform has taken additional measures to secure its systems and notified law enforcement accordingly.
- Affected members are being offered 1-2 years of free identity theft and credit monitoring services.
- Letter recipients have until December 3, 2025, to enroll in the offered services, though enrollment as soon as possible is recommended.
Texas sues PowerSchool over breach exposing 62M students, 880k Texans
- Texas Attorney General Ken Paxton filed a lawsuit against education software company PowerSchool following a massive data breach in December 2024 that exposed personal information of 62 million students, including over 880,000 Texans.
- PowerSchool serves more than 18,000 K-12 school customers supporting over 60 million students worldwide.
- The PowerSource customer support portal was breached on December 19, 2024, using stolen subcontractor credentials.
- The attacker demanded a $2.85 million Bitcoin ransom on December 28, 2024, after stealing full names, physical addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, and medical data of students and faculty.
- The threat actor claimed to have stolen data from 62.4 million students and 9.5 million teachers from 6,505 school districts across the U.S., Canada, and other countries.
- PowerSchool made a ransom payment and received a video claiming the stolen data had been erased, but someone claiming to be ShinyHunters began individually extorting school districts in May 2025.
- The lawsuit alleges PowerSchool violated the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act by misleading customers about security practices.
- Matthew D. Lane, a 19-year-old college student from Massachusetts, later pleaded guilty to orchestrating the cyberattack with several conspirators.
Zscaler data breach exposes customer info after Salesloft Drift compromise
- Cybersecurity company Zscaler suffered a data breach between August 13 and 16, 2025, after threat actors gained access to its Salesforce instance through the Salesloft Drift supply chain attack.
- The exposed information includes customer names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information, and content from certain support cases.
- The breach impacts a large number of customers, though Zscaler has not disclosed the exact count.
- The attack was conducted by threat actor UNC6395, who specifically targeted support cases to harvest authentication tokens, passwords, and secrets such as AWS access keys and Snowflake tokens.
- Zscaler has revoked all Salesloft Drift integrations, rotated API tokens, and strengthened customer authentication protocols for support calls.
- The company emphasized that only the Salesforce instance was affected, with no impact to Zscaler products, services, or infrastructure.
- This breach is part of a larger campaign affecting multiple cybersecurity companies through compromised OAuth tokens.
At least 700 organizations potentially impacted by hack of Atlanta tech firm
- In August 2025, hackers exploited compromised OAuth tokens from Salesloft’s Drift AI chat platform to access and steal sensitive data from over 700 organizations, mainly targeting Salesforce environments but also Google Workspace, Slack, and cloud storage integrations.
- The stolen data included customer contacts, sales and support case details, business records, and embedded credentials like AWS keys and passwords.
- This breach allowed attackers to perform bulk exports of sensitive data and infiltrate connected systems without phishing.
- Salesloft and Salesforce revoked all access tokens and removed Drift from the Salesforce marketplace to contain the incident.
- The breach highlights significant risks from trusted SaaS integrations and token abuse in cloud ecosystems.
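
Added example, not part of the original digest: the Palo Alto Networks, Zscaler and Salesloft items above all note that support cases held embedded credentials (AWS keys, Snowflake tokens, passwords), so an affected organization needs to know which of its own cases contain secrets that must be revoked and rotated. The sketch below scans exported case text and reports redacted findings; the export shape (case id mapped to comment text), the keyword pattern and the sample cases are assumptions constructed for illustration.

```python
import re

# Documented AWS access key ID shape: AKIA/ASIA prefix plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Assumption: "name = value" / "name: value" pairs whose name ends in one of
# the generic keywords the digest says the attackers searched for.
ASSIGNMENT = re.compile(
    r"(?i)\b([\w-]*(?:password|passwd|secret|token|key))\s*[:=]\s*(\S+)")

# Constructed sample data standing in for an export of support-case comments.
SAMPLE_CASES = {
    "CASE-1001": "Customer cannot log in to the portal.\nAsked them to clear cookies.",
    "CASE-1002": "Repro steps from customer:\n"
                 "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 "snowflake_token: sf-EXAMPLE-not-real",
    "CASE-1003": "VPN config pasted by user: password = 'Example-Only-123'",
}

def redact(value):
    """Keep four characters for triage so the report is not itself a leak."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)

def scan_case(case_id, text):
    """Return (case_id, line_no, kind, redacted_value) for each exposed secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((case_id, line_no, "aws_access_key_id", redact(m.group())))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2).strip("\"',;")
            if value and not AWS_KEY_ID.fullmatch(value):  # avoid double-reporting
                findings.append((case_id, line_no, m.group(1).lower(), redact(value)))
    return findings

def cases_needing_rotation(cases):
    """Map case id -> findings, for cases whose text contains a likely credential."""
    report = {cid: scan_case(cid, text) for cid, text in cases.items()}
    return {cid: hits for cid, hits in report.items() if hits}

if __name__ == "__main__":
    for cid, hits in cases_needing_rotation(SAMPLE_CASES).items():
        for _, line_no, kind, shown in hits:
            print(f"{cid} line {line_no}: {kind} -> {shown} (revoke and rotate)")
```

Secrets written in free prose without a `:` or `=` separator are not caught by the keyword pattern, so a clean result is a starting point for review rather than proof that a case holds no credentials.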
