
Panera Bread Reportedly Hit by ShinyHunters Data Breach, 14 Million Records Exposed

Panera Bread has allegedly fallen victim to a cyberattack carried out by the notorious hacking collective ShinyHunters, with millions of customer records said to have been stolen.

The threat group recently listed Panera Bread, along with CarMax and Edmunds, on its data leak portal. In Panera’s case, attackers claim to have accessed approximately 14 million records. The compromised data reportedly includes customer names, email addresses, mailing addresses, phone numbers, and account-related details. Altogether, around 760MB of compressed data was allegedly extracted from company systems.

In a conversation with The Register, ShinyHunters stated that access to Panera’s network was gained through Microsoft Entra single sign-on (SSO). If accurate, the breach may be connected to a recent alert issued by Okta, which warned that cybercriminals were targeting SSO credentials from Okta, Microsoft, and Google through an advanced voice phishing scheme.

Should that link be confirmed, Panera Bread — which operates thousands of outlets across the United States and Canada — would join a growing roster of companies reportedly compromised through similar tactics, including Crunchbase and Betterment. According to ShinyHunters, both organizations were breached via voice phishing attacks aimed at stealing Okta authentication codes.

To date, most of the affected companies have not publicly addressed the incidents. Betterment is the only firm that has acknowledged a breach, confirming that employees were deceived in a social engineering attack on January 9.

"The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations," the company said.

"Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers."

ShinyHunters remains one of the most active ransomware groups currently operating and is notable for abandoning traditional encryption tactics. Rather than locking victims out of their systems, the group focuses solely on stealing sensitive information and pressuring organizations to pay in exchange for keeping the data private — a method that is less complex to deploy but potentially just as profitable.

ShinyHunters Claims Theft of 1.5 Billion Salesforce Records Using Compromised Drift OAuth Tokens
The ShinyHunters extortion group has allegedly stolen more than 1.5 billion Salesforce records from 760 companies after exploiting compromised Salesloft Drift OAuth tokens.

Over the past year, cybercriminals have been targeting Salesforce customers through social engineering tactics and malicious OAuth apps, enabling unauthorized access to Salesforce environments and mass data downloads. The stolen information is later used to pressure organizations into paying ransoms to prevent public leaks.

These campaigns have been linked to members of ShinyHunters, Scattered Spider, and Lapsus$, who are now referring to themselves as "Scattered Lapsus$ Hunters." Google tracks these operations under the names UNC6040 and UNC6395.

In March, one of the attackers infiltrated Salesloft’s GitHub repository, which stored private source code. ShinyHunters told BleepingComputer that they leveraged the TruffleHog security tool to uncover OAuth tokens hidden in the code. These tokens gave them access to both the Salesloft Drift platform—used to sync Drift AI chat agents with Salesforce—and Drift Email, which manages CRM email communications and marketing automation.

Using the stolen OAuth tokens, attackers exfiltrated around 1.5 billion records from key Salesforce object tables: Account, Contact, Case, Opportunity, and User. The stolen datasets included:

  • 250 million Account records

  • 579 million Contact records

  • 171 million Opportunity records

  • 60 million User records

  • 459 million Case records

The Case table, in particular, contained sensitive customer support ticket details, potentially exposing confidential information from tech company clients.

As proof, attackers shared a file listing Salesloft’s breached GitHub source code folders. While Salesloft did not respond to inquiries, a source confirmed the figures are accurate.

According to Google Threat Intelligence (Mandiant), attackers searched the stolen Case data for credentials, authentication tokens, and access keys to pivot into additional environments.

"After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments," Google explained.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens."
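Both secret-hunting steps in this story, running a scanner such as TruffleHog over a source repository and sifting exported Case records for AWS access keys, passwords and tokens, rely on the same simple pattern matching. A defender can run that match first, over the support-ticket text that accumulates in a CRM, and strip credentials out before any export leaves the tenant. The Python below is an added example, not code from the article, from Google or from Salesforce; the record layout, the sample cases and the two generic heuristics that sit beside the AWS `AKIA` prefix are constructed assumptions.

```python
"""Scan CRM support-case text for credentials before an export can leak them.

Added example with constructed sample data; the record layout mirrors the
Salesforce Case fields named in the article but is an assumption, not an API.
"""
import re
from dataclasses import dataclass

# Credential patterns.  The AWS access key ID prefix "AKIA" is the one named
# in the report (ASIA marks temporary keys); the other two are generic
# heuristics chosen for this example and are assumptions, not vendor formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
}

# Case fields that hold free text typed by customers or support agents.
TEXT_FIELDS = ("Subject", "Description")


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str   # redacted so the report itself does not become a leak


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so an analyst can tell key types apart."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_record(record: dict) -> list[Finding]:
    """Return one Finding per credential-looking match in the record's text."""
    findings = []
    for field in TEXT_FIELDS:
        text = record.get(field) or ""          # Salesforce fields may be null
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                # Use the capture group when the pattern has one (the value
                # after "password="), otherwise the whole match.
                secret = m.group(m.lastindex or 0)
                findings.append(Finding(record["Id"], field, kind, redact(secret)))
    return findings


def scan_records(records) -> list[Finding]:
    """Scan a whole export (a list of Case dicts) and flatten the findings."""
    return [f for r in records for f in scan_record(r)]


def count_by_kind(findings) -> dict:
    """Summary suitable for a dashboard: how many hits of each kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample Case records (not real data).  The AWS key is the
# AWS documentation placeholder AKIAIOSFODNN7EXAMPLE, not a live credential.
SAMPLE_CASES = [
    {"Id": "500CASE0001", "Subject": "Sync job failing",
     "Description": "Our nightly export stopped. Key in use: AKIAIOSFODNN7EXAMPLE"},
    {"Id": "500CASE0002", "Subject": "Login issue",
     "Description": "Reset request for user jdoe, no credentials attached."},
    {"Id": "500CASE0003", "Subject": "Warehouse connector", "Description":
     "Config was password=Hunter2!Winter and header Authorization: Bearer "
     "eyJhbGciOiJIUzI1NiJ9.constructed-token-value-for-example"},
    {"Id": "500CASE0004", "Subject": None, "Description": None},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_CASES):
        print(f"{f.record_id} {f.field:<11} {f.kind:<20} {f.preview}")
    print(count_by_kind(scan_records(SAMPLE_CASES)))
```

Run it against a real export by replacing `SAMPLE_CASES` with the rows of a Case query; the findings carry only a redacted prefix, so the scan output can be handed to the team that owns the tickets without copying the secret a second time.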

The massive breach impacted numerous companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks.

The FBI has since issued an advisory warning about the UNC6040 and UNC6395 groups, sharing indicators of compromise (IOCs) to help organizations defend against similar attacks.

Despite announcing they would “go dark” on Telegram, the attackers later claimed to have accessed Google’s Law Enforcement Request System (LERS) and the FBI eCheck platform. Google later confirmed, "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed."

Although the group suggested they were retiring, ReliaQuest researchers noted that in July 2025, they shifted focus toward financial institutions, making it likely these campaigns will continue.

To defend against such threats, Salesforce urges customers to enforce strong security measures, including multi-factor authentication (MFA), the principle of least privilege, and careful vetting of connected applications.