SecureFact: Cyber Security News Highlights

September 30th 2025 to October 27th 2025

Data Breaches

1. WestJet data breach exposes travel details of 1.2 million customers

The WestJet data breach, disclosed in June 2025, compromised the personal information of approximately 1.2 million customers. The breach involved social engineering, where attackers reset an employee password to gain access via Citrix, which allowed network and Microsoft cloud compromise. Exposed data includes full names, dates of birth, mailing addresses, travel documents like passports or government IDs, requested accommodations, filed complaints, WestJet Rewards information, and some credit card details (excluding card numbers, expiration dates, and CVVs). The breach did not expose credit card or debit card numbers or user passwords. The FBI is investigating, and WestJet is offering affected customers free two-year identity theft protection and monitoring. The company continues to assess the breach's full scope and has taken measures to prevent recurrence.

2. Nearly 1 Billion Records Allegedly Stolen From Salesforce Environments

A hacking group called Scattered LAPSUS$ Hunters claims to have stolen nearly 1 billion records from companies using Salesforce cloud databases. The data allegedly includes personally identifiable information (PII) from about 39-40 organizations, including Toyota, FedEx, Walgreens, HBO Max, Allianz Life, Google, Qantas, and Stellantis. The hackers did not breach Salesforce directly but used voice phishing to trick company help desks and employees, gaining access via third-party Salesforce applications like Salesloft Drift. Salesforce has confirmed awareness of extortion attempts but states there is no evidence its platform has been compromised or that vulnerabilities in its technology were exploited. The hacker group launched a dark web site threatening to leak stolen data unless ransom demands are met, with some victims believed to be negotiating. Security experts note the group employs social engineering and tampered Salesforce tools to conduct their attacks.

3. Discord discloses data breach after hackers steal support tickets

Hackers compromised a third-party customer service provider on September 20, 2025, gaining access to Discord user data. The attack affected a limited number of users who interacted with Discord's customer support and Trust and Safety teams. Exposed data includes personally identifiable information such as real names, usernames, email addresses, and contact details. IP addresses, messages and attachments sent to customer service agents were also compromised in the breach. Photos of government-issued identification documents (driver's license, passport) were accessed for a small number of users. Partial billing information including payment type, last four credit card digits, and purchase history was exposed. The hackers demanded a ransom from Discord in exchange for not leaking the stolen information publicly. Discord took immediate action to isolate the support provider, launched an investigation, and engaged law enforcement.

4. Renault and Dacia UK warn of data breach impacting customers

Customers of Renault and Dacia in the United Kingdom were notified of a data breach at an unnamed third-party provider. The compromised information includes full names, gender, phone numbers, email addresses, and postal addresses of customers. Vehicle identification numbers and vehicle registration numbers were also exposed in the security incident. Banking or financial information was not compromised according to the carmaker's notification to affected customers. The targeted third-party company has isolated the incident and removed the threat from its networks following the breach. UK authorities including the Information Commissioner's Office (ICO) have been informed of the cyberattack by Renault. The company advised customers to remain vigilant against unsolicited phone calls and emails following the breach. Renault confirmed the contract agreement prevents them from disclosing the name of the affected third-party provider.

5. Japanese beer giant Asahi confirms ransomware attack

Asahi Group Holdings disclosed that a ransomware attack caused IT disruptions forcing factory shutdowns this week. The Tokyo-based company is Japan's largest beer brewer with 30,000 employees and produces 100 million hectoliters of beverages annually. Investigation confirmed that servers were targeted by ransomware and found traces suggesting potential unauthorized data transfer. The company owns major brands including Peroni, Pilsner Urquell, Grolsch, and Fuller's with $20 billion annual revenue in 2024. While the attack only impacted Japanese operations, it forced the company to switch to manual order processing and shipment. System-based order and shipment processes remain suspended with no clear timeline for recovery provided by the company. The Emergency Response Headquarters is working with external cybersecurity experts to restore systems as quickly as possible. No ransomware operations have claimed responsibility for the attack, suggesting ongoing negotiations or non-response to demands.

6. Oracle links Clop extortion attacks to July 2025 vulnerabilities

Oracle confirmed that customers received extortion emails from the Clop ransomware gang targeting E-Business Suite vulnerabilities. The ongoing investigation found potential use of previously identified vulnerabilities addressed in the July 2025 Critical Patch Update. Oracle addressed nine security flaws in E-Business Suite, with three exploitable remotely without requiring user credentials. Executives at multiple companies received ransom emails requesting payment to prevent sensitive data leaks from Oracle systems. The Clop gang claimed involvement in the extortion campaign, linking attacks to a bug in Oracle's core product. Extortion emails began on or before September 29, 2025, according to Google Threat Intelligence Group analysis. While insufficient evidence exists to confirm actual data theft, the campaign follows Clop's pattern of exploiting zero-day vulnerabilities. The U.S. State Department offers a $10 million reward for information linking Clop ransomware attacks to foreign governments.

7. Harvard investigating breach linked to Oracle zero-day exploit

Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site. The alleged breach was caused by a recently disclosed zero-day vulnerability in Oracle's E-Business Suite servers. Harvard confirmed the incident impacts a limited number of parties associated with a small administrative unit. The university applied a patch from Oracle to remediate the vulnerability and is continuing to monitor systems. Clop has a long history of exploiting zero-day flaws in massive data theft attacks affecting hundreds of organizations. The Oracle E-Business Suite zero-day (CVE-2025-61882) has been exploited since early August 2025. Harvard is the first organization publicly linked to this Oracle zero-day attack campaign. The university has no evidence of compromise to other systems beyond the affected administrative unit.

8. SonicWall VPN accounts breached using stolen creds in widespread attacks

Threat actors compromised more than 100 SonicWall SSLVPN accounts in a large-scale campaign using stolen, valid credentials. The attacks impacted over 100 SonicWall SSLVPN accounts across 16 environments protected by Huntress. Most malicious activity began on October 4, 2025, and was still ongoing as of October 10. Attackers followed up with network scans and attempts to access local Windows accounts after initial authentication. Most malicious requests originated from IP address 202.155.8[.]73 according to security researchers. The speed and scale of attacks suggest attackers controlled valid credentials rather than brute-forcing access. SonicWall recommends resetting all local user passwords, updating LDAP/RADIUS server passwords, and implementing MFA. Additional protective measures include restricting WAN management and disabling unnecessary services until secrets are rotated.
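The SonicWall campaign above has a recognisable shape in authentication logs: one source address succeeds as many distinct accounts within minutes, with few or no failures, which is what distinguishes stolen valid credentials from brute forcing. The following Python is an added example, not code from the article or from SonicWall or Huntress; the log line format and the sample lines are constructed (TEST-NET addresses and made-up usernames), so it would need a small parser change for a real SonicWall syslog export.

```python
"""Flag a 'valid credential' VPN campaign: one source IP that successfully
authenticates as several distinct accounts inside a short window.

Added illustration. The log format is hypothetical (not SonicWall's syslog
schema) and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format:  <ISO timestamp> <RESULT> user=<name> src=<ip>
LOG_RE = re.compile(r"^(\S+) (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")

# Constructed sample: one source logs in as five accounts in under 30 seconds
# (the campaign pattern); two other sources show ordinary single-user activity.
SAMPLE_LOGS = """\
2025-10-04T02:00:05 SUCCESS user=alice src=203.0.113.7
2025-10-04T02:00:09 SUCCESS user=bob src=203.0.113.7
2025-10-04T02:00:14 SUCCESS user=carol src=203.0.113.7
2025-10-04T02:00:20 SUCCESS user=dave src=203.0.113.7
2025-10-04T02:00:31 SUCCESS user=erin src=203.0.113.7
2025-10-04T08:15:00 SUCCESS user=alice src=198.51.100.20
2025-10-04T08:16:10 FAILURE user=frank src=198.51.100.21
2025-10-04T09:00:00 SUCCESS user=frank src=198.51.100.21
"""


def parse(lines: str):
    """Yield (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_credential_campaigns(lines: str,
                              window: timedelta = timedelta(minutes=10),
                              min_accounts: int = 3):
    """Return {src_ip: {"users": [...], "failures": n}} for each source that
    logged in successfully as at least `min_accounts` distinct users within
    any `window`. A low failure count alongside many successes is the
    'valid credentials, not brute force' signal described in the report."""
    successes = defaultdict(list)
    failures = defaultdict(int)
    for ts, result, user, src in parse(lines):
        if result == "SUCCESS":
            successes[src].append((ts, user))
        else:
            failures[src] += 1

    flagged = {}
    for src, evs in successes.items():
        evs.sort()
        hits = set()
        start = 0
        # Sliding window over this source's successful logins, oldest first.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_accounts:
                hits |= users  # union of every qualifying window
        if hits:
            flagged[src] = {"users": sorted(hits), "failures": failures[src]}
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_campaigns(SAMPLE_LOGS).items():
        print(f"{src}: {len(info['users'])} accounts, {info['failures']} failures -> {info['users']}")
```

Tune `window` and `min_accounts` to the environment (shared NAT egress addresses legitimately produce several users per IP), and treat a hit as the trigger for the credential rotation and MFA steps the report lists rather than as proof of compromise on its own.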

9. Lovesac confirms data breach after ransomware attack claims

American furniture brand Lovesac suffered a data breach impacting an undisclosed number of individuals. Hackers gained unauthorized access to internal systems between February 12 and March 3, 2025, stealing hosted data. Lovesac discovered the breach on February 28, 2025, taking three days to fully remediate and block attacker access. The stolen data includes full names and other personal information not disclosed in breach notifications. The RansomHub ransomware gang claimed responsibility for the attack on March 3, 2025. Lovesac operates 267 showrooms across the United States with annual net sales of $750 million. The company is providing 24-month credit monitoring services through Experian for affected individuals. Recipients can enroll in credit monitoring services until November 28, 2025, though no data misuse has been detected.

10. VC giant Insight Partners warns thousands after ransomware breach

New York-based venture capital firm Insight Partners is notifying thousands whose personal information was stolen in a ransomware attack. The data breach affects 12,657 individuals according to filings with Maine's attorney general. Threat actors gained access to the network on October 25, 2024, through a sophisticated social engineering attack. Attackers began exfiltrating data and encrypted servers starting January 16, 2025, at approximately 10:00 a.m. EST. Stolen data includes banking and tax information, personal information of employees, and limited partner information. The company manages over $90 billion in regulatory assets and has invested in 800+ software startups. Formal notification letters are being mailed to all impacted individuals with complimentary credit monitoring services. Insight Partners confirmed the incident in February 2025 and data theft in April 2025 following investigation.

11. Red Hat data breach escalates as ShinyHunters joins extortion

Enterprise software giant Red Hat is being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports leaked. The Crimson Collective initially claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories. Approximately 800 Customer Engagement Reports (CERs) were stolen, containing sensitive customer network and infrastructure information. Red Hat confirmed the breach affected its GitLab instance used solely for Red Hat Consulting engagements. ShinyHunters released samples of stolen CERs for major companies including Walmart, HSBC, Bank of Canada, and American Express. The threat actors set an October 10th deadline for ransom payment before publicly leaking the data. ShinyHunters operates as an extortion-as-a-service, taking a 25-30% revenue share from other threat actors' attacks. Red Hat has not responded to the extortion attempts; the company was contacted but did not provide additional comments.

12. Salesforce refuses to pay ransom over widespread data theft attacks

Salesforce confirmed it will not negotiate with or pay ransom to threat actors behind massive data theft attacks. Threat actors claimed to have stolen nearly 1 billion data records from 39 companies using Salesforce instances. Targeted companies include major brands: FedEx, Disney, Home Depot, Marriott, Google, Cisco, Toyota, McDonald's, and others. Two separate attack campaigns occurred in 2025 using social engineering and stolen OAuth tokens. The first campaign used social engineering to trick employees into connecting malicious OAuth applications to Salesforce. The second campaign exploited stolen SalesLoft Drift OAuth tokens to access customer CRM environments. ShinyHunters claimed to have stolen approximately 1.5 billion data records for over 760 companies. The threat actors' data leak site has been shut down, with domain nameservers suggesting possible FBI seizure.

13. Prosper Data Breach Exposes 17 Million Customers' Personal Info

The Prosper data breach, disclosed in October 2025, exposed the personal information of approximately 17.6 million customers and loan applicants. The breach was detected on September 2, 2025, involving unauthorized access to company databases containing confidential and proprietary data. The stolen data includes highly sensitive personally identifiable information (PII) such as names, email addresses, physical addresses, dates of birth, Social Security numbers, government-issued IDs, employment status, credit status, income levels, IP addresses, and browser user-agent details. Despite the substantial data exposure, there is no evidence yet that attackers accessed customer accounts or funds, and Prosper’s customer-facing operations remained uninterrupted. The company is actively investigating the incident, working with law enforcement and cybersecurity experts, and plans to offer free credit monitoring to affected individuals once the investigation determines the full scope of impacted data. This breach poses significant risks of identity theft, phishing, and financial fraud due to the nature of the stolen information.

14. American Airlines subsidiary Envoy confirms Oracle data theft attack

Envoy Air, a regional airline carrier owned by American Airlines, confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. The company stated that no sensitive or customer data was affected, with only a limited amount of business information and commercial contact details potentially compromised. The breach was part of a larger campaign by the Clop ransomware gang exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite systems since early August 2025. Upon learning of the incident, Envoy immediately began an investigation and contacted law enforcement. The Clop gang is now leaking what they claim to be stolen data from Envoy on their data leak site. Oracle initially stated the attacks exploited vulnerabilities patched in July, but later disclosed it was a zero-day flaw. CrowdStrike and Mandiant revealed that Clop exploited the flaws in early August to breach systems and deploy malware. Google's threat intelligence team believes dozens of organizations were affected by this campaign.

15. Auction giant Sotheby's says data breach exposed financial information

Major international auction house Sotheby's disclosed a data breach incident where threat actors stole sensitive information, including financial details. The hack was detected on July 24, 2025, and the investigation took two months to determine the type of data stolen and individuals impacted. According to a filing submitted to Maine's AG office, the exposed data includes full names, Social Security numbers (SSNs), and financial account information. The total number of impacted individuals remains undisclosed, with the filing mentioning only two persons in Maine and two in Rhode Island. Sotheby's confirmed that the incident impacted employees, not customers, contrary to initial reports. The company immediately launched an investigation in cooperation with leading data protection experts and law enforcement upon discovery. All security protocols were activated, and the Spanish Data Protection Agency and relevant authorities were notified. Sotheby's customers who received breach notifications are provided 12-month free identity protection and credit monitoring through TransUnion.

16. Clothing giant MANGO discloses data breach exposing customer info

Spanish fashion retailer MANGO sent data breach notifications to customers on October 14, 2025, warning that its marketing vendor suffered a compromise exposing personal data. The exposed data includes customers' first names, country, postal codes, email addresses, and telephone numbers used in marketing campaigns. MANGO specified that last names, banking information, credit card data, IDs, passports, or account credentials were not compromised in the incident. The company noted that its corporate infrastructure and IT systems remain unaffected, with business operations continuing normally. All security protocols were activated upon learning of the data breach at the unnamed marketing service provider. The Spanish Data Protection Agency (AEPD) and relevant authorities have been notified about the breach. A dedicated email address (personaldata@mango.com) and telephone hotline (900 150 543) were established to support concerned customers. No ransomware groups have announced MANGO on their extortion portals, leaving the attackers' identity unknown.

17. Capita to pay £14 million for data breach impacting 6.6 million people

The UK's Information Commissioner's Office (ICO) fined Capita £14 million ($18.7 million) for a 2023 data breach that exposed personal information of 6.6 million people. The breach occurred on March 22, 2023, when a Capita employee downloaded a malicious file giving hackers access to the internal network. Despite detecting the breach within 10 minutes, Capita failed to isolate the infected device for 58 hours, allowing attackers to move laterally and access sensitive databases. Between March 29-30, 2023, nearly one terabyte of data was exfiltrated before ransomware was deployed on March 31. The Black Basta ransomware gang claimed the attack and threatened to leak stolen files unless ransom was paid. The stolen data impacts hundreds of Capita clients, including 325 pension scheme providers in the UK. Capita was fined for poor access controls, delayed response to security alerts, operating an understaffed Security Operations Center, and failing to perform regular penetration testing. The ICO initially set the fine at £45 million but reduced it after Capita accepted liability and implemented security improvements.

18. Toys “R” Us Canada warns customers' info leaked in data breach

Toys “R” Us Canada reported a data breach but did not disclose the number of affected customers. The exposed information included customer names, physical addresses, email addresses, and phone numbers, while account passwords, payment details, and other confidential data were confirmed to be safe. In response, the company engaged third-party cybersecurity experts to investigate the incident, strengthened its IT security systems, and notified relevant Canadian privacy regulators.

19. Hackers steal medical records and financial data from 1.2M patients in massive healthcare breach

The breach at SimonMed Imaging affected approximately 1.2 million patients, with estimates of up to 1,275,669 individuals. The types of data exposed included full names, addresses, dates of birth, driver’s license/government ID numbers, financial account/payment details, health insurance information, medical record numbers, dates of service, diagnoses and treatment information, prescribed medications, and raw imaging scans. In response, SimonMed reset passwords, enforced multifactor authentication, implemented endpoint detection & response monitoring, removed third-party vendor direct access to its systems, restricted inbound/outbound traffic, engaged cybersecurity experts, notified law enforcement, and offered complimentary credit monitoring and identity theft protection to affected individuals.

20. Gmail data leak: Infostealer malware dumps 183 million email passwords online; here’s how to check and protect your Gmail

A database containing approximately 183 million email addresses and corresponding plain-text passwords, primarily linked to Gmail accounts, was leaked online following an infostealer malware incident. The compromised data included only email IDs and passwords, with no financial or personal identification details reported. The credentials were subsequently added to the Have I Been Pwned database on October 21, 2025, to help affected users identify if their accounts were exposed. The incident was traced to malware infections on individual devices rather than a direct breach of Google’s systems.
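Because the leaked credentials were loaded into Have I Been Pwned, a user or help desk can check whether a password appears in the corpus without ever sending the password itself. HIBP's Pwned Passwords service uses a k-anonymity scheme: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, receives every matching suffix with a count, and compares locally. The Python below is an added example, not code from the article or from HIBP; the range response text and its counts are constructed so the check runs offline, and `fetch_range` is an optional network helper that is not exercised here.

```python
"""Check a password against a Pwned Passwords k-anonymity range response.

Added example. The prefix/suffix scheme is the one HIBP documents for
https://api.pwnedpasswords.com/range/<prefix>; the response text below is
constructed (the counts are made up) so that the check runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of `password` into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Return how many times `password` appears in the corpus according to a
    range response of 'SUFFIX:COUNT' lines; 0 when absent. Only the suffix is
    compared, so the full hash never leaves the client."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Optional live lookup of one 5-char prefix (network call, not run here).
    Add-Padding asks the service to pad the response so its size leaks nothing."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The first suffix is the real remainder of SHA-1("password"); the count values
# and the other suffixes are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:2
FFEEDDCCBBAA99887766554433221100FFE:0
"""


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-2025"):
        prefix, _ = sha1_prefix_suffix(pw)
        n = breach_count(pw, CONSTRUCTED_RANGE_5BAA6)
        print(f"{pw!r}: prefix {prefix}, seen {n} times (constructed data)")
```

In a real check, call `fetch_range(prefix)` and pass its body to `breach_count`; any non-zero result means the password should be changed and MFA or passkeys enabled, which addresses the infostealer case directly since stolen plaintext passwords alone then no longer unlock the account.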

21. Gerar data breach exposes over 500 GB of youth records

The Brazilian non-profit organization Gerar suffered a major data breach in which attackers claimed to have stolen approximately 546 GB of sensitive data. The compromised information includes names, taxpayer identification numbers, addresses, contact details, educational records, family income data, and scanned documents such as military service forms, medical records, internship contracts, and identity cards. This breach potentially exposes thousands of youth participants to risks of identity theft and fraud. As of now, Gerar has not publicly disclosed any mitigation measures or response actions, and there is no confirmation of law enforcement involvement or user protection steps being taken.

22. Fake LastPass death claims used to breach password vaults

LastPass has warned of a new phishing campaign by the group CryptoChameleon, using fake death and inheritance claims to steal user credentials. Attackers send emails saying a family member requested emergency vault access, even attaching fake death certificates for credibility. Victims are directed to spoofed recovery sites like lastpassrecovery[.]com to enter their master passwords. Some attackers also impersonate LastPass staff through phone calls. The campaign now targets both passwords and passkeys, showing evolving social engineering tactics. LastPass urges users to ignore suspicious inheritance requests, verify URLs, and enable multi-factor authentication for protection.
