2023 SaaS Breaches

June 2, 2023

MOVEit Transfer

Malicious actors have exploited a critical SQL injection vulnerability in MOVEit Transfer’s web app that allowed unauthenticated access to the file transfer tool’s database. British Airways, the BBC, payroll service Zellis, the Canadian province of Nova Scotia, and UK retailer Boots had data leaked and stolen through the attacks. The bug is tracked as CVE-2023-34362 and a patch has been released to customers. Get details about the MOVEit supply chain attack.

May 30, 2023

Casepoint

Legal SaaS platform Casepoint, used by several arms of the U.S. government, investigates a data breach after files were leaked to the dark web. Ransomware gang BlackHat allegedly stole 2TB of company data and attorney files, and had claimed responsibility over the Colonial Pipeline cyberattack. Learn more about this ransomware attack.

May 10, 2023

Dragos

A criminal group gained access to Dragos’ SharePoint cloud services and contract management system. While the unnamed threat actors were able to download and access a small amount of data typically exclusive to customers, they were unable to compromise Dragos’ network or cybersecurity platform. Dragos credits its role-based access control (RBAC) rules for helping prevent the group from accessing its IT helpdesk, financial systems, and other sensitive data. See how Dragos’ security controls reduced the attack surface of this incident.

April 28, 2023

Santa Clara Health Plan (SCHP)

Santa Clara Health Plan (SCHP) experienced a data breach that impacted 276,993 individuals due to a vulnerability in Fortra’s GoAnywhere file transfer solution, which was previously exploited in the NationsBenefits ransomware attack disclosed on April 13, 2023. SCHP’s vendor NationsBenefits was the point of entry for this breach. Learn about the mass cyberattack against 130 organizations.

April 27, 2023

Salesforce

Salesforce confirmed misconfiguration vulnerabilities (first identified by KrebsOnSecurity) that have resulted in numerous Salesforce customers’ sensitive data being exposed. Organizations affected include the State of Vermont and the District of Columbia’s Health websites. Get the details on this Salesforce misconfiguration vulnerability.

April 13, 2023

NationsBenefits

Florida-based technology company NationsBenefits reported that more than 7,000 members had their personal information stolen in a late Jan. 2022 ransomware attack on software company Fortra. NationsBenefits used Fortra’s SaaS solution GoAnywhere to store members’ data. See more about the ransomware attack.

April 11, 2023

Iowa Medicaid

Between June 30 and July 5, 2022, Iowa Medicaid experienced a data breach caused by their third-party vendor, Telligen. Approximately 20,800 Iowa Medicaid members had their data compromised. The data breach included names, Medicaid details, and other sensitive information. Read more about the Iowa Medicaid breach.

April 3, 2023

Capita

London-based professional services firm Capita reported a cyber incident affecting access to its internal Microsoft 365 apps. The event led to service disruptions with an undisclosed number of clients. At this time, Capita does not believe customer, supplier, or employee data has been compromised. See more about the Capita incident.

March 29, 2023

Toyota Italy

Toyota Italy accidentally leaked sensitive marketing data for more than a year. This included exposed credentials to its Salesforce Marketing Cloud and Mapbox’s API tokens. Read more details about the data leak.

March 24, 2023

ChatGPT

OpenAI was forced to take ChatGPT offline after a user exploited an open-source library bug. That same bug may have exposed the personal data and chat queries of 1.2% of ChatGPT Plus subscribers who were active during the nine-hour window before ChatGPT went offline. Dive into ChatGPT’s first major breach.

March 22, 2023

UC San Diego Health

Health provider UC San Diego Health reported that the unauthorized use of analytics tools by their technology vendor, Solv Health, was responsible for a data breach. Individuals who used UCSD’s scheduling site from Sept.13 – Dec. 22, 2022, may have been affected. Exposed data may include names, dates of birth, IP addresses, email addresses, third-party cookies, reason for visit, and insurance type. Uncover the details about the UCSD Health breach.

March 20, 2023

Ferrari

Ferrari confirmed a ransomware attack was responsible for a data breach that exposed customer details including names, addresses, emails, and phone numbers. No payment information or details of Ferrari cars owned or ordered had been stolen. Discover more about the Ferrari ransomware attack.

March 16, 2023

AT&T

AT&T notified 9 million customers that their customer proprietary network information (CPNI) was compromised due to a third party vendor breach. Exposed data includes first names, wireless account numbers, wireless phone numbers and email addresses. Read more about the AT&T breach.

March 9, 2023

DC Health Link

DC Health Link, the health insurance marketplace for the District of Columbia, confirmed a breach exposing the personal data of 56,000 members, including staff of the U.S. House of Representatives. The original attack vector was an open, exposed database and hacker was able to connect to the database software without verification. Get the details of the DC Health Link breach.

March 2, 2023

The U.S. Federal Reserve

The U.S. Federal Reserve canceled a Zoom video conference after it was hijacked by a participant who displayed pornographic images. This was likely the result of improper security configuration of guest access and user permissions. Learn more about the Zoom porn bombing incident.

February 27, 2023

LastPass

LastPass confirmed that the same attacker from previous breaches stole valid credentials from a senior DevOps engineer, targeted their home computer, and exploited a vulnerable third party media software package. This enabled remote code execution and keylogger malware to be implanted. Attackers achieved access to the company data vault and decryption keys, exfiltrating customer vault backups stored in AWS S3 buckets. Get the full scope of this LastPass breach.

February 21, 2023

Activision

Hackers stole Activision’s content roadmap for Call of Duty and employee data by infiltrating the company’s Slack channel through an SMS phishing scheme. The targeted employee, part of the HR department, had access to sensitive staff data. Read how threat actors breached Activision.

February 17, 2023

U.S. Marshals Service

The U.S. Marshals Service suffered a ransomware security breach that compromised PII of fugitives, staff, and third parties. Federal agencies are required to report major incidents to Congress within seven days of identification. See how Marshal Service was attacked.

February 10, 2023

Pepsi Bottling Ventures

Pepsi Bottling Ventures discovered a data breach that included Social Security numbers and login credentials. It’s unclear whether the stolen data pertains to customers or employees — and if PepsiCo was also affected. Dive into the PBV breach specifics.

January 26, 2023

U.S. Federal Civilian Executive Branch (FCEB)

Several U.S. federal agencies fell victim to a phishing scam that lured targets into logging into their bank accounts. Threat actors used AnyDesk and ScreenConnect as portable executables, which ran without admin privilege. Learn more about the phishing scam.

January 19, 2023

PayPal

PayPal reported a credential-stuffing attack, in which hackers leveraged username and password pairs sourced from previous data leaks. The company detected and mitigated the attack, but the hackers may have exfiltrated some sensitive data from the 35,000 compromised accounts. Discover the PayPal attack details.

January 7, 2023

CircleCI

CircleCI confirmed a data breach that stemmed from an employee’s laptop becoming infected with malware. The threat actor stole a valid MFA SSO session, allowing exfiltration of data that included customer environment variables, tokens, and keys. CircleCI’s antivirus software did not detect the malware. Learn how the CircleCI breach happened — and how to prevent similar attacks.

January 4, 2023

Twitter

A database of over 200 million Twitter users went public, originally scraped by exploiting an API vulnerability that was previously exposed from June 2021 to January 2022. Get the Twitter data leak details.