SaaS Breach Info Center
Learn How — And How Often — SaaS Data Breaches Occur
As SaaS adoption grows, the risk for breaches that threaten business operations and the security of highly sensitive data escalates. The SaaS Breach Info Center is your go-to source for the latest news and insights on SaaS-related data breaches and security insights.
2024
April 6, 2024
Healthcare and Public Health (HPH)
The U.S. Department of Health and Human Services (HHS) warns that hackers are using social engineering tactics to target IT help desks in the HPH sector. Posing as financial department employees, they use stolen credentials to convince IT to enroll their devices in MFA, gaining access to redirect bank transactions and corporate resources. Read more about these healthcare-targeted social engineering attacks.
April 6, 2024
McDonald’s
McDonald’s experienced a global technology outage attributed to a third-party provider during a configuration change. Although this outage wasn’t directly caused by a cybersecurity event, it emphasizes how third-party changes can make an organization’s technical infrastructure more vulnerable. Learn the importance of enhanced third-party visibility for risk prevention.
February 2, 2024
Cloudflare-Atlassian
Cloudflare disclosed that a nation-state actor stole Cloudflare credentials and an access token from a recent Okta compromise to gain unauthorized access to its Atlassian server in November 2023. Attackers accessed some documentation and a limited amount of source code before being stopped. Learn how attackers exploited Okta as an attack vector.
February 1, 2024
Blackbaud
The FTC mandates that software supplier Blackbaud delete any personal customer data it doesn’t require, as part of a settlement stemming from charges of lax security that allowed a hacker to access a customer’s Blackbaud-hosted database, move across multiple Blackbaud-hosted environments and create new admin accounts. This resulted in millions of its customers’ PII being affected. Read more about the FTC’s proposed action against Blackbaud.
January 26, 2024
Mercedes-Benz
An employee’s authentication token was found in a public GitHub repository, with potential to grant unauthorized access to Mercedes’ GitHub Enterprise server. This exposed private source code repositories containing intellectual property, Microsoft Azure and AWS keys, and a Postgres database. Mercedes has since removed the API token and public repository. Learn more about this inadvertent source code exposure.
January 25, 2024
Microsoft (Midnight-Blizzard)
A nation-state backed hacking group compromised Microsoft’s corporate networks, targeting other organizations like HPE in a malicious campaign. Password spraying attacks were used to exploit a non-MFA-enabled test OAuth application account with elevated privileges, enabling lateral spread across corporate Office 365 environments. See how hackers exploited this over-privileged legacy account as an attack vector.
January 24, 2024
Mother of All Breaches (MOAB)
26 billion records, stemming from previous leaks and breaches, were exposed online, revealing user data from LinkedIn, X, and other platforms, including sensitive information from government organizations in the U.S., Brazil, Germany, and more. Attackers could use this data for cyberattacks, phishing schemes, and other attack mechanisms. Learn more about this major data leak impacting several organizations.
2023
December 12, 2023
ESO Solutions
ESO Solutions, a data and software provider, has disclosed that a ransomware attack has compromised data belonging to 2.7 million patients. The attack occurred when an unauthorized third party gained access to its computer system containing sensitive customer data. Read more about this ransomware attack.
November 30, 2023
Qlik Sense
Arctic Wolf Labs reported on a new CACTUS Ransomware campaign which exploits recently disclosed security vulnerabilities of Qlik Sense, a cloud analytics and business intelligence platform. In the attacks, a successful exploitation of the flaws is followed by the abuse of the Qlik Sense Scheduler service to spawn processes that are designed to download additional tools with the goal of establishing persistence and setting up remote control. See more details about the CACTUS Ransomware campaign.
November 2, 2023
Mr. Cooper Group
Mortgage giant Mr. Cooper Group experienced a cybersecurity incident in which an unauthorized third party gained access to certain technology systems. Mr. Cooper has since shut down specific systems, which will temporarily prevent it from processing customer payments. Read more about Mr. Cooper’s cyberattack.
October 20, 2023
Okta
Threat actors used stolen credentials to access Okta’s support case management system (likely a SaaS provider) where HAR files that contain session cookies are stored, moving attackers to target Okta’s customer base. Learn more about the Okta HAR breach and admin account takeovers.
October 13, 2023
Equifax
Equifax was fined $13.4 million for a preventable 2017 data breach affecting nearly 147.9 million customers, due to hackers exploiting a flaw in an open web app. A company-wide audit revealed that insufficient patch and configuration controls, as well as a lack of proactive patching when updates became available, contributed to the breach. Read more about how poor security posture led hackers to exploit customer PII.
October 4, 2023
Sony Interactive Entertainment
Personal information of almost 6,800 employees and family members has been exposed in a hack by the ransomware group Cl0p after hackers exploited a vulnerability in MOVEit Transfer. Learn more about this vulnerability that has affected countless organizations this year.
September 25, 2023
OpenSea
A third-party breach leaks OpenSea’s API key data. This is the third breach for the popular NFT marketplace with sensitive data stolen. Learn how attackers gained admin rights to a third-party account used to provision customer access.
September 18, 2023
Retool
A dual phishing trap led an employee into handing over their credentials and an OTP token, activating a Google Workspace session. The employee’s Google Authenticator cloud sync feature allowed elevated access to its internal systems. See how threat actors overtook 27+ Retool cloud clients.
September 13, 2023
MGM and Caesars
Both casino giants experienced a cyberattack that resulted in widespread outages across internal networks, ATMs, slot machines, digital room key cards, and electronic payment systems. Voice phishing tactics were used to initially access an MGM employee’s account. After initial entry, attackers gained admin rights and proceeded to deploy a ransomware attack. Learn how hackers exploited Okta as an access vector.
September 4, 2023
Okta
Attackers are hijacking highly-privileged Okta Super Administrator accounts, gaining access to and abusing identity federation features, elevating privileges, and removing 2FA protections, warns Okta. See how to keep your Okta tenant secure from identity access manipulation.
July 21, 2023
Roblox
In 2020, Roblox suffered a third-party security issue that compromised PII of nearly 4,000 Roblox developer accounts and past conference attendees. The gaming platform only revealed full details this week. Learn more about Roblox’s data leak.
July 10, 2023
Hospital Corporation of America
A third-party external storage location for an unnamed software product was compromised, causing Hospital Corporation of America’s data breach. PII of 11 million patients was posted for sale on an online forum. Learn about this record-breaking healthcare-industry breach.
June 2, 2023
MOVEit Transfer
Malicious actors have exploited a critical SQL injection vulnerability in MOVEit Transfer’s web app that allowed unauthenticated access to the file transfer tool’s database. British Airways, the BBC, payroll service Zellis, the Canadian province of Nova Scotia, and UK retailer Boots had data leaked and stolen through the attacks. The bug is tracked as CVE-2023-34362 and a patch has been released to customers. Get details about the MOVEit supply chain attack.
May 30, 2023
Casepoint
Legal SaaS platform Casepoint, used by several arms of the U.S. government, is investigating a data breach after files were leaked to the dark web. Ransomware gang BlackHat allegedly stole 2TB of company data and attorney files, and had previously claimed responsibility for the Colonial Pipeline cyberattack. Learn more about this ransomware attack.
May 10, 2023
Dragos
A criminal group gained access to Dragos’ SharePoint cloud services and contract management system. While the unnamed threat actors were able to download and access a small amount of data typically exclusive to customers, they were unable to compromise Dragos’ network or cybersecurity platform. Dragos credits its role-based access control (RBAC) rules for helping prevent the group from accessing its IT helpdesk, financial systems, and other sensitive data. See how Dragos’ security controls reduced the attack surface of this incident.
April 28, 2023
Santa Clara Health Plan (SCHP)
Santa Clara Health Plan (SCHP) experienced a data breach that impacted 276,993 individuals due to a vulnerability in Fortra’s GoAnywhere file transfer solution, which was previously exploited in the NationsBenefits ransomware attack disclosed on April 13, 2023. SCHP’s vendor NationsBenefits was the point of entry for this breach. Learn about the mass cyberattack against 130 organizations.
April 27, 2023
Salesforce
Salesforce confirmed misconfiguration vulnerabilities (first identified by KrebsOnSecurity) that have resulted in numerous Salesforce customers’ sensitive data being exposed. Organizations affected include the State of Vermont and the District of Columbia’s Health websites. Get the details on this Salesforce misconfiguration vulnerability.
April 13, 2023
NationsBenefits
Florida-based technology company NationsBenefits reported that more than 7,000 members had their personal information stolen in a late Jan. 2022 ransomware attack on software company Fortra. NationsBenefits used Fortra’s SaaS solution GoAnywhere to store members’ data. See more about the ransomware attack.
April 11, 2023
Iowa Medicaid
Between June 30 and July 5, 2022, Iowa Medicaid experienced a data breach caused by their third-party vendor, Telligen. Approximately 20,800 Iowa Medicaid members had their data compromised. The data breach included names, Medicaid details, and other sensitive information. Read more about the Iowa Medicaid breach.
April 3, 2023
Capita
London-based professional services firm Capita reported a cyber incident affecting access to its internal Microsoft 365 apps. The event led to service disruptions with an undisclosed number of clients. At this time, Capita does not believe customer, supplier, or employee data has been compromised. See more about the Capita incident.
March 29, 2023
Toyota Italy
Toyota Italy accidentally leaked sensitive marketing data for more than a year. This included exposed credentials to its Salesforce Marketing Cloud and Mapbox’s API tokens. Read more details about the data leak.
March 24, 2023
ChatGPT
OpenAI was forced to take ChatGPT offline after a user exploited an open-source library bug. That same bug may have exposed the personal data and chat queries of 1.2% of ChatGPT Plus subscribers who were active during the nine-hour window before ChatGPT went offline. Dive into ChatGPT’s first major breach.
March 22, 2023
UC San Diego Health
Health provider UC San Diego Health reported that the unauthorized use of analytics tools by their technology vendor, Solv Health, was responsible for a data breach. Individuals who used UCSD’s scheduling site from Sept. 13 – Dec. 22, 2022, may have been affected. Exposed data may include names, dates of birth, IP addresses, email addresses, third-party cookies, reason for visit, and insurance type. Uncover the details about the UCSD Health breach.
March 20, 2023
Ferrari
Ferrari confirmed a ransomware attack was responsible for a data breach that exposed customer details including names, addresses, emails, and phone numbers. No payment information or details of Ferrari cars owned or ordered had been stolen. Discover more about the Ferrari ransomware attack.
March 16, 2023
AT&T
AT&T notified 9 million customers that their customer proprietary network information (CPNI) was compromised due to a third-party vendor breach. Exposed data includes first names, wireless account numbers, wireless phone numbers and email addresses. Read more about the AT&T breach.
March 9, 2023
DC Health Link
DC Health Link, the health insurance marketplace for the District of Columbia, confirmed a breach exposing the personal data of 56,000 members, including staff of the U.S. House of Representatives. The original attack vector was an open, exposed database: the hacker was able to connect to the database software without verification. Get the details of the DC Health Link breach.
March 2, 2023
The U.S. Federal Reserve
The U.S. Federal Reserve canceled a Zoom video conference after it was hijacked by a participant who displayed pornographic images. This was likely the result of improper security configuration of guest access and user permissions. Learn more about the Zoom porn bombing incident.
February 27, 2023
LastPass
LastPass confirmed that the same attacker from previous breaches stole valid credentials from a senior DevOps engineer, targeted their home computer, and exploited a vulnerable third-party media software package. This enabled remote code execution and keylogger malware to be implanted. Attackers achieved access to the company data vault and decryption keys, exfiltrating customer vault backups stored in AWS S3 buckets. Get the full scope of this LastPass breach.
February 21, 2023
Activision
Hackers stole Activision’s content roadmap for Call of Duty and employee data by infiltrating the company’s Slack channel through an SMS phishing scheme. The targeted employee, part of the HR department, had access to sensitive staff data. Read how threat actors breached Activision.
February 17, 2023
U.S. Marshals Service
The U.S. Marshals Service suffered a ransomware security breach that compromised PII of fugitives, staff, and third parties. Federal agencies are required to report major incidents to Congress within seven days of identification. See how the Marshals Service was attacked.
February 10, 2023
Pepsi Bottling Ventures
Pepsi Bottling Ventures discovered a data breach that included Social Security numbers and login credentials. It’s unclear whether the stolen data pertains to customers or employees — and if PepsiCo was also affected. Dive into the PBV breach specifics.
January 26, 2023
U.S. Federal Civilian Executive Branch (FCEB)
Several U.S. federal agencies fell victim to a phishing scam that lured targets into logging into their bank accounts. Threat actors used AnyDesk and ScreenConnect as portable executables, which ran without admin privilege. Learn more about the phishing scam.
January 19, 2023
PayPal
PayPal reported a credential-stuffing attack, in which hackers leveraged username and password pairs sourced from previous data leaks. The company detected and mitigated the attack, but the hackers may have exfiltrated some sensitive data from the 35,000 compromised accounts. Discover the PayPal attack details.
January 7, 2023
CircleCI
CircleCI confirmed a data breach that stemmed from an employee’s laptop becoming infected with malware. The threat actor stole a valid MFA SSO session, allowing exfiltration of data that included customer environment variables, tokens, and keys. CircleCI’s antivirus software did not detect the malware. Learn how the CircleCI breach happened — and how to prevent similar attacks.
January 4, 2023
Twitter
A database of over 200 million Twitter users went public, originally scraped by exploiting an API vulnerability that was exposed from June 2021 to January 2022. Get the Twitter data leak details.
2022
December 31, 2022
Slack
Slack experienced a cyberattack in which a limited number of employee tokens were stolen and used to gain access to the company’s externally hosted GitHub repository and private source code. Learn the details behind the Slack attack.
December 22, 2022
LastPass
LastPass released an updated statement confirming that customers’ 256-bit AES-encrypted password data had been looted. The hacker was also able to copy a backup of customer vault data that includes unencrypted data, encrypted fields such as usernames and passwords, and form-fill data. Read how LastPass attackers accessed password vaults.
December 1, 2022
AstraZeneca
In 2021, a developer accidentally left their Salesforce Cloud login credentials exposed in a GitHub repo. In 2022, security researchers found the repo, logged in, and stumbled upon sensitive data. PII was not exposed. Read more about the AstraZeneca data exposure.
November 30, 2022
LastPass
LastPass notified its customers that an unauthorized party had accessed certain elements of customers’ information within a third-party cloud storage service shared with GoTo (formerly LogMeIn). See how the Aug. 2022 hacking incident allowed exfiltration of encrypted customer data.
November 1, 2022
Dropbox
Dropbox suffered a data breach of their internal GitHub code repositories that included API keys. Dropbox employees were targeted with phishing emails that led them to an imitation CircleCI login page and also prompted them to enter a One-Time Password (OTP). Learn how the Dropbox attacker accessed a GitHub repo.
October 28, 2022
Twilio
Twilio disclosed a second breach by 0ktapus hackers where an employee was socially engineered through voice phishing (vishing). The Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers. Read about Twilio’s second 0ktapus incident.
October 18, 2022
Verizon
Verizon alerted customers of a cyberattack that granted third-party actors access to their accounts. The breach exposed the last four digits of the credit cards customers used to make payments on their prepaid accounts, and potentially enabled attackers to process unauthorized SIM card changes on prepaid lines. Learn more about the Verizon attack.
September 19, 2022
Rockstar Games
Video game publisher Rockstar Games experienced a data leak similar to the Uber hack below. Threat actors allegedly gained access to the company’s internal Slack messages and early code for their unannounced Grand Theft Auto video game sequel by gaining access to an employee’s login credentials. Read more about the Rockstar Games leak.
September 15, 2022
Uber
Uber fell victim to an MFA fatigue attack, which sends repeated sign-in approval notifications to an employee via SMS in hopes that endless notifications prompt them to complete the verification. The ride-sharing company attributes the attack to the cyber extortion group LAPSUS$. Discover how hackers found a way into Uber.
August 25, 2022
LastPass
LastPass experienced a security incident in which the threat actor gained access to its development environment for a 4-day period. It was contained immediately and no vault data or master passwords were compromised. Users were not asked to take any further action. In response to this incident, LastPass decommissioned the development environment and rebuilt it from scratch while further hardening developer machines, processes and authentication mechanisms. See the details of the Aug. 2022 LastPass breach.
August 10, 2022
Cisco
Cisco confirmed a breach of its corporate network where the attacker used voice phishing to convince an employee to accept MFA push notifications. They ultimately succeeded in gaining access to the company’s VPN and stealing an unspecified number of files from its network. Learn more about the Cisco breach.
August 7, 2022
Twilio
Twilio disclosed that hackers had accessed user data following 0ktapus, a sophisticated social engineering attack. Twilio identified 163 customers, including secure-communications provider Signal, whose data was accessed without authorization for a limited time. Read how Twilio customer data was exposed.
July 26, 2022
Okta
Group-IB analysts discovered that hackers targeted and stole 10,000 Okta user credentials and 5,441 MFA codes to carry out several sophisticated supply-chain attacks. Group-IB made its research on 0ktapus publicly available when Signal reported that 1,900 of their user accounts were hacked. Get the full details behind 0ktapus.
July 7, 2022
Marriott
Marriott suffered a data breach in its BWI Airport Marriott property near Baltimore. The hacker initiated a social engineering attack on a hotel staff member who unwittingly granted access to the property’s network, resulting in the theft of 300-400 customer credit card numbers. Read about Marriott’s recent security incident.
June 29, 2022
OpenSea
NFT giant OpenSea suffered a data breach after an employee of Customer.io, the company’s email delivery vendor, misused their privileged access to download and share the email addresses of OpenSea’s 1.8 million users and newsletter subscribers with an unauthorized external party. Learn more about the OpenSea phishing attack.
May 17, 2022
Costa Rica Government
Nearly 30 Costa Rican government institutions were hit in a wave of cyberattacks in May. The Russia-based hackers demanded $10 million, which went unpaid. In response, the Conti ransomware group released 97% of the 672 GB of stolen data. Read how Costa Rica was attacked.
April 12, 2022
GitHub
GitHub’s security team traced a breach to stolen OAuth user tokens issued to two third-party integrators, Heroku and Travis-CI, which were used to download data from private repositories belonging to dozens of organizations, including GitHub subsidiary npm. Attackers focused on exfiltrating PII to gain entry to other infrastructure and critical resources. Discover how GitHub repos were breached.
April 7, 2022
Cash App
Information of 8.2 million Cash App users was released by a former employee who accessed customer financial reports as an act of revenge against the company after their termination. A class action lawsuit was filed against the mobile payments company over “negligent” behavior. Read more about the Cash App attack.
April 4, 2022
Mailchimp
Mailchimp confirmed a data breach after malicious actors accessed an internal company tool used by the company’s customer support and account administration teams. After a successful social engineering attack, the hackers exported audience data, targeting customers in the cryptocurrency and finance sectors. Learn how hackers breached Mailchimp.
March 22, 2022
Microsoft
Microsoft confirmed that it was breached hours after LAPSUS$, a cyber extortion group, published a torrent file containing Bing, Bing Maps, and Cortana source code. Read how LAPSUS$ stole Microsoft source code.
March 18, 2022
HubSpot
HubSpot confirmed that over two dozen of its portals were subject to a data breach that compromised several of its clients’ data in the cryptocurrency space. Malicious actors compromised a HubSpot employee account used for customer support to extract contact details. This data breach affected companies like BlockFi, Swan Bitcoin, NYDIG, and Circle. Get details behind the HubSpot breach.
February 14, 2022
GiveSendGo
GiveSendGo was breached by politically motivated threat actors that released the personal information of 92,000 donors to the Freedom Convoy, an activist group of truck haulers based in Canada that protested COVID restrictions. The fundraising site was then redirected to another site that condemned the truckers — a case of a DDoS attack. Read more about the GiveSendGo attack.
February 4, 2022
News Corporation (News Corp)
Mass media and publishing giant News Corporation (News Corp) reported that it was the target of a persistent cyberattack that allowed an unauthorized third party to access personnel and journalists’ emails and business documents, which contained personal information. See how the WSJ and NY Post were attacked.
February 1, 2022
Oiltanking and Mabanaft Group
German oil companies Oiltanking and Mabanaft Group endured a cyberattack that threatened the gas supply of nearly 2,000 German Shell stations alone. Oiltanking declared force majeure, which excuses the company from meeting contractual obligations in an extraordinary event that is beyond its control, for most of its supply activities. Read how Oiltanking and Mabanaft Group operations were disrupted.
January 21, 2022
Okta
Okta experienced a breach by LAPSUS$, a cyber extortion group, which chose to publish a screenshot that establishes their alleged access. LAPSUS$ accessed two active customer tenants in the Okta environment and had control for 25 consecutive minutes. See the details on the Okta breach.
January 20, 2022
Crypto.com
Crypto.com admitted that hackers stole $36.45 million worth of cryptocurrency by bypassing its 2FA system. This incident led to the introduction of the company’s Worldwide Account Protection Program (WAPP) that would reimburse “qualifying users” in “select markets” with up to $250,000 after unauthorized withdrawals. Learn more about Crypto.com’s bitcoin and Ether heist.
January 18, 2022
International Committee of the Red Cross
The International Committee of the Red Cross (ICRC) experienced a breach that resulted in the data of more than 515,000 vulnerable people being compromised. The attack was highly targeted, using a piece of code that had been written purely to be executed on the ICRC’s servers. Read more on the Red Cross cyber attack.
January 6, 2022
FlexBooker
Online appointment company FlexBooker discovered a second data breach originating from its AWS account that exposed personal files belonging to 3.7 million users, which were distributed to the dark web. Get the details on FlexBooker’s data compromise.
April 3, 2023
Capita
London-based professional services firm Capita reported a cyber incident affecting access to its internal Microsoft 365 apps. The event led to service disruptions with an undisclosed number of clients. At this time, Capita does not believe customer, supplier, or employee data has been compromised. See more about the Capita incident.
March 29, 2023
Toyota Italy
Toyota Italy accidentally leaked sensitive marketing data for more than a year. This included exposed credentials to its Salesforce Marketing Cloud and Mapbox’s API tokens. Read more details about the data leak.
March 24, 2023
ChatGPT
OpenAI was forced to take ChatGPT offline after a user exploited an open-source library bug. That same bug may have exposed the personal data and chat queries of 1.2% of ChatGPT Plus subscribers who were active during the nine-hour window before ChatGPT went offline. Dive into ChatGPT’s first major breach.
March 22, 2023
UC San Diego Health
Health provider UC San Diego Health reported that the unauthorized use of analytics tools by its technology vendor, Solv Health, was responsible for a data breach. Individuals who used UCSD’s scheduling site from Sept. 13 – Dec. 22, 2022, may have been affected. Exposed data may include names, dates of birth, IP addresses, email addresses, third-party cookies, reason for visit, and insurance type. Uncover the details about the UCSD Health breach.
March 20, 2023
Ferrari
Ferrari confirmed a ransomware attack was responsible for a data breach that exposed customer details including names, addresses, emails, and phone numbers. No payment information or details of Ferrari cars owned or ordered had been stolen. Discover more about the Ferrari ransomware attack.
March 16, 2023
AT&T
AT&T notified 9 million customers that their customer proprietary network information (CPNI) was compromised due to a third-party vendor breach. Exposed data includes first names, wireless account numbers, wireless phone numbers, and email addresses. Read more about the AT&T breach.
March 9, 2023
DC Health Link
DC Health Link, the health insurance marketplace for the District of Columbia, confirmed a breach exposing the personal data of 56,000 members, including staff of the U.S. House of Representatives. The original attack vector was an open, exposed database: the hacker was able to connect to the database software without authentication. Get the details of the DC Health Link breach.
March 2, 2023
The U.S. Federal Reserve
The U.S. Federal Reserve canceled a Zoom video conference after it was hijacked by a participant who displayed pornographic images. This was likely the result of improper security configuration of guest access and user permissions. Learn more about the Zoom porn bombing incident.
February 27, 2023
LastPass
LastPass confirmed that the same attacker from previous breaches stole valid credentials from a senior DevOps engineer by targeting their home computer and exploiting a vulnerable third-party media software package. This enabled remote code execution and the implanting of keylogger malware. The attackers gained access to the company data vault and decryption keys, exfiltrating customer vault backups stored in AWS S3 buckets. Get the full scope of this LastPass breach.
February 21, 2023
Activision
Hackers stole Activision’s content roadmap for Call of Duty and employee data by infiltrating the company’s Slack channel through an SMS phishing scheme. The targeted employee, part of the HR department, had access to sensitive staff data. Read how threat actors breached Activision.
February 17, 2023
U.S. Marshals Service
The U.S. Marshals Service suffered a ransomware security breach that compromised PII of fugitives, staff, and third parties. Federal agencies are required to report major incidents to Congress within seven days of identification. See how the Marshals Service was attacked.
February 10, 2023
Pepsi Bottling Ventures
Pepsi Bottling Ventures discovered a data breach that included Social Security numbers and login credentials. It’s unclear whether the stolen data pertains to customers or employees — and if PepsiCo was also affected. Dive into the PBV breach specifics.
January 26, 2023
U.S. Federal Civilian Executive Branch (FCEB)
Several U.S. federal agencies fell victim to a phishing scam that lured targets into logging into their bank accounts. Threat actors used AnyDesk and ScreenConnect as portable executables, which ran without admin privilege. Learn more about the phishing scam.
January 19, 2023
PayPal
PayPal reported a credential-stuffing attack, in which hackers leveraged username and password pairs sourced from previous data leaks. The company detected and mitigated the attack, but the hackers may have exfiltrated some sensitive data from the 35,000 compromised accounts. Discover the PayPal attack details.
January 7, 2023
CircleCI
CircleCI confirmed a data breach that stemmed from an employee’s laptop becoming infected with malware. The threat actor stole a valid MFA SSO session, allowing exfiltration of data that included customer environment variables, tokens, and keys. CircleCI’s antivirus software did not detect the malware. Learn how the CircleCI breach happened — and how to prevent similar attacks.
January 4, 2023
Twitter
A database of over 200 million Twitter users went public, originally scraped by exploiting an API vulnerability that was previously exposed from June 2021 to January 2022. Get the Twitter data leak details.
2022
December 31, 2022
Slack
Slack experienced a cyberattack where a limited number of employee tokens was stolen to gain access to the company’s externally hosted GitHub repository and private source code. Learn the details behind the Slack attack.
December 22, 2022
LastPass
LastPass released an updated statement confirming that customers’ 256-bit AES-encrypted password data had been looted. The hacker was also able to copy a backup of customer vault data that includes unencrypted data as well as encrypted fields such as usernames, passwords, and form-fill data. Read how LastPass attackers accessed password vaults.
December 1, 2022
AstraZeneca
In 2021, a developer accidentally left their Salesforce Cloud login credentials exposed in a GitHub repo. In 2022, security researchers found the repo, logged in, and stumbled upon sensitive data. PII was not exposed. Read more about the AstraZeneca data exposure.
November 30, 2022
LastPass
LastPass notified its customers that an unauthorized party had accessed certain elements of customers’ information within a third-party cloud storage service shared with GoTo (formerly LogMeIn). See how the Aug. 2022 hacking incident allowed exfiltration of encrypted customer data.
November 1, 2022
Dropbox
Dropbox suffered a data breach of their internal GitHub code repositories that included API keys. Dropbox employees were targeted with phishing emails that led them to an imitation CircleCI login page and also prompted them to enter a One-Time Password (OTP). Learn how the Dropbox attacker accessed a GitHub repo.
October 28, 2022
Twilio
Twilio disclosed a second breach by 0ktapus hackers where an employee was socially engineered through voice phishing (vishing). The Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers. Read about Twilio’s second 0ktapus incident.
October 18, 2022
Verizon
Verizon alerted customers of a cyberattack that granted third-party actors access to their accounts. The breach exposed the last four digits of the credit cards customers used to make payments on their prepaid accounts, and potentially enabled attackers to process unauthorized SIM card changes on prepaid lines. Learn more about the Verizon attack.
September 19, 2022
Rockstar Games
Video game publisher Rockstar Games experienced a data leak similar to the Uber hack below. Threat actors allegedly gained access to the company’s internal Slack messages and early code for their unannounced Grand Theft Auto video game sequel by gaining access to an employee’s login credentials. Read more about the Rockstar Games leak.
September 15, 2022
Uber
Uber fell victim to an MFA fatigue attack, in which an employee is sent repeated sign-in approval notifications via SMS in the hope that the endless prompts eventually lead them to complete the verification. The ride-sharing company attributes the attack to the cyber extortion group LAPSUS$. Discover how hackers found a way into Uber.
August 25, 2022
LastPass
LastPass experienced a security incident in which the threat actor gained access to its development environment for a 4-day period. It was contained immediately and no vault data or master passwords were compromised. Users were not asked to take any further action. In response to this incident, LastPass decommissioned the development environment and rebuilt it from scratch while further hardening developer machines, processes and authentication mechanisms. See the details of the Aug. 2022 LastPass breach.
August 10, 2022
Cisco
Cisco confirmed a breach of its corporate network where the attacker used voice phishing to convince an employee to accept MFA push notifications. They ultimately succeeded in gaining access to the company’s VPN and stealing an unspecified number of files from its network. Learn more about the Cisco breach.
August 7, 2022
Twilio
Twilio disclosed that hackers had accessed user data following 0ktapus, a sophisticated social engineering attack. Twilio identified 163 customers, including secure-communications provider Signal, whose data was accessed without authorization for a limited time. Read how Twilio customer data was exposed.
July 26, 2022
Okta
Group-IB analysts discovered that hackers targeted and stole 10,000 Okta user credentials and 5,441 MFA codes to carry out several sophisticated supply-chain attacks. Group-IB made its research on 0ktapus publicly available when Signal reported that 1,900 of their user accounts were hacked. Get the full details behind 0ktapus.
July 7, 2022
Marriott
Marriott suffered a data breach in its BWI Airport Marriott property near Baltimore. The hacker initiated a social engineering attack on a hotel staff member who unwittingly granted access to the property’s network, resulting in the theft of 300-400 customer credit card numbers. Read about Marriott’s recent security incident.
June 29, 2022
OpenSea
NFT giant OpenSea suffered a data breach after an employee of Customer.io, the company’s email delivery vendor, misused their privileged access to download and share the email addresses of OpenSea’s 1.8 million users and newsletter subscribers with an unauthorized external party. Learn more about the OpenSea phishing attack.
May 17, 2022
Costa Rica Government
Nearly 30 Costa Rican government institutions were hit in a wave of cyber attacks in May. The Russia-based hackers demanded $10 million, which went unpaid. In response, the Conti ransomware group released 97% of the 672 GB of data it had stolen. Read how Costa Rica was attacked.
April 12, 2022
GitHub
GitHub’s security team traced a breach to stolen OAuth user tokens issued to two third-party integrators, Heroku and Travis-CI, which were used to download data from private repositories belonging to dozens of organizations, including GitHub subsidiary npm. Attackers focused on exfiltrating PII to gain entry to other infrastructure and critical resources. Discover how GitHub repos were breached.
April 7, 2022
Cash App
Information of 8.2 million Cash App users was released by a former employee who accessed customer financial reports as an act of revenge against the company after their termination. A class action lawsuit was filed against the mobile payments company over “negligent” behavior. Read more about the Cash App attack.
April 4, 2022
Mailchimp
Mailchimp confirmed a data breach after malicious actors accessed an internal company tool used by the company’s customer support and account administration teams. After a successful social engineering attack, the hackers exported audience data, targeting customers in the cryptocurrency and finance sectors. Learn how hackers breached Mailchimp.
March 22, 2022
Microsoft
Microsoft confirmed that it was breached hours after LAPSUS$, a cyber extortion group, published a torrent file containing Bing, Bing Maps, and Cortana source code. Read how LAPSUS$ stole Microsoft source code.
March 18, 2022
HubSpot
HubSpot confirmed that over two dozen of its portals were subject to a data breach that compromised several of its clients’ data in the cryptocurrency space. Malicious actors compromised a HubSpot employee account used for customer support to extract contract details. This data breach affected companies like BlockFi, Swan Bitcoin, NYDIG, and Circle. Get details behind the HubSpot breach.
February 14, 2022
GiveSendGo
GiveSendGo was breached by politically motivated threat actors that released the personal information of 92,000 donors to the Freedom Convoy, an activist group of truck haulers based in Canada that protested COVID restrictions. The fundraising site was then redirected to another site that condemned the truckers — a case of a DDoS attack. Read more about the GiveSendGo attack.
February 4, 2022
News Corporation (News Corp)
Mass media and publishing giant News Corporation (News Corp) reported that it was the target of a persistent cyberattack that allowed an unauthorized third party to access personnel and journalists’ emails and business documents, which contained personal information. See how the WSJ and NY Post were attacked.
February 1, 2022
Oiltanking and Mabanaft Group
German oil companies Oiltanking and Mabanaft Group endured a cyberattack that threatened the gas supply of nearly 2,000 German Shell stations alone. Oiltanking declared force majeure, which excuses the company from meeting contractual obligations in an extraordinary event beyond its control, for most of its supply activities. Read how Oiltanking and Mabanaft Group operations were disrupted.
January 21, 2022
Okta
Okta experienced a breach by LAPSUS$, a cyber extortion group, which published a screenshot purporting to establish its access. LAPSUS$ accessed two active customer tenants in the Okta environment and had control for 25 consecutive minutes. See the details on the Okta breach.
January 20, 2022
Crypto.com
Crypto.com admitted that hackers stole $36.45 million worth of cryptocurrency by bypassing its 2FA system. This incident led to the introduction of the company’s Worldwide Account Protection Program (WAPP) that would reimburse “qualifying users” in “select markets” with up to $250,000 after unauthorized withdrawals. Learn more about Crypto.com’s bitcoin and Ether heist.
January 18, 2022
International Committee of the Red Cross
The International Committee of the Red Cross (ICRC) experienced a breach that resulted in the data of more than 515,000 vulnerable people being compromised. The attack was highly targeted, using a piece of code that had been written purely to be executed on the ICRC’s servers. Read more on the Red Cross cyber attack.
January 6, 2022
FlexBooker
Online appointment company FlexBooker discovered a second data breach originating from its AWS account that exposed personal files belonging to 3.7 million users, which were distributed to the dark web. Get the details on FlexBooker’s data compromise.