Salesforce: Some Customer Data Accessed via Gainsight Breach

An attack on the app of CRM platform-provider Gainsight led to the data of hundreds of Salesforce customers being compromised, highlighting the ongoing threats posed by third-party software in SaaS environments and illustrating how one data breach can lead to others, cybersecurity pros say.
The post Salesforce: Some Customer Data Accessed via Gainsight Breach appeared first on Security Boulevard.
CrowdStrike Fires Worker Over Insider Leak to Scattered Lapsus Hunters
Google says hackers stole data from 200 companies following Gainsight breach
Salesforce Confirms New Breach Linked to Gainsight Apps
Salesforce is probing unusual activity in Gainsight apps that may have exposed customer data, while ShinyHunters claims a new OAuth-based attack.
The post Salesforce Confirms New Breach Linked to Gainsight Apps appeared first on TechRepublic.
ShinyHunters Breach Gainsight Apps on Salesforce, Claim Data from 1000 Firms
Salesforce says some of its customers' data was accessed after Gainsight breach
Checkout.com Discloses Data Breach After Extortion Attempt
The information was stolen from a legacy cloud file storage system, not from its payment processing platform.
The post Checkout.com Discloses Data Breach After Extortion Attempt appeared first on SecurityWeek.
ShinyHunters Leak Data from Qantas, Vietnam Airlines and Other Major Firms
A Deniable Attack with Strategic Precision: Why the Red Hat Breach Looks More Like Statecraft Than Mere Crime
EXPERT PERSPECTIVE - The timing was no coincidence.
As the U.S. federal government ground to a halt at 12:01 a.m. EDT on October 1, 2025, a cybercriminal group calling itself the Crimson Collective chose that precise moment to publicly disclose one of the most significant supply chain compromises in recent memory. The breach of Red Hat's consulting division, affecting approximately 800 organizations, including critical defense contractors and government agencies, represents more than just another data breach; it demonstrates a sophisticated understanding of how to weaponize American politics for maximum strategic impact.
The stolen data from Red Hat's repositories reads like a VIP list, including the Naval Surface Warfare Centers, SOCOM, DISA, Raytheon, NASA's Jet Propulsion Laboratory, and even the House of Representatives. But what's most concerning isn't just who was targeted; it's the precision of when the breach occurred.
With large portions of the federal workforce furloughed and key cybersecurity teams across the government operating with sharply reduced staffing, America's cyber defense apparatus is running at a fraction of its normal capacity. The normal channels for incident response, DIBNet reporting, cross-agency coordination, and threat intelligence fusion have been significantly slowed.
According to the attackers, the breach itself occurred in mid-September. Yet they waited. They established their Telegram channel on September 24th, tested their capabilities with attacks on Nintendo and Claro Colombia, then synchronized their disclosure with the exact moment of maximum U.S. Government incapacity.
Customer Engagement Reports (CERs) are the crown jewels of consulting, providing detailed blueprints that contain network architectures, authentication tokens, API keys, and infrastructure configurations. Red Hat's consultants held the keys to the kingdom for hundreds of organizations. Now those keys are for sale, with an October 10 deadline that arrives while the government may remain partially paralyzed.
The Belgian Centre for Cybersecurity has already issued warnings about the "high risk" to organizations, but the real concern extends far beyond Belgium. The exposed data includes projects with cryptic references that represent not only a compromised project but also a potential entry point into critical defense systems.
What makes this particularly concerning is the nature of consulting engagements. Unlike product vulnerabilities that can be universally patched, consulting deliverables are custom configurations with unique implementations and specific architectural decisions. There's no single patch to fix this. Each affected organization must carry out its own forensic investigation and reestablish the integrity of its security architecture.
The involvement of ShinyHunters, operating their extortion-as-a-service platform, adds another dimension, making this a confederation of cybercriminal groups that share infrastructure, capabilities, and stolen data. The business model is evolving from ransomware-as-a-service to something more insidious: ecosystem exploitation-as-a-service.
ShinyHunters is simultaneously extorting companies and now joining forces with Crimson Collective to monetize the Red Hat breach. They're not attacking individual companies. They're targeting entire supply chains, betting that the interconnected nature of modern IT infrastructure expands their leverage.
For adversarial nation-states watching from Beijing, Moscow, Tehran, and Pyongyang, this incident provides a masterclass in asymmetric warfare. The shutdown didn't cause the breach, but it created the perfect conditions for maximum impact.
The timing also suggests potential nation-state involvement or direction, even if it is indirect through cutouts. The targets selected, from defense contractors to government agencies and critical infrastructure, align too perfectly with strategic intelligence collection priorities. Whether Crimson Collective is a pure criminal enterprise or a deniable asset, the effect is the same: America's defense industrial base is exposed at a moment of maximum vulnerability.
The Red Hat breach isn't a new kind of threat; it's a familiar playbook executed through new modalities. Our adversaries have long understood how to exploit U.S. vulnerabilities. What's changed is their precision and timing. They've learned to weaponize not only our technical gaps but also our political divisions, striking not when they're strongest, but when we're distracted, and increasingly, we're signaling exactly when that will be.
The October 10 deadline isn't just about ransom payments. It's about whether America can safeguard its critical infrastructure when government operations themselves are constrained. The answer to that question will extend well beyond Red Hat's customer base, sending signals to allies and competitors alike about the resilience of America's digital ecosystem.