8th October 2025
Summary
- Total number of incidents disclosed: 49
- Total number of confirmed breached records: over 1.98 million
- Total number of unconfirmed breached records: 1.5 billion
Welcome to another monthly round-up of cyber attack and data breach news. September 2025 saw 49 publicly reported cyber attacks and data breaches around the globe.
In total, at least 1.98 million records were confirmed to have been breached, while attacker claims – particularly those linked to the ongoing Salesforce/Salesloft Drift breach – suggest the true figure may exceed 1.5 billion.
The month’s five largest incidents
Salesforce/Salesloft Drift campaign (multiple organisations)
- Records affected: 1.5 billion (unconfirmed)
- Data: Contact records, support case contents, internal files, OAuth tokens and API credentials
- Cause: Compromise of Salesloft Drift integrations used with Salesforce; stolen tokens leveraged by ShinyHunters
- Status: Confirmed by multiple victims; ongoing investigation across global enterprises and SaaS providers
Stellantis
- Records affected: 18 million (unconfirmed)
- Data: Employee, dealer, and customer details; internal documents and communications
- Cause: OAuth compromise via Salesforce/Salesloft Drift campaign
- Status: Confirmed; investigation ongoing; no financial or highly sensitive data reportedly exposed
FinWise Bank/American First Finance
- Records affected: 689,000
- Data: Full names, personal identifiers and financial account data
- Cause: Insider access – a former employee improperly accessed and exported sensitive data over two years
- Status: Confirmed; class-action lawsuit filed; affected individuals offered credit monitoring
Harrods
- Records affected: 430,000
- Data: Customer names, contact details, loyalty information and co-branded card identifiers
- Cause: Breach of a third-party e-commerce service provider used by Harrods
- Status: Confirmed; no payment card data or passwords exposed. Harrods refused to pay the attackers’ ransom demands and notified the ICO and affected customers.
Kido International (UK)
- Records affected: 8,000 children
- Data: Names, photos, home addresses and family contact details
- Cause: Ransomware data theft by the Radiant group
- Status: Confirmed; law enforcement investigation ongoing; attackers partially withdrew stolen photos following public backlash
Trends in September 2025
- Supply-chain attacks intensified – The Salesforce OAuth compromise expanded its impact across cybersecurity vendors, cloud providers and major enterprises.
- Operational ransomware returned – Manufacturing and aviation sectors saw renewed disruption attacks, echoing pre-2024 trends.
- Public-sector targeting increased – Government offices in the USA, Panama and the UK faced ransomware or data-theft incidents.
- Child data and education breaches – The Kido International attack highlighted growing risks to childcare and education providers, both in data sensitivity and reputational harm.
- Insider risk resurgence – The FinWise insider case shows that internal access remains a persistent data protection challenge.
Key vulnerabilities exploited
- OAuth token misuse – Attackers exploited token reuse and over-permissioned integrations in third-party CRM connectors (Salesforce/Salesloft Drift).
- Compromised CI/CD pipelines – Attacks like GhostAction and Shai-Hulud demonstrated the persistent risk of automated credential theft and malware propagation through developer ecosystems.
- Unpatched public systems – Ransomware groups continued to exploit exposed RDP servers and outdated VPN appliances in sectors such as government and manufacturing.
- Weak third-party controls – Breaches at vendors such as Harrods’ supplier and Wealthsimple’s software provider underscored the importance of rigorous supplier risk management.
List of data breaches and cyber attacks disclosed in September 2025
Disclosure Date | Organisation | Country | Sector | Incident Type | Records Affected |
02 September 2025 | Evertec/Sinqia S.A. | Brazil | Finance (Fintech) | Supply-chain (credential theft) | Unknown (~$130 m fraud attempt) |
03 September 2025 | Bridgestone | USA/Japan | Manufacturing | Cyber attack (operational disruption) | Unknown |
03 September 2025 | BeyondTrust | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
04 September 2025 | Chess.com | USA | Online Gaming | Data breach (third-party software) | ~4,500 |
04 September 2025 | Bugcrowd | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
05 September 2025 | Wealthsimple | Canada | Finance (Fintech) | Supply-chain (third-party software compromise) | Unknown ( |
05 September 2025 | Cato Networks | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
06 September 2025 | Nx via GitHub | Global | Technology (DevOps) | Supply-chain (CI/CD pipeline attack) | Unknown (2,180 accounts) |
06 September 2025 | Cloudflare | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
07 September 2025 | CyberArk | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
08 September 2025 | Lovesac | USA | Retail | Data breach (post-ransomware) | Unknown |
08 September 2025 | GitHub (GhostAction) | Global | Software Dev | Supply-chain (malicious app integration) | ~3,325 secrets |
08 September 2025 | Agility PR Solutions | Canada | PR Software | Supply-chain (OAuth token compromise) | Unknown |
08 September 2025 | Lucid Software | USA | SaaS | Supply-chain (OAuth token compromise) | Unknown |
08 September 2025 | Dynatrace | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
09 September 2025 | Elastic | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
10 September 2025 | Jaguar Land Rover | UK | Automotive | Ransomware (production disruption) | Unknown |
10 September 2025 | Esker | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
11 September 2025 | Panama Ministry of Economy and Finance | Panama | Government | Ransomware (data theft) | Unknown (1.5 TB data) |
11 September 2025 | Fastly | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
12 September 2025 | Google Workspace | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
13 September 2025 | Heap | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
14 September 2025 | HackerOne | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
15 September 2025 | FinWise/American First Finance | USA | Finance | Insider breach | 689,000 |
15 September 2025 | Kering (Gucci/Balenciaga/Alexander McQueen) | France | Luxury Retail | Ransomware (data theft) | Unknown |
15 September 2025 | JFrog | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
16 September 2025 | SonicWall | USA | Cybersecurity | Data breach (cloud backup) | Unknown ( |
16 September 2025 | Megaport | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
17 September 2025 | Multiple victims via Salesforce (known victims listed individually in this table) | Global | Cloud CRM | Supply-chain (OAuth token compromise) | ~1.5 billion (claimed) |
17 September 2025 | Collins Aerospace | USA/EU | Aviation Tech | Ransomware (operational disruption) | Unknown |
17 September 2025 | Nutanix | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
18 September 2025 | PagerDuty | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
19 September 2025 | Palo Alto Networks | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
20 September 2025 | Pantheon | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
21 September 2025 | Proofpoint | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
22 September 2025 | Stellantis | EU/Global | Automotive | Supply-chain (OAuth token compromise) | Unknown |
22 September 2025 | Qualys | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
23 September 2025 | Boyd Gaming | USA | Hospitality/Casino | Cyber attack (data breach) | Unknown |
23 September 2025 | Rubrik | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
24 September 2025 | SpyCloud | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
25 September 2025 | Volvo Group | Sweden | Automotive | Supply-chain (ransomware on vendor) | 870,000 |
25 September 2025 | Tanium | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
26 September 2025 | Union County, Ohio | USA | Government (Local) | Ransomware (data breach) | ~45,000 |
26 September 2025 | Kido International | UK | Education (Childcare) | Ransomware (data theft) | ~8,000 |
26 September 2025 | Tenable | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
27 September 2025 | Workday | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
28 September 2025 | Workiva | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
29 September 2025 | Harrods | UK | Retail (E-commerce) | Supply-chain (third-party breach) | 430,000 |
29 September 2025 | Zscaler | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |