Google Salesforce Breach: ShinyHunters, OAuth Token Compromise, and Data Theft via Drift

Last month, Google issued an advisory, a little bit for your well-being, more for saving their own… face. It disclosed that one of Google's corporate Salesforce instances was breached by a threat actor tracked as UNC6040, better known by the alias ShinyHunters. Contact details of small and medium businesses were stolen, though Google insists no passwords were taken.

A few days later, the scope widened. Google warned that OAuth tokens tied to the Salesloft Drift platform were also compromised, including those issued to the Drift Email integration. OAuth tokens let apps connect to a service without a password, and they are bearer credentials: whoever holds the token can call the APIs it was scoped for, no MFA prompt is ever re-issued on the way, and the access lasts until the token is revoked or expires.

In response, Google revoked all OAuth tokens granted to Drift Email and disabled the integration between Google Workspace and Salesloft Drift pending further investigation.

[Figure. Credit: Google]

Attack Technique

The breach was not a simple smash-and-grab. Attackers combined:

  • A fake Okta sign-in page (a phishing panel) to harvest credentials.
  • Vishing (voice phishing) calls, impersonating IT support, to talk users through MFA prompts and capture the codes.
  • Salesforce Data Loader abuse. During the call, the victim was walked to Salesforce's Connected Apps setup page and told to enter a "connection code", which authorized an actor-controlled version of the Data Loader tool against the org. With that app connected, the attackers used its API access to export large volumes of data.

What’s Next for Victims

According to Google, ShinyHunters is likely to:

  • Demand ransom payments in Bitcoin.
  • Launch a data leak site (DLS) to pressure victims into compliance.

Links to Other Groups

ShinyHunters is no stranger to large-scale breaches. Past incidents attributed to the group include PowerSchool, Oracle Cloud, the Snowflake customer data-theft campaign, AT&T, Nitro PDF, Wattpad, and Mathway.

Researchers have also noted an apparent partnership between ShinyHunters and Scattered Spider in recent years, and a combined alias, Sp1d3rHunters, has surfaced. Google has additionally linked the activity to "The Com", the loose English-speaking online community from which Scattered Spider and similar crews recruit.

Whether these alliances escalate into broader attacks against Google's user base remains to be seen, but defenders should be prepared for the same playbook to be pointed at them.

Recommendation

Google's advisory also carries a mitigation list:

  • Adhere to the Principle of Least Privilege, Especially for Data Access Tools
  • Manage Access to Connected Applications Rigorously
  • Enforce IP-Based Access Restrictions
  • Leverage Advanced Security Monitoring and Policy Enforcement
  • Revoke and Rotate Credentials
  • Harden Access Controls
  • Investigate for Compromise and Scan for Exposed Secrets
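The attack technique above (a connected app authorized with a "connection code", then bulk exports) and Google's mitigation list (least privilege for data tools, rigorous connected-app management, IP restrictions, monitoring, investigation) suggest a concrete detection. The script below is an added example, not Google's, Salesforce's, or the page author's code. Its event records are constructed and deliberately simplified: the field names (`oauth_grant`, `bulk_export`, `detail`, `rows`) are assumptions loosely modelled on Salesforce login-history and Bulk API job data, not the real Salesforce schema, and the IP ranges and app names are invented. It scores every connected-app grant by where it came from, whether the app is approved, whether it was authorized via a connection code, and how much data left through it in the following hours.

```python
"""Detection sketch for the Data Loader / connected-app abuse described above.

Added example, not Google's, Salesforce's or the page author's code. The event
records are constructed and simplified; field names are assumptions loosely
modelled on Salesforce login-history and Bulk API job data, not the real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges (constructed, RFC 5737 documentation space).
CORP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Only these connected apps may pull bulk data (assumption: names as logged).
APPROVED_BULK_APPS = {"Corp Data Loader (managed)"}
EXPORT_ROW_THRESHOLD = 50_000     # rows exported after a grant before we care
WINDOW = timedelta(hours=6)       # how long after a grant exports are attributed to it

# Constructed events. The first three replay the vishing pattern: a grant made via
# a "connection code" from a non-corporate IP, followed by large bulk exports.
EVENTS = [
    {"ts": "2025-08-08T09:12:00", "user": "alice@example.com", "type": "oauth_grant",
     "app": "Data Loader", "ip": "45.66.77.88", "detail": "connection_code"},
    {"ts": "2025-08-08T09:40:00", "user": "alice@example.com", "type": "bulk_export",
     "app": "Data Loader", "ip": "45.66.77.88", "object": "Contact", "rows": 480_000},
    {"ts": "2025-08-08T09:55:00", "user": "alice@example.com", "type": "bulk_export",
     "app": "Data Loader", "ip": "45.66.77.88", "object": "Account", "rows": 120_000},
    # benign: the managed loader, from the office, modest volume
    {"ts": "2025-08-08T10:00:00", "user": "bob@example.com", "type": "oauth_grant",
     "app": "Corp Data Loader (managed)", "ip": "203.0.113.10", "detail": "browser"},
    {"ts": "2025-08-08T10:30:00", "user": "bob@example.com", "type": "bulk_export",
     "app": "Corp Data Loader (managed)", "ip": "203.0.113.10", "object": "Lead", "rows": 2_000},
    # noisy but low: an unapproved grant from the office with no export behind it
    {"ts": "2025-08-08T11:00:00", "user": "carol@example.com", "type": "oauth_grant",
     "app": "Data Loader", "ip": "203.0.113.22", "detail": "connection_code"},
]


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def find_suspicious_grants(events):
    """Score every connected-app grant by what followed it and where it came from."""
    exports = defaultdict(list)
    for e in events:
        if e["type"] == "bulk_export":
            exports[(e["user"], e["app"])].append(e)

    findings = []
    for g in (e for e in events if e["type"] == "oauth_grant"):
        t0 = datetime.fromisoformat(g["ts"])
        reasons = []
        off_net = not is_corporate(g["ip"])
        unapproved = g["app"] not in APPROVED_BULK_APPS
        if off_net:
            reasons.append("grant from outside corporate IP ranges")
        if unapproved:
            reasons.append("unapproved connected app")
        if g.get("detail") == "connection_code":
            reasons.append("authorised via connection code (device flow), the vishing lure")
        rows = sum(x["rows"] for x in exports[(g["user"], g["app"])]
                   if t0 <= datetime.fromisoformat(x["ts"]) <= t0 + WINDOW)
        big = rows >= EXPORT_ROW_THRESHOLD
        if big:
            reasons.append(f"{rows} rows exported within {WINDOW} of the grant")
        # A lone grant is noise; grant + off-net + unapproved app + bulk export is the pattern.
        severity = "high" if big and off_net and unapproved else "medium" if big else "low"
        findings.append({"user": g["user"], "app": g["app"], "ip": g["ip"],
                         "rows_exported": rows, "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def response_actions(findings):
    """Containment steps for high-severity findings: revoke first, investigate second."""
    return [(f"revoke connected app '{f['app']}' for {f['user']}; end active sessions; "
             f"rotate any credentials exposed in exported rows; pull audit trail for {f['ip']}")
            for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    results = find_suspicious_grants(EVENTS)
    for f in results:
        print(f"[{f['severity']:6}] {f['user']:<20} {f['app']:<28} rows={f['rows_exported']}")
        for r in f["reasons"]:
            print("          -", r)
    for a in response_actions(results):
        print("ACTION:", a)
```

Note what the scoring does and does not do: a connection-code grant on its own is only "low", because legitimate admins use the same flow; the signal is the combination of an off-network grant to an unapproved app followed by a bulk export. In a real deployment the IP allow-list belongs in Salesforce's login IP ranges for the relevant profiles as well, so the grant is refused rather than merely flagged.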

Speaking of being prepared, I'd recommend getting PureAUTH and avoiding the whole phishing, vishing, social engineering fiasco altogether, but you do you. Keep entering those passwords and MFA codes, only to get scammed and phished. Your choice 🙂

Rampant Multi-Redirection Phishing Attacks: The Monday Morning Trap

It’s Monday morning. You open your laptop, sip your coffee, log into Outlook…and before the caffeine even kicks in; you’ve been phished.

Best case? Your security team catches it, your boss gets an email, and you’re sentenced to the dreaded “mandatory security training” (because who doesn’t love an extra two hours of compliance videos?).

Worst case? You’ve just unlocked the front door for an attacker, handing them the keys to your organization’s most valuable data.

Either way… not a great start to the week.

Why Multi-Redirection Phishing Is Spreading Like Wildfire

You receive a link, by email or SMS. You click it, pass through one or more redirects (hence the name), and land on what looks exactly like the Outlook.com sign-in page. It is not. It is a reverse proxy run by the attacker with an adversary-in-the-middle kit such as Evilginx, which forwards everything you type to the real Outlook.com in real time and copies your credentials on the way through.

Outlook.com sees a login from an unfamiliar device or location and steps up authentication by asking for MFA.

The attacker is ready for that. The proxy forwards the MFA challenge straight back to you.

You approve the push, click the matching number, or type the TOTP code, and relax in the illusion of safety that MFA provides.

Because a one-time code or a push approval says nothing about which website you were on when you supplied it, the real service accepts it. It issues the session to the proxy, and the attacker now holds an authenticated session cookie: full access to your mailbox without needing your password or MFA again. They can read and steal data, pivot to whatever else that account reaches, and steal more. You are in trouble even though you thought you did everything right.
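The relay above works because a password and a TOTP code are the same bytes no matter which page they are typed into. The simulation below is an added example, not the page's or any vendor's code, and it goes slightly beyond the text: alongside the password-plus-TOTP relay it models the generic mechanism that makes any login phishing-resistant, origin binding, using a WebAuthn-style flow (the page's certificate-based product is one product built on that idea). Everything runs locally: `RealSite` plays Outlook.com, `Proxy` plays the attacker's reverse proxy, `Browser` plays the victim's browser and authenticator. HMAC stands in for the WebAuthn ECDSA signature, which does not change the argument, since what matters is that the relying party verifies the origin the browser signed over. Hostnames, the user and the secrets are invented.

```python
"""Why an Evilginx-style relay defeats password + TOTP but not an origin-bound login.

Added example, not the page's or any vendor's code. Local simulation only:
HMAC stands in for the WebAuthn ECDSA signature; hostnames and secrets are invented.
"""
import base64, hashlib, hmac, json, os, struct, time

REAL_ORIGIN = "https://login.outlook.example"           # stand-in for the real sign-in page
PHISH_ORIGIN = "https://login.outlook-secure.example"   # attacker's look-alike host
RP_ID = "login.outlook.example"                         # WebAuthn relying-party id


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The code says nothing about where it was typed."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class RealSite:
    """The genuine service: checks password+TOTP, or a WebAuthn-style assertion."""
    def __init__(self):
        self.passwords, self.totp_secrets, self.keys, self.sessions = {}, {}, {}, set()

    def _session(self):
        cookie = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.sessions.add(cookie)
        return cookie

    def login_password_totp(self, user, password, code, now):
        ok = self.passwords.get(user) == password and totp(self.totp_secrets[user], now) == code
        return self._session() if ok else None

    def challenge(self):
        return base64.urlsafe_b64encode(os.urandom(16)).decode()

    def login_webauthn(self, user, client_data_json, signature, challenge):
        data = json.loads(client_data_json)
        # The RP checks the origin the browser recorded, not merely that the signature verifies.
        if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
            return None
        expected = hmac.new(self.keys[user], client_data_json.encode(), hashlib.sha256).hexdigest()
        return self._session() if hmac.compare_digest(expected, signature) else None


class Browser:
    """Victim's browser plus authenticator. Credentials are scoped to an rpId."""
    def __init__(self):
        self.creds = {}

    def assert_for(self, page_origin, rp_id, challenge, enforce_rp_id=True):
        host = page_origin.split("://", 1)[1]
        # WebAuthn rule: rpId must be the page's host or a registrable suffix of it.
        if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("SecurityError: rpId does not match the page origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.creds[rp_id], client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class Proxy:
    """Evilginx-style relay: forwards whatever the victim submits to the real site."""
    def __init__(self, real):
        self.real, self.loot = real, {}

    def relay_password_totp(self, user, password, code, now):
        self.loot.update(user=user, password=password, totp=code)
        self.loot["session"] = self.real.login_password_totp(user, password, code, now)
        return self.loot["session"]

    def relay_webauthn(self, browser, user):
        challenge = self.real.challenge()        # real challenge, relayed to the victim's page
        try:                                     # but that page lives on PHISH_ORIGIN
            client_data, sig = browser.assert_for(PHISH_ORIGIN, RP_ID, challenge)
        except ValueError:
            return None
        return self.real.login_webauthn(user, client_data, sig, challenge)


USER, SECRET = "victim@example.com", b"12345678901234567890"   # constructed


def password_totp_scenario(now=1_700_000_000):
    """True when the relay ends up holding a valid session cookie."""
    real = RealSite()
    real.passwords[USER], real.totp_secrets[USER] = "hunter2", SECRET
    proxy = Proxy(real)
    code = totp(SECRET, now)                 # read off the phone, typed into the fake page
    cookie = proxy.relay_password_totp(USER, "hunter2", code, now)
    return cookie is not None and cookie in real.sessions


def webauthn_scenario():
    """Maps each attempt to whether a session was issued."""
    real, browser = RealSite(), Browser()
    real.keys[USER] = browser.creds[RP_ID] = os.urandom(32)
    proxy, out = Proxy(real), {}
    ch = real.challenge()
    cd, sig = browser.assert_for(REAL_ORIGIN, RP_ID, ch)
    out["direct_login"] = real.login_webauthn(USER, cd, sig, ch) is not None
    out["relayed"] = proxy.relay_webauthn(browser, USER) is not None
    ch = real.challenge()                    # even a browser that ignores the rpId rule...
    cd, sig = browser.assert_for(PHISH_ORIGIN, RP_ID, ch, enforce_rp_id=False)
    out["relayed_lax_browser"] = real.login_webauthn(USER, cd, sig, ch) is not None
    forged = cd.replace(PHISH_ORIGIN, REAL_ORIGIN)   # ...and rewriting the origin in transit
    out["forged_origin"] = real.login_webauthn(USER, forged, sig, ch) is not None
    return out


if __name__ == "__main__":
    print("password+TOTP relayed, attacker holds session:", password_totp_scenario())
    print("WebAuthn-style login:", webauthn_scenario())
```

Two independent checks stop the relay: the browser will not use a credential whose rpId does not match the page it is on, and even if it did, the signed client data names the phishing origin, so the relying party rejects it, and editing the origin field in transit invalidates the signature. Nothing in the TOTP path has either property, which is why the kit needs no cleverness at all to pass it through.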

[Figure: Rampant phishing attack on Outlook]

The Problem: MFA Alone Won’t Save You

Multi-factor authentication adds friction, but the common factors (SMS codes, TOTP, push approvals, number matching) are relayable: the kit passes the challenge to you and your answer back to the real site. Only factors bound to the origin you are actually talking to, such as FIDO2/WebAuthn security keys and passkeys or certificate-based client authentication, fail when the page in front of you belongs to the attacker. If your defense still depends on a password plus a relayable second factor, you are already behind.

How PureID Changes the Game

No passwords. No MFA prompts. No phishing risk.

PureID’s PureAUTH removes passwords entirely, replacing them with certificate-based access that attackers can’t phish, steal, or reuse.

  • Zero Trust, Passwordless: No credentials to intercept = no successful phishing.
  • Credential Stuffing Becomes Impossible: No password means nothing to steal in the first place.
  • Billions Saved: Reduced breach costs, downtime, and compliance fallout.

Don’t wait for the next breach. Go passwordless. Secure your organization with PureAuth. #GoPasswordless

Luxury Meets Liability: Dior Client Info Leaked in Major Cyber Breach

Imagine this: You get a message from Dior. It’s exclusive. Personalized. A once-in-a-lifetime offer. You click. Just like that, your personal data is now in a scammer’s hands.

This isn't fiction. It is playing out now. Luxury brands get hacked too, and the Dior client information leak is one of the larger data breaches of the year: names, phone numbers, addresses, and purchase history of Dior's high-end clientele are now in criminal hands.

The House of Dior is dealing with much more than brand reputation damage. Legal examination, customer mistrust, and phishing risks now engulf the legendary brand.

What Occurred: Dior Data Breach Timeline

In one of the biggest data breaches this year, Dior—synonymous with elegance and trust—fell victim to a cyberattack that exposed the personal information of its high-end clientele.

The intrusion, discovered on May 7, hit Dior's Fashion and Accessories division. The compromised data includes:

  • Names
  • Gender
  • Phone numbers
  • Email and mailing addresses
  • Transaction history

Passwords and payment details were housed in a different database and remained unaffected. Affected regions include South Korea and China.

Dior confirmed that cybersecurity specialists were summoned immediately. But the harm had already been inflicted.

Legal Consequences: Dior in Trouble in South Korea

In South Korea, where breach notification deadlines are set by law, Dior's reporting of the incident has drawn regulatory scrutiny. In China, Dior likewise confirmed that the breach compromised its list of high-end customers.

The consequences could severely damage Dior’s reputation with its most loyal and highest-spending customers.

The New Threat: Phishing Scams, False Coupons, and Brand Imitation

The real threat is just beginning.

With personal data now in circulation, cybercriminals are exploiting Dior’s trusted name to launch highly targeted phishing campaigns. Think:

  • Fake coupon codes
  • Phony marketing emails
  • Bogus password reset prompts

Dior’s prestige—its very brand equity—has become the perfect bait. Customers are much more likely to click on exclusive deals. These targeted phishing attacks are not only likely but inevitable.

The Core Problem: Traditional Trust Models Are Broken

Despite Dior's high-end image and layered security, the breach points to a familiar flaw: reliance on perimeter-based defenses.

  • Once inside, attackers could reach sensitive customer records.
  • No Zero Trust controls stood between that foothold and the data.
  • Internal systems treated access as legitimate by default, a dangerous assumption.

Dior’s Wake-Up Call

The Dior client info leak was the work of malicious actors, but outdated security thinking let it happen. That, not the headlines, is the strategic failure.

In luxury, trust isn't just a value, it's the product. And that trust now demands Zero Trust architecture.

Dior learned the hard way that sleek branding does not guarantee impenetrable systems. Its failure to comply with legal reporting requirements and its slow response endangered both customers and its reputation.

The cost? Legal sanctions, lost customer trust, and front-page headlines.

Zero Trust is the New Luxury

Zero Trust is no longer a buzzword. It is the future of cybersecurity, especially for brands that trade on exclusivity and customer confidence.

PureAuth exemplifies this approach:

  • Never stores Personal Identifiable Information.
  • Verification is continuous, with no backdoors.
  • Attackers cannot exploit urgency or impersonation to bypass controls.

In a world where phishing emails and counterfeit Dior sales can fool even sophisticated customers, Zero Trust is not optional. It is essential.

PureAuth does not secure passwords. PureAuth secures people.
