Summary

  • Total number of incidents disclosed: 49
  • Total number of confirmed breached records: over 1.98 million
  • Total number of unconfirmed breached records: 1.5 billion

Welcome to another monthly round-up of cyber attack and data breach news. September 2025 saw 49 publicly reported cyber attacks and data breaches around the globe.

In total, at least 1.98 million records were confirmed to have been breached, while attacker claims – particularly those linked to the ongoing Salesforce/Salesloft Drift breach – suggest the true figure may exceed 1.5 billion.

The month’s five largest incidents

Salesforce/Salesloft Drift campaign (multiple organisations)

  • Records affected: 1.5 billion (unconfirmed)
  • Data: Contact records, support case contents, internal files, OAuth tokens and API credentials
  • Cause: Compromise of Salesloft Drift integrations used with Salesforce; stolen tokens leveraged by ShinyHunters
  • Status: Confirmed by multiple victims; ongoing investigation across global enterprises and SaaS providers

Stellantis

  • Records affected: 18 million (unconfirmed)
  • Data: Employee, dealer, and customer details; internal documents and communications
  • Cause: OAuth compromise via Salesforce/Salesloft Drift campaign
  • Status: Confirmed; investigation ongoing; no financial or highly sensitive data reportedly exposed

FinWise Bank/American First Finance

  • Records affected: 689,000
  • Data: Full names, personal identifiers and financial account data
  • Cause: Insider access – a former employee improperly accessed and exported sensitive data over two years
  • Status: Confirmed; class-action lawsuit filed; affected individuals offered credit monitoring

Harrods

  • Records affected: 430,000
  • Data: Customer names, contact details, loyalty information and co-branded card identifiers
  • Cause: Breach of a third-party e-commerce service provider used by Harrods
  • Status: Confirmed; no payment card data or passwords exposed. Harrods refused to pay the attackers’ ransom demands and notified the ICO and affected customers.

Kido International (UK)

  • Records affected: 8,000 children
  • Data: Names, photos, home addresses and family contact details
  • Cause: Ransomware data theft by the Radiant group
  • Status: Confirmed; law enforcement investigation ongoing; attackers partially withdrew stolen photos following public backlash

Trends in September 2025

  • Supply-chain attacks intensified – The Salesforce OAuth compromise expanded its impact across cybersecurity vendors, cloud providers and major enterprises.
  • Operational ransomware returned – Manufacturing and aviation sectors saw renewed disruption attacks, echoing pre-2024 trends.
  • Public-sector targeting increased – Government offices in the USA, Panama and the UK faced ransomware or data-theft incidents.
  • Child data and education breaches – The Kido International attack highlighted growing risks to childcare and education providers, both in data sensitivity and reputational harm.
  • Insider risk resurgence – The FinWise insider case shows that internal access remains a persistent data protection challenge.

Key vulnerabilities exploited

  • OAuth token misuse – Attackers exploited token reuse and over-permissioned integrations in third-party CRM connectors (Salesforce/Salesloft Drift).
  • Compromised CI/CD pipelines – Attacks like GhostAction and Shai-Hulud demonstrated the persistent risk of automated credential theft and malware propagation through developer ecosystems.
  • Unpatched public systems – Ransomware groups continued to exploit exposed RDP servers and outdated VPN appliances in sectors such as government and manufacturing.
  • Weak third-party controls – Breaches at vendors such as Harrods’ supplier and Wealthsimple’s software provider underscored the importance of rigorous supplier risk management.

List of data breaches and cyber attacks disclosed in September 2025

| Disclosure Date | Organisation | Country | Sector | Incident Type | Records Affected |
|---|---|---|---|---|---|
| 02 September 2025 | Evertec/Sinqia S.A. | Brazil | Finance (Fintech) | Supply-chain (credential theft) | Unknown (~$130 m fraud attempt) |
| 03 September 2025 | Bridgestone | USA/Japan | Manufacturing | Cyber attack (operational disruption) | Unknown |
| 03 September 2025 | BeyondTrust | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 04 September 2025 | Chess.com | USA | Online Gaming | Data breach (third-party software) | ~4,500 |
| 04 September 2025 | Bugcrowd | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 05 September 2025 | Wealthsimple | Canada | Finance (Fintech) | Supply-chain (third-party software compromise) | Unknown (<1% clients) |
| 05 September 2025 | Cato Networks | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 06 September 2025 | Nx via GitHub | Global | Technology (DevOps) | Supply-chain (CI/CD pipeline attack) | Unknown (2,180 accounts) |
| 06 September 2025 | Cloudflare | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 07 September 2025 | CyberArk | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 08 September 2025 | Lovesac | USA | Retail | Data breach (post-ransomware) | Unknown |
| 08 September 2025 | GitHub (Ghost Action) | Global | Software Dev | Supply-chain (malicious app integration) | ~3,325 secrets |
| 08 September 2025 | Agility PR Solutions | Canada | PR Software | Supply-chain (OAuth token compromise) | Unknown |
| 08 September 2025 | Lucid Software | USA | SaaS | Supply-chain (OAuth token compromise) | Unknown |
| 08 September 2025 | Dynatrace | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 09 September 2025 | Elastic | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 10 September 2025 | Jaguar Land Rover | UK | Automotive | Ransomware (production disruption) | Unknown |
| 10 September 2025 | Esker | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 11 September 2025 | Panama Ministry of Economy and Finance | Panama | Government | Ransomware (data theft) | Unknown (1.5 TB data) |
| 11 September 2025 | Fastly | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 12 September 2025 | Google Workspace | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 13 September 2025 | Heap | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 14 September 2025 | HackerOne | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 15 September 2025 | FinWise/American First Finance | USA | Finance | Insider breach | 689,000 |
| 15 September 2025 | Kering (Gucci/Balenciaga/Alexander McQueen) | France | Luxury Retail | Ransomware (data theft) | Unknown |
| 15 September 2025 | JFrog | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 16 September 2025 | SonicWall | USA | Cybersecurity | Data breach (cloud backup) | Unknown (<5% customers) |
| 16 September 2025 | Megaport | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 17 September 2025 | Multiple victims via Salesforce (known victims listed individually in this table) | Global | Cloud CRM | Supply-chain (OAuth token compromise) | ~1.5 billion (claimed) |
| 17 September 2025 | Collins Aerospace | USA/EU | Aviation Tech | Ransomware (operational disruption) | Unknown |
| 17 September 2025 | Nutanix | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 18 September 2025 | PagerDuty | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 19 September 2025 | Palo Alto Networks | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 20 September 2025 | Pantheon | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 21 September 2025 | Proofpoint | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 22 September 2025 | Stellantis | EU/Global | Automotive | Supply-chain (OAuth token compromise) | Unknown |
| 22 September 2025 | Qualys | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 23 September 2025 | Boyd Gaming | USA | Hospitality/Casino | Cyber attack (data breach) | Unknown |
| 23 September 2025 | Rubrik | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 24 September 2025 | SpyCloud | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 25 September 2025 | Volvo Group | Sweden | Automotive | Supply-chain (ransomware on vendor) | 870,000 |
| 25 September 2025 | Tanium | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 26 September 2025 | Union County, Ohio | USA | Government (Local) | Ransomware (data breach) | ~45,000 |
| 26 September 2025 | Kido International | UK | Education (Childcare) | Ransomware (data theft) | ~8,000 |
| 26 September 2025 | Tenable | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 27 September 2025 | Workday | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 28 September 2025 | Workiva | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
| 29 September 2025 | Harrods | UK | Retail (E-commerce) | Supply-chain (third-party breach) | 430,000 |
| 29 September 2025 | Zscaler | USA | SaaS | Third-party breach → OAuth token compromise → Salesforce data access | Unknown |
