
Balancing Rapid Innovation and Risk in the New Era of SaaS Security


 

The accelerating pace of technological innovation is leaving a growing number of organizations unwittingly exposed to serious security risks as they expand their reliance on SaaS platforms and experiment with emerging agent-based AI systems in an effort to thrive in the age of digital disruption. Businesses are increasingly embracing cloud-based services to deliver enterprise software to their employees at breakneck speed.

With this shift toward cloud-delivered services, organizations adopt new features at breakneck speed, often without pausing to implement, or even evaluate, the basic safeguards needed to protect sensitive corporate information. The unchecked pace of SaaS adoption has created a widening security gap, renewing the urgent need for the information security community to engage with those responsible for managing SaaS ecosystems.

Although frameworks such as the NIST Cybersecurity Framework (CSF) have guided InfoSec professionals for many years, many SaaS teams are only now beginning to use its rigorously defined functions—Govern, Identify, Protect, Detect, Respond, and Recover—particularly since CSF 2.0 emphasizes identity as the cornerstone of cyber defense to a degree previous versions did not.

Against this backdrop, Silverfort's identity-security approach is one of many new approaches emerging to help organizations meet these evolving standards, allowing them to extend MFA to vulnerable systems, monitor lateral movement in real time, and enforce adaptive controls more accurately. Together, these developments mark a critical moment for enterprises, which must balance relentless innovation with uncompromising security in a world that is increasingly SaaS-first and AI-driven.

As enterprise SaaS architecture evolves into expansive, distributed ecosystems built on multitenant infrastructure, microservices, and an ever-expanding web of open APIs, traditional security models are finding it increasingly difficult to keep up with the sheer scale and fluidity of modern operations.

This growing complexity has pushed enterprises toward intelligent, autonomous security measures that use behavioral analytics, anomaly detection, and AI-driven monitoring to identify threats well before they become active.

Unlike conventional signature-based tools, these advanced systems can detect subtle deviations in user behavior in real time, neutralize risks that would otherwise remain undetected, and build a picture of normal user behavior against which future activity can be compared. Innovators in the SaaS security space, such as HashRoot, are leading the way by integrating AI into the core of SaaS security workflows.

HashRoot's AI Transformation Services combine predictive analytics with intelligent misconfiguration detection to modernize aging infrastructures, strengthen security postures, and build proactive defenses that keep pace with the threat landscape of 2025 and the unpredictable threats ahead.

Over the past two years, the adoption of artificial intelligence within enterprise software has grown rapidly, transforming the SaaS landscape. According to new research, 99.7 percent of businesses rely on applications with built-in AI capabilities, a sign of how effectively the technology boosts efficiency and speeds up decision-making.

AI-enhanced SaaS tools are becoming commonplace in the workplace and are increasingly integrated into every aspect of the work process. As organizations grapple with this sweeping integration, however, a whole new set of risks emerges.

Among the most pressing is the loss of control over sensitive information and intellectual property: AI models often consume such data, raising complex questions about confidentiality, governance, and long-term competitive exposure.

Meanwhile, the threat landscape is shifting as malicious actors deploy sophisticated impersonator applications that mimic legitimate SaaS platforms in an attempt to trick users into granting access to confidential corporate data. The challenge is compounded because AI-related vulnerabilities have traditionally been identified and handled manually—an approach that consumes significant resources and slows the response to fast-evolving threats.

With growing reliance on cloud-based, AI-driven software as a service, the need for automated, intelligent security mechanisms has never been greater. CISOs and IT teams are also recognizing that disciplined SaaS configuration management is a critical priority. This falls under Platform Security and aligns closely with the CSF's Protect function. Organizations have learned in recent years that they cannot rely solely on cloud vendors for secure operation.

A significant share of cloud-related incidents can be traced back to preventable misconfigurations. Modern risk governance therefore relies on establishing clear configuration baselines and maintaining visibility across multiple platforms. While centralized tools can simplify oversight, no single solution covers the full spectrum of configuration challenges. Effective protection instead combines multi-SaaS management systems, native platform controls, and the judgment of skilled security professionals working within a defense-in-depth model.

SaaS security is never static, so continuous monitoring is indispensable against persistent threats such as unauthorized changes, accidental modifications, and gradual drift from the security baseline. Agentic AI is beginning to play a transformative role here.

By detecting configuration drift at scale, correcting excessive permissions, and maintaining secure settings at a pace humans alone cannot match, it is changing how SaaS environments are kept secure. Even so, configuration and identity controls alone do not secure an organization. Many organizations continue to rely on what is referred to as an “M&M security model” – a hardened outer shell with a soft, vulnerable center.

Once a valid user credential or API key is compromised, an attacker can pass through perimeter defenses and reach sensitive data. A strong SaaS data governance model, built on the principles of identifying, protecting, and recovering critical information, is essential to overcoming this weakness. It relies on accurate classification of data, so that high-value assets receive protection from unauthorised access, field-level encryption, and adequate safeguards when they are copied into lower-security environments.

Automated data masking now plays a critical role in preventing production data from leaking into these environments, where security controls are often weak and third parties often have access. When personal information is used in testing, compliance with evolving privacy regulations demands the same level of oversight as production data, and this evaluation must be repeated periodically as policies and administrative practices change.

Within SaaS ecosystems, it is equally important to keep data both accurate and available. The NIST CSF emphasizes a backup strategy that preserves data, allows precise recovery, and maintains uninterrupted operation, while the service provider remains responsible for the reliability of the underlying infrastructure.

Unlike traditional enterprise IT, which often relies on broad rollbacks to previous system states, modern SaaS environments need the ability to recover only the affected data without widespread disruption. This granular resilience is crucial for maintaining continuity, especially because agentic AI systems need accurate, up-to-date information to function effectively and securely.

Together, these measures demonstrate that safeguarding SaaS environments has evolved into a challenging multidimensional task - one that requires continuous coordination between technology teams, information security leaders, and risk committees in order to ensure that innovation can take place in a secure and scalable manner. 

As organizations increasingly rely on cloud applications to conduct business, SaaS risk management is becoming a significant challenge for security vendors hoping to meet enterprise demands. Businesses now need more than simple discovery tools that identify which applications are in use.

Platforms are increasingly expected to classify SaaS tools accurately, assess their security postures, and account for the rapidly growing presence of AI assistants and large language model-based applications that can now operate independently across corporate environments. This has created a need for enriched SaaS intelligence: a deeper level of insight that lets vendors provide services beyond basic visibility.

Incorporating detailed application classification, function-level profiling, dynamic risk scoring, and the detection of shadow SaaS and unmanaged AI-driven services gives security providers a more comprehensive, relevant and accurate platform for assessing an organization's risks.

Vendors that integrate enriched SaaS application insights into their architectures will gain a competitive edge as they address the next generation of SaaS and AI-related risks, and the businesses they serve can close persistent blind spots.

In an increasingly AI-enabled world, it will be the ability of platforms to anticipate emerging vulnerabilities, rather than merely respond to them, that determines which platforms remain trusted partners in safeguarding enterprise ecosystems.

A company's path forward will ultimately be shaped by its ability to embrace security as a strategic enabler rather than a roadblock to innovation. By weaving continuous monitoring, identity-centric controls, enriched SaaS intelligence, and AI-driven automation into their operational fabric, enterprises can modernize at speed without compromising trust or resilience.

Companies that invest now in strengthening governance, enforcing data discipline, and demanding greater transparency from vendors will have the greatest opportunity to take full advantage of SaaS and agentic AI while navigating the risks of an increasingly volatile digital future.

Amazon Sounds Alarm Over Attack Threatening 300 Million Accounts

 


Ahead of the Black Friday 2025 frenzy, Amazon has issued a warning to its large customer base about a surge in sophisticated scams expected to shadow the holiday season's busiest shopping week. On November 24, the company emailed a security advisory to millions of users, first reported by Forbes, warning that cybercriminals are increasingly exploiting the seasonal spike in online purchases by impersonating individuals, using fraudulent advertising, and sending unsolicited messages to elicit personal and financial information.

With approximately 310 million active customers, Amazon is a high-value target for attackers looking for easy money during the holiday season, so the company outlined five prominent tactics currently used to deceive shoppers, including fake account verification emails and unsolicited phone calls.

As Consumer Protection experts, we agree with these concerns; Mr. Mike Andrews, a representative from National Trading Standards, told Metro that scammers have an advantage over consumers when it comes to the weeks leading up to Christmas, knowing that even a small fraction of successful attempts during peak retail activities can yield significant returns. 

A new study published in the journal Cybercrime: Science and Technology found that a cybercriminal network has stepped up its impersonation campaigns against global companies such as Netflix and PayPal, using browser-based notification traps, criminal infrastructure, and a variety of other methods to deceive large numbers of users.

Against this background, Amazon’s November 24 advisory details how similar tactics are now being used against Amazon’s own customers, with scammers attempting to coerce victims into handing over personal data, financial credentials, and Amazon login information. Such scams aren't new, but they have become more refined and adaptive, cycling through techniques such as credential-stuffing attacks and malware-assisted account takeovers.

Fraudsters often carry out such operations by posing as customer service or technical support personnel - a tactic the FBI has also warned about in parallel alerts concerning bank-related scams. The underlying mechanics of the deception are essentially the same: attackers send persuasive text messages, emails, or phone calls that push customers to verify activity or resolve a supposed issue, tricking them into disclosing passwords or multifactor authentication codes.

Once a fraudster gains access, he immediately resets the account's security settings and locks out the legitimate user. A recent FBI study reveals an increase in lookalike websites and bogus alerts mimicking delivery updates and promotional offers, as well as misleading third-party advertisements and unsolicited calls masquerading as Amazon support.

These methods closely match patterns outlined in recent FBI investigations. New findings published on November 25 by FortiGuard Labs further underline the urgency of Amazon's warning, showing a sharp increase in threats specifically designed for the holiday season.

Over 18,000 recently registered domains included the terms "Black Friday," "Christmas," and "Flash Sale," with over 750 of those already confirmed to be malicious. In addition, of 19,000 domains designed to mimic major retailers, including Amazon, nearly 3,000 were verified by the report as fraudulent, and nearly half of those were identified as outright frauds. Decoy sites are often built with subtle spelling variations and visual similarities that shoppers rushing through deals can easily overlook.
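A small triage script for the two traits the FortiGuard report describes, holiday terms in the name and labels that sit a few edits or a look-alike character away from a retailer's name. This is an added example, not Amazon's or FortiGuard's code; the sample domains are constructed, and the brand list, character map and thresholds are assumptions.

```python
"""Score newly registered domains for holiday-scam and retailer-lookalike traits.

Added example, not Amazon's or FortiGuard's tooling. The domain list below is
constructed; the brand list, look-alike character map and thresholds are
assumptions chosen for illustration.
"""
import re

# Seasonal terms the report says appear in scam registrations (normalized form).
SEASONAL_TERMS = ("blackfriday", "christmas", "flashsale")

# Brand -> legitimate domains it actually owns (assumed list, not exhaustive).
BRANDS = {"amazon": {"amazon.com", "amazon.co.uk", "amazon.in"}}

# Character swaps commonly used for visual similarity; applied before comparison.
# Deliberately coarse: "corner" also becomes "comer", which is acceptable for triage.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("@", "a"))

# Constructed sample of "newly registered" names; none are real observations.
SAMPLE_DOMAINS = [
    "amazon.com",
    "arnazon.com",
    "amaz0n-deals.com",
    "black-friday-flash-sale.shop",
    "amazon.com.order-verify.net",
    "example.org",
]


def normalize(text):
    """Lowercase, fold look-alike characters, drop everything but a-z0-9."""
    text = text.lower()
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", text)


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label the registrant chose, e.g. 'arnazon' in arnazon.com or shop.arnazon.co.uk.

    Crude public-suffix handling: a trailing 'co/com/org/net.<cc>' counts as suffix.
    """
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain, brands=BRANDS):
    """Return (score, reasons); a higher score means more worth a closer look."""
    domain = domain.lower().strip(".")
    score, reasons = 0, []
    flat = normalize(domain)
    for term in SEASONAL_TERMS:
        if term in flat:
            score += 1
            reasons.append(f"seasonal term '{term}' in name")
    label = normalize(registrable_label(domain))
    for brand, legit in brands.items():
        if domain in legit or any(domain.endswith("." + d) for d in legit):
            continue  # the brand's own domain, or a subdomain of it
        if edit_distance(label, brand) <= 2:
            score += 3
            reasons.append(f"registrable label '{label}' is within 2 edits of '{brand}'")
        elif brand in flat:
            score += 2
            reasons.append(f"'{brand}' appears inside a domain {brand} does not own")
    return score, reasons


def triage(domains, threshold=2):
    """Rank domains by score, keeping those at or above the threshold."""
    ranked = sorted(((score_domain(d)[0], d) for d in domains), reverse=True)
    return [(s, d) for s, d in ranked if s >= threshold]


if __name__ == "__main__":
    for score, name in triage(SAMPLE_DOMAINS):
        print(score, name, "|", "; ".join(score_domain(name)[1]))
```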

Cybersecurity experts warn that the threat landscape is changing rapidly; Anne Cutler of Keeper Security points out that many of the latest scams are driven by artificial intelligence, which lets attackers generate convincing order confirmations, spoofed customer service conversations, and highly realistic retailer websites.

In response to these escalating risks, Amazon has issued stricter digital hygiene guidelines. It asks customers to rely solely on the Amazon app or website to manage their accounts, to enable two-factor authentication or use passkeys to protect their login credentials, and to remember that Amazon never solicits payment or credential information via unsolicited phone calls or email.

The retailer stressed the importance of these safeguards as cybercriminals intensify their efforts before the busiest shopping season of the year. Amazon shoppers should also keep in mind that, as security experts warn, the threat goes well beyond phishing attacks and fraudulent domains to the broader online marketplace.

Mike Andrews explains that artificial intelligence has made it significantly easier for scammers to manipulate product credibility by generating large volumes of convincing fake reviews on popular platforms like Google, Trustpilot, and Amazon. Bots can flood product pages with glowing testimonials, making it harder for customers to distinguish genuinely well-rated products from items artificially boosted to mask inferior or even dangerous goods.

Andrews adds that, while the share of misleading online reviews is hard to quantify, consumers should not rely on them blindly when making purchase decisions. A high number of reviews appearing within a very short period, overly vague praise that never mentions product features, or suspiciously generic comments may be signs that the product is not as good as it sounds.

Services like TheReviewIndex and RateBud, which analyze review authenticity, can offer additional perspective. Such manipulation of customer reviews varies in its goals, but it is often aimed at convincing shoppers to buy substandard items or products that may never arrive.

More aggressive scams seek personal information, financial information, or Amazon login credentials through fake messages, advertisements, or phone calls. Andrews also warns that deceptive advertising on social media is becoming increasingly sophisticated, with artificial intelligence (AI) often generating storefronts that mimic small businesses or festive markets using fake images and videos.

Although these sites look convincing, they often deliver nothing more than cheaply produced goods shipped from overseas, leaving customers disappointed and out of pocket. The surge in seasonal scams illustrates the importance of shoppers taking an active role in their own online security. Analysts believe that even simple habits, such as verifying sender addresses, checking URLs, updating passwords, and enabling multi-factor authentication, are enough to stop the vast majority of attempts.

Consumers are also encouraged to report suspicious pages or messages to Amazon and the relevant authorities so that they can be taken down before they spread. Even as cybercriminals refine their tactics with artificial intelligence (AI) and precision, the best defense is an informed public that shops deliberately, questions the unexpected, and prioritizes safety over urgency.

Scammers Used Fake WhatsApp Profiles of District Collectors in Kerala


Scammers target government officials 

In a likely phishing attempt, more than four employees of the Kasaragod and Wayanad Collectorates received WhatsApp messages from accounts imitating their district Collectors and asking for urgent money transfers. The numbers have since been passed to the cyber police, according to Collectorate officials.

Vietnam scammers behind the operation 

The messages came from Vietnam-based numbers but displayed the profile pictures of the respective Collectors, Inbasekar K in Kasaragod and D R Meghasree in Wayanad.

In one incident, the scammers also shared a Google Pay number, but the target didn't proceed. According to the official, "the employees who received the messages were saved simply because they recognised the Collector’s tone and style of communication." 

Two employees from Wayanad received messages, each from a different Vietnamese number. In the Kasaragod incident, Collector Inbasekar said many employees received the phishing messages on WhatsApp; two reported the incident. No employee lost money.

Scammers used typical scripts

The scam used a similar script in the two districts. The first message read: "Hello, how are you? Where are you currently?" In the Wayanad incident, the first message was sent around 4 pm, and in Kasaragod, around 5:30 pm. When the employee replied, a follow-up message arrived: "Very good. Please do something urgently." This shows that the scam followed the typical pitches used by scammers.

The numbers have been reported to the cyber police. According to Wayanad officials, "Once the messages were identified as fake, screenshots were immediately circulated across all internal WhatsApp groups." The cyber unit has blocked both the Vietnam-linked numbers and the Google Pay number.

What needs to be done?

The Kasaragod Collector cautioned the public and staff to be careful when receiving messages asking for money transfers. Coincidentally, in both incidents the messages were sent to staff employed in the Special Intensive Revision of electoral rolls, and in targeting them the scammers played on the pressures under which booth-level employees are working.

According to cyber security experts, the fake identity scams are increasingly targeting top government officials. Scammers are exploiting hierarchical structures to trick officials into acting promptly. “Police have urged government employees and the public to avoid responding to unsolicited WhatsApp messages requesting money, verify communication through official phone numbers or email, and report suspicious messages immediately to cybercrime authorities,” the New Indian Express reported.

Gainsight Breach Spread into Salesforce Environments; Scope Under Investigation

 



An ongoing security incident at Gainsight's customer-management platform has raised fresh alarms about how deeply third-party integrations can affect cloud environments. The breach centers on compromised OAuth tokens connected with Gainsight's Salesforce connectors, leaving it unclear how many organizations were affected and what type of information was accessed.

Salesforce was the first to flag suspicious activity originating from Gainsight's connected applications. As a precautionary measure, Salesforce revoked all associated access tokens and, for some time, disabled the concerned integrations. The company also released detailed indicators of compromise, timelines of malicious activity, and guidance urging customers to review authentication logs and API usage within their own environments.

Gainsight later confirmed that unauthorized parties misused certain OAuth tokens linked to its Salesforce-connected app. According to its leadership, only a small number of customers have so far reported confirmed data impact. However, several independent security teams, including Google's Threat Intelligence Group, reported signs that the intrusion may have reached far more Salesforce instances than initially acknowledged. These differing numbers are not unusual: supply-chain incidents often reveal their full extent only after weeks of log analysis and correlation.

At this time, investigators understand the attack as a case of token abuse, not a failure of Salesforce's underlying platform. OAuth tokens are long-lived keys that let approved applications make API calls on behalf of customers. Once attackers hold them, they can access CRM records through legitimate channels, which makes detection far more challenging. Because this approach lets intruders bypass common login checks, Salesforce has focused on log review and token rotation as immediate priorities.

To enhance visibility, Gainsight has onboarded Mandiant to conduct a forensic investigation into the incident. The company is investigating historical logs, token behavior, connector activity, and cross-platform data flows to understand the attacker's movements and whether other services were impacted. As a precautionary measure, Gainsight has also worked with platforms including HubSpot, Zendesk, and Gong to temporarily revoke related tokens until investigators can confirm they are safe to restore.

The incident is similar to other attacks that happened this year, where other Salesforce integrations were used to siphon customer records without exploiting any direct vulnerability in Salesforce. Repeated patterns here illustrate a structural challenge: organizations may secure their main cloud platform rigorously, but one compromised integration can open a path to wider unauthorized access.

For customers, the best steps are as straightforward as ever: monitor Salesforce authentication and API logs for anomalous access patterns; invalidate or rotate existing OAuth tokens; reduce third-party app permissions to the bare minimum; and, if possible, apply IP restrictions or allowlists to further restrict the range of sources from which API calls can be made.
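The log review and allowlist steps above, worked through as an added example that is not Salesforce's, Gainsight's or Mandiant's code: the records, field names and egress ranges are constructed, and the three rules are assumptions about what "anomalous" looks like for a connector that normally reads small slices of CRM data on behalf of a customer.

```python
"""Triage connected-app API activity for signs of OAuth token abuse.

Added example, not Salesforce's or Gainsight's own tooling. The log records,
field names and allowlist ranges below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed records in the shape of a per-request API usage export.
# Field names are an assumption, not a real Salesforce event schema.
SAMPLE_LOG = [
    {"ts": "2025-11-20T09:12:00Z", "app": "Gainsight Connector", "ip": "203.0.113.10", "op": "Query", "rows": 120},
    {"ts": "2025-11-20T09:15:00Z", "app": "Gainsight Connector", "ip": "203.0.113.10", "op": "Query", "rows": 80},
    {"ts": "2025-11-20T09:20:00Z", "app": "Zendesk Connector", "ip": "198.51.100.7", "op": "Query", "rows": 40},
    {"ts": "2025-11-21T02:03:00Z", "app": "Gainsight Connector", "ip": "192.0.2.77", "op": "Query", "rows": 9500},
    {"ts": "2025-11-21T02:04:00Z", "app": "Gainsight Connector", "ip": "192.0.2.77", "op": "BulkExport", "rows": 48000},
    {"ts": "2025-11-21T02:06:00Z", "app": "Gainsight Connector", "ip": "192.0.2.77", "op": "BulkExport", "rows": 51000},
]

# Egress ranges each vendor documents for its integration (constructed values).
ALLOWLIST = {
    "Gainsight Connector": [ip_network("203.0.113.0/24")],
    "Zendesk Connector": [ip_network("198.51.100.0/24")],
}


@dataclass
class Finding:
    app: str
    rule: str
    detail: str


def ip_allowed(app, ip, allowlist=ALLOWLIST):
    """True if the source IP is inside the vendor's documented egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in allowlist.get(app, []))


def triage(records, allowlist=ALLOWLIST, bulk_rows=10_000, spike_factor=10):
    """Return (findings, apps_to_rotate) for a batch of API log records."""
    findings = []

    # Rule 1: an integration calling from outside its documented ranges
    # (one finding per app/IP pair, not one per request).
    seen = set()
    for r in records:
        key = (r["app"], r["ip"])
        if key not in seen and not ip_allowed(r["app"], r["ip"], allowlist):
            seen.add(key)
            findings.append(Finding(r["app"], "unexpected-source-ip",
                                    f"{r['ip']} first seen at {r['ts']}"))

    # Rule 2: bulk extraction through a connector that normally reads small slices.
    for r in records:
        if r["op"] == "BulkExport" or r["rows"] >= bulk_rows:
            findings.append(Finding(r["app"], "bulk-extraction",
                                    f"{r['op']} returned {r['rows']} rows at {r['ts']}"))

    # Rule 3: daily row volume per app far above that app's earliest (baseline) day.
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        daily[r["app"]][r["ts"][:10]] += r["rows"]
    for app, days in daily.items():
        history = sorted(days.items())
        baseline = history[0][1]
        for day, volume in history[1:]:
            if baseline and volume >= spike_factor * baseline:
                findings.append(Finding(app, "volume-spike",
                                        f"{volume} rows on {day} vs baseline {baseline}"))

    # Any app that tripped a rule gets its token revoked and its scopes reviewed.
    return findings, sorted({f.app for f in findings})


if __name__ == "__main__":
    found, rotate = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.rule}] {f.app}: {f.detail}")
    print("rotate tokens for:", rotate)
```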

Both companies say they will provide further updates and support customers affected by the issue. The incident serves as yet another wake-up call that in modern cloud ecosystems, the security of one vendor often depends on the security practices of everyone in its integration chain.



Tor Network to Roll Out New Encryption Algorithm in Major Security Upgrade

 

The developers of the Tor network are preparing to replace one of the project’s oldest encryption systems in an effort to defend users against increasingly sophisticated cyberattacks. Tor confirmed that the relay encryption algorithm known as “tor1” will be retired and replaced by a new design called Counter Galois Onion, or CGO. Tor1 has been in use since the early 2000s and encrypts the traffic that travels between the relays that form a user’s circuit inside the Tor network. 

Although the system has been widely relied on for more than two decades, researchers say its design now presents several weaknesses, including exposure to so-called “tagging attacks.” These attacks allow an adversary to alter traffic at one relay and then look for predictable patterns further along the circuit that could help trace a user. The algorithm also reuses the same AES keys throughout a circuit and provides only a small authentication field, which Tor developers say has led to a non-negligible probability of forged data passing undetected. 

CGO has been designed to eliminate these issues. According to Tor, the new protocol adds forward secrecy to messages, prevents tampering, and brings encryption standards in line with modern cryptography. Tor explained in a technical post that the system ensures that if a message is modified, that message and all subsequent messages in the circuit become unreadable. The Tor Project described the upgrade as an effort to “defend users against a broader class of online attackers and form the basis for more encryption work in the future.” 

CGO is already implemented in Arti, Tor’s Rust-based client. A C version is in development to support the current relay infrastructure, since Rust relays are not yet deployed across the network. Developers have not provided a timeline for when CGO will arrive in the Tor Browser, noting that they are still tuning performance for modern processors. They acknowledged that CGO will likely be slower than tor1 initially, though optimizations are ongoing. 

The upgrade represents one of the most significant changes to Tor’s core cryptography in years. While the network is widely associated with the dark web and illicit markets, it is also used by journalists, activists and residents of authoritarian states seeking safe access to information. Tor’s history includes involvement from both government research institutions and privacy advocates, and the project continues to position encryption as a key protection against online surveillance.

CISA Warns of Rising Targeted Spyware Campaigns Against Encrypted Messaging Users

 

The U.S. Cybersecurity and Infrastructure Security Agency has issued an unusually direct warning regarding a series of active campaigns deploying advanced spyware against users of encrypted messaging platforms, including Signal and WhatsApp. According to the agency, these operations are being conducted by both state-backed actors and financially motivated threat groups, and their activity has broadened significantly throughout the year. The attacks now increasingly target politicians, government officials, military personnel, and other influential individuals across several regions. 

This advisory marks the first time CISA has publicly grouped together multiple operations that rely on commercial surveillance tools, remote-access malware, and sophisticated exploit chains capable of infiltrating secure communications without alerting the victim. The agency noted that the goal of these campaigns is often to hijack messaging accounts, exfiltrate private data, and sometimes obtain long-term access to devices for further exploitation. 

Researchers highlighted multiple operations demonstrating the scale and diversity of techniques. Russia-aligned groups reportedly misused Signal’s legitimate device-linking mechanism to silently take control of accounts. Android spyware families such as ProSpy and ToSpy were distributed through spoofed versions of well-known messaging apps in the UAE. Another campaign in Russia leveraged Telegram channels and phishing pages imitating WhatsApp, Google Photos, TikTok, and YouTube to spread the ClayRat malware. In more technically advanced incidents, attackers chained recently disclosed WhatsApp zero-day vulnerabilities to compromise fewer than 200 targeted users. Another operation, referred to as LANDFALL, used a Samsung vulnerability affecting devices in the Middle East. 

CISA stressed that these attacks are highly selective and aimed at individuals whose communications have geopolitical relevance. Officials described the activity as precision surveillance rather than broad collection. Analysts believe the increasing focus on encrypted platforms reflects a strategic shift as adversaries attempt to bypass the protections of end-to-end encryption by compromising the devices used to send and receive messages. 

The tactics used in these operations vary widely. Some rely on manipulated QR codes or impersonated apps, while others exploit previously unknown iOS and Android vulnerabilities requiring no user interaction. Experts warn that for individuals considered high-risk, standard cybersecurity practices may no longer be sufficient. 

CISA’s guidance urges those at risk to adopt stronger security measures, including hardware upgrades, phishing-resistant authentication, protected telecom accounts, and stricter device controls. The agency also recommends reliance on official app stores, frequent software updates, careful permission auditing, and enabling advanced device protections such as Lockdown Mode on iPhones or Google Play Protect on Android.  

Officials stated that the rapid increase in coordinated mobile surveillance operations reflects a global shift in espionage strategy. With encrypted messaging now central to sensitive communication, attackers are increasingly focused on compromising the endpoint rather than the encryption itself—a trend authorities expect to continue growing.

Google Confirms Data Breach from 200 Companies

Google has confirmed that hackers stole data from more than 200 companies after exploiting apps developed by Gainsight, a customer success software provider. The breach targeted Salesforce systems and is being described as one of the biggest supply chain attacks in recent months. 
 
Salesforce said last week that “certain customers’ Salesforce data” had been accessed through Gainsight applications, which are widely used by companies to manage customer relationships at scale. According to Google’s Threat Intelligence Group, more than 200 Salesforce instances were affected, indicating that the attackers targeted the ecosystem strategically rather than going after individual companies one by one. The incident has already raised deep concern across industries that depend heavily on third-party integrations to run core business functions. 
 
A group calling itself Scattered Lapsus$ Hunters, which includes members of the well-known ShinyHunters gang, has claimed responsibility. This collective has previously targeted prominent global firms and leaked confidential datasets online, earning a reputation for bold, high-impact intrusions. In this case, the hackers have published a list of alleged victims, naming companies such as Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. Some of these organisations have denied being affected, while others are still conducting internal investigations to determine whether their environments were touched. 
 
This attack underscores a growing reality: compromising a widely trusted application is often more efficient for attackers than breaching a single company. By infiltrating Gainsight’s software, the threat actors gained access to a broad swath of organisations simultaneously, effectively bypassing individual perimeter defences. TechCrunch notes that supply chain attacks remain among the most dangerous vectors because they exploit deeply rooted trust. Once a vendor’s application is subverted, it can become an invisible doorway leading directly into multiple corporate systems. 
 
Salesforce has stated that it is working closely with affected customers to secure environments and limit the impact, while Google continues to analyse the breadth of data exfiltration. Gainsight has not yet released a detailed public statement, prompting experts to call for greater transparency from vendors responsible for critical integrations. Cybersecurity firms advise all companies using third-party SaaS tools to review access permissions, rotate credentials, monitor logs for anomalies, and ensure stronger compliance frameworks for integrated platforms. 
 
The larger picture here reflects an industry-wide challenge. As enterprises increasingly rely on cloud services and SaaS tools, attackers are shifting their attention to these interconnected layers, where a single weak link can expose hundreds of organisations. This shift has prompted analysts to warn that due diligence on app vendors, once considered a formality, must now become a non-negotiable element of cybersecurity strategy. 
 
In light of the attack, experts believe companies will need to adopt a more vigilant posture, treating all integrations as potential threat surfaces, rather than assuming safety through trust. The Gainsight incident serves as a stark reminder that in a cloud-driven world, security is only as strong as the least protected partner in the chain.

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials

A new phishing operation is misleading users through an extremely subtle visual technique that alters the appearance of Microsoft’s domain name. Attackers have registered the look-alike address “rnicrosoft(.)com,” which replaces the single letter m with the characters r and n positioned closely together. The small difference is enough to trick many people into believing they are interacting with the legitimate site.

This method is a form of typosquatting where criminals depend on how modern screens display text. Email clients and browsers often place r and n so closely that the pair resembles an m, leading the human eye to automatically correct the mistake. The result is a domain that appears trustworthy at first glance although it has no association with the actual company.

Experts note that phishing messages built around this tactic often copy Microsoft’s familiar presentation style. Everything from symbols to formatting is imitated to encourage users to act without closely checking the URL. The campaign takes advantage of predictable reading patterns where the brain prioritizes recognition over detail, particularly when the user is scanning quickly.

The deception becomes stronger on mobile screens. Limited display space can hide the entire web address and the address bar may shorten or disguise the domain. Criminals use this opportunity to push malicious links, deliver invoices that look genuine, or impersonate internal departments such as HR teams. Once a victim believes the message is legitimate, they are more likely to follow the link or download a harmful attachment.

The “rn” substitution is only one example of a broader pattern. Typosquatting groups also replace the letter o with the number zero, add hyphens to create official-sounding variations, or register sites under different top-level domains that resemble the original brand. All of these are intended to mislead users into entering passwords or sending sensitive information.

Security specialists advise users to verify every unexpected message before interacting with it. Expanding the full sender address exposes inconsistencies that the display name may hide. Checking links by hovering over them, or using long-press previews on mobile devices, can reveal whether the destination is legitimate. Reviewing email headers, especially the Reply-To field, can also uncover signs that responses are being redirected to an external mailbox controlled by attackers.

When an email claims that a password reset or account change is required, the safest approach is to ignore the provided link. Instead, users should manually open a new browser tab and visit the official website. Organisations are encouraged to conduct repeated security awareness exercises so employees do not react instinctively to familiar-looking alerts.


Below are common variations used in these attacks:

Letter Pairing: r and n are combined to imitate m as seen in rnicrosoft(.)com.

Number Replacement: the letter o is switched with the number zero in addresses like micros0ft(.)com.

Added Hyphens: attackers introduce hyphens to create domains that appear official, such as microsoft-support(.)com.

Domain Substitution: similar names are created by altering only the top-level domain, for example microsoft(.)co.
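The variations listed above and the Reply-To header check described earlier, as an added Python example that is not part of the original post; the protected-brand list, the confusable table and the sample message are constructed for illustration:

```python
import re
import email
from email.policy import default

PROTECTED = {"microsoft.com"}        # assumed brand list; extend for your organisation
CONFUSABLES = [("rn", "m"), ("0", "o")]   # visual pairs from the variations listed above

def skeleton(label: str) -> str:
    """Fold confusable sequences: rnicrosoft -> microsoft, micros0ft -> microsoft."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def lookalike_of(host: str):
    """Return the protected domain this host imitates, or None if genuine/unrelated."""
    host = host.lower().strip(".")
    if any(host == p or host.endswith("." + p) for p in PROTECTED):
        return None                              # the real domain or a subdomain of it
    brand = host.split(".")[-2] if "." in host else host   # label left of the TLD
    for p in PROTECTED:
        p_brand = p.split(".")[0]
        if skeleton(brand) == skeleton(p_brand):  # letter pairing, digit swap, TLD swap
            return p
        if p_brand in brand.split("-"):           # hyphenated "official-looking" names
            return p
    return None

def check_message(raw: bytes) -> list:
    """Findings for one raw email: Reply-To mismatch, look-alike sender or link hosts."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    from_dom = msg["From"].addresses[0].domain if msg["From"] else ""
    reply_dom = msg["Reply-To"].addresses[0].domain if msg["Reply-To"] else ""
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(f"Reply-To {reply_dom} differs from From {from_dom}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for h in [from_dom, reply_dom] + re.findall(r"https?://([^/\s]+)", body):
        hit = lookalike_of(h) if h else None
        if hit:
            findings.append(f"{h} imitates {hit}")
    return findings

# Constructed sample message (not a real campaign artefact)
SAMPLE = b"""From: Microsoft Account Team <security@rnicrosoft.com>
Reply-To: helpdesk@microsoft-support.com
Subject: Password reset required

Reset your password here: https://login.rnicrosoft.com/reset
"""
```

Calling check_message(SAMPLE) returns four findings: the Reply-To mismatch plus one look-alike finding each for the From domain, the Reply-To domain and the link host.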


This phishing strategy succeeds because it relies on human perception rather than technical flaws. Recognising these small changes and adopting consistent verification habits remain the most effective protections against such attacks.