Hello and welcome back to The Breach Report!
September delivered another round of high-stakes breaches — targeting fintech, auto, SaaS platforms, and even the airline industry — with attackers yet again capitalizing on weak vendor systems, token misuse, and third-party dependencies.
The recurring themes? Supply-chain compromise, OAuth/token misuse, and vendor ecosystem gaps.
Follow along and subscribe to stay ahead of what’s next in cyber threat and data breach news.
🚨 Top 7 Data Breaches of September 2025
1. Volvo / Miljödata Vendor Breach (Global / USA impact)
What happened: A ransomware attack on the HR software provider Miljödata compromised Volvo’s employee data (as well as data from other clients) in late September.
Impact: Exposed names, government IDs, addresses, and SSNs for some U.S. employees. No payroll or financial data was affected (per company statements).
Lesson: Even your HR vendor must meet the same scrutiny as your core systems — identity and employee data are high-value targets.
2. Stellantis / Salesforce Supply-Chain Incident (USA / Global)
What happened: Stellantis confirmed a data breach linked to the ongoing Salesforce / Salesloft/Drift OAuth token exploitation campaign.
Impact: Internal documents, communications, and personal data of employees, customers, and suppliers were exposed.
Lesson: The “ripple effect” from a single SaaS integration continues to wreak havoc across industries.
3. Wealthsimple (Canada / Fintech)
What happened: A data breach was disclosed in early September, traced to a compromised third-party software module tied to the broader Salesforce token campaign.
Impact: Affected <1% of customers; data such as contact details, IDs, and account numbers exposed. No fund loss or password compromise reported.
Lesson: Even carefully regulated financial firms can be undermined by smaller, less visible software dependencies.
4. Cloudflare (USA / Global SaaS)
What happened: As part of the Salesloft/Drift OAuth token attack, Cloudflare’s Salesforce instance was breached, exposing customer support data, API tokens, and internal information.
Impact: Sensitive support ticket content, credentials, and internal metadata were exposed.
Lesson: SaaS firms are on the front lines of token-based threats — continuous monitoring and least privilege controls are critical.
5. Workiva (USA / SaaS)
What happened: Attackers compromised Workiva’s systems via the same Salesforce supply-chain exploit, accessing contact records and internal case data.
Impact: Business contacts, support cases, and internal correspondence were stolen.
Lesson: Even sensitive enterprise-software providers are vulnerable to third-party token misuse.
6. WestJet (Canada / Airline)
What happened: WestJet admitted that some passenger information was exposed in a breach from earlier this year.
Impact: Passenger data (names, contact info) was exposed. No payment data involved.
Lesson: The travel and airline sectors remain high-value targets, especially when vendor systems touch customer data.
7. DraftKings (USA / Gaming / Sports)
What happened: On September 2, DraftKings warned that customer accounts may have been accessed via credential stuffing or brute-force attacks, though their systems were not directly breached.
Impact: Names, contact info, phone numbers, DOBs, partial payment card digits, and account activity could be exposed.
Lesson: Credential reuse and weak login defenses continue to be easy gateways into auxiliary data.
🖥️ Industry Highlights: What’s in the Hot Seat
Token & OAuth weaponization — the Salesloft/Drift exploit remains the top vector for cascading breaches.
Vendor domino effects — when one SaaS service falls, many downstream are at risk.
Vendor governance matters — HR, fintech, airline vendors all surfaced in September.
Credential hygiene still critical — DraftKings reminds us that account-level security remains a first line of defense.
🛡️ Pro Tips & Tools
Rotate and limit token scopes; enforce token expiration and anomaly alerts.
Contractually require immediate vendor notifications and breach escalation protocols.
Adopt zero-trust principles across SaaS integrations.
Monitor for credential abuse, brute force, and account anomalies continuously.
Encrypt vendor-facing data flows and limit external system access.
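One way to put the token tips above into practice, as an added example that is not part of the original newsletter: a small audit over an inventory of OAuth grants issued to third-party integrations. The record fields, scope names, thresholds, and sample data are constructed assumptions, not any vendor's real export format.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed policy values; tune to your own rotation and scope standards.
MAX_TOKEN_AGE = timedelta(days=90)
BROAD_SCOPES = {"full", "api", "admin"}            # hypothetical scope names
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)   # fixed so the run is reproducible

# Constructed sample inventory: one record per OAuth grant to an integration.
GRANTS = [
    {"app": "chat-widget", "scopes": ["full", "refresh_token"], "issued": "2025-01-10",
     "expires": None, "usual_nets": ["198.51.100.0/24"], "last_ip": "203.0.113.7"},
    {"app": "billing-sync", "scopes": ["read_invoices"], "issued": "2025-09-01",
     "expires": "2025-11-30", "usual_nets": ["192.0.2.0/24"], "last_ip": "192.0.2.44"},
    {"app": "hr-export", "scopes": ["read_employees"], "issued": "2025-03-15",
     "expires": "2026-03-15", "usual_nets": ["192.0.2.0/24"], "last_ip": "192.0.2.9"},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit_grant(grant, now=NOW):
    """Return the list of policy findings for one grant (empty list = clean)."""
    findings = []
    broad = sorted(BROAD_SCOPES.intersection(grant["scopes"]))
    if broad:
        findings.append("broad_scope:" + ",".join(broad))
    if grant["expires"] is None:
        findings.append("no_expiry")
    elif _day(grant["expires"]) < now:
        findings.append("expired_but_listed")
    if now - _day(grant["issued"]) > MAX_TOKEN_AGE:
        findings.append("rotation_overdue")
    ip = ipaddress.ip_address(grant["last_ip"])
    if not any(ip in ipaddress.ip_network(n) for n in grant["usual_nets"]):
        findings.append("unusual_source_ip")
    return findings

def audit(grants, now=NOW):
    """Map app name -> findings, keeping only grants that need attention."""
    report = {g["app"]: audit_grant(g, now) for g in grants}
    return {app: f for app, f in report.items() if f}

if __name__ == "__main__":
    for app, findings in audit(GRANTS).items():
        print(f"{app}: {', '.join(findings)}")
```

Feeding the findings into an alerting queue, with `unusual_source_ip` at the highest priority, covers the "anomaly alerts" part of the tip; the other findings drive rotation and scope-reduction work.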
⚠️ Emerging Threats to Watch
OAuth reuse & lateral token escalation — threat actors are increasingly chaining tokens across systems.
Supply-chain cascade risk — one vendor’s breach can ripple across multiple industries.
Credential stuffing / account hijack — still a top vector for attackers in 2025.
Regulated sectors as soft targets — airlines, fintech, HR systems all entered the breach map this month.
💡 Final Thoughts
September emphasized what many already suspected: your weakest SaaS integration or vendor connection may be the pathway attackers choose.
From Volvo’s HR vendor compromise to the Stellantis fallout from token misuse, the balance of power is shifting. Defending your perimeter is no longer enough — securing every touchpoint, token, and integration in your ecosystem is now the mandate.
Stay vigilant, and we’ll bring you the October report next month.