
Telegram

Dataprivacy


Warning: Just One sticker could have exposed your Telegram secret messages

Cyber security firm Shielder disclosed a now-patched flaw in the Telegram messaging app that could have exposed the photos and videos of Telegram users ...

17-Feb-2021
2 min read


Related Articles


Telecommunication

1.3M Orange Belgium customers exposed. Hackers stole SIM data & PUK codes. The W...

On August 20, 2025, **Orange Belgium** disclosed a significant cyberattack impacting **850,000 customers**, approximately one-third of its subscriber base in Belgium and Luxembourg. The breach, detected in late July, exposed sensitive personal data including:

- Full names and telephone numbers
- SIM card serial numbers
- Tariff plan details
- **PUK (Personal Unblocking Key) codes**—critical for SIM card recovery

Notably, the company confirmed that **passwords, email addresses, and financial data** were not compromised, as these are stored on separate, isolated systems. The breach primarily affected a customer management database, though operational services remained uninterrupted.

## **Attack Methodology and Threat Actor Analysis**

### **Exploited Vulnerabilities**

The intrusion has been attributed to **Warlock**, an emerging ransomware gang exploiting a chain of SharePoint Server vulnerabilities known as **ToolShell**. These vulnerabilities, patched by Microsoft in July 2025, allow authentication bypass and remote code execution (RCE). Trend Micro researchers noted that Warlock used HTTP POST requests to upload webshells, followed by lateral movement using Group Policy abuse and credential theft.

### **Data Exfiltration & Extortion**

Warlock claims to have exfiltrated data without encrypting systems—a trend increasingly common among ransomware groups focusing on extortion. Orange Belgium refused to pay a ransom, leading to the data being published on dark web leak sites. The group’s tactics mirror those of **[LockBit](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-s-claim-against-the-us-federal-reserve-hack) 3.0**, whose source code was leaked in 2023.

## **Orange’s Response and Criticisms**

Orange Belgium’s incident response included:

- Immediate isolation of affected systems and security hardening
- Notification to regulatory authorities (Belgian Data Protection Authority) and judicial bodies
- Customer alerts via SMS and email with recommendations for vigilance

However, cybersecurity experts criticized the response:

- **Inti De Ceukelaire** (Chief Hacker at Intigriti) accused Orange of downplaying risks like **SIM swapping** and number theft, relying on a "corporate PR playbook" rather than proactive measures.
- Customers expressed frustration over the lack of tangible support (e.g., SIM card replacements) and the emphasis on users self-managing risks.

## **Historical Context: Orange’s Cybersecurity Challenges**

This incident is the third major cyberattack against Orange subsidiaries in 2025:

| **Date** | **Target** | **Threat Actor** | **Impact** |
|---|---|---|---|
| February 2025 | Orange Romania | HellCat/Rey | 6.5GB of employee data, partial payment cards, and 380,000 email addresses |
| July 2025 | [Orange Group](https://www.secureblink.com/cyber-security-news/orange-hacked-291-m-customers-at-risk-as-france-s-telecom-giant-collapses) (France) | Unidentified | Operational disruptions; no data confirmed stolen |
| July 2025 | Orange Belgium | Warlock | 850,000 customer records with SIM/PUK codes |

These incidents highlight **systemic vulnerabilities** in Orange’s infrastructure, including:

- **Third-party access points** (e.g., partner portals in the Romania breach)
- **Delayed patching** of critical software (e.g., SharePoint vulnerabilities)
- **Inconsistent security protocols** across subsidiaries

## **Broader Telecom Sector Threats**

The Orange Belgium breach occurred amid a global surge in telecom-targeted attacks:

- **Telefónica Peru**: Breached by the "Dedale" group, impacting 1 million customers.
- **U.S. Carriers (Verizon, AT&T)**: Infiltrated by China-linked **Salt Typhoon** seeking wiretap information.
- **Colt Technology Services**: Targeted by Warlock in parallel attacks, disrupting customer portals and APIs.

Regulatory bodies like the **FCC** are tightening cybersecurity requirements for critical communications infrastructure, emphasizing **Zero Trust frameworks** and mandatory incident reporting.

21-Aug-2025
3 min read

Salesforce

ShinyHunters

Allianz Life hit by Salesforce breach—1.1M customers exposed in a social enginee...

The **Allianz Life Insurance Company of North America**—the U.S. arm of global financial powerhouse Allianz SE—has become the [latest victim](https://www.secureblink.com/cyber-security-news/1-4-m-allianz-life-customers-exposed-in-massive-shiny-hunters-crm-hack) in a string of **social engineering attacks targeting cloud platforms**. On **July 16, 2025**, attackers tied to the **ShinyHunters collective** infiltrated a third-party customer relationship management (CRM) platform used by the insurer. By the time the breach was detected and contained the following day, data belonging to most of Allianz’s **1.4 million U.S. customers** had been siphoned.

In the weeks since, investigators have pieced together a clearer picture. Roughly **1.1 million unique individuals** were affected, though attackers exfiltrated nearly **2.8 million records**—a figure inflated by duplicates, partner contacts, and non-customer entries. Even so, the breach ranks among the most significant in the U.S. insurance sector’s history.

## From Alarm to Clarity

Early disclosures were vague, with Allianz confirming only that a “majority” of customers were impacted. Independent researchers quickly identified ShinyHunters, a prolific data-theft and extortion crew that has been active since 2020. Their preferred method is not technical exploitation but the **manipulation of human behavior**.

Subsequent investigation confirmed that attribution. The Allianz incident mirrors a campaign tracked by Google’s Threat Analysis Group as **UNC6040**, in which attackers impersonate IT staff or vendors over the phone, tricking employees into approving **malicious Salesforce connected apps** or installing doctored versions of the Salesforce **Data Loader** tool. With OAuth tokens secured, criminals gain legitimate high-level access to Salesforce environments and quietly export massive datasets.

Crucially, no Salesforce software vulnerability was exploited. As Salesforce emphasized, this was **consent theft through social engineering**, not a flaw in the platform.

## What Was Stolen

Analysis of the leaked trove by *Have I Been Pwned* and *BleepingComputer* revealed a wealth of sensitive personal data:

* **Full names, dates of birth, physical addresses, phone numbers, and email addresses**
* In many cases, **Social Security numbers or tax identification numbers**

Although Allianz clarified that only about **1.1 million unique individuals** were exposed, the data is rich enough to fuel widespread identity theft, targeted phishing, and financial fraud.

## A Broader Campaign

The Allianz breach is part of a wider 2025 campaign exploiting **Salesforce trust relationships** rather than corporate networks themselves. Other victims include **Pearson, Google, LVMH, and the Internet Archive**.

For Allianz, the distinction matters: the company’s **internal systems were not breached**. But its Salesforce-hosted CRM environment contained everything attackers needed to build detailed profiles of customers, policyholders, and advisors. The case underscores the **third-party risk problem**—even the strongest internal defenses can be undermined by a weak link in the supply chain.

## ShinyHunters and the Web of Attribution

ShinyHunters claimed responsibility, but researchers noted overlaps with **Scattered Spider** and remnants of **Lapsus\$**. Whether this was direct collaboration or opportunistic branding remains uncertain. What is clear is the shared playbook: **voice phishing, OAuth token abuse, and large-scale exfiltration**.

This blurring of lines reflects the evolving cybercrime ecosystem, where attribution is less about neat labels and more about **fluid alliances and shared tactics**.

## Allianz’s Response

To its credit, Allianz acted quickly once the breach was discovered. Within 24 hours, it contained the intrusion, notified the **FBI** and relevant state attorneys general, and began customer notifications.

The insurer is offering **24 months of identity protection and credit monitoring** through Kroll. While some argue that two years is insufficient given the permanence of Social Security numbers, it aligns with regulatory expectations.

The Allianz incident reinforces a hard truth: **modern cyberattacks increasingly target people, not systems**. Firewalls and intrusion detection systems can’t defend against an employee pressured into approving a malicious app or clicking “allow” under the guise of IT support.

19-Aug-2025
4 min read

Social Engineering

Workday’s third‑party CRM breach exposed contact data, heightening social engine...

Major breaches rarely begin at the heart of a platform. More often, they creep in through the overlooked edges — the integrations, partner tools, and customer systems that orbit the core. Workday, a dominant force in enterprise HR serving thousands of companies and tens of millions of users, has now confirmed such a breach. The incident bypassed its tenant environments and instead originated in a third-party customer relationship database tied to its go-to-market operations. The stolen data was primarily contact information—names, email addresses, phone numbers—seemingly mundane, yet exactly the raw material attackers weaponize for convincing social engineering, spear‑phishing, and voice‑phishing campaigns at scale. In a telling disclosure nuance, the breach notice was initially shielded from search engines with a “noindex” directive, limiting organic discoverability even as the implications for enterprise defenders were immediate: the weakest link may not be the fortress, but the side gate.

Workday stated there was no indication its customer tenants or the data within them were accessed. That assurance matters; tenant environments typically house HR master records, payroll, benefits, and sensitive PII and PHI governed under strict controls. But the attack path via an external CRM underscores a reality of modern SaaS estates: trust boundaries blur when adjacent systems—owned by vendors, partners, or integrators—hold enough identity and relationship context to bootstrap an intrusion. Contact databases, enrichment pipelines, and marketing automation stacks often sit outside the zero‑trust rigor applied to core systems, yet they are rich in signals attackers can use to convincingly impersonate support, executives, vendors, or IT.

## From contact data to compromise

Contact records become attack ammunition when paired with basic tradecraft. With accurate names, roles, org hierarchies, and work emails or phone numbers, a threat actor can stage high‑fidelity pretexts that slip past human skepticism and automated filters. Voice‑phishing (vishing) can defeat MFA through real‑time relay or prompt bombing. Email phishing can land initial tokens via OAuth consent grants. SMS can drive victims to adversary‑in‑the‑middle pages that capture sessions. Even if the initial breach yields no credentials or tokens, the harvested contact graph is the social substrate required to orchestrate targeted intrusion attempts that look natural in corporate workflows.

In parallel attack campaigns observed across the industry, groups have leveraged access to third‑party CRM or support platforms to enumerate high‑value targets, seed believable communications, and escalate toward administrative control in core SaaS tenants. The playbook is consistent: mine contact lists, masquerade as trusted internal or vendor personas, pressure or trick staff into handing over approval flows, and then pivot to cloud consoles, file stores, and identity providers. Once inside, attackers can create persistence through app registrations, API keys, and conditional access gaps that survive password resets.

## Why third‑party CRM systems are prime targets

CRM platforms aggregate the customer and prospect universe, centralize conversations, and often integrate with identity tooling for convenience. They connect to email, calendaring, support desks, and data enrichment services. They are also widely administered by sales ops, marketing ops, or external partners with broad permissions and API automations. This makes them a high‑ROI target: compromise one privileged CRM integration or admin identity, and an adversary gains visibility and credibility across thousands or millions of relationship endpoints.

Moreover, CRM data typically falls outside the strictest compliance categories, so it may not benefit from the encryption, key management, step‑up authentication, and privileged access monitoring that guard crown‑jewel HR or finance systems. The result is a dangerous asymmetry: data that appears low-sensitivity in isolation becomes high-impact when used to socially engineer access to truly sensitive systems.

## Disclosure signals towards the optics of containment

The presence of a “noindex” tag on the disclosure page—effectively muting search visibility—raises questions about balancing transparent risk communication against the desire to limit reputational harm or opportunistic attacker attention. In practice, defenders at customer organizations need timely, discoverable details to tune detection rules, update allowlists and blocklists, and brief employees on specific pretext risks. Even when incident scopes are limited, maximizing clarity accelerates downstream defensive action: who is affected, what data types were involved, what pretexts are likely, and what countermeasures should be prioritized.

Workday’s statement that customer tenants were not implicated is encouraging, yet the gray zone remains: any overlap between CRM contact datasets and tenant user populations creates an avenue for inbound social engineering that targets the very administrators and payroll personnel who can authorize sensitive changes. For large enterprises, even a small percentage of successful pretexting attempts can lead to material exposure.

The Workday incident’s core lesson is not about a catastrophic system failure; it’s about how convenience mechanisms and adjacent data ecosystems reshape the attack surface. Identity remains the control plane of the cloud. When attackers gain the means to convincingly impersonate trusted actors, they can exploit the human interface of identity approvals.

There is a discrete parallel in a separate incident involving security flaws in a major carmaker’s dealership portal, where a researcher demonstrated how two authentication bugs allowed creation of a high‑privilege admin account, user impersonation, and sweeping access across interconnected dealer systems. While the domains differ—CRM exposure versus dealership IT—the connective tissue is the failure of authentication and authorization guardrails at integration boundaries. In one, contact data fuels social entry; in the other, broken auth enables direct privilege escalation. Both show how centralized, convenience‑oriented platforms become leverage points for broad compromise when trust is misplaced or controls are lax.

## When Convenience Becomes a Single Point of Failure

The Workday breach is a case study in how modern enterprise risk concentrates not only in core systems but in the connective tissue that surrounds them. Third‑party CRMs, support desks, and partner portals possess just enough identity context to prime an attack, and just enough integration reach to amplify it. The parallel from the dealership portal world—where two simple authentication flaws unlocked national‑level access—illustrates the same structural hazard: convenience layers can quietly become systemic single points of failure.

18-Aug-2025
6 min read