August 2025: SaaS Supply Chain Breaches, Telecom Data Exposures, and Ransomware Campaigns
August 2025 saw a wave of high-impact cyber incidents affecting millions worldwide. SaaS supply chain threats dominated headlines, with the Salesloft Drift and Salesforce integration breaches exposing hundreds of organizations through OAuth token abuse and social engineering. Meanwhile, data exposures at TransUnion and Bouygues Telecom highlighted the risks tied to third-party services and customer databases.
Ransomware actors also remained active, with DaVita and Colt Technology Services facing disruptions, while Akira ransomware ramped up campaigns exploiting SonicWall VPN flaws. Additionally, a joint advisory attributed Salt Typhoon espionage activity to Chinese technology firms, underscoring the role of state-linked ecosystems in global operations.
This article reviews the major cyber attacks of August 2025, outlining key incidents, tactics, and lessons for defenders.
Salesloft Drift Integration Breach Exposed Over 700 Organizations
In August 2025, threat actors exploited Salesloft’s Drift chatbot integration to launch one of the most extensive SaaS supply chain attacks in recent memory. The attackers, tracked as UNC6395, leveraged stolen OAuth tokens to access customer environments across Salesforce, Google Workspace, Slack, and other services. These tokens were originally exfiltrated from Drift’s AWS environment, following a GitHub compromise of Salesloft months earlier.

The attackers used Python automation and Salesforce Bulk APIs to extract large volumes of sensitive data, including account records, support case content, and embedded secrets like API keys. Over 700 organizations were impacted, including Cloudflare, Zscaler, Palo Alto Networks, and PagerDuty. While no vulnerabilities were found in Salesforce itself, the incident underscored risks tied to over-permissive third-party integrations.
Salesloft revoked all Drift tokens on August 20 and took the application offline. The activity remains attributed to UNC6395; no confirmed links to LAPSUS$ or ShinyHunters have been established. Investigation and remediation are ongoing, and Salesloft has restored the Salesforce sync under tighter controls.
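One practical follow-up from this incident is to find the secrets employees have pasted into support cases before an attacker holding a stolen integration token does. The script below is an added example written for this article, not Salesloft's, Salesforce's or Mandiant's code: it runs regex checks over a constructed Case export (the records are invented; the AWS values are the documented AWS example credentials) and redacts what it finds so the report itself does not re-expose the secret. The patterns cover AWS access key IDs and 40-character secrets, password assignments, Snowflake account hostnames and generic bearer/API tokens; they are heuristics, and the 40-character rule in particular will produce false positives on other base64-like strings.

```python
import re

# Constructed sample records standing in for a Salesforce Case export.
# Every value is invented for this example; the AWS strings are the
# documented AWS example credentials, not live keys.
SAMPLE_CASES = [
    {"Id": "5005g00000AAAA1", "Subject": "Sync failing",
     "Description": "Please check, using key AKIAIOSFODNN7EXAMPLE and secret "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5005g00000AAAA2", "Subject": "Login issue",
     "Description": "My password=Summer2025! still does not work on the portal"},
    {"Id": "5005g00000AAAA3", "Subject": "Snowflake share",
     "Description": "Our account is xy12345.us-east-1.snowflakecomputing.com, token attached"},
    {"Id": "5005g00000AAAA4", "Subject": "Question",
     "Description": "How do I export a report to CSV?"},
]

# Heuristic patterns for the secret types that tend to end up in support text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-char base64-like run: deliberately noisy, review hits rather than auto-closing them
    "aws_secret_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_host": re.compile(r"\b[a-z0-9_.-]+\.snowflakecomputing\.com\b", re.I),
    "bearer_or_api_token": re.compile(r"(?i)\b(?:bearer|token|api[_-]?key)\s*[:=]?\s*([A-Za-z0-9_\-]{20,})"),
}


def redact(secret: str) -> str:
    """Keep enough of a hit to triage it without copying the secret into the report."""
    return secret if len(secret) <= 8 else f"{secret[:4]}...{secret[-2:]}"


def scan_case(case: dict) -> list:
    """Return one finding per pattern hit in the case's free-text fields."""
    findings = []
    for field in ("Subject", "Description"):
        text = case.get(field) or ""
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({"case_id": case["Id"], "field": field,
                                 "type": name, "match": redact(match.group(0))})
    return findings


def scan_cases(cases) -> list:
    return [f for case in cases for f in scan_case(case)]


def summarize(findings) -> dict:
    """Count findings by secret type, e.g. to decide which cases to scrub first."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f['case_id']} {f['field']:<11} {f['type']:<20} {f['match']}")
```

Run it against a real export (Case, EmailMessage and CaseComment bodies are the usual offenders) and treat every hit as a credential to rotate, not just text to delete: the Drift attackers had already copied the data before the tokens were revoked.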
For a full breakdown of the incident, read our in-depth article: “Salesloft Drift Breach: Everything You Need to Know”.
NSA and NCSC Linked Salt Typhoon’s Espionage Activities to Chinese Tech Firms
A recent attribution marked a major public step in exposing the corporate ecosystem behind China-linked cyber operations.
The U.S. NSA, UK NCSC, and partners from 13 nations announced in August 2025 that three Chinese technology companies – Sichuan Juxinhe, Beijing Huanyu Tianqiong, and Sichuan Zhixin Ruijie – have supported Salt Typhoon’s global espionage campaigns. The firms were tied to China’s Ministry of State Security and the People’s Liberation Army.
Salt Typhoon has compromised government, military, and telecommunications networks worldwide since at least 2021, typically exploiting well-known vulnerabilities in edge devices rather than zero-days. The joint advisory highlighted recent abuse of flaws such as CVE-2024-21887 (Ivanti), CVE-2024-3400 (Palo Alto PAN-OS), and multiple Cisco IOS XE issues to gain persistent access, build tunnels out of victim networks, and capture traffic.
Authorities stressed that many of these weaknesses had long-available fixes, urging organizations to patch promptly, restrict management services, disable unused features like Cisco Smart Install, and monitor for unauthorized changes.
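The hardening points in the advisory can be turned into a quick audit of a device's running configuration. The script below is an added example, not part of the joint advisory or any vendor tooling: it parses a constructed IOS-style configuration excerpt (hostname, addresses and ACL are invented), then flags Smart Install not explicitly disabled, plaintext HTTP management, vty lines reachable without an access-class or over telnet, SSH moved to a non-standard port, tunnel interfaces, and ACL entries that drift from a change-managed baseline. It is a text-level heuristic: vstack defaults vary by platform, so read the Smart Install finding as "confirm it is off" rather than proof of exposure, and a baseline ACL is only useful if it is actually maintained.

```python
# Constructed IOS-style running-config excerpt; every address, name and ACL is invented.
RUNNING_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface Tunnel100
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 permit 203.0.113.77
!
ip ssh port 2222 rotary 1
!
line vty 0 4
 transport input telnet ssh
 rotary 1
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
end
"""

# Approved ACL bodies from change management (constructed baseline).
BASELINE_ACLS = {"MGMT-HOSTS": ["permit 10.10.10.0 0.0.0.255"]}


def parse_sections(config: str):
    """Group a config into (top-level line, [indented child lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str, baseline_acls: dict):
    """Return (category, message) findings for the hardening points in the advisory."""
    findings = []
    sections = parse_sections(config)
    top_level = {header for header, _ in sections}

    # Smart Install: 'no vstack' should be present unless the feature is genuinely needed.
    if "no vstack" not in top_level:
        findings.append(("smart_install", "Smart Install (vstack) is not explicitly disabled; add 'no vstack' unless required"))
    if "ip http server" in top_level:
        findings.append(("mgmt_service", "plaintext HTTP management server is enabled"))

    for header, body in sections:
        if header.startswith("line vty"):
            if not any(line.startswith("access-class") for line in body):
                findings.append(("mgmt_service", f"{header}: no access-class restricts management-plane access"))
            if any(line.startswith("transport input") and "telnet" in line for line in body):
                findings.append(("mgmt_service", f"{header}: telnet is an allowed transport"))
        elif header.startswith("interface Tunnel"):
            mode = next((line for line in body if line.startswith("tunnel mode")), "tunnel mode gre ip (default)")
            dest = next((line.split()[-1] for line in body if line.startswith("tunnel destination")), "?")
            findings.append(("tunnel", f"{header}: {mode} to {dest}; confirm this tunnel is authorised"))
        elif header.startswith("ip ssh port"):
            port = header.split()[3]
            if port != "22":
                findings.append(("mgmt_service", f"SSH listens on non-standard port {port}; confirm this is an approved change"))
        elif header.startswith("ip access-list"):
            name = header.split()[-1]
            for entry in sorted(set(body) - set(baseline_acls.get(name, []))):
                findings.append(("acl_drift", f"ACL {name}: '{entry}' is not in the approved baseline"))
    return findings


def count_by_category(findings):
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, message in audit_config(RUNNING_CONFIG, BASELINE_ACLS):
        print(f"[{category}] {message}")
```

The sample deliberately contains the three changes the advisory describes attackers making (an ACL entry permitting an outside address, SSH moved off port 22, and a GRE tunnel to that same address), so running the audit on a nightly config pull gives a cheap "monitor for unauthorized changes" control alongside patching.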
For more information about the threat group, visit the Dark Web Profile of Salt Typhoon.
Colt Technology Services Confirmed Data Theft After Warlock Ransomware Attack
UK-based telecommunications provider Colt Technology Services confirmed that customer-related files were stolen during a cyberattack first disclosed on August 12. In their cyber incident update, the company stated that attackers accessed and exfiltrated certain documents, later posting their titles on the dark web.
Colt Technology Services breach post shared on hacker forum (SOCRadar Dark Web News)
The Warlock ransomware group began auctioning what it claims to be one million documents stolen from Colt on the RAMP forum for $200,000. The group alleged the data includes financial records, network architecture details, and customer information. Researchers linked the actors to prior activity through a matching Tox ID found in ransom notes.
Start Monitoring Dark Web Forums with SOCRadar
Incidents like this show how quickly stolen files can surface in criminal marketplaces. Start monitoring Dark Web forums and marketplaces with SOCRadar before your data is sold.
SOCRadar’s Dark Web Monitoring continuously scans underground forums, marketplaces, and leak sites for mentions of your organization, alerting you to exposed data before attackers can exploit it. By detecting these threats early, security teams can act faster to contain risks, notify stakeholders, and harden defenses against follow-on attacks.
See what threat actors post about your business on the dark web (SOCRadar Dark Web Monitoring)
DaVita Ransomware Attack Exposed Data of 2.7 Million Patients
Healthcare provider DaVita confirmed that a ransomware attack discovered in April 2025 impacted 2.7 million individuals, after the U.S. Department of Health and Human Services published the breach details in August. The Interlock ransomware group claimed responsibility for the attack.
The attack encrypted parts of DaVita's network and led to unauthorized access to its laboratory database, which contained sensitive patient information. The company emphasized that dialysis care across its 3,000 clinics and at-home services continued without interruption.
DaVita first disclosed the incident in April, citing temporary operational disruptions as it worked to restore systems. By the second quarter, remediation costs had reached approximately $13.5 million, including increased patient care expenses and third-party investigation support. DaVita itself has not publicly attributed the attack to a specific group.
Visit Interlock Ransomware's Dark Web Profile on the SOCRadar blog.
6.4M Customers’ Data Affected in Bouygues Telecom Breach, Including IBANs
French telecom provider Bouygues Telecom disclosed on August 6, 2025, that a cyberattack compromised the personal data of approximately 6.4 million customers.
The intrusion, detected two days earlier, allowed a third party to access sensitive subscription information, including contact details, contractual records, civil status data, and company information tied to professional clients. Critically, international bank account numbers (IBANs) were also exposed, raising the risk of fraudulent transfers and phishing attempts.
The breach was shared on dark web forums, as flagged by SOCRadar Dark Web News.
The company confirmed that no credit card data or account passwords were involved. Impacted customers were notified via email or SMS and advised to remain vigilant against scams and verify any suspicious banking activity. Bouygues reported the breach to France’s CNIL data protection authority and filed a complaint with judicial authorities, warning of legal penalties for offenders.
The incident highlights ongoing pressure on European telecom providers, following a separate attack on Orange only a week earlier, though Orange reported no customer data loss.
Salesforce Breach Campaign Hit Companies Through Social Engineering
Throughout mid-2025, a large-scale campaign compromised Salesforce environments at over 90 organizations across technology, retail, luxury fashion, aviation, and insurance sectors. Victims included Adidas, Cartier, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas Airways, Allianz Life, Cisco, and others.
The attackers, tracked as UNC6040 and tied to the ShinyHunters collective, relied on social engineering rather than exploiting Salesforce vulnerabilities. Employees were deceived via voice phishing into authorizing malicious OAuth applications, often disguised as Salesforce Data Loader, granting attackers API-level access.
The breaches exposed customer records, loyalty program details, and internal business data, though no payment card or password information was confirmed stolen. Stolen data was linked to extortion attempts, with the group using a Telegram channel called “Scattered LAPSUS$ Hunters” to leak samples and pressure victims. Attribution evolved as infrastructure links pointed to ShinyHunters, but the tactics closely resembled Scattered Spider’s vishing and OAuth abuse, suggesting collaboration.
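Both the Drift token theft and the UNC6040 Data Loader lure come down to OAuth grants nobody reviewed: an approved integration holding more scope than it needs, or an app whose name mimics an approved one. The script below is an added example, not Salesforce's or SOCRadar's tooling: it audits a constructed inventory of OAuth tokens (apps, users, scopes and last-use dates are invented) against a hypothetical approved-app list, flagging unapproved apps, names that normalise to an approved app's name, the broad `full` and `web` scopes, and tokens unused for 90 days. The allowlist, the 90-day threshold and the fixed "now" are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical approved-integration list; a real one comes from change management.
ALLOWLIST = {"Salesforce Data Loader", "Drift", "Slack"}

# Salesforce OAuth scopes that grant far more than most integrations need.
BROAD_SCOPES = {"full", "web"}
STALE_AFTER = timedelta(days=90)                    # assumed review threshold
NOW = datetime(2025, 8, 25, tzinfo=timezone.utc)    # fixed so the example is reproducible


def ts(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed OAuth-token inventory; apps, users and dates are invented.
TOKENS = [
    {"app": "Salesforce Data Loader", "user": "admin@example.com",       "scopes": {"api", "refresh_token"},  "last_used": ts(2025, 8, 24)},
    {"app": "Salesforce DataLoader",  "user": "sdr1@example.com",        "scopes": {"full", "refresh_token"}, "last_used": ts(2025, 8, 22)},
    {"app": "Drift",                  "user": "integration@example.com", "scopes": {"full", "refresh_token"}, "last_used": ts(2025, 8, 19)},
    {"app": "Slack",                  "user": "ops@example.com",         "scopes": {"api"},                   "last_used": ts(2025, 3, 1)},
    {"app": "My Python Tool",         "user": "dev@example.com",         "scopes": {"api", "refresh_token"},  "last_used": ts(2025, 8, 24)},
]


def normalize(name: str) -> str:
    """Collapse case, spaces and punctuation so 'Data-Loader' and 'DataLoader' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_tokens(tokens, allowlist, now):
    """Return (kind, app, user, detail) findings.

    kinds: unapproved_app, lookalike_name, broad_scope, stale_token
    """
    approved = {normalize(a): a for a in allowlist}
    findings = []
    for t in tokens:
        app, user, key = t["app"], t["user"], normalize(t["app"])
        if app not in allowlist:
            # Exact match already failed; a normalised or substring match is a lookalike.
            mimicked = next((name for k, name in approved.items() if k in key or key in k), None)
            if mimicked:
                findings.append(("lookalike_name", app, user, f"name mimics approved app '{mimicked}'"))
            else:
                findings.append(("unapproved_app", app, user, "not on the integration allowlist"))
        broad = t["scopes"] & BROAD_SCOPES
        if broad:
            findings.append(("broad_scope", app, user, f"holds {sorted(broad)}; scope it to the objects it needs"))
        if now - t["last_used"] > STALE_AFTER:
            findings.append(("stale_token", app, user, f"last used {t['last_used'].date()}; revoke if no longer needed"))
    return findings


if __name__ == "__main__":
    for kind, app, user, detail in audit_tokens(TOKENS, ALLOWLIST, NOW):
        print(f"{kind:<15} {app:<24} {user:<26} {detail}")
```

The lookalike rule is what would have caught a "Salesforce DataLoader" connected app approved by an SDR over the phone; the broad-scope rule is what would have caught an approved chatbot integration holding `full` access it never needed. Pair the audit with an org policy that only admins can install connected apps, so that an employee cannot grant the access in the first place.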
For more details on the Salesforce breaches and affected companies, read our full breakdown: “Salesforce-Related Data Breach Affecting Multiple Companies”.
SonicWall VPN Flaw Exploited in Akira Ransomware Campaigns
SonicWall warned customers in early August 2025 of active exploitation against its Gen 7 firewalls, after reports suggested ransomware operators were leveraging a potential zero-day in SSLVPN services.
Researchers observed Akira ransomware intrusions beginning July 15, where attackers bypassed Multi-Factor Authentication (MFA) and pivoted to domain controllers within hours of initial compromise.
SonicWall’s follow-up investigation later attributed the incidents to CVE-2024-40766 (CVSS 9.8), a critical SSLVPN access control flaw patched in August 2024. The company stated that in many cases exploitation was possible due to incomplete remediation, particularly when organizations migrated from Gen 6 to Gen 7 firewalls without resetting local user passwords.
Details of CVE-2024-40766 (SOCRadar Labs CVE Radar)
Recently, the Australian Cyber Security Centre also reported a surge in Akira campaigns abusing CVE-2024-40766, underscoring that unpatched and misconfigured systems remain at risk.
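Two defender checks follow from the SonicWall findings above: confirm that no local account still carries a password imported from the Gen 6 unit, and detect the pattern researchers described, a VPN login followed by domain-controller access within hours. The script below is an added example, not SonicWall's, Arctic Wolf's or SOCRadar's code; the local-user export, the VPN and Windows logon events, the migration date, the baseline of known source addresses, the group name and the six-hour window are all constructed or assumed.

```python
from datetime import date, datetime, timedelta

# --- Check 1: local accounts still carrying credentials imported from the Gen 6 unit ---

MIGRATION_DATE = date(2024, 11, 3)   # hypothetical cutover date for this firewall
SSLVPN_GROUP = "SSLVPN Services"     # assumed name of the group granting SSL VPN access

# Constructed local-user export; None means the password was never set on the Gen 7 unit.
LOCAL_USERS = [
    {"name": "vpn-jsmith",     "groups": {SSLVPN_GROUP},                   "password_changed": date(2023, 5, 2)},
    {"name": "vpn-akhan",      "groups": {SSLVPN_GROUP},                   "password_changed": date(2025, 1, 14)},
    {"name": "svc-backup",     "groups": {"Limited Administrators"},       "password_changed": date(2022, 9, 9)},
    {"name": "vpn-contractor", "groups": {SSLVPN_GROUP, "Guest Services"}, "password_changed": None},
]


def reset_priority(user, migration_date=MIGRATION_DATE):
    """None if the password post-dates the migration; 'high' if the stale account has SSL VPN access, else 'medium'."""
    changed = user["password_changed"]
    if changed is not None and changed > migration_date:
        return None
    return "high" if SSLVPN_GROUP in user["groups"] else "medium"


def accounts_to_reset(users, migration_date=MIGRATION_DATE):
    plan = {}
    for u in users:
        priority = reset_priority(u, migration_date)
        if priority:
            plan[u["name"]] = priority
    return plan


# --- Check 2: SSL VPN login followed by domain-controller access within hours ---

WINDOW = timedelta(hours=6)   # assumed; the reporting says "within hours"

# Constructed events in UTC. VPN: (time, user, external source). DC: (time, user, host, 4624 logon type).
VPN_LOGINS = [
    ("2025-07-15T02:11:00", "jsmith", "203.0.113.45"),
    ("2025-07-15T09:02:00", "akhan",  "198.51.100.9"),
]
DC_LOGONS = [
    ("2025-07-15T03:40:00", "jsmith", "DC01", 3),
    ("2025-07-15T04:05:00", "jsmith", "DC02", 10),   # type 10 = RemoteInteractive (RDP)
    ("2025-07-15T13:30:00", "akhan",  "DC01", 3),
    ("2025-07-16T11:00:00", "akhan",  "DC01", 3),
]
# Baseline of source addresses each user has used before (constructed).
KNOWN_SOURCES = {"jsmith": {"192.0.2.10"}, "akhan": {"198.51.100.9"}}


def correlate_vpn_to_dc(vpn_logins, dc_logons, known_sources, window=WINDOW):
    """Alert when a user reaches a DC within `window` of a VPN login; 'high' if the VPN source is new for that user."""
    alerts = []
    for vt, user, src in vpn_logins:
        start = datetime.fromisoformat(vt)
        hits = [(datetime.fromisoformat(dt), host, ltype) for dt, duser, host, ltype in dc_logons
                if duser == user and start <= datetime.fromisoformat(dt) <= start + window]
        if not hits:
            continue
        first = min(h[0] for h in hits)
        alerts.append({
            "user": user,
            "vpn_src": src,
            "severity": "high" if src not in known_sources.get(user, set()) else "medium",
            "minutes_to_dc": int((first - start).total_seconds() // 60),
            "dc_hosts": sorted({h[1] for h in hits}),
            "interactive": any(h[2] == 10 for h in hits),
        })
    return alerts


if __name__ == "__main__":
    print("accounts to reset:", accounts_to_reset(LOCAL_USERS))
    for alert in correlate_vpn_to_dc(VPN_LOGINS, DC_LOGONS, KNOWN_SOURCES):
        print(alert)
```

The first check is the remediation SonicWall described as missing: patching the firmware does nothing for an account whose password was set on the old unit. The second is a detection, not a prevention; a medium alert for a known source address is still worth a look, because the reported intrusions succeeded against accounts that had MFA enabled.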
For a deeper breakdown of the campaign and exploitation details, see SOCRadar blog: “Akira Exploits SonicWall SSLVPN in Suspected Zero-Day Attacks”.
TransUnion Breach Exposed Personal Data of 4.4 Million Consumers
TransUnion, one of the United States’ three major credit reporting agencies, reported a data breach affecting more than 4.4 million individuals.
The incident stemmed from unauthorized access to a third-party application used in the company’s U.S. consumer support operations. According to the breach notification filed with the Maine attorney general’s office, the exposed information included certain personal data but did not involve credit reports or core credit history.
The company has not disclosed specific data types involved or technical details about the intrusion. No threat actor group has been attributed at this stage. Impacted individuals have been offered two years of free credit monitoring through TransUnion’s myTrueIdentity platform.
Despite the limited scope, the breach underscores the systemic risk posed by third-party applications within critical financial services infrastructure.
Enhance Visibility Across Your Digital Ecosystem with SOCRadar
SOCRadar’s unified platform brings together capabilities such as Supply Chain Intelligence, Dark Web Monitoring, and Cyber Threat Intelligence to give security teams the ultimate advantage against evolving threats.
SOCRadar’s Supply Chain Intelligence module
From detecting stolen credentials or leaked customer records on underground forums, to tracking vendor exposures and monitoring third-party connections, SOCRadar provides real-time alerts and actionable intelligence. With this visibility, organizations can identify risks sooner, prioritize responses, and strengthen resilience against the kinds of attacks that defined August 2025.