November 2025: Coupang Breach, Balancer $120M Hack, Gainsight Token Abuse, Eurofiber GLPI Incident & More
November 2025 brought another wide mix of high-impact cyber incidents, ranging from one of South Korea’s largest-ever data exposures to major disruptions in Japan’s beverage industry and a significant Web3 theft.
Supply-chain weaknesses, token abuse within interconnected SaaS ecosystems, and delayed breach notifications also shaped several of this month’s developments. Alongside large-scale data compromises affecting universities, municipalities, and social services, threat actors continued to exploit identity paths and trusted integrations across cloud environments.
Here are the major cyberattacks of November 2025.
Qilin Ransomware Disruption at Asahi Exposed Data of More Than 1.5 Million Individuals
Asahi confirmed that a ransomware attack identified on September 29, 2025, disrupted operations across multiple facilities in Japan and resulted in potential exposure of personal information belonging to more than 1.5 million customers.
The incident forced the company to halt digital order processing and temporarily rely on manual methods while systems were isolated and investigated. Preliminary findings showed that attackers had already encrypted data and accessed information hosted in affected servers before containment began.
Qilin later claimed responsibility for the intrusion, though Asahi did not confirm the group’s demands.
The exposed data primarily involved individuals who had contacted Asahi’s customer service centers and included names, contact details, addresses, and gender. The company also reported possible exposure of information tied to approximately 107,000 current and former employees, 168,000 employee family members, and over 114,000 external contacts.
Only a limited set of employee-related data on compromised laptops was confirmed as accessed, and no credit card information was involved. The company also noted that the impact was limited to systems managed in Japan and that European subsidiaries were unaffected.
Coupang Breach Exposed Data from 33.7 Million Customer Accounts
In late November 2025, Coupang disclosed that a data breach originating months earlier had exposed information from approximately 33.7 million customer accounts. Initial findings showed unauthorized access to roughly 4,500 accounts on November 18, but subsequent investigation revealed that the intrusion likely began in June through an overseas server.
Exposed data included names, contact information, shipping addresses, and limited order history. Payment information, passwords, and login credentials were not affected.
Authorities reported that the attacker bypassed Coupang’s authentication process by exploiting long-valid token signing keys used within its login infrastructure. Analysis indicated that these keys had not been rotated or invalidated after the employee responsible for them left the company, enabling continued misuse.
Investigators noted that internal authentication procedures and key management practices appeared to be contributing factors.
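The key-lifecycle failure described above, shown as an added illustration that is not taken from the report or from Coupang’s systems: a toy HS256 token issuer in which every signing key carries a key id (kid), so a key can be rotated and then retired outright (for instance when a person who could have read it leaves), after which any token it signed stops verifying, and tokens themselves get a bounded lifetime. All keys and claims are generated at runtime, and the class and method names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SigningKeyRing:
    # Toy HS256 issuer: each key has an id (kid) so it can be rotated and,
    # when someone who could have read it leaves, retired outright.
    def __init__(self, max_token_age=3600):
        self.keys = {}          # kid -> secret, generated at runtime (constructed)
        self.retired = set()    # kids that must never verify anything again
        self.current = None     # kid used for new signatures
        self.max_token_age = max_token_age

    def rotate(self):
        """Mint a fresh key and make it the only key used for signing."""
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def retire(self, kid):
        """Hard-invalidate a key: tokens it signed stop verifying at once."""
        self.retired.add(kid)

    def sign(self, claims, iat=None):
        body = dict(claims, iat=int(time.time()) if iat is None else iat)
        header = _b64(json.dumps({"alg": "HS256", "kid": self.current}).encode())
        payload = _b64(json.dumps(body).encode())
        mac = hmac.new(self.keys[self.current], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(mac)}"

    def verify(self, token, now=None):
        """Claims dict, or None: malformed, tampered, retired/unknown kid, or too old."""
        now = time.time() if now is None else now
        try:
            header, payload, sig = token.split(".")
            kid = str(json.loads(_unb64(header))["kid"])
            mac, claims = _unb64(sig), json.loads(_unb64(payload))
            iat = int(claims["iat"])         # a token with no issue time is rejected
        except (ValueError, KeyError, TypeError):
            return None
        if kid in self.retired or kid not in self.keys:
            return None     # a retired key still being trusted is the failure mode described above
        expected = hmac.new(self.keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
        fresh = now - iat <= self.max_token_age   # bounded lifetime instead of long-valid tokens
        return claims if hmac.compare_digest(expected, mac) and fresh else None
```

Rotating adds a key without breaking tokens signed by the previous one, so a short overlap window is possible; retiring is the step that actually cuts off a key that may have walked out the door.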
South Korean agencies launched a joint inquiry to determine whether Coupang violated requirements under the Personal Information Protection Act. Coupang notified affected customers and warned of potential scams leveraging exposed contact information while cooperating with national regulators and law enforcement.
Gainsight Token Abuse Led to Widespread Access Across Salesforce Customer Environments
The compromise involving Gainsight’s Salesforce integration emerged in November 2025 after Salesforce detected unusual activity tied to the app’s access tokens. Early assessments suggested that more than 200 Salesforce organizations, and potentially many more, were affected.
The incident did not involve a flaw in Salesforce itself; instead, attackers leveraged valid tokens issued to Gainsight, allowing them to perform API actions within customer environments through permissions the app already possessed.
Investigators connected the activity to Scattered LAPSUS$ Hunters, a group known for targeting cloud ecosystems and abusing identity pathways.
The group claimed that access originated from earlier attacks involving Salesloft and Drift integrations, enabling them to obtain authentication tokens and pivot into Gainsight-linked environments. Once operational, the actors used the tokens to read and synchronize data accessible to the app, leading to exposure of customer records, activity details, and other objects stored in affected Salesforce instances.
Further details on the incident can be found in SOCRadar’s analysis: “What You Need To Know About Gainsight Breach”.
Pajemploi Data Breach Exposed Personal Information of Approximately 1.2 Million Childcare Workers
France’s Pajemploi service, part of the URSSAF network responsible for managing social security contributions, reported on November 14, 2025 that unauthorized access to its systems resulted in the exposure of personal information belonging to roughly 1.2 million childcare employees. The agency stated it detected the breach the same day and acted quickly to contain the intrusion and prevent further lateral movement.
An internal investigation found that the compromised data included full names, birthplaces, postal addresses, Social Security Numbers, Pajemploi identifiers, accreditation numbers, and the names of victims’ banking institutions. The attackers did not access IBANs, phone numbers, email addresses, or account passwords. Operations also remained unaffected, and investigators saw no signs of ransomware deployment.
No group has claimed responsibility, and Pajemploi has not indicated receiving any extortion demands. The service notified CNIL, ANSSI, and impacted individuals, warning them to stay alert to potential phishing attempts, as attackers may pair exposed data with information from other breaches. The incident affected childcare providers registered with Pajemploi but did not impact their employers.
SOCRadar’s Dark Web Monitoring: Your Early-Warning System for Leaks, Threat Actor Activity & Underground Threats
As threat actors continue to trade stolen data, recruit insiders, and coordinate campaigns across underground forums and Telegram channels, timely visibility is essential. SOCRadar’s Dark Web Monitoring provides real-time insight into these hidden ecosystems – tracking actor chatter, exposed credentials, leaked datasets, and mentions of your organization long before they escalate into active compromise.
SOCRadar Dark Web Monitoring module
With automated detection, enriched context, and analyst-ready intelligence, Dark Web Monitoring helps security teams answer critical questions early: What information about us is circulating? Which actors are targeting our industry? Has a vendor or integration partner shown up in a new leak?
This level of visibility enables faster triage, stronger defensive decisions, and proactive containment, especially as token abuse, supply-chain intrusions, and extortion-driven breaches continue to surge.
Eurofiber GLPI Breach Raised Supply Chain Risks for French Customers
Eurofiber confirmed in November that attackers had compromised its GLPI service-management platform, exposing operational data used to support customers in France.
A threat actor known as ByteToBreach claimed responsibility, stating they had copied the full GLPI database – an environment that contains configuration details, ticket histories, internal documents, and credentials tied to customer networks.
According to the actor’s posts, the intrusion stemmed from a vulnerability in an outdated GLPI version and was carried out through a slow SQL-injection process. The dataset reportedly includes SSH keys, VPN configurations, API tokens, and infrastructure documentation, creating potential downstream risks for organizations that rely on Eurofiber-managed access paths.
Threat actor’s post about the Eurofiber breach (SOCRadar Dark Web News)
Eurofiber said the impact was limited to its French operations, with environments in other countries running on separate platforms.
A more detailed breakdown of the breach is available in SOCRadar’s blog: “Eurofiber Breach – What You Need to Know”.
IndonesianFoods Spam Campaign Flooded npm With More Than 150,000 Automated Packages
A large-scale spam operation known as IndonesianFoods drew attention in November 2025 after researchers observed tens of thousands of auto-generated packages appearing in the npm registry. While the campaign did not distribute traditional malware, its sheer volume, exceeding 150,000 packages, created widespread ecosystem noise and raised long-term supply chain concerns.
One npm profile displays 12,850 spam packages
The uploads followed a recognizable pattern that combined Indonesian names with food terminology, allowing analysts to link the activity across multiple fake maintainer accounts.
The packages were largely empty Next.js templates, but each contained automation scripts capable of generating new projects, updating metadata, and publishing continuously without human involvement. Investigators believe the actor was attempting to exploit reward mechanisms tied to package creation and updates, using high-frequency publishing to inflate activity metrics.
Although no malicious payloads have been identified, the tooling enables rapid dependency-chain growth, making future harmful updates difficult to detect amid the volume.
Additional context and recommendations are available in SOCRadar’s analysis: “IndonesianFoods Spam Campaign”.
Synnovis Began Sending Notifications for 2024 Ransomware Breach
Synnovis confirmed in November 2025 that it finally began notifying NHS organizations about data stolen during the June 2024 ransomware attack that severely disrupted pathology services in London and the South East.
The Qilin-linked intrusion caused major operational delays, including thousands of canceled appointments and procedures, and attackers later released roughly 400GB of patient-related data after Synnovis declined to pay a ransom.
Qilin’s victim listing of Synnovis
The provider said the extended notification timeline stemmed from the disorganized nature of the exfiltrated files, which investigators described as unstructured, fragmented, and difficult to classify. Cybersecurity specialists spent more than a year reconstructing the dataset to identify which NHS data controllers were affected.
The prolonged delay drew criticism from industry experts, who highlighted concerns with data governance and response preparedness, particularly given that the breach may have impacted close to one million patients.
Balancer Hack Drains Over $120 Million Through Smart Contract Flaw
Balancer suffered one of November’s most damaging Web3 incidents after an attacker exploited a flaw in its v2 smart contracts, draining more than $120 million across multiple chains.
The issue stemmed from weak access controls in the manageUserBalance function, which allowed the attacker to impersonate any account and trigger unauthorized withdrawals.
Before executing the main theft, the operator manipulated balances through a series of swaps, likely leveraging rounding quirks, to maximize the impact. Because Balancer v2 pools rely on shared contract infrastructure, the vulnerability cascaded across the ecosystem, affecting both Balancer-managed pools and projects built on top of them.
Researchers also noted that the malicious contract contained leftover debug lines typically removed before deployment, suggesting the exploit code may have been generated or adapted with minimal refinement.
Miljödata Breach Exposed Data of More Than 1.5 Million Individuals Across Sweden
A cyberattack on Miljödata, an HR and work-management IT provider used by nearly 80% of Swedish municipalities, resulted in the exposure of information linked to up to 1.5 million people. Threat actor DataCarry leaked a 224 MB archive on the dark web, containing personal data for at least 870,000 individuals, now indexed by Have I Been Pwned.
Sweden’s privacy authority IMY has launched a GDPR investigation, noting concerns around Miljödata’s security controls and data-handling practices. While the attack did not involve ransomware, the scale of the exposure highlights how centralized municipal service providers can become high-impact targets.
Miljödata breach details (HIBP)
1.2 Million Donor Records Reportedly Stolen in University of Pennsylvania Breach
The University of Pennsylvania launched an investigation after attackers accessed internal systems using a compromised PennKey SSO account in early November 2025. The incident became public when mass emails were sent to alumni and students from spoofed “@upenn.edu” addresses.
According to the attackers, the breach exposed information on over 1.2 million donors and community members. With the stolen credentials, they accessed systems including Salesforce Marketing Cloud, VPN, Qlik, SAP, SharePoint, and Box. A 1.7 GB dataset later posted online allegedly contained contact details, demographic attributes, donation history, and wealth estimates.
The threat actors continued sending emails to more than 700,000 recipients even after the compromised account was disabled. They claimed they did not seek a ransom and instead targeted high-value donor databases.
Strengthen Your Security Posture with SOCRadar XTI
The events of November highlight how quickly attack surfaces evolve across cloud ecosystems, SaaS integrations, critical infrastructure, and decentralized platforms. SOCRadar’s Extended Threat Intelligence (XTI) platform brings these domains together, giving organizations a unified way to understand exposures, track emerging threats, and respond with confidence.
SOCRadar’s ASM module, Digital Footprint
With modules spanning Cyber Threat Intelligence, Dark Web Monitoring, Brand Protection, Attack Surface Management, Threat Hunting, Identity & Access Intelligence, and access to extensive breach datasets, SOCRadar provides the context organizations need to connect external threat activity with internal risk.
Whether you’re tracking high-risk CVEs, evaluating vendor incidents, monitoring impersonation attempts, or investigating leaked credentials, SOCRadar offers deep visibility and automation to support faster, more informed defensive decisions.