OAuth
-
Vercel Finds More Customer Accounts Compromised After Security Incident
Vercel said it found additional customer accounts compromised in a security incident that exposed its internal systems, but did not say how many were affected. The company linked the breach to a compromised Context.ai account used by a Vercel employee.
-
Vercel says breach linked to third-party AI tool exposed limited customer credentials
Vercel said a breach tied to a third-party AI tool exposed access to some internal systems and affected a limited subset of customers. The company said sensitive environment variables were not known to be accessed and urged credential rotation.
-
Microsoft warns OAuth redirect abuse used to deliver malware to government targets
Microsoft warned that phishing campaigns are abusing OAuth redirect features to deliver malware to government and public sector targets, using malicious OAuth apps, ZIP payloads, PowerShell and DLL sideloading. Organizations are advised to limit consent and review app permissions.
-
Microsoft warns of OAuth redirect abuse used to deliver malware to public sector
Microsoft warned that attackers are abusing OAuth redirect features to bypass phishing defenses and direct government and public sector users to attacker controlled domains that deliver malware or intercept credentials.
-
Gainsight says more customers affected as Salesforce revokes Gainsight-linked access tokens
Gainsight said suspicious activity tied to its applications affected more customers than initially reported and that Salesforce revoked related access tokens; the intrusion has been claimed by ShinyHunters while investigators and vendors take containment steps.
-
Salesforce revokes Gainsight app tokens after suspected unauthorized access
Salesforce revoked access tokens and removed Gainsight-published applications from the AppExchange after detecting activity that may have allowed unauthorised access to some customers’ data; investigations attribute the campaign to actors linked to the ShinyHunters group.
-
Researchers warn ‘CoPhish’ uses Microsoft Copilot Studio agents to harvest OAuth tokens
Datadog Security Labs disclosed “CoPhish,” a phishing method that uses Microsoft Copilot Studio agents and legitimate Microsoft-hosted demo pages to deliver fraudulent OAuth consent flows and harvest session tokens; Microsoft says it will address the issue in a future update and both vendors recommend tightening admin privileges and consent policies.
-
Researchers warn spoofed AI sidebars can trick Atlas and Comet users into dangerous actions
Security researchers at SquareX say they can use a malicious browser extension to overlay a fake AI sidebar in Atlas and Comet, tricking users into phishing pages, OAuth theft of Gmail/Drive access, or running commands that install a reverse shell.
-
FBI warns of UNC6040 and UNC6395 hackers targeting Salesforce to steal data and extort victims
The FBI has issued a FLASH alert about UNC6040 and UNC6395 hacking groups that are compromising Salesforce environments to steal data and extort victims, releasing IOCs to aid defense efforts across organizations and multiple cloud platforms.
-
Palo Alto Networks says Salesforce data exposed in breach tied to Salesloft Drift supply-chain attack
Palo Alto Networks disclosed a data breach linked to a broader Salesloft Drift supply-chain attack that exposed customer data in its Salesforce CRM. The incident involved OAuth token abuse, mass exfiltration of Salesforce records, and credential harvesting, prompting token revocation, Drift disablement, and guidance for customers to review logs and rotate secrets.
