Threat Briefing: September 19, 2025

Threat Intel Update

Recent cybersecurity incidents highlight the growing sophistication of social engineering and the risks of insider threats. Attackers used fake Facebook alerts in FileFix campaigns to spread StealC malware, while ShinyHunters exfiltrated 1.5 billion Salesforce records by abusing stolen OAuth tokens. FinWise Bank reported an insider-driven breach impacting 689,000 individuals, and ChatGPT’s calendar integration was exploited to steal emails through malicious invites. Meanwhile, Microsoft dismantled RaccoonO365, a credential-theft service that was targeting 9,000 victims every day.

Cybersecurity News

  • ShinyHunters Claims Theft of 1.5B Salesforce Records via Drift OAuth Breach – The hacking group ShinyHunters reportedly stole 1.5 billion Salesforce records from 760 companies by exploiting compromised Drift OAuth tokens. Major tech firms were among the targets, with stolen data including sensitive support tickets. The breach raises concerns about cascading cyberattacks across interconnected environments. (Source: BleepingComputer)
  • Insider Breach at FinWise Bank Exposes 689,000 Records – FinWise Bank disclosed a May 2024 breach in which a former employee accessed American First Finance data, impacting 689,000 individuals. Affected customers are being offered free credit monitoring while litigation against the bank is underway. (Source: SecurityWeek)
  • ChatGPT Calendar Integration Exploited for Email Theft – A vulnerability in ChatGPT’s calendar integration allows attackers to exfiltrate emails by sending crafted invites containing a “jailbreak prompt.” Victims can be tricked into approving malicious AI-driven actions, exposing sensitive data without ever directly accepting the invite. (Source: SecurityWeek)
  • New FileFix Variant Delivers StealC Malware via Multilingual Phishing – A recent FileFix campaign leverages multilingual phishing sites to trick users into running a malicious PowerShell script. The attack delivers the StealC information stealer by exploiting browser file uploads and manipulating the clipboard. (Source: The Hacker News)
  • Microsoft and Cloudflare Take Down RaccoonO365 Credential-Stealing Service – Microsoft and Cloudflare disrupted RaccoonO365, a phishing tool operated by Nigerian national Joshua Ogundipe. The service targeted Microsoft accounts, stealing credentials from 9,000 email addresses daily and generating over $100,000 through 100 subscriptions across 94 countries. (Source: The Record from Recorded Future News)

About the Author
CampusGuard Threat Intel Team