
The latest news from the digital underbelly and how to protect your business
Welcome to the August edition of Upfort’s Threat Matrix! Hackers unleashed a wave of attacks against major organizations by impersonating Salesforce IT support. We’ll detail who got hit, how the attacks unfolded, and how to protect your business.
But the Salesforce attacks weren’t the only mischief that digital rogues from around the world were up to. We detail it all in this month’s edition of Threat Matrix.
Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.
Google’s Threat Analysis Group (TAG) has identified an active data extortion campaign in which hackers are targeting Salesforce accounts through malicious OAuth applications. The attackers aim to gain persistent access to sensitive business data and use it for blackmail or further exploitation.
Once a user approves the malicious app’s OAuth request, the attackers hold an access token and can exfiltrate files, contact lists, emails, and more without ever stealing a password; that token typically stays valid until the grant itself is revoked, regardless of later password changes. Google attributed the campaign to a threat actor it tracks as “Exotic Lily,” an APT group with ties to financially motivated cybercriminal operations.
This campaign is part of a broader trend where OAuth abuse is becoming a stealthy, permission-based vector for long-term data theft, particularly in cloud environments like Salesforce that serve as central repositories for customer and operational data.
How to protect your business: Audit OAuth app permissions regularly, restrict the use of third-party integrations, and monitor cloud platforms for unusual data access behaviors.
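The audit step above can be made routine rather than occasional. The following script is an added example (not Upfort's, Google's or Salesforce's code) that scores a connected-app inventory for the grant profile described in this item: broad scopes, tokens that outlive the user's session, unverified publishers, and API volume far above the app's own baseline. The inventory records are constructed, and their field names are an assumption about what a platform's connected-app and API-usage export would contain; the scope names ("full", "api", "refresh_token", "web") follow Salesforce's published OAuth scope identifiers.

```python
"""Audit an inventory of OAuth connected apps for risky grants and volume anomalies.

Added example, not Upfort's or Salesforce's code. The inventory records below are
constructed; field names are an assumption about what an export of a platform's
connected-app and API-usage reports would contain. Scope names ("full", "api",
"refresh_token", "web") follow Salesforce's published OAuth scope identifiers.
"""

# Scopes that grant access to everything the user can see, or that let the app
# keep access without the user being present (tokens survive logout and password
# changes until the grant itself is revoked).
BROAD_SCOPES = {"full"}
PERSISTENCE_SCOPES = {"refresh_token", "offline_access"}

# Constructed sample inventory (not real apps or numbers).
CONNECTED_APPS = [
    {"name": "Finance BI Connector", "scopes": ["api", "refresh_token"],
     "publisher_verified": True, "api_calls_24h": 1200, "baseline_calls_24h": 1000},
    {"name": "Data Loader Helper", "scopes": ["full", "refresh_token"],
     "publisher_verified": False, "api_calls_24h": 48000, "baseline_calls_24h": 900},
    {"name": "Calendar Sync", "scopes": ["web"],
     "publisher_verified": True, "api_calls_24h": 300, "baseline_calls_24h": 350},
]


def audit_app(app, volume_multiplier=5.0):
    """Return the list of issue codes for one app; an empty list means nothing to flag."""
    issues = []
    scopes = set(app["scopes"])
    if scopes & BROAD_SCOPES:
        issues.append("broad-scope")
    if scopes & PERSISTENCE_SCOPES:
        issues.append("persistent-token")
    if not app.get("publisher_verified", False):
        issues.append("unverified-publisher")
    # Bulk exfiltration shows up as API volume far above the app's own history,
    # even when every individual call is "authorized" by the granted scope.
    baseline = max(app["baseline_calls_24h"], 1)
    if app["api_calls_24h"] > volume_multiplier * baseline:
        issues.append("volume-anomaly")
    return issues


def audit_inventory(apps, volume_multiplier=5.0):
    """Map app name -> issue codes, keeping only apps with at least one issue."""
    report = {}
    for app in apps:
        issues = audit_app(app, volume_multiplier)
        if issues:
            report[app["name"]] = issues
    return report


def review_queue(apps):
    """Names ordered so that the riskiest combinations come first.

    An app holding broad scope *and* a persistent token, or showing a volume
    anomaly, matches the profile of the campaign described above, so it sorts
    ahead of apps with a single, lower-impact finding.
    """
    def weight(item):
        name, issues = item
        score = len(issues)
        if "volume-anomaly" in issues:
            score += 10
        if "broad-scope" in issues and "persistent-token" in issues:
            score += 5
        return (-score, name)
    return [name for name, _ in sorted(audit_inventory(apps).items(), key=weight)]


if __name__ == "__main__":
    for name, issues in audit_inventory(CONNECTED_APPS).items():
        print(f"{name}: {', '.join(issues)}")
    print("review first:", review_queue(CONNECTED_APPS))
```

The volume check is the part that catches an app that was legitimately installed and later abused: its scopes never change, but its call rate does, so the baseline should come from the app's own history rather than a fixed global threshold.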

Farmers Insurance has disclosed a massive data breach impacting 11 million people, after hackers gained unauthorized access to a third-party system powered by Salesforce. The attack, revealed in filings with the Maine Attorney General, exposed sensitive customer data stored in a cloud-based CRM platform.
The stolen data includes names, addresses, phone numbers, dates of birth, and partial Social Security numbers—valuable information for identity theft and phishing, even in the absence of passwords or financial details.
The breach occurred between April 25 and May 11, 2024, and is part of a broader wave of Salesforce-related intrusions affecting multiple organizations. Farmers says it has since secured the system, notified law enforcement, and is offering free identity protection services to those affected.
How to protect your business: Vet and monitor third-party vendors for security compliance. Implement strong access controls, regularly audit data sharing practices, and encrypt sensitive information—even in cloud platforms—to reduce breach impact.
Microsoft has issued a warning about a Chinese nation-state threat group known as Silk Typhoon, which is actively targeting North American organizations by exploiting cloud-based platforms for reconnaissance and persistence.
Rather than relying on malware, Silk Typhoon is leveraging legitimate cloud services and tools to blend in with normal activity. Tactics include abusing Microsoft Entra ID (formerly Azure Active Directory), SharePoint, and Exchange to gather intelligence and maintain access over extended periods.
The group’s stealthy behavior—avoiding traditional malware and living off the land—makes detection significantly harder and increases the risk of prolonged, undetected access to sensitive business operations.
How to protect your business: Monitor cloud activity for unusual behavior, enforce least-privilege access, regularly review logs, and adopt cloud-native detection tools that flag identity abuse and lateral movement.
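Because this group works with valid credentials and legitimate cloud services, the signal lives in sign-in logs rather than in malware alerts. The script below is an added example (not Microsoft's or Upfort's code) of two identity-abuse detections run over a handful of constructed sign-in records: a user authenticating from two countries within an hour, and a user reaching an application outside an expected allowlist. The field names are modelled on an Entra ID sign-in log export, which is an assumption about the export format; the users, IP addresses (RFC 5737 documentation ranges) and the `KNOWN_APPS` allowlist are constructed for the example.

```python
"""Flag identity abuse in cloud sign-in logs: impossible travel and unfamiliar apps.

Added example, not Microsoft's or Upfort's code. The log lines are constructed;
their field names are modelled on an Entra ID sign-in log export (an assumption
about the export format). Only successful sign-ins are considered, since a
living-off-the-land actor is using working credentials.
"""
import json
from datetime import datetime

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
SIGNIN_LOG = """\
{"createdDateTime": "2025-08-04T08:02:11Z", "userPrincipalName": "admin@corp.example", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-04T08:40:55Z", "userPrincipalName": "admin@corp.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "appDisplayName": "SharePoint Online", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-04T09:00:03Z", "userPrincipalName": "jdoe@corp.example", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-04T09:15:40Z", "userPrincipalName": "jdoe@corp.example", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "appDisplayName": "Unknown Sync Client", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-04T10:00:00Z", "userPrincipalName": "admin@corp.example", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "appDisplayName": "Graph Explorer", "status": {"errorCode": 50126}}
"""

# Applications users are expected to sign in to (assumed allowlist for the example).
KNOWN_APPS = {"Microsoft Exchange Online", "SharePoint Online", "Microsoft Teams"}


def parse_signins(text):
    """Parse one JSON object per line into successful sign-in events, sorted by user then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["status"]["errorCode"] != 0:
            continue  # failed sign-in: not evidence of access
        events.append({
            "time": datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "country": rec["location"]["countryOrRegion"],
            "app": rec["appDisplayName"],
        })
    events.sort(key=lambda e: (e["user"], e["time"]))
    return events


def impossible_travel(events, window_minutes=60):
    """Consecutive successful sign-ins by one user from different countries within the window.

    Returns (user, earlier_country, later_country, minutes_between) tuples.
    """
    hits = []
    for prev, cur in zip(events, events[1:]):
        if prev["user"] != cur["user"] or prev["country"] == cur["country"]:
            continue
        minutes = (cur["time"] - prev["time"]).total_seconds() / 60
        if minutes <= window_minutes:
            hits.append((cur["user"], prev["country"], cur["country"], round(minutes)))
    return hits


def unfamiliar_apps(events, known_apps=KNOWN_APPS):
    """Successful sign-ins to applications outside the allowlist, one entry per (user, app)."""
    seen = set()
    for e in events:
        if e["app"] not in known_apps:
            seen.add((e["user"], e["app"]))
    return sorted(seen)


if __name__ == "__main__":
    evts = parse_signins(SIGNIN_LOG)
    print("impossible travel:", impossible_travel(evts))
    print("unfamiliar apps:", unfamiliar_apps(evts))
```

Both detections deliberately ignore failed sign-ins: a failed attempt is a different (brute-force) signal, and mixing it in would let a noisy failure from a far-away address mask or fake a travel hit on a successful session.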
DaVita, one of the largest kidney care providers in the U.S., has disclosed a ransomware attack that compromised sensitive personal data of 26.7 million individuals. According to regulatory filings, attackers accessed names, contact information, Social Security numbers, medical billing data, and insurance details.
The breach occurred in late 2023 but was only recently confirmed and disclosed. DaVita stated that the incident stemmed from an attack on a file transfer system used to move sensitive data internally and with partners—similar to past attacks exploiting tools like MOVEit and GoAnywhere MFT.
While DaVita says it has contained the threat, notified law enforcement, and begun contacting affected individuals, this remains one of the largest healthcare breaches to date, with widespread implications for identity theft and medical fraud.
How to protect your business: Vet secure file transfer solutions thoroughly. Encrypt sensitive data in transit and at rest. Enforce least-privilege access controls and monitor file activity for unusual patterns or downloads.
Cyber insurers are increasingly considering policy changes that reduce or deny payouts for breaches tied to known but unpatched vulnerabilities (CVEs), according to a new report by Moody’s Ratings.
The shift comes in response to soaring breach costs and repeated attacks exploiting long-known flaws. By tightening contract terms, insurers aim to incentivize better cyber hygiene and reduce payouts in avoidable breach scenarios. One example: a policy might exclude coverage if the victim failed to patch a CVE rated critical more than 90 days after its disclosure.
As more underwriters adopt this stance, it’s likely that businesses will face greater pressure to keep software updated and maintain vulnerability management programs to remain insurable.
How to protect your business: Prioritize patch management and vulnerability scanning. Track CVE disclosures, automate remediation workflows, and document patch timelines to stay compliant with insurance requirements.
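Documenting patch timelines is easiest when the tracker itself computes them. The script below is an added example (not Moody's, Upfort's or any insurer's code) that classifies each vulnerability against a disclosure-to-patch window and lists the ones an underwriter could point to as unpatched past the deadline. The 90-day window for critical CVEs is the example quoted in the text; the windows for the other severity bands are assumptions for illustration, as are the entries labelled CVE-0000-000N (placeholders, not real identifiers). CVE-2017-6742, the Cisco SNMP flaw covered later in this edition, appears with its Cisco advisory date (2017-06-29) and its CVSS 3.0 base score of 8.8.

```python
"""Check open vulnerabilities against patch deadlines like the one in the report above.

Added example, not Moody's, Upfort's or any insurer's code. The 90-day window for
critical CVEs is the example quoted in the text; the windows for other severities
are assumptions for illustration, as are the CVE entries marked as placeholders
(CVE-0000-000N is not a real identifier). CVE-2017-6742 is the Cisco SNMP flaw
discussed later in this edition; its disclosure date (2017-06-29) and CVSS 3.0
base score (8.8) are taken from the Cisco advisory and NVD.
"""
from datetime import date

# Days allowed between public disclosure and remediation, by CVSS severity band.
PATCH_SLA_DAYS = {"critical": 90, "high": 120, "medium": 180, "low": 365}


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


# Constructed vulnerability-tracker export (dates are ISO strings; patched may be None).
FINDINGS = [
    {"cve": "CVE-2017-6742", "cvss": 8.8, "disclosed": "2017-06-29", "patched": None},
    {"cve": "CVE-0000-0001", "cvss": 9.8, "disclosed": "2025-04-01", "patched": "2025-05-15"},
    {"cve": "CVE-0000-0002", "cvss": 9.1, "disclosed": "2025-04-20", "patched": None},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "disclosed": "2025-06-01", "patched": None},
    {"cve": "CVE-0000-0004", "cvss": 9.0, "disclosed": "2025-01-10", "patched": "2025-06-01"},
]


def classify(finding, today):
    """Return (status, days) for one finding.

    status is one of:
      "within-sla"       open, deadline not yet reached; days = days remaining
      "overdue"          open, past the deadline; days = days past it
      "remediated"       patched inside the window; days = days taken
      "remediated-late"  patched, but after the deadline; days = days taken
    """
    sla = PATCH_SLA_DAYS[severity(finding["cvss"])]
    disclosed = date.fromisoformat(finding["disclosed"])
    if finding["patched"] is None:
        age = (today - disclosed).days
        return ("overdue", age - sla) if age > sla else ("within-sla", sla - age)
    taken = (date.fromisoformat(finding["patched"]) - disclosed).days
    return ("remediated-late", taken) if taken > sla else ("remediated", taken)


def coverage_report(findings, today):
    """Map CVE id -> (status, days) for every finding."""
    return {f["cve"]: classify(f, today) for f in findings}


def insurability_gaps(findings, today):
    """CVE ids an insurer could point to as unpatched beyond the agreed window."""
    return sorted(cve for cve, (status, _) in coverage_report(findings, today).items()
                  if status == "overdue")


if __name__ == "__main__":
    as_of = date(2025, 8, 15)
    for cve, (status, days) in coverage_report(FINDINGS, as_of).items():
        print(f"{cve}: {status} ({days} days)")
    print("gaps:", insurability_gaps(FINDINGS, as_of))
```

The "remediated-late" status is worth keeping separate from "remediated": a late patch closes the technical exposure, but a breach that occurred during the overdue period is exactly the scenario such exclusions are written for, so the history should stay in the record rather than being overwritten once the patch lands.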
Threat actors are exploiting the AI-powered website builder Lovable to spin up convincing phishing and malware sites. According to a new report from Netcraft, Lovable has been used to host fake login pages, cryptocurrency scams, and malicious redirects—often cloaked with realistic design and domain structures.
Because Lovable makes it easy for anyone to generate a polished website in seconds, cybercriminals are now using it as a low-effort tool for launching fraud campaigns at scale. Many of the malicious sites identified were designed to impersonate popular brands or mimic secure portals to trick users into entering sensitive information.
The abuse highlights a growing challenge: generative AI tools, while powerful and accessible for legitimate users, are also being turned into an infrastructure layer for cybercrime. The rapid scalability of these platforms makes detection and takedown more difficult.
How to protect your business: Train employees to scrutinize URLs, even on professional-looking websites. Use browser isolation, phishing-resistant MFA, and DNS-based filtering to limit exposure to malicious web pages.
The FBI and Cisco Talos are warning that Russian state-backed hackers are actively exploiting a 7-year-old vulnerability in Cisco networking gear to launch espionage and cyberattack campaigns.
The attackers, linked to Russia’s APT28 (also known as Fancy Bear), are targeting CVE-2017-6742—a flaw in Cisco’s SNMP protocol handling. This vulnerability, patched in 2017, allows remote attackers to execute code or crash devices by sending specially crafted SNMP packets.
While a fix has been available for years, many legacy systems remain unpatched, giving threat actors an easy foothold into government and enterprise networks. The FBI notes that this specific campaign is ongoing, and targets include U.S. critical infrastructure.
How to protect your business: Audit network hardware for outdated firmware. Apply vendor patches promptly, restrict SNMP access, and monitor for suspicious traffic to vulnerable devices.
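Restricting SNMP access matters for this particular flaw because the Cisco advisory for CVE-2017-6742 notes that exploitation requires a valid read-only community string (SNMPv1/v2c) or valid SNMPv3 user credentials; a well-known community string with no source ACL hands that prerequisite to anyone who can reach the device. The script below is an added example (not Cisco's or Upfort's code) that audits an IOS-style running config for exactly those conditions: default community strings, read-write communities, communities with no or undefined source ACLs, and SNMPv3 groups configured below the `priv` security level. The configuration text is a constructed sample in Cisco IOS syntax, not a real device export, and the regexes cover the plain `snmp-server community <string> RO|RW [acl]` form rather than every variant of the command.

```python
"""Audit an IOS-style running config for weak SNMP exposure.

Added example, not Cisco's or Upfort's code. The configuration below is a
constructed sample in Cisco IOS syntax, not a real device export. The checks
target the conditions that make SNMP flaws such as CVE-2017-6742 reachable:
the Cisco advisory notes exploitation needs a valid community string (v1/v2c)
or SNMPv3 credentials, so default strings and missing source ACLs are the
findings that matter most.
"""
import re

SAMPLE_CONFIG = """\
! constructed sample, not a real device export
hostname edge-rtr-01
access-list 10 permit host 192.0.2.50
access-list 10 deny any log
snmp-server community public RO
snmp-server community N3tOps-RW RW
snmp-server community mon-ro RO 10
snmp-server group NMS-V3 v3 priv
snmp-server group LEGACY-V3 v3 noauth
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?\s*$", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)
ACL_RE = re.compile(r"^(?:access-list (\S+) |ip access-list (?:standard|extended) (\S+))")
DEFAULT_COMMUNITIES = {"public", "private"}


def redact(community):
    """Never echo the full community string into a report."""
    return community[:2] + "***"


def defined_acls(config_text):
    """ACL numbers/names defined anywhere in the config."""
    acls = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_snmp(config_text):
    """Return a list of (issue_code, description) findings."""
    acls = defined_acls(config_text)
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            label = redact(community)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default-community", f"{label}: well-known community string"))
            if mode == "RW":
                findings.append(("rw-community", f"{label}: read-write access via SNMPv1/v2c"))
            if acl is None:
                findings.append(("no-acl", f"{label}: no source ACL, reachable from any address"))
            elif acl not in acls:
                findings.append(("undefined-acl", f"{label}: references ACL {acl} that is not defined"))
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2).lower() != "priv":
            findings.append(("weak-v3-level",
                             f"group {m.group(1)}: security level {m.group(2)} (no encryption)"))
    return findings


def issue_counts(config_text):
    """Summarise findings as issue_code -> count, handy for tracking across many devices."""
    counts = {}
    for code, _ in audit_snmp(config_text):
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for code, text in audit_snmp(SAMPLE_CONFIG):
        print(f"[{code}] {text}")
```

The undefined-ACL check is easy to overlook but common in practice: a community that references an ACL number that was never created (or was removed during a cleanup) behaves as if no ACL were applied at all, so the config reads as restricted while the device answers any source.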
Contract research organization Inotiv has confirmed a ransomware attack that disrupted business operations and potentially exposed sensitive data. In a regulatory filing, the company revealed that the attack began on July 17 and involved unauthorized access to certain corporate systems.
While the full scope of the breach is still under investigation, Inotiv says it proactively shut down parts of its network to contain the incident. Some laboratory and administrative systems were temporarily taken offline, affecting day-to-day functions across its pharmaceutical development services.
The company has engaged third-party cybersecurity experts and notified law enforcement. It has not yet disclosed whether any personal or client data was compromised, or whether the attackers made specific demands.
How to protect your business: Ensure regular backups are stored offline and tested for recovery. Segment internal networks, enforce least-privilege access, and conduct phishing simulations to reduce the chance of ransomware entry.
The Business Council of New York State has reported a data breach that impacted nearly 47,000 individuals. In a filing with the Maine Attorney General’s office, the organization said the breach occurred between May 1 and May 10, 2024, and was tied to unauthorized access of its email environment.
Exposed data includes names, Social Security numbers, and potentially other personal information belonging to members and associated individuals. The Council said it discovered the breach on May 10 and immediately secured its email systems and launched an investigation with external cybersecurity experts.
Notifications are now being sent to impacted individuals, and the Council is offering complimentary identity protection services to those affected.
How to protect your business: Secure email environments with multi-factor authentication, monitor for unauthorized access, and train employees to spot phishing attempts that can lead to credential compromise.
Allianz Life has confirmed a significant data breach impacting the majority of its 1.4 million customers, as well as financial professionals and employees, after attackers exploited a third-party cloud-based CRM platform.
The breach, which occurred on July 16, involved a threat actor using social engineering to gain unauthorized access to personal data. According to filings with the Maine Attorney General, the exposed data includes names and other personally identifiable information (PII), though the total number of affected individuals has yet to be finalized.
While Allianz Life says it found no evidence that its internal systems were compromised, it has notified the FBI and is beginning to alert affected individuals. The breach is part of a broader wave of cyberattacks targeting the insurance sector in 2025.
How to protect your business: Limit data exposure in third-party platforms, monitor for unauthorized access, and educate employees to spot social engineering tactics that often precede breaches.
Workday, a leading human resources software provider, has confirmed a data breach tied to the wave of cyberattacks targeting third-party platforms like Salesforce. The breach stemmed from unauthorized access to a customer relationship management (CRM) system used by Workday and impacted some customers’ data.
The compromised system, which was managed by a third-party vendor, exposed personal information including names, email addresses, job titles, and other work-related details. Workday emphasized that no internal systems or core services were affected.
This incident follows a growing trend of cybercriminals exploiting third-party integrations to access sensitive enterprise data, reinforcing the importance of scrutinizing vendors’ security postures—even among well-established platforms.
How to protect your business: Review the security of integrated third-party platforms, limit data exposure in external systems, and implement continuous access monitoring across your software stack.
