Cyberveille, curated by Decio
19 results tagged Data-Theft
Farmers Insurance data breach impacts 1.1M people after Salesforce attack https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/
27/08/2025 09:18:11

bleepingcomputer.com, by Lawrence Abrams, August 25, 2025
U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks.

Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide.

The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025.

"On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident")," reads the data breach notification on its website.

"The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. After learning of the activity, Farmers immediately launched a comprehensive investigation to determine the nature and scope of the Incident and notified appropriate law enforcement authorities."

The company says that its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach.

Farmers began sending data breach notifications to impacted individuals on August 22, with a sample notification [1, 2] shared with the Maine Attorney General's Office, stating that a combined total of 1,111,386 customers were impacted.

While Farmers did not disclose the name of the third-party vendor, BleepingComputer has learned that the data was stolen in the widespread Salesforce data theft attacks that have impacted numerous organizations this year.

BleepingComputer contacted Farmers with additional questions about the breach and will update the story if we receive a response.

The Salesforce data theft attacks
Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers.

During these attacks, threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company through email.

The extortion demands come from the ShinyHunters cybercrime group, who told BleepingComputer that the attacks involve multiple overlapping threat groups, with each group handling specific tasks to breach Salesforce instances and steal data.

"Like we have said repeatedly already, ShinyHunters and Scattered Spider are one and the same," ShinyHunters told BleepingComputer.

"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake."

Other companies impacted in these attacks include Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

bleepingcomputer.com EN 2025 Data-Breach Data-Theft Farmers-Insurance Insurance Salesforce ShinyHunters
Estonia launches international search for Moroccan citizen wanted over data theft https://news.err.ee/1609704864/estonia-launches-international-search-for-moroccan-citizen-wanted-over-data-theft
28/05/2025 16:28:24

The Central Criminal Police and the Office of the Prosecutor General have initiated an international search for a Moroccan citizen suspected of last year unlawfully accessing and downloading data from a customer card system managed by Allium UPI.

Allium UPI is the parent company of the Apotheka pharmacy chain.

Based on evidence collected in the criminal proceedings, 25-year-old Moroccan citizen Adrar Khalid is suspected of illegally downloading data from the Allium UPI database in February 2024.

Reemo Salupõld, head of the investigation group at the Central Criminal Police's cybercrime bureau, said there is reason to suspect that Khalid gained access to the database by logging in with an account that came with administrator privileges. How the suspect came to obtain the password for that account is still under investigation.

Salupõld said: "Regardless of how long and complex a password is, this case clearly shows that this is no longer sufficient on its own today. Cybercriminals are finding increasingly ingenious ways to access accounts, which is why we recommend everyone use two-factor authentication – this adds an extra layer of protection that can be crucial if a password does get leaked or ends up in the wrong hands."

news.err.ee EN 2025 central-criminal-police pharmacy apotheka prosecutor's-office allium-upi data-theft data-breache international-arrest-warrant
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/
28/05/2025 10:14:51

The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.

Sophos was brought in to investigate the attack and believes the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.

SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.

The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections.

The threat actors then attempted to steal data and deploy encryptors on customer networks; these attempts were blocked on one of the networks by Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks.

Sophos has shared IOCs related to this attack to help organizations better defend their networks.

MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya.

This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.

bleepingcomputer EN 2025 CVE-2024-57727 Data-Theft DragonForce Managed-Service-Provider MSP Ransomware RMM SimpleHelp-RMM
New details reveal how hackers hijacked 35 Google Chrome extensions https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
02/01/2025 10:47:03

New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.

bleepingcomputer EN 2024 Chrome-extension Cyberhaven Data-Theft Facebook OAuth Phishing Supply-Chain-Attack
Meet Brain Cipher — The new ransomware behind Indonesia's data center attack https://www.bleepingcomputer.com/news/security/meet-brain-cipher-the-new-ransomware-behind-indonesia-data-center-attack/
30/06/2024 15:13:03

The new Brain Cipher ransomware operation has begun targeting organizations worldwide, gaining media attention for a recent attack on Indonesia's temporary National Data Center.

bleepingcomputer EN 2024 Brain-Cipher Data-Theft Double-Extortion LockBit Ransomware Indonesia
Hyundai Motor Europe hit by Black Basta ransomware attack https://www.bleepingcomputer.com/news/security/hyundai-motor-europe-hit-by-black-basta-ransomware-attack/
08/02/2024 21:29:06

Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data.

bleepingcomputer EN 2024 Black-Basta Data-Theft Hyundai Hyundai-Motor-Europe Ransomware
MongoDB says customer data was exposed in a cyberattack https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/
17/12/2023 00:12:05

MongoDB is warning that its corporate systems were breached and that customer data was exposed in a cyberattack that was detected by the company earlier this week.

bleepingcomputer EN 2023 Cyberattack Data-Theft Hack MongoDB Network-Incident data-breach
DP World confirms data stolen in cyberattack, no ransomware used https://www.bleepingcomputer.com/news/security/dp-world-confirms-data-stolen-in-cyberattack-no-ransomware-used/
28/11/2023 18:13:19

International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, no ransomware payloads or encryption were used in the attack.

bleepingcomputer EN 2023 Australia Data-Breach Data-Theft DP-World Shipping
Rhysida ransomware gang claims attack on British Library • The Register https://www.theregister.com/2023/11/20/rhysida_claims_british_library_ransomware/
21/11/2023 07:19:43

The Rhysida ransomware group says it's behind the highly disruptive October cyberattack on the British Library, leaking a snippet of stolen data in the process.

A low-res image shared to its leak site appears to show a handful of passport scans, along with other documents, some of which display the format of HMRC employment documents.

theregister EN 2023 Rhysida ransomware British Library, Data-theft
StripedFly: Perennially flying under the radar https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
26/10/2023 23:06:55

Nobody would even suspect the mining malware was merely a mask, masquerading behind an intricate modular framework that supports both Linux and Windows. The amount of effort that went into creating the framework is truly remarkable, and its disclosure was quite astonishing.

securelist EN 2023 stripedfly NSA Data-theft Encryption EternalBlue Linux Malware-Descriptions Malware-Technologies Miner Targeted-attacks TOR
Phishing pages placed on hacked websites https://securelist.com/phishing-with-hacked-sites/110334/
18/08/2023 14:23:35

Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site.

securelist EN 2023 Data-theft Phishing websites Website-Hacks Wordpress
Siemens Energy confirms data breach after MOVEit data-theft attack https://www.bleepingcomputer.com/news/security/siemens-energy-confirms-data-breach-after-moveit-data-theft-attack/
27/06/2023 20:36:59

Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.

bleepingcomputer EN 2023 MOVEit Siemens-Energy Cl0p Clop ransomware data-theft
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack | Securelist https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
04/04/2023 20:43:33

A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020.

securelist APT Backdoor Data-theft Lazarus Malware-Descriptions Gopuram guard64.dll 3CX
New Money Message ransomware demands million dollar ransoms https://www.bleepingcomputer.com/news/security/new-money-message-ransomware-demands-million-dollar-ransoms/
03/04/2023 12:08:34

A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.

bleepingcomputer EN 2023 Data-Theft Double-Extortion Encryption Money-Message Ransomware
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft https://sysdig.com/blog/cloud-breach-terraform-data-theft/
09/03/2023 18:42:29

The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL.

sysdig EN 2023 SCARLETEEL cloud Kubernetes Terraform AWS Data-Theft
GoDaddy: Hackers stole source code, installed malware in multi-year breach https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/
18/02/2023 11:45:55

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

bleepingcomputer EN 2023 Data-Theft GoDaddy Hack Security-Breach Source-Code breach
IT specialists search and recruitment on the dark web https://securelist.com/darknet-it-headhunting/108526/
30/01/2023 11:20:30

We have analyzed more than 800 IT job ads and resumes on the dark web. Here is what the dark web job market looks like.

securelist EN 2023 Darknet Data-theft Hackers Malware Malware-Creators recruitment profiling
Vice Society ransomware leaks University of Duisburg-Essen’s data https://www.bleepingcomputer.com/news/security/vice-society-ransomware-leaks-university-of-duisburg-essen-s-data/
16/01/2023 21:11:47

The Vice Society ransomware gang has claimed responsibility for the November 2022 cyberattack that forced the University of Duisburg-Essen (UDE) to reconstruct its IT infrastructure, a process that's still ongoing.

bleepingcomputer EN 2023 Cyberattack Data-Leak Data-Theft Education Ransomware University-of-Duisburg-Essen Vice-Society
Two more malicious Python packages in the PyPI https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
16/08/2022 19:41:05

We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.

securelist 2022 EN PyPI Credentials-theft Data-theft Malware Open-source Python Trojan