ServiceNow has quietly told affected customers that attackers exploited an unauthenticated flaw in one of its API endpoints to pull data from hosted customer instances. The company applied a fix to hosted instances on June 5 that restricts the endpoint to authenticated users, and confirmed attackers had successfully queried customer instance tables, though it did not say what data was taken. ServiceNow instances routinely hold sensitive material such as IT support tickets, employee records, asset inventories, and internal documentation, and support tickets in particular often contain credentials, API tokens, and secrets shared during troubleshooting. ServiceNow has opened support cases with the customers it believes were impacted.
Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.
SailPoint, the identity governance vendor used by many large enterprises, disclosed in a SEC 8-K filing that attackers gained unauthorized access to a subset of its GitHub repositories on April 20. The company's incident response team contained the intrusion the same day. SailPoint says no customer data in production or staging was accessed and its services were not interrupted. The root cause was a vulnerability in a third-party application, which has been remediated. SailPoint notified affected customers directly and says no further customer action is needed. The company has not disclosed what data was actually in the impacted repos.
Woflow, an AI-driven platform that maintains menu and product data for restaurants and merchants on delivery apps, is the next named victim of ShinyHunters' extortion campaign. The group has published over 2 terabytes of files it says came from Woflow, including names, phone numbers, physical addresses, and email addresses. Have I Been Pwned loaded 447,593 unique email addresses from the dump. The exposed data appears to cover both Woflow's direct customers and the end customers of those merchants - so the breach radius is wider than Woflow's own user list, reaching the customers of every business that relies on Woflow's data.
ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.