saas - TrustStrike Labs

breach

2026-05-12

Identity governance vendor SailPoint discloses GitHub repository breach - third-party app flaw to blame

SailPoint, the identity governance vendor used by many large enterprises, disclosed in a SEC 8-K filing that attackers gained unauthorized access to a subset of its GitHub repositories on April 20. The company's incident response team contained the intrusion the same day. SailPoint says no customer data in production or staging was accessed and its services were not interrupted. The root cause was a vulnerability in a third-party application, which has been remediated. SailPoint notified affected customers directly and says no further customer action is needed. The company has not disclosed what data was actually in the impacted repos.

sailpoint identity github supply-chain saas

Check: If you use SailPoint (IdentityNow, IdentityIQ, or related products), check whether you received a direct notification dated after April 20, 2026, and review the scope details in your account portal.
Affected: SailPoint customers who received a direct breach notification dated on or after April 20, 2026. The company has not publicly disclosed which products, repositories, or customer subsets were specifically named in the notifications. No customer data in production or staging environments was accessed per SailPoint's SEC filing.
Fix: Follow guidance in your direct SailPoint notification. As a precaution, rotate any API tokens or service-account credentials issued for SailPoint integration over the past 12 months. Review SailPoint integration audit logs for unexpected activity from April onward. Ask SailPoint for the name of the third-party application whose flaw caused the intrusion - your organization may use it elsewhere.

breach

2026-05-11

AI merchant data platform Woflow leaked - 447,000 records exposed in ShinyHunters extortion

Woflow, an AI-driven platform that maintains menu and product data for restaurants and merchants on delivery apps, is the next named victim of ShinyHunters' extortion campaign. The group has published over 2 terabytes of files it says came from Woflow, including names, phone numbers, physical addresses, and email addresses. Have I Been Pwned loaded 447,593 unique email addresses from the dump. The exposed data appears to cover both Woflow's direct customers and the end customers of those merchants - so the breach radius is wider than Woflow's own user list, reaching the customers of every business that relies on Woflow's data.

shinyhunters extortion supply-chain saas food-delivery

Check: Check whether your restaurant chain, merchant operations, or delivery integrations rely on Woflow to maintain menu, product, or location data, and review customer service tickets for phishing referencing Woflow-handled records.
Affected: Direct Woflow customers (restaurant chains, merchant networks, delivery-app operators) and the end consumers of those merchants. Leaked fields confirmed by HIBP include names, email addresses, phone numbers, and physical addresses - 447,593 unique email addresses total. No passwords or payment details have been reported in the published dataset.
Fix: If you are a Woflow customer, contact your account team for the official IoC list and impacted-record scope. Notify your own customers if their data was passed through Woflow. Apply stricter inbound filtering for phishing impersonating restaurant brands, delivery platforms, or order confirmations. Rotate any API keys or shared credentials your team exchanged with Woflow integrations in the past 18 months.

breach

2026-04-07

ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

shinyhunters snowflake anodot saas supply-chain token-theft extortion

Check: Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.
Affected: Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.
Fix: Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.