Major Cybersecurity Breaches and Incidents: A Running Timeline

This page is a structured log of major publicly disclosed cybersecurity breaches and incidents, organised by date. Unlike aggregate statistics reports, it names specific organisations, documents the attack vectors used, and records the confirmed scale of each event — based only on information that has been officially disclosed.

CyberSanso includes only incidents confirmed by the affected organisation, a named security research firm, or a regulatory body. Threat actor announcements and unverified dark web listings alone are not sufficient. Contact us using the sidebar email if you identify an error or important omission.

2025-2026: Named Incidents (Selected)

June 2026 — Klue (SaaS Supply Chain)
Competitive intelligence platform Klue detected unauthorised access on June 12 2026. Attackers used a compromised legacy credential to obtain OAuth tokens for third-party platforms including Salesforce, gaining trusted access to connected customer environments. CrowdStrike engaged for investigation. Attribution to ShinyHunters via Telegram claim remains unverified. Source: SOCRadar, ThreatLocker, Obsidian Security, Huntress, June 2026.

April 2026 — Vercel (SaaS OAuth Supply Chain)
Vercel disclosed a security incident on April 19 2026 traced to a Lumma Stealer malware infection at Context.ai (a third-party OAuth app) in approximately February 2026. Attackers inherited valid OAuth tokens and accessed Vercel internal systems, exfiltrating customer API keys and source code. Mandiant engaged. Source: Trend Micro analysis, April 21 2026; Obsidian Security.

August 2025 — Salesloft-Drift (SaaS Supply Chain, 700+ organisations)
Attackers exploited OAuth tokens from Salesloft’s Drift chatbot integration between August 8-18 2025, accessing over 700 organisations’ Salesforce CRM environments. Data exfiltrated included customer contacts, opportunity records, and stored credentials including AWS keys. Persistent refresh tokens were used — MFA was not a barrier. Google revoked Drift Email integration OAuth tokens after confirming Google Workspace access. FINRA issued a formal cybersecurity alert to member firms. Source: ReliaQuest, Obsidian Security, FINRA cybersecurity alert, August 2025.

November 2025 — Gainsight (SaaS Supply Chain)
Customer success platform Gainsight was reported as another SaaS supply chain compromise using the same OAuth token playbook, reportedly affecting 200+ Salesforce instances. Attribution to ShinyHunters unverified independently. Source: Cyber Defense Magazine, January 2026 analysis.

Source Standards and How to Use This Timeline

Source requirements for inclusion:
Official disclosure from the affected organisation (press releases, SEC 8-K filings, regulatory notifications).
Named security research firms with public attribution: Mandiant, CrowdStrike, ReliaQuest, Obsidian Security, Trend Micro, Unit 42, and equivalent named organisations.
Regulatory alerts from named authorities: CISA, FINRA, NCSC, BSI, and sector regulators.
Court filings and law enforcement disclosures where public.

What we exclude: Incidents reported only by anonymous sources. Unverified threat-actor claims (Telegram, dark web listings) without independent confirmation. Claimed breaches where neither the affected organisation nor a named researcher has independently confirmed. Attribution to specific threat actors is noted only where a named security organisation has made the attribution publicly.

Update process: CyberSanso aims to publish a verified entry within 48-72 hours of a publicly confirmed major incident, once sufficient reliable detail is available. Time-sensitive entries are marked with the date last verified.

The defining 2025-2026 pattern: SaaS supply chain breaches represent the most significant incident pattern of this period, with Unit 42 data showing SaaS-relevant cases growing from 6% of IR investigations in 2022 to 23% in 2025. The consistent methodology: compromise a trusted third-party integration, inherit its OAuth tokens, access every downstream environment that trusted the integration. The Salesloft-Drift case demonstrated a blast radius 10 times larger than an equivalent direct platform attack.

Publishing unverified breach claims about named organisations causes real harm if wrong or exaggerated. CyberSanso requires independent confirmation — from a named security research firm, a regulatory authority, or the organisation itself — before adding any incident. Threat actor Telegram announcements are noted as claims but are not treated as confirmed until verified independently.

In August 2025, attackers accessed the Drift chatbot integration connected to Salesloft and exploited its persistent OAuth refresh tokens to access CRM data across more than 700 organisations between August 8-18 2025. The breach is significant because: the attackers never needed a password or MFA bypass; the blast radius was 10x larger than a direct Salesforce attack; and FINRA issued a formal alert, making it the most publicly documented SaaS supply chain case of 2025. Source: ReliaQuest, Obsidian Security, FINRA cybersecurity alert.

The MOVEit Transfer breach in May-June 2023 was a SQL injection vulnerability in Progress Software's file transfer application exploited by the Cl0p ransomware group. Hundreds of organisations globally were affected including US federal agencies, UK government contractors, and large enterprises. It differs from the 2025-2026 SaaS OAuth pattern in that it was a software vulnerability exploited across many deployments, not a trust-relationship abuse targeting connected integrations.

CyberSanso aims to publish a verified entry within 48-72 hours of a publicly confirmed major incident, once sufficient reliable detail is available from named sources. We do not publish speculative entries. If a breach you are researching is not listed here, it may be that independent confirmation was not yet publicly available at our last review, or it did not meet our materiality threshold. Flag omissions using the contact link in the sidebar.

A CVE tracker logs software vulnerabilities: specific code flaws assigned an identifier and severity score. This breach timeline logs actual incidents: real events where an organisation's data or systems were compromised, regardless of whether the vector was a CVE-tracked vulnerability. The Salesloft-Drift breach involves no CVE — it exploited a design characteristic of OAuth integrations rather than a software bug. Both types of tracking are necessary; they capture different things.