Brief #118: PayPal 15.8M Credentials Stolen, Workday Breach, AI Sprawl Risks

Nikoloz Kokhreidze

8 min read

Initial Access Brokers surge 90% targeting smaller US companies. Machine identities now outnumber humans 80 to 1, while most organizations lack AI security controls.

Happy Sunday!

It seems we're drowning in our own data - with 61% of security teams overwhelmed by threat intelligence feeds while lacking the skilled analysts to make sense of it all.

In this week's brief:

  • Initial Access Brokers are shifting their sights to smaller US companies with weaker defenses, while VPN access becomes their new favorite entry point
  • AI adoption is exploding across enterprises, but security teams can only see about 20% of what's actually being used - creating some serious blind spots
  • A SOC Lead candidate got rejected mid-interview for not knowing a specific tool, sparking debate about what really matters in security hiring

A quick note before we dive in.

A Quick note

Is security slowing your business growth? Want your security team to actually drive revenue instead of just saying "no" to everything?

I transform security into your secret weapon for winning deals.

Let's fix this.

Book a Free Discovery Call

Industry News

Initial Access Brokers Target US Companies While Shifting Focus to Smaller Organizations

  • Initial Access Brokers (IABs) primarily targeted the US (31%) in 2023, while France and Brazil saw increased targeting in 2024, with a 90% increase in accesses for sale across the top 10 targeted countries – suggesting ransomware actors are concentrating on specific geographic regions.

  • The manufacturing sector has risen into the top 3 targeted industries in 2024, joining business services and retail, while IABs have shifted focus to smaller organizations with revenue between $5M-$50M (60.5% of all listings), potentially due to their weaker security posture.

  • VPN access has surged in 2024 (33% of listings), challenging RDP access (55%) as the preferred access type sold by IABs, with most access listings priced between $500-$3,000, though high-value targets can exceed $10,000.

Threat Actor Offering 15.8 Million PayPal Credentials For Sale

  • A threat actor named "Chucky_BF" is advertising a "Global PayPal Credential Dump 2025" containing 15.8 million plain-text password and email combinations with associated PayPal URLs for just $750.

  • The 1.1GB dataset likely originated from infostealer malware logs rather than a direct PayPal breach, containing login details collected from infected devices worldwide across multiple email providers.

  • The data includes specific PayPal endpoints like /signin and /signup, along with Android-specific URIs, potentially enabling automated credential stuffing attacks against both web and mobile services.

Workday Discloses Data Breach Following Salesforce Attack

  • HR giant Workday confirmed a data breach after threat actors gained access to their third-party CRM platform through a social engineering campaign, primarily exposing business contact information such as names, email addresses, and phone numbers.

  • The breach is part of a larger campaign linked to the ShinyHunters extortion group targeting Salesforce instances, with attackers using social engineering and voice phishing techniques to trick employees into linking malicious OAuth apps.

  • Workday, which serves over 11,000 organizations including more than 60% of Fortune 500 companies, discovered the breach on August 6 and emphasized that no customer tenants or the data within them were accessed during the incident.
