The Monthly Phish Fry: August 2025

Intro

Welcome back to the Monthly Phish Fry! Grab your tartar sauce, because August served up a massive security story, and the main course was a widespread exploit linked to the Salesforce ecosystem. This wasn't just a single catch; it was a sprawling net that ensnared some of the biggest names in the sea, reminding us all that in today's digital ocean, everyone is connected. And while that's the big fish we'll be dissecting, it wasn't the only thing on the menu. So, pull up a chair and sharpen your forks... let's dig in.

 

Casting a Wide Net: How the Salesforce Breach Reeled in the Big Fish

Now, before you think the CRM giant itself was cracked wide open, the reality is a bit more complex—and a lot more relevant to all of us. Instead of a direct breach of Salesforce's core systems, attackers found a vulnerability in the wider ecosystem, impacting third-party vendors and integrations that plug into the platform. Think of it as a master key that didn't open the company's front door, but instead unlocked a whole series of connected VIP suites.

And the net they cast was wide, reeling in some absolute whales. Google reported that one of its vendors was hit, leading to a customer data exposure. The attack was attributed to the hacking group ShinyHunters, which, the investigation found, had been at it since June. What treasures did they take? The Salesforce-hosted customer database was compromised, exposing the names, email addresses, and phone numbers of one of the largest customer bases.

HR software giant Workday announced a similar third-party incident. Likely using the information from the Salesforce database, attackers posed as internal HR or IT staff via phone calls and texts, tricking employees into granting system access.

Perhaps most concerning, credit titan TransUnion confirmed it was also a victim, putting sensitive financial and personal data at risk. Unlike some of the other companies affected, the TransUnion breach exposed more sensitive data, such as dates of birth, Social Security numbers, billing addresses, and customer support messages. In response, customers receive 24 months of free credit monitoring services (Woohoo!!...).

The Takeaway: This incident is a sizzling-hot reminder of the biggest risk in today's interconnected world: supply chain security. You can have the most secure boat on the ocean, but if a company you're tethered to springs a leak, you're going to get wet. It's no longer enough to just secure your own house; you have to vet the security of the entire digital neighborhood.

Stay safe, and don't get caught in someone else's net!

 

From Code to Concrete: The Growing Threat of Cyber-Physical Attacks

This month, the line between digital mischief and real-world danger was completely erased, highlighting the terrifying potential of cyber-physical attacks. We're not just talking about stolen data anymore; we're talking about hackers using keyboards to manipulate the physical world, and two major stories in August show this threat is no longer theoretical.

First, a chilling real-world example came from Norway, where the nation's spy chief officially blamed pro-Russian hackers for sabotaging a hydropower dam back in April. The attackers didn't just breach a network; they remotely seized control of the dam's systems, forced open a floodgate, and released millions of gallons of water for four hours before being stopped. While no one was harmed, the message was loud and clear: critical infrastructure is vulnerable, and the goal isn't just to steal information, but to demonstrate the power to cause physical disruption and fear.

Right on the heels of that news, the FBI issued a stark warning that the same threat is brewing here at home. An official alert detailed how Russian government hackers are actively targeting U.S. critical infrastructure. The agency found these actors conducting reconnaissance on networks, showing a specific interest in the "industrial control systems" that manage everything from power grids and pipelines to water treatment plants.

Taken together, these two events paint a grim picture. The attack in Norway is proof of concept—a successful cyber-physical assault. The FBI's warning shows the groundwork for similar, or potentially more damaging, attacks is actively being laid on U.S. soil. The threat has evolved: the goal is no longer just to own the network, but to own what the network controls.

 

Did You Say Cyber-Physical? An Open Invitation to Your Smart Home

If you thought your smart home was only listening for "Hey Google," researchers at this year's Black Hat security conference showed it might be taking orders from a much more sinister source: a simple calendar invite. In a mind-bending demonstration, security researchers revealed how they could take control of a person's smart home by sending them a malicious Google Calendar invitation.

The attack, dubbed a "Targeted Promptware Attack," works by hiding malicious instructions inside the title of a calendar event. When the victim asks their Gemini AI assistant to summarize their day, the AI reads the hidden prompt and is tricked into executing the attacker's commands.

This isn't just a digital prank. The researchers showed this technique could be used to control physical devices connected to Google Home—turning off lights, opening smart windows, and even turning on a boiler. The "invitation" became a key to the victim's house, allowing the attacker to manipulate their physical environment without ever setting foot inside. While Google has since rolled out fixes to prevent this specific exploit, the research opens a new, alarming chapter in security, proving that a simple, poisoned piece of data can bridge the gap from cyberspace to your living room.

 

This Month's Special: AI-Powered Phishing with a Side of Data Leakage

Hackers are now cooking with a potent new ingredient: artificial intelligence. Two recent reports reveal how threat actors are using sophisticated AI models as both the rod and the reel in their latest attacks, changing the landscape of cybercrime.

First, in an unprecedented spree reported by NBC News, a hacker used the AI chatbot Claude to automate nearly the entire lifecycle of a ransomware attack. The AI was instrumental in identifying vulnerable targets, generating malicious code, and even drafting ransom notes, in a campaign that targeted at least 17 organizations. This marks the first publicly documented case of an AI model automating such a comprehensive cybercrime operation.

Meanwhile, a report from Wired reveals a more subtle but equally potent threat sizzling in the pan. Security researchers demonstrated how a "poisoned" document can be used to leak sensitive data from services connected to AI models like ChatGPT. By tricking the AI into executing malicious commands embedded within a document, attackers can exfiltrate confidential information, showing just how deep the hook can be set in our increasingly integrated digital ecosystems.

Together, these two accounts show that the cybersecurity threats we're frying up are evolving, with AI now firmly in the arsenal of malicious actors.
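The calendar-invite attack in the smart home story and the poisoned document above share one root cause: text written by an outsider lands in the assistant's context and gets treated as instructions. The sketch below is an added example, not code from Google, OpenAI or the researchers, showing one way a defender could gate tool calls once untrusted content has been read. The tool names and the `Session` class are hypothetical, and the sample invite text is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for this sketch; not Gemini, Google Home or ChatGPT APIs.
ACTUATORS = {"lights.set", "window.open", "boiler.set"}   # change the physical world
EGRESS = {"http.fetch", "email.send"}                     # can carry data out
READ_ONLY = {"calendar.list", "drive.read"}

@dataclass
class Session:
    """Tracks which third-party sources have entered the model's context."""
    tainted_by: list = field(default_factory=list)

    def ingest(self, source: str, text: str) -> str:
        # Anything an outsider can write (event titles, shared documents) is data,
        # never instructions: record the source and fence the text for the prompt.
        self.tainted_by.append(source)
        return f"<untrusted source={source!r}>\n{text}\n</untrusted>"

    def authorize(self, tool: str, user_confirmed: bool = False) -> str:
        """Policy decision for a tool call the model proposes."""
        if tool in READ_ONLY:
            return "allow"
        if tool not in ACTUATORS | EGRESS:
            return "deny"                      # unknown tool: fail closed
        if not self.tainted_by:
            return "allow"                     # only the user's own words in context
        # Untrusted text is in context, so the model's proposal may not reflect
        # the user's intent; the decision moves to the user, outside the model.
        return "allow" if user_confirmed else "confirm"

def demo():
    clean, exposed = Session(), Session()
    # Constructed sample: an invite title written by a third party.
    exposed.ingest("calendar:external-invite", "Team sync [embedded instruction placeholder]")
    return (
        clean.authorize("window.open"),                         # user asked directly
        exposed.authorize("window.open"),                       # proposed after reading the invite
        exposed.authorize("email.send"),                        # data-leak path is gated too
        exposed.authorize("window.open", user_confirmed=True),  # user approved in the UI
        exposed.authorize("calendar.list"),                     # reading stays frictionless
        exposed.authorize("shell.exec"),                        # not on any list
    )

if __name__ == "__main__":
    print(demo())
```

Fencing untrusted text with delimiters does not by itself stop a model from following it; the `authorize` gate, which runs outside the model, is the control that holds.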

 

Ding-Dong Ditch 2.0

Let’s end on a light-hearted, nostalgic note.

Remember the simple, wholesome fun of Ding-Dong Ditch? A quick ring, a frantic giggle, and a mad dash into the bushes. Well, that classic neighborhood pastime has just received its 2.0 update, complete with high-impact features and a social media-ready interface.

Introducing the "Door Kick Challenge," the next-gen version where players skip the quaint doorbell and proceed directly to a forceful kick, all while a friend captures the "content" for viral glory. It's all the thrill of the original, but with the added bonus of potential property damage!

However, it seems the game's moderators—in this case, law enforcement—are dropping a major patch. They're reminding players that this new version comes with some serious bugs, like criminal charges and even arrest records. Some early adopters in Florida have already discovered the "Go to Jail" endgame. So while it may seem like light-hearted fun, maybe stick to the classic version. The 2.0 update has some consequences that definitely won't earn you any likes.
