Chipotle Mexican Grill, Inc.
October 9, 2025
•[ phishing, social engineering, data leak ]
Chipotle Mexican Grill disclosed unauthorized access to employee Workday payroll accounts between October 9 and October 26, 2025. Attackers used phishing and social engineering to access accounts and alter payroll information. State breach notices identified 31 affected employees in Maine and 2 in New Hampshire; the company has not disclosed a nationwide total, and state figures represent only partial reporting.
Aflac
June 12, 2025
•[ social engineering, data leak ]
Threat actor Scattered Spider (UNC3944/0ktapus) used social-engineering to gain access to Aflacs U.S. network, accessing internal application servers that stored personal and claims data; no ransomware deployed and scope of exfiltration undetermined.
Keir Giles (UK academic)
May 22, 2025
•[ social engineering, phishing, data leak ]
Targeted social-engineering campaign impersonating U.S. State Department tricked Keir Giles into generating app-specific passwords, allowing a nation-state actor to access his Gmail account data stored on Google servers; no evidence of intrusion into affiliated institutional networks.
Co-op (The Co-operative Group)
April 22, 2025
•[ data leak, social engineering ]
6.5M member records stolen following a social-engineering-enabled breach; AD password-hash database also taken; Co-op temporarily shut down some IT systems.
Pillsbury Winthrop Shaw Pittman LLP
April 1, 2025
•[ social engineering, data leak, personally identifiable information ]
Global law firm Pillsbury Winthrop Shaw Pittman reported that in April 2025 a sophisticated social-engineering attack allowed an intruder to gain limited access to its internal systems. The attacker convinced a single user to grant access and then rapidly downloaded a set of documents containing sensitive personal information, including names, Social Security numbers, addresses, birthdates, and some financial account details for thousands of people. Pillsbury stated that the activity was quickly detected and blocked, and it subsequently bolstered its security controls and notified affected individuals, with public disclosure occurring on November 6, 2025. The breach has since led to class-action litigation alleging inadequate safeguards and delayed notification.
Undisclosed European drone manufacturer
March 25, 2025
•[ phishing, social engineering, malware ]
North Korean operators approached European defense engineers with fake job offers, delivering loaders that sideloaded ScoringMathTea and BinMergeLoader/MISTPEN to exfiltrate proprietary UAV designs and manufacturing know-how. Intelligence-collection focus; campaign targets several firms rather than one discrete victim record.
Pump.fun X account
February 26, 2025
•[ account takeover, social engineering, cryptocurrency scam ]
The official X account of Pump.fun was hijacked on February 26, 2025, and used to promote a fake governance token named PUMP and other scam cryptocurrencies, misleading users and causing financial harm before the fraudulent posts were removed and access was restored.
Charles County Public Schools
February 26, 2025
•[ social engineering, account compromise, payroll fraud ]
Caller convinced staff to reset MFA, accessed employee email and Oracle accounts, and attempted payroll change (stopped).
Urban One, Inc.
February 13, 2025
•[ ransomware, social engineering, data leak ]
Ransomware group Cactus gained access to Urban Ones internal HR and payroll servers via social-engineering intrusion beginning February 2025, exfiltrating employee PII and financial data; company confirmed breach and notified affected staff.
Insight Partners
January 16, 2025
•[ ransomware, social engineering, data leak ]
On January 16, 2025, Insight Partners detected a cyberattack following a social engineering intrusion first traced to October 2024. Attackers exfiltrated sensitive files related to funds, management companies, portfolio companies, banking and tax records, and personally identifiable data of employees, partners, and investors. More than 12,000 individuals were affected. The incident escalated into a ransomware attack, with systems partially encrypted before containment. No named threat group has been identified, but the actor is criminal and financially motivated.
Coinbase users
December 1, 2024
•[ phishing, social engineering ]
Between December 2024 and January 2025, criminal phishing campaigns impersonating Coinbase support stole approximately $65 million in cryptocurrency from hundreds of users worldwide. Attackers used fake login pages, wallet-draining scripts, and social-engineering messages to capture credentials and bypass two-factor authentication. Coinbase confirmed that its own systems were not breached.
