Recent attacks on Jaguar Land Rover, Artists & Clients, and Salesloft have disrupted industries from manufacturing to the arts and technology.
Jaguar Land Rover Scrambles to Recover from Cyberattack
British automotive manufacturer Jaguar Land Rover (JLR) is working to restore its global operations after a cyberattack forced the company to disconnect critical systems, disrupting both manufacturing and retail activity.
In a notice, the company confirmed it had taken immediate action in response to the incident: “JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems,” a JLR spokesperson said.
“We are now working at pace to restart our global applications in a controlled manner. At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted.”
While the company has not disclosed the nature of the cyberattack, shutting down systems is a common containment measure against ransomware. The scale of the operational disruption suggests that file-encrypting malware may have been involved, although no known ransomware groups have claimed responsibility.
JLR’s parent company Tata Motors confirmed that the incident had a global impact, affecting multiple regions. Reports indicate that several manufacturing plants in the UK, including Solihull, were forced to shut down. Dealers across the country were left unable to register new vehicles or supply parts.
JLR have now said that some data has been impacted, but they declined to expand on who the information pertained to. Since the attack, Scattered Lapsus$ Hunters, the same group responsible for attacks on British retailer M&S earlier this year, have claimed responsibility.
The attack is the second cyberattack JLR have faced this year. In March, hackers claimed to have stolen source code and tracking data from the company. The recurrence has raised concerns among experts about whether previous vulnerabilities were left unaddressed.
Ransomware Group LunaLock Threatens to Sell Stolen Artwork to AI Companies
The ransomware group LunaLock has claimed responsibility for a cyberattack against Artists & Clients, a commission-based platform that connects artists with customers. The group is demanding a $50,000 ransom, threatening not only to leak user data but also to sell stolen artwork to AI companies for use in training datasets if payment is not made.
On August 30, users visiting the Artists & Clients website were met with a message from the attackers stating that the platform had been hacked. One user reported being redirected to a ransom note. The note alleged that all databases and files, including artwork, messages, and payment information, had been stolen and encrypted.
LunaLock’s ransom note gave Artists & Clients over a week to pay in Bitcoin or Monero, stating that if the deadline was missed the group would release all of the stolen data on their Tor site and submit users’ artwork to AI companies for integration into large language model (LLM) training datasets.
The incident brings to light how ransomware tactics are evolving. By leveraging growing anxieties around AI’s impact on creative industries, groups like LunaLock may increase pressure on victims to pay.
The Ongoing Fallout from the Salesloft Breach
A significant security breach at Salesloft, a company widely used for its AI chatbot to generate Salesforce leads, has resulted in the mass theft of authentication tokens. While initially focused on Salesforce data, Google has now confirmed the breach extends to valid authentication tokens for hundreds of other online services integrated with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.
Salesloft, which has over 5,000 customers, disclosed a security issue in the Drift application on August 20, urging customers to re-authenticate connections. However, it was not immediately clear that tokens had already been stolen.
On August 26, the Google Threat Intelligence Group (GTIG) revealed that hackers, identified as UNC6395, had taken large amounts of data from Salesforce instances between August 8 and August 18, 2025. The incident did not exploit a vulnerability in Salesforce itself, but instead relied on the stolen Salesloft tokens. The attackers have been actively going through the stolen data for sensitive credentials like AWS keys, VPN credentials, and Snowflake access.
The GTIG updated its advisory on August 28, confirming that a small number of Google Workspace accounts integrated with Salesloft also had their email accessed. Google strongly advises all organizations using Salesloft integrations to immediately invalidate all stored or connected tokens, regardless of the third-party service, and consider their data compromised. As a result, Salesforce blocked Drift integration with its platform, Slack, and Pardot on August 28.
The Salesloft breach highlights the growing threat of “authorization sprawl,” a term for attackers leveraging legitimate user access tokens to move undetected between systems. Instead of traditional malware, these threat actors exploit existing authorized access within centralized identity platforms.
Salesloft announced on August 27 that it has engaged Mandiant, Google Cloud’s incident response division, to investigate the root cause of the attack.