What Happened in the Recent Cloud Data Breach?

In recent months, a wave of high-profile cloud breaches has sent shockwaves through businesses, governments, and service providers. These incidents highlight how subtle misconfigurations, stolen credentials, and social-engineering tactics can undermine entire cloud infrastructures. In this comprehensive article, we break down the major incidents of early 2025, explain what went wrong, and share critical lessons your business can apply today. 

1. Commvault Metallic Breach (May 2025) 

What happened: 
Commvault’s SaaS backup platform, Metallic (hosted on Microsoft Azure), fell victim to a zero-day exploit (CVE-2025-3928), allowing attackers—suspected to be state-affiliated—to steal client secrets and potentially access Microsoft 365 environments managed through the service (sources: infosecurity-magazine.com, techradar.com).

Impact: 
Though Commvault swiftly patched the flaw and isolated affected systems, the breach placed clients at risk by exposing critical credentials and administrative access tokens (source: techradar.com).

Lessons Learned: 

  • Never trust embedded credentials—rotate keys regularly and remove unused secrets. 
  • Apply zero-day patches immediately. 
  • Enforce tight access restrictions even in trusted SaaS environments. 

2. Oracle Cloud Supply-Chain Leak (March–April 2025) 

What happened: 
A hacker using the handle rose87168 claimed control over Oracle Cloud login servers, allegedly exfiltrating ~6 million records across 140,000+ tenants by exploiting an already-patched vulnerability in Oracle Access Manager (sources: idagent.com, cai.io, reddit.com). Oracle initially denied the breach but later notified some clients (sources: integrity360.com, cai.io, ptechpartners.com).

Impact: 
The breach exposed login credentials, single sign-on (SSO) tokens, and configuration data from critical infrastructure—highlighting the risk of supply-chain and multi-tenant cloud setups (sources: infosecurity-magazine.com, cai.io, cybersecurityhq.com).

Lessons Learned: 

  • Patch legacy tools like Oracle Access Manager—even if “not mission-critical.” 
  • Reset SSO tokens and “break-glass” accounts immediately after suspected compromise. 
  • Implement access controls to isolate critical infrastructure. 

3. Pearson Cloud Code and Token Breach (January 2025) 

What happened: 
UK education provider Pearson exposed a GitLab token in a public repository, giving attackers access to AWS, GCP, Snowflake, and Salesforce environments (sources: arxiv.org, cai.io, techradar.com, integrity360.com, brightdefense.com). Cybercriminals allegedly siphoned terabytes of data over months.

Impact: 
Millions of student records, financial reports, and internal communications were at risk. The breach was traced to mismanaged credentials in code repositories (sources: linkedin.com, integrity360.com, strobes.co).

Lessons Learned: 

  • Use secret scanners and enforce policies to prevent token leaks. 
  • Treat GitHub, GitLab, and CI environments as part of your attack surface. 
  • Use IAM controls and rotate tokens regularly—even for developers. 
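
One way to turn the first of these lessons into a concrete control is a scan of committed files for credential-shaped strings before they reach a repository. The Python script below is an added example written for this article, not code from Pearson, GitLab or any scanner vendor; the regexes, the entropy threshold and the sample .gitlab-ci.yml it scans are constructed for illustration and contain no real credentials.

```python
import math
import re
from collections import Counter

# Credential formats with a documented, recognisable prefix. The regexes are
# written for this example; the sample matches further down are constructed.
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch-all: a secret-looking name assigned a long literal. The entropy
# check below separates token-like values from placeholders such as "aaaa...".
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|passwd|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/_\-=]{16,})['"]?"""
)


def shannon_entropy(value):
    """Bits of entropy per character: 0 for repeated chars, above 4 for random tokens."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return findings as dicts with line number, kind and the matched literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific = []
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                specific.append(m.group(0))
                findings.append({"line": lineno, "kind": kind, "match": m.group(0)})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Already reported by a specific pattern on this line: do not double count.
            if any(value in s or s in value for s in specific):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_assignment", "match": value})
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed CI configuration standing in for a committed file; no real credentials.
SAMPLE_CI_FILE = """\
# .gitlab-ci.yml (constructed sample, not from any real repository)
variables:
  DEPLOY_REGION: eu-west-1
  GITLAB_TOKEN: glpat-AbCdEfGhIjKlMnOpQrSt
  AWS_ACCESS_KEY_ID: AKIAEXAMPLE0123456AB
  API_KEY: "Zx9qLm3TvB7nRk2PwY5sH8dF"
  SESSION_SECRET: "aaaaaaaaaaaaaaaaaaaa"
  DB_PASSWORD: "hunter2"
script:
  - echo "deploying"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CI_FILE):
        print(f"line {f['line']}: {f['kind']} -> {f['match']}")
```

Run it as a pre-commit hook or a CI job over changed files. Note what it does not catch: the short, low-entropy DB_PASSWORD line slips through, so pattern scanning complements rather than replaces keeping secrets out of repositories in the first place (vault references or variables injected by the CI system at run time).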

4. Aflac and Insurance Industry Ruse (June 2025) 

What happened: 
The Scattered Spider hacking group used sophisticated social engineering to breach support desks at Aflac, Erie Indemnity, and Philadelphia Insurance. No malware was used—attackers simply impersonated employees to bypass controls (sources: wsj.com, strobes.co).

Impact: 
While no ransomware was deployed, sensitive data—including Social Security numbers and health claims—was accessed or exfiltrated (source: wsj.com).

Lessons Learned: 

  • Train support teams to verify identity before granting access. 
  • Deploy layered controls to catch impersonation attempts. 
  • Monitor for anomalous data access patterns in real time. 
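
The third lesson, monitoring for anomalous data access, can be prototyped against application or support-desk audit logs. The Python below is an added example, not code from Aflac, the insurers named or any monitoring product; the log line format, the per-user baseline rules (a working-hour window, known source subnets, previously seen actions, and a volume ceiling relative to the median) and the sample events are all assumptions constructed for this illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Line format assumed for this example (constructed; not any vendor's real log schema):
#   <ISO-8601 UTC timestamp> user=<id> action=<name> records=<count> src=<IPv4>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) records=(?P<records>\d+) src=(?P<src>\S+)$"
)


def parse(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "user": m["user"],
        "action": m["action"],
        "records": int(m["records"]),
        "subnet": m["src"].rsplit(".", 1)[0],  # /24 prefix is enough for a toy baseline
    }


def build_baseline(events):
    """Per-user profile from historical events: hours, subnets, actions, typical volume."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hours = [e["ts"].hour for e in evs]
        baseline[user] = {
            "hour_range": (min(hours) - 1, max(hours) + 1),  # one hour of slack either side
            "subnets": {e["subnet"] for e in evs},
            "actions": {e["action"] for e in evs},
            "median_records": statistics.median(e["records"] for e in evs),
        }
    return baseline


def score(event, baseline, volume_factor=10):
    """Return the reasons an event deviates from its user's baseline (empty list = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    lo, hi = profile["hour_range"]
    if not lo <= event["ts"].hour <= hi:
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00 UTC")
    if event["subnet"] not in profile["subnets"]:
        reasons.append(f"new source subnet {event['subnet']}.0/24")
    if event["action"] not in profile["actions"]:
        reasons.append(f"first use of action {event['action']}")
    if event["records"] > volume_factor * max(profile["median_records"], 1):
        reasons.append(f"volume {event['records']} vs median {profile['median_records']}")
    return reasons


def detect(history_lines, new_lines):
    baseline = build_baseline(parse(line) for line in history_lines)
    alerts = []
    for line in new_lines:
        event = parse(line)
        reasons = score(event, baseline)
        if reasons:
            alerts.append((event["user"], reasons))
    return alerts


# Constructed sample data: a few days of normal activity, then three new events.
HISTORY = [
    "2025-06-02T09:14:02Z user=jdoe action=claims.read records=12 src=10.20.1.5",
    "2025-06-02T11:40:31Z user=jdoe action=claims.read records=8 src=10.20.1.5",
    "2025-06-03T14:05:10Z user=jdoe action=claims.read records=15 src=10.20.1.7",
    "2025-06-04T16:22:45Z user=jdoe action=claims.read records=10 src=10.20.1.5",
    "2025-06-02T10:01:00Z user=asmith action=policy.read records=3 src=10.20.2.9",
    "2025-06-03T13:30:00Z user=asmith action=policy.read records=4 src=10.20.2.9",
]
NEW_EVENTS = [
    "2025-06-10T10:15:00Z user=jdoe action=claims.read records=11 src=10.20.1.5",
    "2025-06-10T03:02:17Z user=jdoe action=claims.export records=4800 src=198.51.100.23",
    "2025-06-10T12:00:00Z user=asmith action=policy.read records=3 src=10.20.2.9",
]

if __name__ == "__main__":
    for user, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {user}: " + "; ".join(reasons))
```

The second jdoe event trips all four rules at once: an export of 4,800 records at 03:00 UTC from an address range the account has never used. A production detector would replace the hand-built baseline with a rolling window and route alerts into the same identity-verification process the support desk uses, but the shape of the logic is the same.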

5. Marks & Spencer Retail Cloud Attack (Easter 2025) 

What happened: 
Scattered Spider struck again—targeting M&S infrastructure via its IT partner, TCS. Using social engineering and stolen Windows password hashes, the hackers moved laterally across M&S systems (sources: wsj.com, strobes.co).

Impact: 
Systems were offline for 72+ hours, disrupting operations and costing up to £300M. Customer data and structural vulnerabilities were exposed (source: strobes.co).

Lessons Learned: 

  • Third-party partners must meet your security standards. 
  • Rotate credentials and limit lateral movement with network segmentation. 
  • Prepare for disruptions with robust incident-response planning. 

Why These Breaches Matter 

Pattern                          Examples
Human Error & Misconfiguration   Exposed tokens (Pearson), password hash theft (M&S)
Social Engineering               Aflac, M&S breaches
Supply-Chain Vulnerabilities     Oracle’s multi-tenant infrastructure
Zero-Day Exploits                Commvault’s CVE-2025-3928

What Your Business Should Do Now 

  1. Audit and Harden SaaS Settings 
    Scan for default credentials, stale secrets, and unused permissions—even in trusted tools. 
  2. Automate Secrets Management 
    Use vaults or key managers to rotate API tokens, service account keys, and other credentials on a schedule. 
  3. Deploy Real-Time Anomaly Detection 
    AI-assisted monitoring tools can flag unusual file access, login times, or data transfers. 
  4. Train Support Teams on Social Engineering 
    Use simulations and phishing drills. Apply MFA to internal systems. 
  5. Enforce Least Privilege & Network Segmentation 
    Microsegment cloud workloads and services—even within multi-tenant environments. 
  6. Test Incident Response Plans Regularly 
    Simulate breaches, including those involving social engineering and third-party connections. 
  7. Vet Third Parties & Partners 
    Include security clauses in contracts and require periodic audits. 
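
The first two steps above, and the Commvault lesson to rotate keys regularly and remove unused secrets, come down to keeping an inventory of secrets and applying a written policy to it. The script below is an added example for this article, not a vendor tool or any company's real inventory; the Secret record, the age and idle limits, and the inventory it audits are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Secret:
    name: str
    kind: str                    # "api_token", "service_account_key", "client_secret", ...
    owner: str                   # team or service responsible for rotation
    created: date
    last_used: Optional[date]    # None = never observed in use


# Policy assumed for this example: maximum age per kind, and how long a secret may sit idle.
MAX_AGE_DAYS = {"api_token": 90, "service_account_key": 90, "client_secret": 180}
DEFAULT_MAX_AGE_DAYS = 90
MAX_UNUSED_DAYS = 30


def audit(secrets, today):
    """Return (name, action, reason) tuples; action is "rotate" or "remove"."""
    findings = []
    for s in secrets:
        age = (today - s.created).days
        limit = MAX_AGE_DAYS.get(s.kind, DEFAULT_MAX_AGE_DAYS)
        if age > limit:
            findings.append((s.name, "rotate", f"age {age}d exceeds {limit}d limit for {s.kind}"))
        if s.last_used is None:
            # Provisioned but never used: a leftover from testing or an abandoned integration.
            if age > MAX_UNUSED_DAYS:
                findings.append((s.name, "remove", f"never used in {age}d since creation"))
        else:
            idle = (today - s.last_used).days
            if idle > MAX_UNUSED_DAYS:
                findings.append((s.name, "remove", f"idle for {idle}d"))
    return findings


def by_owner(findings, secrets):
    """Group findings by owning team so each team gets one actionable ticket."""
    owners = {s.name: s.owner for s in secrets}
    grouped = {}
    for name, action, reason in findings:
        grouped.setdefault(owners[name], []).append((name, action, reason))
    return grouped


# Constructed inventory; names, dates and owners are illustrative only.
TODAY = date(2025, 7, 1)
INVENTORY = [
    Secret("backup-svc-key", "service_account_key", "platform", date(2025, 1, 15), date(2025, 6, 30)),
    Secret("ci-deploy-token", "api_token", "devops", date(2025, 6, 10), date(2025, 6, 28)),
    Secret("legacy-sso-client-secret", "client_secret", "identity", date(2024, 11, 1), date(2025, 3, 2)),
    Secret("test-webhook-secret", "api_token", "devops", date(2025, 5, 20), None),
]

if __name__ == "__main__":
    for owner, items in by_owner(audit(INVENTORY, TODAY), INVENTORY).items():
        print(f"[{owner}]")
        for name, action, reason in items:
            print(f"  {action:6s} {name}: {reason}")
```

In practice the inventory is exported from the secret manager or cloud IAM service (most expose creation and last-used timestamps), and the grouped output becomes a rotation or removal ticket per owning team. The same pass can run on a schedule so that a secret past its limit is caught by policy rather than by an attacker.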

At I.T. For Less, We Can Help You: 

  • Scan and secure your cloud environments. 
  • Build automation for secrets management and credential rotation. 
  • Deploy AI-powered monitoring and incident response. 
  • Train staff and support teams to resist social-engineering attacks. 
  • Audit third-party integrations and enforce least privilege access. 

Final Thoughts 

Recent cloud breaches—from Commvault to Oracle to Scattered Spider—underscore that no business is immune. Whether due to a misplaced token or a convincing voice call, the weakest link in your security can be the one you least expect. 

But every breach offers a lesson: invest in detection, harden your systems, train your people, and never stop adapting. Secure your cloud right—and you turn risk into resilience. 

Need help auditing your cloud or responding to today’s threats? 
📧 Contact us | 📞 Schedule a Free Consultation | 🌐 www.itforless.com 
