Kodak, Salesforce, and ServiceNow Data Breaches: Implications for Cybersecurity Practices

The week of June 21–28, 2026 didn’t bring a single “mega-breach” headline confined neatly to those seven days. Instead, it underscored something more operationally dangerous: breach narratives now unfold across weeks, with initial disclosures, third-party confirmations, and downstream customer impact arriving on different clocks. The most instructive signals for this week come from late-June response posture around incidents disclosed just prior—Kodak confirming a breach claimed by ShinyHunters, continued Salesforce-related data thefts via a compromised third-party app integration, and ServiceNow’s disclosure of an API flaw that enabled customer-instance data queries. Together, these incidents highlight a modern breach pattern: attackers don’t need to defeat your perimeter if they can exploit your ecosystem—your SaaS integrations, your exposed APIs, and your long-lived enterprise platforms.
A second theme is the reappearance of a familiar extortion brand. ShinyHunters is tied to Kodak’s confirmed breach and separately claimed broad PeopleSoft-related thefts affecting over 100 organizations. That pairing matters because it suggests a playbook that spans both “brand-name victim” pressure and scalable enterprise software targeting. Meanwhile, the Salesforce/Klue incident shows how business data—contacts, quotes, and sales artifacts—can be exfiltrated without classic ransomware encryption, yet still create real leverage and real harm.
This week’s takeaway for security leaders is not “patch faster” in the abstract. It’s to treat integrations and APIs as first-class attack surfaces, and to assume breach response will be iterative: initial scope is rarely final, and third-party compromise can turn a trusted workflow into an exfiltration channel overnight. [1][2][4]
What happened: four breach signals that define the week
Kodak acknowledged a security breach in which attackers accessed a limited amount of company data, with the ShinyHunters extortion gang claiming responsibility. Kodak said it is working with external cybersecurity experts to investigate and determine the extent of data accessed. While the report landed June 17, the confirmation and investigation posture are the kind of “active incident” reality many organizations lived through during June 21–28: containment and scoping continue well after the first public mention. [1]
In parallel, Dark Reading reported that threat actors exploited the Klue Battlecards app integration to access Salesforce customer data—described as the third incident involving third-party applications connected to Salesforce. One named victim, cybersecurity vendor Huntress, reported unauthorized access to sales-related information including business contacts and price quotes. This is a breach pattern that doesn’t require compromising Salesforce itself; it leverages the trust boundary created by app integrations. [2]
Another major disclosure came from ServiceNow: attackers exploited an unauthenticated access flaw in a vulnerable API endpoint, enabling them to query data from customer instances. ServiceNow applied a security update on June 5, 2026, and said it is working with affected customers to assess impact. The key detail is the mechanism—unauthenticated API access—because it collapses the distance between “internet-exposed” and “customer data reachable.” [4]
Finally, BleepingComputer reported ShinyHunters targeting Oracle PeopleSoft servers, claiming theft from over 100 organizations by using a combination of old and zero-day vulnerabilities across cloud and on-premises instances. Oracle had not publicly disclosed information about these attacks at the time of reporting. Even though this report is earlier in June, it frames the broader breach environment that persisted into the June 21–28 week: enterprise platforms with mixed patch levels and heterogeneous deployments remain attractive at scale. [3]
Why it matters: the ecosystem is the new perimeter
These incidents collectively point to a breach reality where “your data” is reachable through paths you don’t fully control. The Salesforce/Klue compromise is a direct example: a third-party app integration became the access route to customer data, and the stolen material included operationally sensitive sales artifacts (contacts and quotes) that can be exploited for competitive intelligence, targeted social engineering, or extortion pressure. The fact that this was described as the third such incident involving third-party apps connected to Salesforce elevates it from a one-off to a systemic integration-risk problem. [2]
ServiceNow’s incident reinforces the same lesson from a different angle: APIs are not just plumbing; they are product surfaces. An unauthenticated access flaw in an API endpoint that allows querying customer-instance data is the kind of issue that can turn a configuration or implementation mistake into cross-customer exposure. Even with a security update applied on June 5, the operational burden shifts to customers and incident responders to determine what was queried and what was accessed. [4]
Kodak’s confirmation adds the extortion dimension. When a named extortion gang claims responsibility, the breach becomes not only a technical investigation but also a pressure campaign. Kodak’s statement that only a limited amount of data was accessed and that external experts are engaged is typical of early-to-mid investigation phases—precisely the period many organizations find themselves in during the week after disclosure. [1]
The PeopleSoft targeting claim—over 100 organizations—illustrates scale economics for attackers: widely deployed enterprise software, spanning cloud and on-premises, offers a broad target set where vulnerability age and patch variance can be exploited. Whether or not every claimed victim is independently confirmed in public reporting, the described technique mix (old and zero-day vulnerabilities) is a reminder that “legacy” and “unknown” can coexist in the same intrusion chain. [3]
Expert take: treat integrations, APIs, and enterprise platforms as breach multipliers
The most actionable expert lens from this week is to stop categorizing breaches solely by “who got hacked” and start categorizing them by “which trust boundary failed.” In the Salesforce/Klue case, the trust boundary is the third-party app integration: once an app is connected, it can become a conduit to customer data if compromised. The reporting explicitly frames this as a continuing pattern, which should push security teams to inventory connected apps, review permissions, and treat app governance as a core control—not an IT convenience. [2]
ServiceNow’s disclosure highlights another boundary: unauthenticated API access. When an API endpoint can be queried without authentication, the blast radius can include customer-instance data exposure. The presence of a security update (June 5) is important, but it doesn’t erase the need for detection and scoping—what matters is whether attackers queried data before the fix and what telemetry exists to answer that question. [4]
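The scoping question raised above (what was queried without authentication before the fix, and what telemetry can prove it) can be sketched as a log review. This is an added example, not code from the article or from ServiceNow; the log layout, the `/api/PLACEHOLDER/` path, the source addresses and the end-of-day cutoff are all assumptions, since the article names no endpoint and gives only the fix date.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions (not from the article): log layout, endpoint path, exact cutoff time.
# Only the fix date is given, so all of June 5 is treated as potentially exposed.
FIX_CUTOFF = datetime(2026, 6, 6, tzinfo=timezone.utc)
API_PREFIX = "/api/PLACEHOLDER/"   # placeholder; the article names no endpoint

LINE_RE = re.compile(
    r'(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample log lines (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
2026-06-02T03:14:07Z 198.51.100.23 - "GET /api/PLACEHOLDER/table?limit=1000" 200 48211
2026-06-02T03:14:09Z 198.51.100.23 - "GET /api/PLACEHOLDER/table?limit=1000&offset=1000" 200 47990
2026-06-03T10:00:00Z 203.0.113.5 svc_reporting "GET /api/PLACEHOLDER/table?limit=10" 200 912
2026-06-04T22:41:30Z 192.0.2.77 - "GET /api/PLACEHOLDER/table" 401 120
2026-06-05T23:59:59Z 198.51.100.23 - "GET /api/PLACEHOLDER/users" 200 15003
2026-06-07T08:00:00Z 198.51.100.23 - "GET /api/PLACEHOLDER/table" 401 120
not a log line
"""

def scope_unauthenticated_reads(log_text):
    """Summarise successful unauthenticated API reads per source IP, split by fix cutoff."""
    exposed = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    after_fix, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # count gaps: missing telemetry limits what you can prove
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if not m["path"].startswith(API_PREFIX) or m["user"] != "-":
            continue               # other endpoints and authenticated callers are out of scope
        if not m["status"].startswith("2"):
            continue               # rejected requests returned no data
        if ts >= FIX_CUTOFF:
            after_fix.append(line) # should stay empty once the fix is effective
            continue
        s = exposed[m["ip"]]
        s["requests"] += 1
        s["bytes"] += int(m["bytes"])
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
    return dict(exposed), after_fix, unparsed
```

The per-source byte totals and first/last timestamps give responders a bounded statement of what could have been read, and a non-zero unparsed count is a reminder that gaps in the log limit what can be ruled out.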
ShinyHunters’ appearance across Kodak and PeopleSoft-related claims suggests an extortion actor comfortable operating across different victim profiles and technical surfaces. Kodak’s breach confirmation shows the “named victim” pressure tactic, while the PeopleSoft targeting claim suggests a scalable approach against enterprise software deployments. For defenders, the lesson is to align incident response playbooks across both scenarios: a single actor can run both targeted extortion and broad exploitation campaigns, and your organization might be exposed through either brand visibility or software footprint. [1][3]
Finally, the absence of public disclosure from Oracle in the PeopleSoft report is a reminder that defenders often must act on credible third-party reporting and internal evidence, not just vendor advisories or confirmations. That reality increases the value of proactive monitoring and rapid internal validation when credible claims emerge. [3]
Analysis & Implications: breach timelines are stretching, and “data theft” is the product
Across these incidents, the connective tissue is not a single vulnerability class—it’s the way modern organizations assemble systems. SaaS platforms, app marketplaces, API-driven workflows, and long-lived enterprise applications create a mesh of dependencies. Attackers exploit that mesh by finding the weakest trust boundary: a compromised integration (Klue), an unauthenticated API endpoint (ServiceNow), or vulnerable enterprise servers deployed across varied environments (PeopleSoft). [2][4][3]
One implication is that breach detection and disclosure are increasingly asynchronous. Kodak’s confirmation and ongoing investigation posture illustrates how “what happened” and “what was accessed” can remain fluid for days or weeks. That matters for customers, partners, and employees who want definitive answers quickly—but the technical reality is that scoping data access is often the hardest part, especially when attackers focus on theft rather than disruption. [1]
Another implication is that data theft is becoming the primary deliverable. None of the reporting here centers on encryption or operational shutdown as the defining feature; instead, it’s about unauthorized access and exfiltration—sales data via Salesforce integrations, customer-instance data via ServiceNow API queries, and broad organizational data theft claims via PeopleSoft exploitation. This shifts defensive priorities toward preventing unauthorized reads and exports, not just preventing system downtime. [2][4][3]
Third, third-party and platform risk management is no longer a compliance checkbox. The Salesforce/Klue incident is explicitly about a third-party app integration being the access path, and it’s described as part of a continuing series. That suggests organizations should treat connected apps as privileged actors: minimize permissions, continuously review access, and be prepared to revoke integrations quickly when compromise is suspected. [2]
Finally, the PeopleSoft report’s mention of both old and zero-day vulnerabilities is a sober reminder that patching alone is necessary but not sufficient. “Old” vulnerabilities imply backlog and hygiene gaps; “zero-day” implies that even well-maintained environments can be at risk. The practical response is layered: reduce exposure, monitor for anomalous access, and assume that some attacks will bypass preventive controls—making logging, alerting, and incident response readiness decisive. [3]
Conclusion: the breach surface is wherever trust is granted
June 21–28, 2026 is best understood as a week where the breach story was about surfaces of trust: integrations, APIs, and ubiquitous enterprise platforms. Kodak’s confirmed breach—claimed by ShinyHunters—shows how extortion actors continue to pressure recognizable brands while investigations unfold. The Salesforce/Klue compromise demonstrates that “secure SaaS” can still leak data through connected applications, and that the stolen material can be business-critical even when it isn’t traditionally regulated. ServiceNow’s API flaw reinforces that unauthenticated access paths can turn product endpoints into customer-data exposure events. And the PeopleSoft targeting claims underline how attackers pursue scale by exploiting widely deployed systems across cloud and on-premises footprints. [1][2][4][3]
The practical takeaway is to map and defend trust, not just infrastructure. Know which apps are connected to your core platforms, what they can access, and how quickly you can revoke them. Treat APIs as externally reachable products that require rigorous authentication and monitoring. And for enterprise platforms, assume patch variance exists and build detection and response around the possibility of both known and unknown vulnerabilities.
In a breach economy optimized for data theft, the organizations that fare best won’t be the ones that never get probed—they’ll be the ones that can rapidly prove what was (and wasn’t) accessed, and can cut off compromised trust paths before theft becomes leverage.
References
[1] Kodak confirms data breach claimed by ShinyHunters extortion gang — BleepingComputer, June 17, 2026, https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/?utm_source=openai
[2] Salesforce Data Thefts Continue via Klue App Compromise — Dark Reading, June 18, 2026, https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise?utm_source=openai
[3] Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks — BleepingComputer, June 10, 2026, https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/amp/?utm_source=openai
[4] ServiceNow discloses security incident exposing customer data — BleepingComputer, June 9, 2026, https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/?utm_source=openai