One criminal, 50 hacked organizations, and all because MFA wasn't turned on
- Reference: 1767682866
- News link: https://www.theregister.co.uk/2026/01/06/50_global_orgs_hacked/
The thief, who goes by the moniker Zestix or Sentap, steals data from corporate file-sharing portals by using compromised cloud credentials obtained from information-stealing malware. And none of the purported victims [1]enforced multi-factor authentication (MFA), according to Hudson Rock, an Israeli cybersecurity company that specializes in infostealers.
Stolen credentials combined with a lack of MFA are always a recipe for disaster, as we have seen in earlier big breaches such as [2]Change Healthcare, [3]British Library, and [4]Snowflake customers' database hacks.
"Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door," the cybersecurity shop [6]said in a Monday report. "No exploits, no cookies – just a password."
We're told Zestix gains access after employees inadvertently download infostealer-laden files to their devices. The [9]stealer malware, such as [10]RedLine, [11]Lumma, or [12]Vidar, then snarfs up saved credentials and browser history.
The cybercriminal, who has been operating as an initial access broker and extortionist [13]since at least 2021, specifically targets enterprise file synchronization and sharing (EFSS) platforms like Progress Software's ShareFile, Nextcloud, and OwnCloud.
The Register reached out to all of the apparent victim companies listed in this story, plus the file-sharing software providers. As of press time, only one of them, Progress, had responded to our inquiries.
"Hudson Rock's investigation found that these recent compromises of corporate file-sharing portals - including ShareFile instances - were not the result of platform vulnerabilities, but consistent with the use of credentials previously stolen from infostealer-infected devices," a Progress spokesperson told us, adding that the compromises "appear to have involved the use of valid credentials in environments where multi-factor authentication was not enforced, which may have enabled unauthorized access."
The spokesperson added, "Progress continues to emphasize the importance of implementing multi-factor authentication as a widely recognized control to help mitigate the risk of credential-based attacks."
We will update this story if and when we receive any additional responses.
Meet the alleged victims
Most of the organizations listed in the Monday report have very sensitive data and span critical sectors such as utilities, aviation, robotics, housing, and government infrastructure, making this massive data dump particularly concerning.
The Register last week reported that [16]Pickett and Associates, a Florida-based engineering firm whose clients include major US utilities, was among the apparent victims after the data thief posted for sale 139 GB of engineering data about Tampa Electric Company, Duke Energy Florida, and American Electric Power. Zestix was selling this trove for 6.5 bitcoin, which amounts to about $585,000.
At the time, Pickett declined to comment, while a Duke Energy spokesperson told The Register that the company is investigating the criminal's claims.
Hudson Rock reports that Zestix obtained the engineering data by abusing stolen ShareFile credentials.
Turkey's Intecro Robotics, which manufactures aerospace testing equipment and defense robotics, was also reportedly victimized via ShareFile sans MFA. This 11.5 GB dataset reportedly contains critical military intellectual property.
Brazil's Maida Health is yet another of the 50-ish alleged victims, and the 2.3 TB dataset accessed via a Nextcloud instance reportedly contains the health records and sensitive personal information belonging to the Brazilian Military Police and their family members.
Burris & Macomber, a law firm that represents Mercedes-Benz USA in its lemon law cases and warranty litigation, was also an apparent victim, with the criminal claiming to have stolen active lemon law cases, defense strategies, and settlement policies from 48 states, along with thousands of customers' records containing VINs, license plates, home addresses, and phone numbers.
The Iberia Airlines breach reportedly contains 77 GB of technical safety data and confidential fleet information.
Pwned engineering servers belonging to CRRC MA – the Massachusetts subsidiary of the world's largest rolling stock manufacturer – reportedly contained complete signaling drawings, SCADA RTU lists, and "deliberately withheld" test reports regarding doors, HVAC, and propulsion systems, along with sensitive security info such as GPS coordinates of control rooms and battery rooms.
And the [21]list of reported victims goes on … and on, and on.
Credential hygiene
The report illustrates the growing problem with [22]infostealers, a [23]favorite method of ransomware gangs and other financially motivated criminals.
It also highlights the [24]growing trend of criminals simply [25]logging in – not breaking in – to cloud accounts, which security experts have been warning about for the past couple of years.
Plus, as Hudson Rock reports, "while some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them." This, the team adds, shows a "pervasive failure" in corporate credential hygiene with organizations neglecting to rotate passwords and invalidate sessions.
"It is time for organizations to enforce MFA and monitor their employees' compromised credentials," the security firm notes. We couldn't agree more. ®
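As an added example (not code from the article or from Hudson Rock's report), here is a small Python audit for the failure mode this section describes: a password harvested long ago that is still valid, older than a rotation window, on an account where MFA is not enforced. The accounts, the "stealer log", the address domain and the 365-day rotation window are constructed assumptions, and the comparison uses unsalted SHA-1 only to keep the example self-contained.

```python
"""Flag accounts exposed to the 'just a password' condition: leaked + stale + no MFA.
Constructed example; all data below is made up for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 365  # assumed rotation window


@dataclass(frozen=True)
class Account:
    email: str
    mfa_enforced: bool
    password_sha1: str  # hex SHA-1 of the current password (simplification)
    password_set_on: date


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def leaked_hash_index(stealer_log: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Map lower-cased email -> SHA-1 hashes of passwords seen in stealer logs.
    Only hashes are kept, so the defender never stores the leaked plaintext."""
    index: dict[str, set[str]] = {}
    for email, plaintext in stealer_log:
        index.setdefault(email.lower(), set()).add(sha1_hex(plaintext))
    return index


def assess(account: Account, leaked: dict[str, set[str]], today: date) -> list[str]:
    """Return findings for one account; an empty list means clean."""
    findings = []
    if account.password_sha1.upper() in leaked.get(account.email.lower(), set()):
        findings.append("current password present in stealer log")
    if (today - account.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than rotation window")
    if not account.mfa_enforced:
        findings.append("MFA not enforced")
    return findings


def walk_in_risk(account: Account, leaked: dict[str, set[str]], today: date) -> bool:
    """True when a leaked, still-valid password meets an account without MFA."""
    f = assess(account, leaked, today)
    return "current password present in stealer log" in f and "MFA not enforced" in f


def audit(accounts, stealer_log, today) -> dict[str, list[str]]:
    leaked = leaked_hash_index(stealer_log)
    return {a.email: assess(a, leaked, today) for a in accounts}


# Constructed sample data (example.test domain; not from the report).
STEALER_LOG = [("alice@example.test", "Winter2021!"), ("bob@example.test", "OldPassw0rd")]
ACCOUNTS = [
    Account("alice@example.test", False, sha1_hex("Winter2021!"), date(2021, 11, 3)),
    Account("bob@example.test", True, sha1_hex("OldPassw0rd"), date(2025, 9, 1)),
    Account("carol@example.test", False, sha1_hex("Fresh-2026-xyz"), date(2026, 1, 2)),
]
TODAY = date(2026, 1, 6)

if __name__ == "__main__":
    for email, findings in audit(ACCOUNTS, STEALER_LOG, TODAY).items():
        print(email, "->", "; ".join(findings) or "clean")
```

In a real deployment the stealer-log feed would come from a credential-monitoring service and the password hashes from the identity provider, compared under the provider's own hashing scheme rather than bare SHA-1.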
[1] https://www.theregister.com/2025/12/06/multifactor_authentication_passkeys/
[2] https://www.theregister.com/2024/05/08/unitedhealths_egregious_negligence/
[3] https://www.theregister.com/2025/05/01/ico_brit_library/
[4] https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/
[6] https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
[9] https://www.theregister.com/2025/12/16/santastealer_stuffs_users_credentials_crypto/
[10] https://www.theregister.com/2025/06/05/rewards_for_justice_maxim_rudometov/
[11] https://www.theregister.com/2025/06/02/security_news_roundup/
[12] https://www.theregister.com/2025/05/29/billions_of_cookies_available/
[13] https://www.darksignal.co/p/sentap-an-opportunistic-threat-actor
[16] https://www.theregister.com/2026/01/02/critical_utility_files_for_sale/
[21] https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/#victim-analysis
[22] https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
[23] https://www.theregister.com/2024/02/29/infostealers_increased_use/
[24] https://www.theregister.com/2025/10/16/ai_makes_phishing_45x_more_effective/
[25] https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/
Re: Most companies give away 50% of login credentials from the start
I've got 3 bank accounts and 3 credit card accounts in the UK and none of them uses an email address as the account login.
Re: Most companies give away 50% of login credentials from the start
Same for my French banks and various stock and pension accounts. The only important places I use that use email addresses are UK gov sites, and they have basic MFA.
MFA is definitely helpful, a few years ago I was alerted that my debit card had been compromised when I started to get 2FA approval requests for purchases I hadn't made. I called my bank, which blocked the card and reimbursed the few transactions that had been successful without authorisation (which shouldn't have been accepted).
"Most of the organizations [..] have very sensitive data and span critical sectors"
And yet, apparently, they did not have the required IT expertise to secure that data.
I'm guessing that they're going to be paying extra to get their IT up to speed now.
Seen it happen..
Seen it happen where the stealer malware attack was YEARS ago but the threat actor is trawling for credentials for exactly the service in question and found they were still valid.
IT departments can do lots of things - in this scenario even basic MFA will block the attack, but you can also rotate passwords at least once a year, monitor the dark web for credentials but perhaps most crucially clean up the data from these ancillary systems when no longer needed.
Most companies give away 50% of login credentials from the start
Any organisation which uses a user's email address as account credential is already handing over 50% of the required credentials for access (I'm looking at you, Microsoft, but this default is everywhere).
I know a bank where the user email address is NOT used for logins, and that alone makes a breach less likely (but yes, they also use MFA).
And no, ditto here. As a matter of fact, on most sites I have, the use of my email address in a login attempt will trigger a timeout for the originating IP address. Just because I can :).