Global Cyberattack Exposes Sensitive Data from 50 Major Companies via Stolen Credentials
An Iranian hacker, operating under the aliases Zestix and Sentap, has breached the private files of approximately 50 corporations worldwide, including Iberia Airlines, Pickett & Associates, Sekisui House, and CRRC MA. The attack, uncovered by Israeli cybersecurity firm Hudson Rock, exploited weak security practices, specifically the absence of multi-factor authentication (MFA), to gain unauthorized access to corporate file-sharing platforms such as ShareFile, Nextcloud, and OwnCloud.
Rather than targeting the companies directly, the hacker used infostealer malware, including RedLine, Lumma, and Vidar, to harvest passwords from unsuspecting individuals. These infostealers, often distributed through malicious downloads or cracked software, silently extract credentials saved in browsers, which the attacker then used to log in to corporate systems.
The stolen data spans highly sensitive materials: Iberia Airlines lost 77 GB of files, including aircraft safety manuals, while U.S.-based Pickett & Associates had 139 GB of utility infrastructure maps exposed. In Turkey, Intecro Robotics’ military drone and fighter jet designs were compromised, and Brazil’s Maida Health saw 2.3 TB of military police medical records stolen. Other victims included firms tied to public transit, aerospace, and financial services.
Notably, some of the compromised passwords were years old, underscoring the risks of outdated credentials and the lack of basic security measures. Hudson Rock’s findings also revealed that employee credentials from companies like Samsung, Walmart, and Deloitte are circulating in hacker logs, leaving them potentially vulnerable to similar attacks.
The incident highlights the critical role of MFA in preventing unauthorized access, as the breaches could have been thwarted with a simple secondary authentication step. The stolen data is now being auctioned on dark web forums, with no indication of whether affected organizations have secured their systems post-breach.
Source: https://hackread.com/lone-hacker-infostealers-global-companies-data/
Sekisui House US Holdings, LLC cybersecurity rating report: https://www.rankiteo.com/company/sekisui-house-us-holdings-llc
CRRC MA cybersecurity rating report: https://www.rankiteo.com/company/crrc-ma
K3G Solutions cybersecurity rating report: https://www.rankiteo.com/company/k3g-solutions
GreenBills cybersecurity rating report: https://www.rankiteo.com/company/greenbills
CiberC LATAM cybersecurity rating report: https://www.rankiteo.com/company/ciberc-latam
{
"id": "SEKCRRK3GGRECIB1767799956",
"linkid": "sekisui-house-us-holdings-llc, crrc-ma, k3g-solutions, greenbills, ciberc-latam",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {'industry': 'Utilities/Infrastructure', 'location': 'United States', 'name': 'Pickett & Associates', 'type': 'U.S. Firm'},
        {'name': 'Sekisui House', 'type': 'Company'},
        {'name': 'IFLUSAC', 'type': 'Company'},
        {'industry': 'Aviation', 'location': 'Spain', 'name': 'Iberia Airlines', 'type': 'Airline'},
        {'name': 'K3G Solutions', 'type': 'Company'},
        {'industry': 'Public Transit/Manufacturing', 'name': 'CRRC MA', 'type': 'Company'},
        {'name': 'GreenBills', 'type': 'Company'},
        {'name': 'CiberC', 'type': 'Company'},
        {'industry': 'Defense/Robotics', 'location': 'Turkey', 'name': 'Intecro Robotics', 'type': 'Company'},
        {'customers_affected': 'Military police', 'industry': 'Healthcare', 'location': 'Brazil', 'name': 'Maida Health', 'type': 'Healthcare Provider'},
        {'industry': 'Transportation', 'location': 'United States', 'name': 'LA Metro', 'type': 'Public Transit Agency'},
    ],
    'attack_vector': 'Stolen Credentials',
    'data_breach': {
        'data_exfiltration': 'Yes (auctioned on dark web)',
        'personally_identifiable_information': 'Yes (medical records, military personnel data)',
        'sensitivity_of_data': 'High (military, medical, infrastructure-related)',
        'type_of_data_compromised': [
            'Medical records',
            'Military blueprints',
            'Internal documents',
            'Safety manuals',
            'Power line maps',
            'Utility station details',
            'Military drone designs',
            'Fighter jet designs',
            'Train brake and signaling plans',
        ],
    },
    'description': 'A lone hacker, believed to be an Iranian national operating under the names Zestix and Sentap, breached approximately 50 major companies worldwide by exploiting stolen credentials obtained via infostealers. The attacker auctioned stolen corporate data on dark web forums, including sensitive files such as medical records, military blueprints, and internal documents. The breach was facilitated by the lack of Multi-Factor Authentication (MFA) on company file-sharing platforms.',
    'impact': {
        'brand_reputation_impact': 'Significant',
        'data_compromised': 'Massive amounts of corporate data, including medical records, military blueprints, and internal documents',
        'identity_theft_risk': 'High (due to exposure of PII and sensitive data)',
        'operational_impact': 'Exposure of sensitive internal and customer data',
        'systems_affected': 'File-sharing platforms (ShareFile, Nextcloud, OwnCloud)',
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Yes (auctioned to highest bidder)',
        'entry_point': 'Stolen credentials via infostealers (RedLine, Lumma, Vidar)',
        'high_value_targets': 'File-sharing platforms (ShareFile, Nextcloud, OwnCloud)',
    },
    'investigation_status': 'Ongoing (research by Hudson Rock)',
    'lessons_learned': 'Basic security measures like Multi-Factor Authentication (MFA) and regular password changes could have prevented the breach. Stolen credentials remain a significant threat if not properly secured.',
    'motivation': 'Financial gain (auctioning stolen data on dark web)',
    'post_incident_analysis': {
        'corrective_actions': [
            'Implement MFA across all systems',
            'Monitor for stolen credentials',
            'Enhance employee training on cybersecurity best practices',
        ],
        'root_causes': [
            'Lack of Multi-Factor Authentication (MFA)',
            'Use of stolen credentials obtained via infostealers',
            'Failure to enforce regular password updates',
        ],
    },
    'recommendations': [
        'Enforce Multi-Factor Authentication (MFA) on all corporate systems',
        'Regularly update and rotate passwords',
        'Monitor for stolen credentials in dark web forums',
        'Implement enhanced monitoring for unauthorized access',
        'Educate employees on the risks of downloading cracked software or fake files',
    ],
    'references': [
        {'source': 'Hudson Rock / Infostealers.com', 'url': 'https://infostealers.com'},
        {'source': 'Exploit.in (Russian cybercrime forum)'},
    ],
    'response': {'third_party_assistance': 'Hudson Rock (cybersecurity firm)'},
    'threat_actor': 'Zestix (aka Sentap), Iranian national',
    'title': 'Massive Corporate Data Breach via Stolen Credentials',
    'type': 'Data Breach',
    'vulnerability_exploited': 'Lack of Multi-Factor Authentication (MFA)',
}