SonicWall has confirmed that **all customers** using its **MySonicWall cloud backup service** were affected by a security incident it first disclosed in September 2025. The attackers accessed **firewall configuration backup files**. These hold far more than topology: network settings, policies, user/group/domain details, DNS and logging configuration, certificates, and the passwords and shared secrets the firewall uses to authenticate to the rest of the network. While SonicWall says it has no evidence that production firewalls or customer-hosted systems were compromised, a stolen configuration could enable threat actors, including nation-state groups or ransomware operators, to **map internal infrastructure, pivot into connected environments, or launch follow-on attacks**.

SonicWall initially stated that **fewer than 5%** of its customers were affected; an independent forensic review later established that **100% of cloud backup users** were exposed. Customers were advised to **delete their cloud backups, rotate credentials and shared secrets, and recreate backups locally**. The company has not disclosed the initial access vector, attributed the breach to a specific threat actor, or confirmed whether the data was exfiltrated, leaked, or destroyed.

The incident follows a wave of ransomware attacks against SonicWall SSL VPN appliances earlier in 2025 that was initially reported as a possible zero-day, further eroding customer confidence in the vendor's security posture.
Source: https://www.theregister.com/2025/10/09/sonicwall_breach_hits_every_cloud/
TPRM report: https://www.rankiteo.com/company/sonicwall
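The summary above says what customers were told to rotate; the following added example shows how to find that material in a backup that must now be treated as stolen. It is my code, not SonicWall's, and it does not reproduce the real MySonicWall `.exp` format, which this page does not describe: the `section.key=value` export, its key names, the sample values and the `REPORT_DATE` used for the certificate arithmetic are all constructed for illustration. The point it makes is that a configuration backup hands an attacker both the secrets needed to authenticate to the network and the addresses of the systems to authenticate to.

```python
"""Triage a firewall configuration export that must be treated as stolen.

Added example: not SonicWall's code. The `section.key=value` export format,
key names and sample values below are constructed for illustration; the real
MySonicWall .exp format is not reproduced here.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample export. Every value is a placeholder, not real data.
SAMPLE_EXPORT = """\
system.hostname=fw-hq-01
system.domain=corp.example.internal
admin.user.0.name=admin
admin.user.0.password_hash=$6$rounds=5000$saltsalt$placeholderhash
ldap.server=10.20.0.5
ldap.bind_dn=CN=svc-fw-ldap,OU=Service Accounts,DC=corp,DC=example,DC=internal
ldap.bind_password=Winter2024!
radius.server=10.20.0.7
radius.secret=radius-shared-9c2e
vpn.ipsec.tunnel.0.peer=203.0.113.10
vpn.ipsec.tunnel.0.shared_secret=branch-psk-7f3a
vpn.ipsec.tunnel.1.peer=198.51.100.22
vpn.ipsec.tunnel.1.shared_secret=partner-psk-91bb
snmp.community=public-ro
syslog.server=10.20.0.50
dns.server.0=10.20.0.2
cert.0.name=fw-hq-01.corp.example.internal
cert.0.not_after=2026-03-01T00:00:00Z
cert.0.private_key=-----BEGIN PRIVATE KEY-----MIIEv...placeholder...-----END PRIVATE KEY-----
dhcp.lease_time=86400
"""

# Date of the source article, used as "now" so the output is reproducible.
REPORT_DATE = datetime(2025, 10, 9, tzinfo=timezone.utc)

# Most specific fragment first: "password_hash" must win over "password",
# "shared_secret" over "secret". First match decides the action.
SECRET_RULES = (
    ("password_hash", "reset the account password; the hash can be cracked offline"),
    ("password",      "reset the account password"),
    ("shared_secret", "re-key the tunnel with the peer"),
    ("secret",        "rotate the shared secret on both ends"),
    ("community",     "change the SNMP community string"),
    ("private_key",   "re-issue the certificate and revoke the exposed one"),
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_export(text):
    """Return (key, value) pairs; blank, comment and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def rotation_action(key):
    """Map a key to the rotation action its value requires, or None if it holds no secret."""
    lowered = key.lower()
    for fragment, action in SECRET_RULES:
        if fragment in lowered:
            return action
    return None


def redact(value):
    """Keep just enough of a secret to identify it in a ticket."""
    return "****" if len(value) <= 4 else value[:2] + "*" * (len(value) - 4) + value[-2:]


def triage(text, now):
    """Build the rotation checklist, the disclosed-host map and certificate lifetimes."""
    rotate, hosts, certs = [], {}, []
    for key, value in parse_export(text):
        action = rotation_action(key)
        if action:
            rotate.append({"key": key, "value": redact(value), "action": action})
        # Every IP literal in the file is a pivot target the attacker now knows.
        for ip in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # digits that merely look like an address
            hosts[ip] = "rfc1918" if any(addr in net for net in RFC1918) else "external"
        if key.endswith(".not_after"):
            expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
            certs.append({"key": key, "days_left": (expiry - now).days})
    return {"rotate": rotate, "hosts": hosts, "certs": certs}


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, REPORT_DATE)
    print(f"{len(report['rotate'])} secrets to rotate:")
    for item in report["rotate"]:
        print(f"  {item['key']} = {item['value']}  ->  {item['action']}")
    print("hosts disclosed:", report["hosts"])
    print("certificates:", report["certs"])
```

Two design points carry over to a real export: the certificate with a private key in the file has to be re-issued and revoked even though it is nowhere near expiry, and a password hash counts as a credential to reset because the attacker can crack it offline at leisure.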
"id": "son2392523100925",
"linkid": "sonicwall",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including leaks of customer data"
{'affected_entities': [{'customers_affected': 'All customers using MySonicWall '
'cloud backup feature',
'industry': 'Cybersecurity',
'location': 'California, USA',
'name': 'SonicWall',
'type': 'Network Security Vendor'}],
'attack_vector': ['Cloud Storage Exploitation',
'Unauthorized Access to Backup Archives'],
'customer_advisories': ['Treat incident seriously despite no evidence of '
'compromise to production firewalls or '
'customer-hosted systems.'],
'data_breach': {'data_encryption': ['Backups were encrypted and compressed '
'(but still accessed)'],
'data_exfiltration': True,
'file_types_exposed': ['Configuration Backup Files'],
'sensitivity_of_data': 'High (includes internal '
'infrastructure details, '
'user/group/domain settings, DNS/log '
'settings)',
'type_of_data_compromised': ['Firewall Configuration Files',
'Network Settings',
'Policies',
'Certificates']},
'date_detected': '2025-09-17',
'date_publicly_disclosed': '2025-09-17',
'description': 'SonicWall confirmed that all customers using its MySonicWall '
'cloud backup feature were affected by a cybersecurity '
'incident first disclosed in mid-September 2025. Attackers '
'accessed firewall configuration backup files, which include '
'sensitive network settings, policies, and infrastructure '
'details. Initially, SonicWall stated that fewer than 5% of '
'customers were impacted, but an independent investigation '
'later confirmed that 100% of cloud backup users were '
'affected. The company has since urged customers to delete '
'cloud backups, rotate credentials, and recreate backups '
'locally. SonicWall has hardened its infrastructure and '
'implemented stronger authentication controls but has not '
'disclosed how initial access was gained.',
'impact': {'brand_reputation_impact': ['Loss of customer trust due to revised '
'impact scope (from 5% to 100%)'],
'data_compromised': ['Firewall Configuration Files',
'Network Policies',
'User/Group/Domain Settings',
'DNS and Log Settings',
'Certificates'],
'operational_impact': ['Customers advised to delete backups, '
'rotate credentials, and recreate backups '
'locally'],
'systems_affected': ['MySonicWall Cloud Backup Service']},
'initial_access_broker': {'entry_point': ['Unauthorized access to cloud '
'storage environment'],
'high_value_targets': ['Firewall configuration '
'files (for network mapping '
'and pivoting)']},
'investigation_status': 'Completed (independent investigation and external '
'forensics review concluded)',
'lessons_learned': ['Initial impact assessment was inaccurate (underestimated '
'scope from 5% to 100% of users).',
'Cloud-stored firewall configurations are high-value '
'targets for threat actors.',
'Need for stronger access controls and monitoring of '
'cloud backup environments.',
'Importance of transparent communication during incident '
'response.'],
'motivation': ['Data Exfiltration', 'Potential Follow-on Attacks'],
'post_incident_analysis': {'corrective_actions': ['Hardened infrastructure '
'with additional logging.',
'Implemented stronger '
'authentication controls.',
'Disabled the cloud backup '
'service.',
'Advised customers on '
'mitigation steps '
'(credential rotation, '
'local backups).'],
'root_causes': ['Inadequate access controls for '
'cloud backup storage.',
'Insufficient monitoring/logging '
'of cloud storage environment.',
'Initial underestimation of breach '
'scope.']},
'recommendations': ['Avoid storing sensitive configuration files in cloud '
'backups unless absolutely necessary.',
'Implement multi-factor authentication (MFA) and '
'least-privilege access for cloud services.',
'Regularly audit and rotate credentials, shared secrets, '
'and certificates.',
'Monitor for unusual access patterns in cloud storage '
'environments.',
'Prepare for follow-on attacks leveraging exfiltrated '
'configuration data.'],
'references': [{'source': 'The Register'},
{'source': 'SonicWall Official Statement (September 2023)'},
{'source': 'Arctic Wolf Threat Intelligence Analysis'}],
'response': {'communication_strategy': ['Public disclosure updates',
'Customer advisories to rotate '
'credentials and delete backups'],
'containment_measures': ['Disabled cloud backup service',
'Deleted compromised backups'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'recovery_measures': ['Customers advised to recreate backups '
'locally'],
'remediation_measures': ['Hardened infrastructure',
'Additional logging',
'Stronger authentication controls'],
'third_party_assistance': ['Independent Investigation',
'External Forensics Review']},
'stakeholder_advisories': ['Customers advised to delete cloud backups, change '
'MySonicWall credentials, rotate shared '
'secrets/passwords, and recreate backups locally.'],
'title': 'SonicWall Cloud Backup Service Data Breach',
'type': ['Data Breach', 'Unauthorized Access']}
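The recommendations in the record above call for monitoring cloud storage for unusual access patterns, and the root-cause list names insufficient monitoring of the storage environment. As an added example (not SonicWall's code; the audit-log format, principal names, tenant identifiers and thresholds are constructed assumptions for illustration), the following detector reads storage access records and raises an alert when a tenant-scoped identity reads backups belonging to more than a handful of distinct tenants within a ten-minute window, or when any identity, including the platform's own backend, reads an unusual volume of backups in that window.

```python
"""Flag cross-tenant enumeration of configuration backups in a storage audit log.

Added example, not SonicWall's code. The log format is constructed:
one record per line, `<ISO time> <action> key=value key=value ...`, and the
principals, tenants and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Identities that legitimately read backups across tenants (the platform's own
# backend). They are exempt from the fan-out rule but not from the volume rule.
PLATFORM_PRINCIPALS = {"svc-backup-api"}
WINDOW = timedelta(minutes=10)
MAX_TENANTS = 5   # distinct tenants per window tolerated for a non-platform identity
MAX_READS = 50    # backup reads per window tolerated for any identity

# Constructed sample log (not real data). Records are assumed to be in time order.
SAMPLE_LOG = """\
2025-09-15T02:00:01Z GetObject principal=svc-backup-api tenant=t-001 object=backups/t-001/fw-hq.exp status=200
2025-09-15T02:00:05Z GetObject principal=svc-backup-api tenant=t-002 object=backups/t-002/fw-hq.exp status=200
2025-09-15T02:03:40Z GetObject principal=user:alice@t-001 tenant=t-001 object=backups/t-001/fw-hq.exp status=200
2025-09-15T02:05:12Z PutObject principal=svc-backup-api tenant=t-003 object=backups/t-003/fw-hq.exp status=200
2025-09-15T02:13:10Z GetObject principal=api-key-7f3 tenant=t-001 object=backups/t-001/fw-hq.exp status=200
2025-09-15T02:13:11Z GetObject principal=api-key-7f3 tenant=t-002 object=backups/t-002/fw-hq.exp status=200
2025-09-15T02:13:11Z GetObject principal=api-key-7f3 tenant=t-003 object=backups/t-003/fw-hq.exp status=200
2025-09-15T02:13:12Z GetObject principal=api-key-7f3 tenant=t-004 object=backups/t-004/fw-hq.exp status=200
2025-09-15T02:13:12Z GetObject principal=api-key-7f3 tenant=t-005 object=backups/t-005/fw-hq.exp status=200
2025-09-15T02:13:13Z GetObject principal=api-key-7f3 tenant=t-006 object=backups/t-006/fw-hq.exp status=200
2025-09-15T02:13:14Z GetObject principal=api-key-7f3 tenant=t-007 object=backups/t-007/fw-hq.exp status=403
2025-09-15T02:40:00Z GetObject principal=user:alice@t-001 tenant=t-001 object=backups/t-001/fw-br.exp status=200
"""


def parse_line(line):
    """Turn one audit record into a dict with parsed timestamp and action."""
    ts, action, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["action"] = action
    return rec


def detect(log_text):
    """Return one alert per (principal, rule), raised the first time the rule trips.

    Denied reads (status 403) count as well: an identity probing other tenants'
    backups is the behaviour of interest whether or not the store let it through.
    """
    windows = defaultdict(deque)  # principal -> deque of (timestamp, tenant)
    alerts, fired = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "GetObject":  # writes are not exfiltration
            continue
        principal, ts = rec["principal"], rec["ts"]
        window = windows[principal]
        window.append((ts, rec.get("tenant", "?")))
        while window and ts - window[0][0] > WINDOW:  # slide the window forward
            window.popleft()
        tenants = {tenant for _, tenant in window}
        if (principal not in PLATFORM_PRINCIPALS and len(tenants) > MAX_TENANTS
                and (principal, "cross_tenant_fanout") not in fired):
            fired.add((principal, "cross_tenant_fanout"))
            alerts.append({"rule": "cross_tenant_fanout", "principal": principal,
                           "distinct_tenants": len(tenants), "at": ts.isoformat()})
        if len(window) > MAX_READS and (principal, "bulk_read") not in fired:
            fired.add((principal, "bulk_read"))
            alerts.append({"rule": "bulk_read", "principal": principal,
                           "reads": len(window), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this fires once, for `api-key-7f3` when its sixth distinct tenant is read at 02:13:13, while the platform backend touching two tenants and a user reading her own tenant's files stay silent. The thresholds are deliberately low for the sample; in a real deployment they would be set from a baseline of the backend's normal read rate, and a platform identity exceeding that baseline is exactly the signal a compromised backend or stolen service credential would produce.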