Data Leak
Incident ×2
SonicWall cloud backup theft and Marquis downstream intrusion
Updated 18.03.2026 17:32
Case score 61
Score breakdown
- Total
- 61
- Lead score
- 55
- Support bonus
- +6 / 20
- Scoring support
- 2
- Context members
- 0
Top contributors
- Data Leak Primary breach of MySonicWall cloud backup storage with exposed firewall configuration files. base
- Incident Downstream ransomware attack and banking-sector fallout tied to the stolen SonicWall configuration data. support
- Incident Earlier disclosure of the same cloud-backup theft and the API-based access path. support
Members 3
Latest activity 18.03.2026 17:32
No public exploit known
First seen 18.09.2025 17:12
Last seen 29.01.2026 19:57
Overview
**SonicWall**'s **MySonicWall** cloud backup service was breached, exposing firewall configuration backup files that contained encrypted credentials and configuration data. SonicWall said the access was limited to a specific cloud environment and API call, and later said a state-sponsored threat actor was behind the theft. The stolen files created follow-on risk because they could help attackers understand and target customer firewalls.
Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and was tied to configuration data taken from the cloud-backup breach. SonicWall completed its investigation with Mandiant and told customers to reset credentials and review backups, while Marquis said its notifications covered 74 U.S. banks and credit unions and more than 400,000 people.
Attackers accessed **SonicWall**'s **MySonicWall** cloud backup service and stole firewall configuration backup files from customer accounts.
SonicWall said the unauthorized access was limited to a specific cloud environment and an API call, and it later attributed the activity to a state-sponsored threat actor.
The exposed **.EXP** backups contained AES-256-encrypted credentials alongside the rest of each customer firewall's configuration.
SonicWall said the material could help attackers plan targeted attacks against impacted firewalls: the credentials were encrypted, but the surrounding configuration (interfaces, VPN peers, directory integration, users, policies) is useful reconnaissance on its own, and any credential in the file must be treated as exposed until rotated. SonicWall also said the breach did not affect SonicWall products or firmware.
Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and that a third-party investigation tied the intrusion to configuration data extracted from SonicWall's cloud backup breach.
Marquis said the stolen files contained personal data for customers of its banking and credit union clients, including names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, financial account information, and dates of birth.
Its notifications say more than 400,000 people were affected, with filings in Maine, Iowa, and Texas, and that the incident touched 74 U.S. banks and credit unions. Marquis said there is no evidence the data has been misused or published.
SonicWall said the cloud-backup incident was unrelated to Akira ransomware, completed its investigation with Mandiant, and told customers to reset credentials and review backups while further hardening continues.
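The reset-credentials guidance above only works if a customer can enumerate every secret a stolen backup carried, including ones that are also known to a peer (a RADIUS server, a VPN gateway, an LDAP bind account) and therefore must be rotated on both sides. The script below is an added example written for this page, not SonicWall's tooling and not SonicWall's real .EXP format: it assumes a constructed, generic key=value preference export in which values prefixed `enc:` stand in for the encrypted fields the advisory describes, and it produces a rotation plan plus the plaintext reconnaissance that remains readable even with the credentials encrypted.

```python
import re
from dataclasses import dataclass

# Constructed sample export in a generic key=value form. This is an assumption
# for the example and is NOT SonicWall's .EXP layout. Values prefixed "enc:"
# stand in for AES-256-encrypted fields; everything else is plaintext.
SAMPLE_EXPORT = """\
hostname=branch-fw-01
wan_ip=203.0.113.10
admin_user=admin
admin_password=enc:3f9a21
ldap_server=ldap.corp.example
ldap_bind_dn=CN=fwbind,OU=svc,DC=corp,DC=example
ldap_bind_password=enc:9c1d77
vpn_peer_1_gateway=198.51.100.7
vpn_peer_1_psk=enc:77ab10
snmp_community=public
radius_shared_secret=hunter2
l2tp_user_jdoe=enc:aa00ff
"""

# Key patterns for credential-bearing settings (hypothetical names chosen for
# the sample). The category string says where the secret must also be rotated:
# a local password is reset on the firewall only, a shared secret or PSK must
# be changed on the peer that trusts it as well.
SECRET_PATTERNS = [
    (re.compile(r"(^|_)(password|passwd|pwd)$"), "local account password"),
    (re.compile(r"_psk$|preshared"), "VPN pre-shared key (rotate on peer too)"),
    (re.compile(r"shared_secret$"), "RADIUS/TACACS shared secret (rotate on server too)"),
    (re.compile(r"snmp_community"), "SNMP community string (update pollers too)"),
    (re.compile(r"^l2tp_user_"), "L2TP user credential"),
]


@dataclass(frozen=True)
class Finding:
    key: str
    category: str
    encrypted: bool  # False means the value sat in the backup in the clear


def parse_export(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    config: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def classify_secrets(config: dict[str, str]) -> list[Finding]:
    """Return every credential-bearing key, first matching pattern wins."""
    findings = []
    for key, value in config.items():
        for pattern, category in SECRET_PATTERNS:
            if pattern.search(key):
                findings.append(Finding(key, category, value.startswith("enc:")))
                break
    return findings


def recon_surface(config: dict[str, str]) -> dict[str, str]:
    """Plaintext settings an attacker can read without touching any cipher:
    hostnames, addresses, peers and account names that describe the target."""
    secret_keys = {f.key for f in classify_secrets(config)}
    return {k: v for k, v in config.items() if k not in secret_keys}


def rotation_plan(config: dict[str, str]) -> dict[str, list[str]]:
    """Group keys to rotate by category, so each owning team gets its list."""
    plan: dict[str, list[str]] = {}
    for f in classify_secrets(config):
        plan.setdefault(f.category, []).append(f.key)
    return plan


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for category, keys in rotation_plan(cfg).items():
        print(f"{category}: {', '.join(keys)}")
    leaked_clear = [f.key for f in classify_secrets(cfg) if not f.encrypted]
    print("stored in the clear:", leaked_clear)
    print("readable topology:", recon_surface(cfg))
```

Two design points: a secret is listed for rotation whether or not its value was encrypted, because the defender cannot assume the attacker lacks the decryption path, and plaintext secrets are called out separately because they are the ones an attacker can use immediately. The `recon_surface` output is the part customers tend to underweight: even a backup whose every credential is strongly encrypted still tells an attacker the public address, the directory server, the VPN peers and the admin account name of the firewall it came from.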