Data Leak · Incident ×2

SonicWall cloud backup theft and Marquis downstream intrusion

Updated 03.06.2026 17:02
Case score 61 · Members 3 · Latest activity 03.06.2026 17:02
No public exploit known
First seen 18.09.2025 17:12 · Last seen 29.01.2026 19:57

Overview

**SonicWall**'s **MySonicWall** cloud backup service was breached, exposing firewall configuration backup files that contained encrypted credentials and configuration data. SonicWall said the access was limited to a specific cloud environment and API call, and later said a state-sponsored threat actor was behind the theft. The stolen files created follow-on risk because they could help attackers understand and target customer firewalls. Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and was tied to configuration data taken from the cloud-backup breach. SonicWall completed its investigation with Mandiant and told customers to reset credentials and review backups, while Marquis said its notifications covered 74 U.S. banks and credit unions and more than 400,000 people.

Signals

9 derived
Impact signals
Affected over 400,000 customers at 74 banks and credit unions
Downtime operations at 74 banks across the United States were disrupted
Affected dozens of U.S. banks and credit unions
Affected 74 U.S. banks
Affected all customers who used SonicWall's cloud backup service
Affected fewer than 5% of SonicWall firewall install base
Exploitation
Exploit No public exploit known
Affected impact
Affected 74 U.S. banks
CVEs/products
CVE
Victims/regions
Victim region United States
Status
Incident status Disclosed
Threat context
Ransomware Tooling
Affected surface
Affected organizations 74
Data exposure
Leak status Partially Leaked

Malware context

3 families · 3 tools
Tools
SonicWall · Huntress EDR agents · Huntress portal

Member happenings

3 related
Data Leak SonicWall MySonicWall cloud backup breach exposing firewall backup files
Updated 29.01.2026 19:57 Lead Contribution 55
Exploit No Known Public Exploit · Data Type Authentication Tokens · Data Type Corporate Secrets · Data Status Partially Leaked

**SonicWall** said a **state-sponsored threat actor** stole **firewall configuration backup files** from its **MySonicWall cloud backup service** in a **September** security breach. The exposed **.EXP** backups contained **AES-256-encrypted credentials** and configuration data, and SonicWall said the incident was isolated to an **API call** in a specific cloud environment. The company completed its investigation with **Mandiant**, notified impacted customers and partners, and said the breach was **unrelated to Akira ransomware** and did **not impact SonicWall products or firmware**.

Incident Marquis Software Solutions hit by ransomware attack
Updated 29.01.2026 19:57 Scoring Support Contribution 4
Extortion Ransomware Encryption · Incident Disclosed

**Marquis Software Solutions** disclosed that its **August 14, 2025** ransomware attack exposed personal data tied to **74 U.S. banks and credit unions** and affected **over 400,000 customers**. The company says attackers breached its network through a **SonicWall firewall** and stole files containing information received from business customers. Marquis says there is **no evidence of misuse or publication** of the data at this time. The incident centers on the breach of a financial software provider and the downstream impact on its banking and credit union customers.

Incident SonicWall hit by network compromise
Updated 18.09.2025 17:12 Scoring Support Contribution 2
Extortion None · Incident Disclosed

**SonicWall** said a **state-sponsored threat actor** was behind the **September** compromise of its **MySonicWall cloud backup service**, where firewall configuration backup files were stolen. SonicWall said the activity was **isolated to an API call** against a specific cloud environment, and that the stolen files contained **encrypted credentials and configuration data** that could help attackers launch targeted attacks against related firewalls. The company said the incident was **not linked to Akira ransomware**, did **not impact SonicWall products or firmware**, and Mandiant completed the investigation.