Data Leak
Incident ×2
SonicWall cloud backup theft and Marquis downstream intrusion
Updated 03.06.2026 17:02
Case score 61
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 61
- Main story score
- 55
- Related evidence lift
- +6 / 20
- Contributing updates
- 2
- Context updates
- 0
Top contributors
- Data Leak Primary breach of MySonicWall cloud backup storage with exposed firewall configuration files. main
- Incident Downstream ransomware attack and banking-sector fallout tied to the stolen SonicWall configuration data. contributes
- Incident Earlier disclosure of the same cloud-backup theft and the API-based access path. contributes
Case score 61
Members 3
Latest activity 03.06.2026 17:02
No public exploit known
Members 3
First seen 18.09.2025 17:12
Last seen 29.01.2026 19:57
Updated 03.06.2026 17:02
Overview
**SonicWall**'s **MySonicWall** cloud backup service was breached, exposing firewall configuration backup files that contained encrypted credentials and configuration data. SonicWall said the access was limited to a specific cloud environment and API call, and later said a state-sponsored threat actor was behind the theft. The stolen files created follow-on risk because they could help attackers understand and target customer firewalls.
Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and was tied to configuration data taken from the cloud-backup breach. SonicWall completed its investigation with Mandiant and told customers to reset credentials and review backups, while Marquis said its notifications covered 74 U.S. banks and credit unions and more than 400,000 people.
Attackers accessed **SonicWall**'s **MySonicWall** cloud backup service and stole firewall configuration backup files from customer accounts.
SonicWall said the unauthorized access was limited to a specific cloud environment and an API call, and it later attributed the activity to a state-sponsored threat actor.
The exposed **.EXP** backups contained AES-256-encrypted credentials and configuration data tied to customer firewalls.
SonicWall said the material could help attackers plan targeted attacks against impacted firewalls, but it said the breach did not affect SonicWall products or firmware.
Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and that a third-party investigation tied the intrusion to configuration data extracted from SonicWall's cloud backup breach.
Marquis said the stolen files contained personal data for customers of its banking and credit union clients, including names, addresses, phone numbers, Social Security numbers, taxpayer identification numbers, financial account information, and dates of birth.
Its notifications say more than 400,000 people were affected across Maine, Iowa, and Texas, and the incident touched 74 U.S. banks and credit unions, and Marquis said there is no evidence the data has been misused or published.
SonicWall said the cloud-backup incident was unrelated to Akira ransomware, completed its investigation with Mandiant, and told customers to reset credentials and review backups while further hardening continues.
Signals
8 derivedImpact signals
Exploitation
Exploit
No public exploit known
Affected impact
Affected
74 U.S. banks
CVEs/products
CVE
Victims/regions
Victim region
United States
Status
Incident status
Disclosed
Threat context
Ransomware
Tooling
Data exposure
Leak status
Partially Leaked
Malware context
3 families · 3 toolsTools
SonicWall
Huntress EDR agents
Huntress portal
Member happenings
3 related
Data Leak
SonicWall MySonicWall cloud backup breach exposing firewall backup files
Exploit
No Known Public Exploit
Data Type
Authentication Tokens
Data Type
Corporate Secrets
Data Status
Partially Leaked
Data Leak
SonicWall MySonicWall cloud backup breach exposing firewall backup files
Exploit
No Known Public Exploit
Data Type
Authentication Tokens
Data Type
Corporate Secrets
Data Status
Partially Leaked
Incident
Marquis Software Solutions hit by ransomware attack
Extortion
Ransomware Encryption
Incident
Disclosed
Incident
Marquis Software Solutions hit by ransomware attack
Extortion
Ransomware Encryption
Incident
Disclosed
Incident
SonicWall hit by network compromise
Extortion
None
Incident
Disclosed
Incident
SonicWall hit by network compromise
Extortion
None
Incident
Disclosed