SonicWall hit by network compromise

Incident
H score 41
4 unique sources, 5 articles

Summary

SonicWall said a state-sponsored threat actor was behind the September compromise of its MySonicWall cloud backup service, where firewall configuration backup files were stolen. SonicWall said the activity was isolated to an API call against a specific cloud environment, and that the stolen files contained encrypted credentials and configuration data that could help attackers launch targeted attacks against related firewalls. The company said the incident was not linked to Akira ransomware and did not impact SonicWall products or firmware, and that Mandiant completed the investigation.

Related Happenings

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Medusa ransomware post-compromise deployment

Malware Activity
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...

Akira group rapid double-extortion ransomware activity

Malware Activity
First: 02.04.2026 16:00 Last: 02.04.2026 16:00 Sources 1

About this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...

Marquis data breach exposing 672,075 people's personal and financial information

Data Leak
First: 18.03.2026 17:32 Last: 18.03.2026 17:32 Sources 1

About this happening: Marquis disclosed a **data breach** that exposed personal and financial records tied to **672,075 people**, increasing the risk of identity theft and account fraud. The stolen inf...

US District Court for the Eastern District of Texas complaint filed seeking damages against SonicWall on vendor-liability exposure over a cyber breach

Regulatory/Legal Action
First: 27.02.2026 00:02 Last: 27.02.2026 00:02 Sources 1

About this happening: Marquis filed a **federal complaint** in **US District Court for the Eastern District of Texas** against **SonicWall**, seeking **damages** over a **data breach** it says the vend...

Timeline

  1. 06.11.2025 11:51 1 article · 6mo ago

    SonicWall attributes cloud backup theft to state-sponsored threat actor

    Attribution Update

    SonicWall said a state-sponsored threat actor used an API call to access cloud backup files from a specific cloud environment tied to its MySonicWall cloud backup service, and that Mandiant completed its investigation into the September compromise.

  2. 09.10.2025 17:13 2 articles · 7mo ago

    SonicWall says all cloud backup customers were affected

    Victim Impact Update

    SonicWall said an unauthorized party accessed firewall configuration backup files stored in MySonicWall accounts for all customers who used SonicWall's cloud backup service. The company completed its investigation with Mandiant and said the exposed .EXP files contain AES-256-encrypted credentials and configuration data that could make firewall exploitation significantly easier.

  3. 18.09.2025 17:12 3 articles · 8mo ago

    SonicWall discloses cloud backup breach affecting MySonicWall accounts

    Initial Disclosure

    SonicWall said it recently detected suspicious activity targeting the cloud backup service for firewalls and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. The company said the files contained encrypted credentials and other information that could help attackers exploit related firewalls, urged customers to reset credentials and review cloud backups, and recommended containment steps such as limiting WAN access, disabling HTTP/HTTPS/SSH management, turning off SSL VPN and IPSec VPN access, resetting passwords and TOTPs saved on the firewall, and reviewing logs and recent configuration changes. SonicWall said it was not aware of any files being leaked online, said the event was not a ransomware attack on its network, and described the access as a series of brute-force attacks.
