Was Check Point hacked? Security firm calls ransom demands old news


Hackers claim they’ve obtained a “sensitive dataset” from the Tel Aviv-based cybersecurity company Check Point Software. They want over $400,000 for what the firm calls an “old, known, and very pinpointed event.”

A threat actor using the moniker CoreInjection is selling the allegedly stolen data for five bitcoins, or around $410,000. The price is “firm and non-negotiable,” and the hacker has a proven track record of credible leaks.

According to the post on the illicit marketplace, the Check Point dataset contains proprietary information, including internal network maps and architecture diagrams, user credentials (hashed and plaintext passwords), employee contact information (phone numbers, emails), sensitive project documentation, and proprietary software source code and binaries.

The hackers’ claims were first reported on LinkedIn by Alon Gal, co-founder and CTO at Hudson Rock, another Israeli cybersecurity firm.

“With high certainty, Check Point Software has been hacked. A threat actor appears to have gained access to an administrator account with serious privileges, but I don’t have full confirmation yet,” Gal’s post reads.

The hackers provided some convincing screenshots from what appears to be an admin account inside Check Point’s Infinity Portal. Gal recognized some API keys, some with the “Admin” role, the ability to edit accounts and reset two-factor authentication, internal app access, and sensitive client data.

“The leaked emails and phone numbers match real Check Point employees,” Gal said.

Check Point says it is an old event

Check Point responded to Gal personally. He shared the response on a separate LinkedIn Post.

“This is an old, known and very pinpointed event which involved only a few organizations and a portal that does not include customers’ systems, production or security architecture. This was handled months ago, and didn’t include the description detailed on the dark forum message,” the response reads.

“These organizations were updated and handled at that time, and this is not more than the regular recycling of old information. We believe that at no point was there a security risk to Check Point, its customers or employees.”

However, the response did not completely convince Gal, and he followed up with several other questions to Check Point. These include seeking clarification on the timeline, scope, and nature of the breach.

“The screenshot shared by CoreInjection shows what looks like an admin dashboard with data on 121,120 accounts, including 18,864 paying customers, their service usage (like Endpoint, Playblocks), and contract details with dates stretching into 2031. Does this data match what was accessed in the ‘old event’ you mentioned, or does this suggest a different or more recent breach?” Gal asked.

Three organizations affected

Check Point later released an update explaining that the incident “included three organizations' tenants in a portal that does not include customers' systems, production or security architecture.”

“The event did not include the description detailed in the post,” Check Point assures.

“The event was addressed immediately and thoroughly investigated. These organizations were updated and handled at the time, and this post is recycling this old, irrelevant information.”

The company clarifies that the hackers’ post relates to an incident from December 2024, which “stems from compromised credentials of a portal account with limited access.”

The breach exposed account names, product names, three customer accounts with contact names, and some employee emails, but did not affect customer systems, production, or security architecture.

Check Point states the incident was investigated, contained, and poses no risk to customers or security.

“The content of the post falsely implies exaggerated claims which never happened. The portal has different internal mitigations.”

The statement doesn’t explain the intrusion method or how the hackers may have compromised the credentials.

Gal believes that the explanation is insufficient and worries that the hacker's uploaded screenshots don't align with their ‘limited access’ claim.

“Plus, there's no mention of a public report or SEC filing from December 2024, raising transparency concerns for a listed company,” Gal said.

Updated on March 31st [02:00 p.m. GMT] with a statement from Check Point.