Stolen passwords and no MFA led to 50 major recent breaches

In each of roughly 50 recent breaches at major global companies, the entry point was a single employee password captured by an infostealer infection. One threat actor has built a reputation for breaking into corporate cloud storage platforms that lack multi-factor authentication (MFA), exploiting passwords that are in some cases years old.
- Threat actor breached 50 global companies by exploiting stolen credentials for cloud storage platforms lacking MFA.
- Major victims like Iberia Airlines and Intecro Robotics lost sensitive blueprints, medical records, and corporate secrets.
- Hackers mine old infostealer logs for passwords to access corporate file-sharing portals without two-factor authentication.
- Research links the attacker to an Iranian national affiliated with the Funksec ransomware cartel, which uses generative AI to write code.
Hudson Rock threat researchers warn of a “global epidemic of cloud exposure.” Hackers are actively mining infostealer logs for passwords and using them to siphon data from platforms like ShareFile, OwnCloud, or Nextcloud.
Corporate file-sharing platforms of this kind play a role similar to Dropbox, but firms often store large volumes of sensitive data on them without enforcing MFA, so a valid username and password is all that stands between an attacker and the data.
“A high-profile threat actor, operating under the moniker ‘Zestix,’ has been identified auctioning data exfiltrated from the corporate file-sharing portals of approximately 50 major global enterprises,” Hudson Rock warns in a report on the credential-driven cloud breaches, published on infostealers.com.
Identified victims, whose data was recently auctioned on illicit forums, include Pickett, Intecro Robotics, Iberia Airlines, Sekisui House, IFLUSAC, K3G Solutions, CRRC MA, GreenBills, CiberC, and many other companies.
The Zestix handle (also operating as “Sentap”) only emerged around late 2024 and has since earned a reputation for reliability on Russian-language closed forums. The actor is financially motivated and sells the extracted data for bitcoin, acting as an initial access broker.
The threat actor’s attack method is surprisingly simple. It sifts through old infostealer logs for cloud platform passwords and tests each one like a scratch-off ticket. Most fail, but occasionally Zestix hits the jackpot, granting access to a treasure trove of corporate data.
“The tragedy of the Zestix portfolio is not the sophistication of the attack, but its banality. These companies were not hacked by a quantum computer cracking encryption – they were hacked because an employee infected their device with an Infostealer, and the organization failed to turn on Two-Factor Authentication,” the Hudson Rock researchers said.
In the breaches listed in the report, the attacker typically obtained tens or hundreds of gigabytes of valuable data per company, and in one case more than two terabytes. The breached cloud storage instances belong to companies in critical sectors, including aviation, robotics, housing, and government infrastructure.
The researchers warn that the infostealer ecosystem is replacing brute-force attacks as a primary engine of cybercrime.
Infostealer malware families such as RedLine, Lumma, and Vidar are widespread, and a single infection can be all it takes to capture an employee's saved password for a corporate file-sharing portal.
“While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them,” the report reads.
“Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”
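The attack described above is, from the defender's side, a triage problem: which credentials in leaked stealer logs point at your own file-sharing portals, and how long have they been sitting there? The following is an added example (not code from Hudson Rock, the report, or the article) that parses stealer-log password dumps in the common `URL:/Username:/Password:/Application:` block layout, keeps only entries for hosts that belong to the organisation and look like file-sharing portals, and ranks exposures oldest first, since stale credentials are exactly what the report says Zestix mines. The log records, the `PORTAL_MARKERS` list, the `ORG_DOMAINS` set and the reference date are all constructed assumptions for illustration.

```python
"""Triage infostealer log dumps for exposed corporate file-sharing credentials.

Added example, not from the report or the article. The block layout parsed here
(URL:/Username:/Password:/Application: separated by a line of '=') is the common
stealer 'Passwords.txt' format; all sample records below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Hostname fragments that typically identify self-hosted file-sharing portals.
# Assumption for this example; a real deployment would use the org's asset inventory.
PORTAL_MARKERS = ("sharefile", "owncloud", "nextcloud", "files.", "cloud.")

# Domains the organisation is responsible for (assumed, .test TLD is reserved).
ORG_DOMAINS = {"example-airline.test", "example-robotics.test"}

STALE_AFTER_DAYS = 365  # credentials older than this are treated as long-exposed


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str
    harvested: date  # date the stealer log was produced


def parse_stealer_log(text: str, harvested: date) -> list[Credential]:
    """Parse 'URL:/Username:/Password:' blocks; skip blocks missing any field."""
    creds: list[Credential] = []
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^(URL|Username|Password):\s*(.*?)\s*$", block, flags=re.M))
        if {"URL", "Username", "Password"} <= fields.keys() and fields["Password"]:
            creds.append(Credential(fields["URL"], fields["Username"], fields["Password"], harvested))
    return creds


def is_file_sharing_portal(url: str) -> bool:
    """True only for hosts under an org domain that look like a file-sharing portal.
    The org-domain check keeps lookalike phishing hosts out of the result."""
    host = (urlparse(url).hostname or "").lower()
    in_org = any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)
    return in_org and any(m in host for m in PORTAL_MARKERS)


def triage(creds: list[Credential], today: date) -> list[dict]:
    """Group portal credentials by (host, username), oldest exposure first."""
    exposures: dict[tuple[str, str], dict] = {}
    for c in creds:
        if not is_file_sharing_portal(c.url):
            continue
        host = urlparse(c.url).hostname.lower()
        key = (host, c.username.lower())
        e = exposures.setdefault(key, {"host": host, "username": c.username.lower(),
                                       "passwords": set(), "first_seen": c.harvested})
        e["passwords"].add(c.password)
        e["first_seen"] = min(e["first_seen"], c.harvested)
    out = []
    for e in exposures.values():
        age = (today - e["first_seen"]).days
        out.append({"host": e["host"], "username": e["username"],
                    "distinct_passwords": len(e["passwords"]),
                    "first_seen": e["first_seen"].isoformat(),
                    "age_days": age, "stale": age > STALE_AFTER_DAYS})
    return sorted(out, key=lambda e: -e["age_days"])


# Constructed sample logs: (log date, contents). Two real-looking org portals,
# one unrelated site, and one lookalike host that must be ignored.
SAMPLE_LOGS = [
    (date(2021, 3, 14), """URL: https://cloud.example-airline.test/index.php/login
Username: j.doe@example-airline.test
Password: Summer2021!
Application: Google_[Chrome]_Default
===============
URL: https://www.social.example/login
Username: jdoe
Password: hunter2
Application: Google_[Chrome]_Default
===============
"""),
    (date(2025, 11, 2), """URL: https://files.example-robotics.test/ShareFile
Username: eng.lead@example-robotics.test
Password: Robots#1
Application: Mozilla_[Firefox]_default-release
===============
URL: https://cloud.example-airline.test/index.php/login
Username: J.Doe@example-airline.test
Password: Summer2021!
Application: Microsoft_[Edge]_Default
===============
URL: https://cloud.attacker-lookalike.test/login
Username: j.doe@example-airline.test
Password: x
Application: Google_[Chrome]_Default
===============
"""),
]


def run(today: date = date(2026, 1, 15)) -> list[dict]:
    creds = [c for d, text in SAMPLE_LOGS for c in parse_stealer_log(text, d)]
    return triage(creds, today)


if __name__ == "__main__":
    for e in run():
        print(f"{e['host']:35} {e['username']:35} first_seen={e['first_seen']} "
              f"age={e['age_days']}d stale={e['stale']}")
```

The oldest entry in the output is the one to act on first: the same airline password appears in a 2021 log and again in a 2025 log, which is the "sitting in logs for years" case from the report. The fix for each hit is a forced reset plus MFA enforcement on the portal itself, not just a user notice; on Nextcloud, for instance, administrators can require two-factor authentication for all accounts with `occ twofactorauth:enforce --on`.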
What companies had their data allegedly stolen?
Hudson Rock researchers identified and listed data offered for sale on illicit forums, allegedly stolen by Zestix (Sentap), as follows:
- Pickett & Associates (engineering firm): 139.1GB of LiDAR files, operational blueprints, and high-resolution orthophotos.
- Intecro Robotics (aerospace and defense robotics manufacturer in Turkey): 11.5GB of military intellectual property, including UAV and fighter jet blueprints, models, and CNC programs.
- Maida Health (military healthcare provider in Brazil): 2.3TB of medical records and sensitive personally identifiable information.
- Burris & Macomber (Mercedes-Benz legal counsel): 18.3GB of litigation strategies, customer data, and corporate secrets.
- Iberia Airlines (Spanish airline): 77GB of aircraft maintenance programs, confidential fleet data.
- CRRC MA (mass transit manufacturer): complete engineering servers, containing signaling, SCADA, and train design schematics.
- K3G Solutions (Brazilian ISP): 192GB of fiber network configurations, including backups, internal handbooks, and tower data.
- IFLUSAC (mechanical/fire protection contractor in Peru): 22GB of projects with major clients, including engineering and business data.
- GreenBills (healthcare service provider): 39.5GB of patient medical reports with sensitive PII.
- CiberC (tech integrator in Colombia): 103GB of project tracking reports, maps, and infrastructure videos.
- Sekisui House (real estate developer in Japan): access listing marked as sold.
- Hydratec (fire protection company): 81GB of CAD designs and training videos.
- Total ETO (engineering firm in Canada): 28.95GB of ERP source code and customer database backups.
- Degewo AG (housing company in Germany): 5.5GB of architectural plans for Berlin state housing.
- ThermoEx (engineering company in Malaysia): 170GB of heat exchanger designs and financial purchase orders from Thailand.
- Voltras (travel aggregator in Indonesia): complete internal financial archive.
- Aion Law Partners (Canadian law firm): 38GB of legal, financial, immigration, and corporate documents, including sensitive client data.
- NMCV Business (US healthcare platform): 47GB of patient medical and financial data, including protected health information.
- PT Pasifik Satelit Nusantara (Indonesian satellite operator): 92GB of satellite project technical documents, ground system data, and other aerospace secrets.
- VYTL-SFT (Verahealth, US healthcare software platform): 3.65GB of patient PHI and clinical records.
- Others: Navee Teknoloji; La Esperanza Fuel; Esenboğa Airport; Injaro Investments; Industrial CMMS; UrbanX.io; Bradley R Tyer; Lex Logos Romania; Australian NBN; Hutchinson Builders; imss-consultores; GTD System; Clevertech S.p.A.; New Glasgow / Canuck; PetroAndina S.R.L.; Kimia Farma; Telecall Brazil; GreenHills Ventures; Pan-Pacific Mechanical; Cloisall / WSP; Schrödinger GmbH; The Providence Group; THESAVVYACCOUNTANT; Albany Physical Therapy; EXPRO-YPF; Treasure Coast Cardiology; Lebanese ISP; Bluefire / Old American; Saudi Arabia Customs; Erga Group.
What do we know about the threat actor?
Research by DarkSignal linked the persona of Sentap to an Iranian national. Further analysis links this persona to a recently active handle, Zestix. The threat actor exploits stolen credentials and weakly secured services, targeting file-sharing platforms to exfiltrate large volumes of sensitive business information.
Hudson Rock researchers estimate that the threat actor has been active since at least 2021. The threat actor has demonstrated clear affiliations with another cybercrime cartel, Funksec, a newly emerged ransomware gang that utilizes generative AI to create code.