Dozens of global organizations have had highly sensitive corporate and customer information stolen and put up for sale by a threat actor because they didn’t secure cloud systems with multi-factor authentication (MFA), a new report has revealed.
The actor, known as “Zestix” (aka “Sentap”), scoured the dark web for infostealer logs containing credentials for the popular cloud file-sharing services ShareFile, Nextcloud and OwnCloud, according to Hudson Rock.
He was subsequently able to access, exfiltrate and auction the data stored in these accounts, due to a lack of MFA, the cybersecurity vendor said.
“A critical finding in this investigation is the latency of the threat. While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them,” Hudson Rock explained.
“This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”
The credentials were originally obtained via a number of infostealer variants, including RedLine, Lumma and Vidar.
“Because the organizations […] did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password,” noted Hudson Rock.
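The failure modes Hudson Rock describes (passwords never rotated, sessions never invalidated, no MFA) can be expressed as a triage check that a defender runs when an exposed credential list is matched against the organisation's own account inventory. The following is an added example, not code from the report or from Hudson Rock; the record formats, usernames and dates are constructed, and a real stealer log or IdP export would need its own parser in front of it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
@dataclass
class LeakedCredential:          # one row of a stealer log (constructed format)
    username: str
    harvested: datetime          # when the infostealer captured the password

@dataclass
class Account:                   # one row of the organisation's own IdP export
    username: str
    mfa_enabled: bool
    password_last_changed: datetime
    oldest_valid_session: Optional[datetime]   # None = no live sessions

def classify(leak: LeakedCredential, acct: Account) -> Optional[str]:
    """Severity if the leaked record still grants access today, else None."""
    password_live = acct.password_last_changed <= leak.harvested
    session_live = (acct.oldest_valid_session is not None
                    and acct.oldest_valid_session <= leak.harvested)
    if password_live and not acct.mfa_enabled:
        return "critical: leaked password still valid, no MFA"
    if password_live:
        return "high: leaked password still valid, MFA is the only barrier"
    if session_live:
        return "high: session predating the infection never invalidated"
    return None   # rotated after harvest and pre-harvest sessions revoked

def triage(leaks, accounts):
    """Map each exposed username to its finding; already-safe accounts are omitted."""
    inventory = {a.username: a for a in accounts}
    findings = {}
    for leak in leaks:
        acct = inventory.get(leak.username)
        if acct is not None:
            label = classify(leak, acct)
            if label:
                findings[leak.username] = label
    return findings

LEAKS = [  # constructed sample data: a three-year-old log entry beside two recent ones
    LeakedCredential("ops@example.test", datetime(2022, 3, 1)),
    LeakedCredential("legal@example.test", datetime(2025, 1, 15)),
    LeakedCredential("hr@example.test", datetime(2024, 6, 1)),
]
ACCOUNTS = [  # constructed: what the IdP reports for the same three users
    Account("ops@example.test", False, datetime(2021, 9, 1), datetime(2022, 2, 20)),
    Account("legal@example.test", True, datetime(2025, 2, 1), datetime(2024, 12, 1)),
    Account("hr@example.test", True, datetime(2024, 9, 1), None),
]
```

The "ops" record reproduces the report's years-old scenario: a password set before the 2022 infection and never changed, with no MFA, is still a working login in 2025.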
The financially motivated threat actor appears comfortable interacting on closed Russian cybercrime forums, where he presents as an initial access broker (IAB). However, the Sentap persona has also been linked to an Iranian national and is affiliated with the Funksec cybercrime group, the report claimed.
A Roll Call of Victims
Among the organizations caught out by Zestix and named in the report are:
- Iberia Airlines, which had 77GB of technical safety and fleet data stolen
- Burris & Macomber, a law firm acting as counsel for Mercedes-Benz USA, which spilled over 18GB of customer data, corporate secrets and info on litigation strategy
- Maida Health, a Brazilian firm which had over 2TB of health records relating to the Brazilian Military Police stolen
- Intecro Robotics, a Turkish defense manufacturer, which had over 11GB of military IP stolen
“The rise of the Zestix threat actor paints a grim picture for 2026: major enterprise breaches are succeeding without needing sophisticated zero-day exploits,” argued Xcape’s John Carberry.
“Someone can take 77 GB of flight maintenance data with a three-year-old password. That’s not ‘hacked’ security; that’s ignored security.”
