Data Leaked at SonicWall. Company Urges Customers to Change Passwords Immediately

SonicWall has urged customers to reset their credentials following a cyberattack on MySonicWall accounts that exposed firewall configuration backup files.

Immediate Response and Investigation

According to the company, once the intrusion was detected, attackers’ access was blocked. SonicWall is now working with cybersecurity agencies and law enforcement to assess the scope and consequences of the breach.
“As part of our commitment to transparency, we are notifying you of an incident that led to the compromise of firewall configuration backup files stored in some MySonicWall accounts,” the company said in its statement. “Access to the compromised configuration files could significantly facilitate the exploitation of firewalls for attackers.”

Why the Leak Matters

The leaked backups pose a serious risk: they may contain credentials and tokens for services running on SonicWall devices within customer networks. Such data could allow attackers to move laterally or exploit additional systems.
To minimize risks, SonicWall has published detailed recommendations for administrators. These include:
- Reconfiguring potentially compromised passwords and secrets immediately.
- Monitoring systems closely for signs of malicious activity.
The company also warned that passwords, shared secrets, and encryption keys set in SonicOS may need to be updated across related services — including Internet service providers, Dynamic DNS providers, email platforms, remote IPSec VPN peers, and LDAP/RADIUS servers.

Scope of the Incident

In a comment to Bleeping Computer, SonicWall confirmed that less than 5% of its firewalls were affected. Attackers reportedly used brute-force attacks against an API service for cloud backups.
“Our investigation revealed that less than 5% of our total firewalls had configuration backups in the cloud that were accessed by the attackers,” the company explained. “While the files contained encrypted passwords, they also contained information that could facilitate the hacking of the firewalls. Currently, we are not aware of these files being published by the attackers in the public domain. This was not a ransomware incident or another similar attack on SonicWall. Rather, it was a series of brute-force attacks targeting individual accounts to gain access to configuration files from backups for their subsequent use.”