According to TheRegister.com, a single cybercriminal using the monikers Zestix or Sentap has stolen and sold sensitive data from about 50 global enterprises after obtaining compromised cloud credentials from info-stealing malware. The apparent victims, which include American utility engineering firm Pickett and Associates, Japan’s Sekisui House, and Spain’s Iberia Airlines, all had one critical security failure in common: none enforced multi-factor authentication (MFA). The attacker specifically targeted enterprise file-sharing platforms like ShareFile and Nextcloud, simply logging in with stolen passwords. In one case, 139 GB of utility engineering data was listed for sale for 6.5 bitcoin, or about $585,000. Other stolen datasets include military IP from a Turkish robotics firm and health records of Brazilian Military Police families. The security firm Hudson Rock, which uncovered the campaign, stated the attacker faced “no exploits, no cookies – just a password.”
How the front door was left open
Here’s the thing about this breach: it’s not technically sophisticated. It’s depressingly simple. Employees at these companies ran info-stealer malware such as RedLine or Lumma, most likely delivered by a phishing email or a trojanized download. The malware harvested the credentials saved in their browsers and shipped them off to the operator. The criminal, Zestix, collected those credentials, some freshly stolen and some apparently sitting in stealer logs for years, and went shopping for corporate file-sharing portals. Because not one of these roughly 50 organizations enforced MFA on those systems, a password alone was a complete credential, and he simply logged in. Any password that had been rotated after the infection would have been useless; these had not been. It’s the digital equivalent of finding a ring of keys labeled with home addresses. No lockpicking required.
The staggering scale of what was taken
This isn’t just some customer email list. The data exposed here is operationally critical. We’re talking about technical safety data and fleet information from a major airline (Iberia). Complete signaling drawings and SCADA lists from a rail manufacturer. Active lemon law case files from a law firm representing Mercedes-Benz. Even health records of police families in Brazil. This is core operational, safety, and intellectual property data. For industries like utilities, aviation, and defense manufacturing, a breach of this kind isn’t just a privacy issue; it’s a national security and public safety risk. And it all hinged on a single, basic security control that was left off.
The growing trend of logging in, not breaking in
This report perfectly illustrates the biggest shift in cyber attacks over the last few years. Criminals aren’t always trying to exploit a zero-day vulnerability. They’re using valid credentials. They’re walking in the front door. Security experts have been warning about this for ages, and yet, here we are. Hudson Rock calls it a “pervasive failure” in credential hygiene: companies aren’t rotating passwords after an infection, invalidating old sessions, or, most obviously, enforcing MFA. It’s a basic failure of IT fundamentals. In sectors handling critical infrastructure, this negligence is especially glaring. For companies in manufacturing, energy, or industrial automation, robust access control on the systems that hold engineering and operational data isn’t optional; it’s the bedrock of operational security.
So what now?
The lesson couldn’t be clearer, could it? Enforce multi-factor authentication. Everywhere. Especially on any system that touches sensitive or operational data, and enforced for every account rather than offered as an option. But it’s more than that. Companies need to actively monitor stealer-log feeds and dark-web markets for compromised employee credentials, and when a hit turns up, reset the password, revoke the account’s active sessions, and check whether anyone has already logged in with it. They need to assume passwords *will* get stolen and make MFA the non-negotiable barrier that stops the attack. Progress Software, maker of ShareFile, got it right in their response: they emphasized MFA as the critical mitigation. This isn’t a new problem. The same lack of MFA fueled the massive Change Healthcare and Snowflake breaches. When will organizations finally learn? Until they do, actors like Zestix will keep having a field day, one stolen password at a time.
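What "monitor for compromised credentials and assume the password is already stolen" looks like in practice, as an added example that is not part of the original article and not code from Hudson Rock, The Register, or any of the companies named above: a small Python script that correlates a stealer-log export with a file-sharing portal's authentication log. It flags every successful login by an account whose credentials appear in stealer logs, rates it by whether MFA was in play, computes how long the credential had been exposed before the login (the "sitting in logs for years" problem described above), and spots a single source IP working through several exposed accounts. The stealer-log record layout, host names, user names, and the JSON log format are all constructed for illustration; real stealer-log feeds and products such as Nextcloud's nextcloud.log use their own schemas.

```python
"""Correlate a stealer-log export with portal auth logs to find logins made with stolen passwords."""
import json
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed stealer-log export: one record per credential the malware captured.
# Field names are an assumption; real feeds (e.g. Hudson Rock's) use their own schema.
STEALER_RECORDS = [
    {"url": "https://files.example-utility.com/login", "username": "j.doe@example-utility.com",
     "password": "Summer2021!", "stealer": "RedLine", "captured": "2021-08-14"},
    {"url": "https://files.example-utility.com/login", "username": "a.smith@example-utility.com",
     "password": "Welcome1", "stealer": "RedLine", "captured": "2024-11-20"},
    {"url": "https://cloud.example-rail.com/index.php/login", "username": "m.ops",
     "password": "rail-drawings-99", "stealer": "Lumma", "captured": "2025-03-02"},
]

# Constructed portal authentication log, one JSON object per line (format is an assumption).
AUTH_LOG = """\
{"time":"2025-06-01T02:14:09Z","event":"login","result":"success","user":"j.doe@example-utility.com","ip":"203.0.113.7","mfa":false}
{"time":"2025-06-01T09:30:00Z","event":"login","result":"success","user":"a.smith@example-utility.com","ip":"198.51.100.2","mfa":true}
{"time":"2025-06-03T23:58:41Z","event":"login","result":"success","user":"m.ops","ip":"203.0.113.7","mfa":false}
{"time":"2025-06-04T10:05:12Z","event":"login","result":"failure","user":"m.ops","ip":"192.0.2.9","mfa":false}
"""


def index_stealer_records(records):
    """Map each exposed username (lower-cased) to the host, capture date and malware family per hit."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["username"].lower()].append({
            "host": urlparse(r["url"]).hostname,
            "captured": date.fromisoformat(r["captured"]),
            "stealer": r["stealer"],
        })
    return by_user


def parse_auth_log(text):
    """Parse newline-delimited JSON login events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return events


def correlate(records, log_text):
    """Return one finding per successful login by an account present in the stealer logs.

    Logins without MFA are 'high' (the stolen password was sufficient); logins where MFA
    was completed are 'medium' (the password is burned, but the barrier held).
    """
    exposed = index_stealer_records(records)
    findings = []
    for event in parse_auth_log(log_text):
        if event.get("event") != "login" or event.get("result") != "success":
            continue
        hits = exposed.get(event["user"].lower())
        if not hits:
            continue
        oldest_capture = min(h["captured"] for h in hits)
        findings.append({
            "user": event["user"],
            "ip": event["ip"],
            "time": event["time"].isoformat(),
            "mfa": bool(event.get("mfa")),
            # Days between the earliest capture and this login: how long the password sat unrotated.
            "credential_age_days": (event["time"].date() - oldest_capture).days,
            "stealers": sorted({h["stealer"] for h in hits}),
            "severity": "medium" if event.get("mfa") else "high",
        })
    return findings


def shared_source_ips(findings):
    """Source IPs that logged into more than one exposed account: one actor working a credential list."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


def recommended_actions(findings):
    """Per-account response steps; MFA enforcement comes first wherever the login had none."""
    actions = {}
    for f in findings:
        steps = ["force password reset", "revoke all active sessions and tokens"]
        if not f["mfa"]:
            steps.insert(0, "enforce MFA before the next login")
        if f["credential_age_days"] > 365:
            steps.append("review rotation policy: credential was exposed %d days before this login"
                         % f["credential_age_days"])
        actions[f["user"]] = steps
    return actions


if __name__ == "__main__":
    results = correlate(STEALER_RECORDS, AUTH_LOG)
    for f in results:
        print(f["severity"].upper(), f["user"], "from", f["ip"], "mfa=%s" % f["mfa"],
              "exposed %d days" % f["credential_age_days"], f["stealers"])
    print("shared source IPs:", shared_source_ips(results))
    for user, steps in recommended_actions(results).items():
        print(user, "->", "; ".join(steps))
```

The point of ordering the output by severity and credential age is triage: an account whose password has been in a stealer log for over a thousand days and still logs in without MFA is exactly the failure the article describes, and the same source IP hitting two exposed accounts is the signature of an actor working down a purchased credential list rather than a user on a new laptop.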
