Millions of records from MOVEit hack released on dark web

A threat actor operating under the alias "Nam3L3ss" posted at least 25 CSV datasets on the BreachForums hacking site that contains millions of records from leading companies — data likely stolen during last year’s MOVEit transfer vulnerability case.

The MOVEit hack, the largest breach of 2023, was caused by hackers exploiting a zero-day vulnerability in Progress Software’s MOVEit transfer software. Claimed by the Clop ransomware gang, it impacted more than 1,000 organizations.

In a Nov. 11 blog post, Israeli cybersecurity firm Hudson Rock said the stolen data includes employee directories from 25 major organizations, including Amazon, MetLife, Cardinal Health, HSBC, Fidelity, and US Bank.

The Hudson Rock researchers said the directories contain detailed employee information, including names, email addresses, phone numbers, cost center codes, and in some cases, entire organizational structures.

“Such data could serve as a goldmine for cybercriminals seeking to engage in phishing, identity theft, or even social engineering attacks on a large scale,” wrote the researchers.

Amazon received the most negative press from this event because reportedly 2.8 million Amazon records were exposed. The next two largest hits were sustained by MetLife, with 585,130 records exposed, and Cardinal Health, which had 407,437 exposed. Amazon was also on the hot seat because it had publicly confirmed that it had experienced a “security incident” connected to the reported data leaks.

Adam Montgomery, an Amazon company spokesperson, said emphatically that Amazon and Amazon Web Services systems remain secure — and that the large tech company had not experienced a security incident. Montgomery shared the following statement with SC Media:

“It’s important to note that Amazon is one of many companies mentioned in the Hudson Rock report. We were notified about a security event at one of our property management vendors [connected to the report of the data leaks] that impacted several of its customers, including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations. The impacted vendor only receives employee contact information. They do not have access to sensitive employee information like Social Security numbers, government identification, or financial information. We have confirmed that the vendor has fixed the security vulnerability responsible for this event.”

Case underscores vulnerabilities of third-party apps

This most recent news reinforces how third-party software remains one of the largest and least manageable cybersecurity risks organizations face, including large and technically sophisticated enterprises, said Joe Silva, chief executive officer of Spektion. Silva said by the time any company reacts to third-party software risks and vulnerabilities, they're already being actively exploited while just being publicly disclosed.

“It's time for a new approach in how we address our software supply chain,” said Silva. “Rather than lagging behind and simply reacting to CVEs, CISOs and their teams need to focus on a proactive approach to their third-party software by shifting left and leveraging data that enables quick, accurate, and actionable risk assessments of software before they're exploited."  

It’s not just MOVEit — this year alone, we’ve seen new CVEs in other managed file transfer solutions, including SolarWinds SERV-U and CRUSHFTP, which can lead to data theft just as severe as the MoveIT incident from last year, pointed out Billy Hoffman, Field CTO at Ionix.

Hoffman said the challenge with these products is that they often fly under the radar for security teams. They are typically used by backend departments like finance, HR or procurement, for unglamorous jobs like exchanging data with partners or sharing compliance documents.

“Because of this, security teams are often not aware of who is using these tools, how they are configured or whether they are exposed to the public,” said Hoffman. “As a result, when vulnerabilities are disclosed, organizations may be slow to respond — or worse, assume they’re not impacted when they actually are. Companies can avoid these blind spots by continuously analyzing their attack surface from the outside to have a comprehensive understanding of what is exposed and needs to be protected.”

This latest incident serves as a reminder that effective third-party risk management should not be a “nice-to-have,” but a “must-have,” said Nick Mistry, senior vice president and CISO at Lineaje. Mistry said having a robust incident response plan that zeroes in on third-party threats is essential, so organizations can promptly identify and reduce any risks resulting from vendor partnerships.

“Businesses must put in place thorough procedures to proactively detect and address risks, such as frequent security audits, assessments, and ongoing third-party software monitoring,” said Mistry. “In today’s threat landscape, the security of your ecosystem extends far beyond the reach of your own systems and infrastructure. Now’s the time to reassess your third-party security practices, before the next vulnerability becomes a costly breach and reputational nightmare.”