An Iranian hacker operating under the aliases Zestix and Sentap gained access to the internal data of roughly 50 global corporations, including Iberia Airlines and Sekisui House, using stolen credentials. The attacker is now auctioning the compromised corporate information on dark web forums after exploiting the absence of multi-factor authentication on sensitive file-sharing platforms.
A lone cybercriminal has successfully infiltrated the private digital archives of approximately 50 major international corporations. According to research conducted by the cybersecurity firm Hudson Rock, the victim list includes prominent names such as Iberia Airlines, Sekisui House, and CRRC MA. The individual responsible is believed to be an Iranian national who uses the online handles Zestix and Sentap. This hacker is now actively selling the massive quantities of stolen corporate data to the highest bidders on various dark web marketplaces.
Despite the size and resources of the targeted organizations, the breaches were not the result of a sophisticated technical exploit. The hacker relied on a far simpler method of entry: logging in with valid credentials, harvested from infected employee machines, against the companies' own internet-facing systems. This worked because the affected businesses had not enforced a second authentication factor on those systems. The ease with which the attacker gained access points to a widespread weakness in corporate infrastructure rather than to any single software flaw.
The credentials came from a class of malware known as infostealers, specifically the RedLine, Lumma, and Vidar families. These programs typically infect a computer when a user unknowingly runs a trojanized download or pirated software. Once active, the stealer quietly copies the passwords saved in the victim's web browsers (along with other stored secrets such as session cookies) and sends them to the operator, who bundles the results into logs that are traded in bulk. In this case, the hacker collected logs containing credentials belonging to employees of the targeted firms and used them to log in to corporate file-sharing portals.
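The first question a security team asks when such a log surfaces is which of its entries belong to the company, and which of those unlock a file-sharing portal. The following is an added example, not code from the article or from Hudson Rock: it parses a constructed credential dump whose block layout approximates what RedLine-family stealers write (field names vary between families, so treat the parser as a template), keeps only records tied to an assumed corporate domain, puts file-sharing hosts first in the reset queue, and flags passwords reused across sites. All hosts, usernames and passwords are invented.

```python
"""Triage a credential dump in the layout infostealer families write.

Added example, not part of the article or Hudson Rock's tooling. The dump below
is constructed; its block layout approximates the Passwords.txt that
RedLine-family stealers produce, but field names vary between families.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample dump: every host, user and password here is invented.
SAMPLE_DUMP = """\
URL: https://example-corp.sharefile.com/Authentication/Login
Username: j.doe@example-corp.com
Password: Winter2023!
Application: Google_[Chrome]_Default
===============
URL: https://cloud.example-corp.com/login
Username: jdoe
Password: Winter2023!
Application: Google_[Chrome]_Default
===============
URL: https://www.example-streaming.com/login
Username: j.doe@example-mail.com
Password: hunter2
Application: Microsoft_[Edge]_Default
===============
URL: https://owncloud.partner-example.net/index.php/login
Username: jane.doe@partner-example.net
Password: Spring2024!
Application: Google_[Chrome]_Default
===============
"""

# Hostname fragments identifying the file-sharing products named in the article.
FILE_SHARING_MARKERS = ("sharefile", "nextcloud", "owncloud")

_FIELD = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$")


@dataclass(frozen=True)
class Credential:
    url: str
    host: str
    username: str
    password: str
    application: str


def parse_dump(text: str) -> list[Credential]:
    """Split the dump into records; a line of '=' terminates each block."""
    records: list[Credential] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("==="):
            if "URL" in current:
                records.append(Credential(
                    url=current["URL"],
                    host=(urlsplit(current["URL"]).hostname or "").lower(),
                    username=current.get("Username", ""),
                    password=current.get("Password", ""),
                    application=current.get("Application", ""),
                ))
            current = {}
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return records


def is_corporate(cred: Credential, corp_domain: str) -> bool:
    """A record concerns the company if the site or the login name is on its domain."""
    d = corp_domain.lower()
    return (cred.host == d or cred.host.endswith("." + d)
            or cred.username.lower().endswith("@" + d))


def is_file_sharing(host: str) -> bool:
    return any(marker in host for marker in FILE_SHARING_MARKERS)


def triage(creds: list[Credential], corp_domain: str) -> list[Credential]:
    """Corporate records only, file-sharing portals first (they get reset first)."""
    corporate = [c for c in creds if is_corporate(c, corp_domain)]
    return sorted(corporate, key=lambda c: not is_file_sharing(c.host))


def reused_passwords(creds: list[Credential]) -> dict[str, list[str]]:
    """Passwords seen under more than one login: one site's leak unlocks the others."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for c in creds:
        by_password[c.password].append(c.username)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    for c in triage(creds, "example-corp.com"):
        print(f"{c.host:35} {c.username:30} file-sharing={is_file_sharing(c.host)}")
    for users in reused_passwords(creds).values():
        print(f"same password saved for logins {users}")  # never print the password itself
```

Note that the ShareFile record is matched through the login name, not the host: hosted portals live on the vendor's domain, so filtering on the company's own domain alone would miss exactly the accounts this campaign targeted. The reuse check matters for the same reason; a password leaked from a personal site on the victim's machine also opens the corporate portal when the two match.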
Zestix focused on platforms such as ShareFile, Nextcloud, and ownCloud, which companies use to store and distribute sensitive internal documents. Because the affected accounts were not protected by multi-factor authentication, a stolen password was sufficient on its own. Multi-factor authentication adds a second proof of identity before entry is granted, for example a one-time code from a mobile device or email, a push approval, or a hardware security key, so a password alone, however it was obtained, no longer opens the account. Without that requirement, the hacker's logins were indistinguishable from those of a legitimate employee.
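Where MFA is not yet enforced, the server's own audit log is the next best place to catch this pattern: a password-only account logging in from an address never seen for that user, and one source address succeeding against several accounts in a short window. The following is an added example, not code from the article or from Nextcloud. The log lines are constructed and only approximate the JSON lines written by Nextcloud's admin_audit app, so field names may need adjusting for a real deployment; the per-user IP baseline and the set of MFA-enrolled users are assumed inputs (in Nextcloud the latter can be read with `occ twofactorauth:state`).

```python
"""Spot replayed stolen credentials in a file-sharing server's audit log.

Added example, not code from the article or from Nextcloud. The log lines are
constructed and approximate the JSON lines Nextcloud's admin_audit app writes;
a real deployment's field layout may differ, so adjust the field names.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one JSON object per line, as a log shipper would see it.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-05-01T08:00:00+00:00", "remoteAddr": "10.1.2.3",
     "user": "alice", "message": 'Login successful: "alice" (Remote IP: "10.1.2.3")'},
    {"time": "2024-05-01T08:01:10+00:00", "remoteAddr": "198.51.100.7",
     "user": "bob", "message": 'Login successful: "bob" (Remote IP: "198.51.100.7")'},
    {"time": "2024-05-01T08:02:30+00:00", "remoteAddr": "198.51.100.7",
     "user": "erin", "message": 'Login attempt failed: "erin" (Remote IP: "198.51.100.7")'},
    {"time": "2024-05-01T08:03:05+00:00", "remoteAddr": "198.51.100.7",
     "user": "carol", "message": 'Login successful: "carol" (Remote IP: "198.51.100.7")'},
    {"time": "2024-05-01T08:04:40+00:00", "remoteAddr": "203.0.113.9",
     "user": "dave", "message": 'Login successful: "dave" (Remote IP: "203.0.113.9")'},
    {"time": "2024-05-01T08:06:15+00:00", "remoteAddr": "198.51.100.7",
     "user": "frank", "message": 'Login successful: "frank" (Remote IP: "198.51.100.7")'},
])

# Assumed inputs a SOC would already hold: addresses each user has logged in
# from historically, and who has a second factor enrolled. Both are constructed.
BASELINE_IPS = {"alice": {"10.1.2.3"}, "bob": {"10.1.2.4"}, "carol": {"10.1.2.5"},
                "dave": {"10.1.2.6"}, "frank": {"10.1.2.7"}}
MFA_ENROLLED = {"dave"}


def find_suspicious_logins(log_text, baseline_ips, mfa_enrolled,
                           fanout_threshold=3, window=timedelta(minutes=10)):
    """Return (rule, subject, detail) tuples for logins that look like credential replay."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    successes = [e for e in events if e["message"].startswith("Login successful")]
    alerts = []

    # Rule 1: a password-only account logged in from an address never seen for that user.
    # Accounts with a second factor are skipped: a stolen password alone cannot get them in.
    for e in successes:
        known = baseline_ips.get(e["user"], set())
        if e["user"] not in mfa_enrolled and e["remoteAddr"] not in known:
            alerts.append(("new-ip-no-mfa", e["user"], e["remoteAddr"]))

    # Rule 2: one source address succeeds against several accounts inside the window,
    # the signature of someone working through a list of harvested credentials.
    by_ip = defaultdict(list)
    for e in successes:
        by_ip[e["remoteAddr"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    for ip, hits in by_ip.items():
        hits.sort()
        for start, _ in hits:
            users = {u for t, u in hits if start <= t <= start + window}
            if len(users) >= fanout_threshold:
                alerts.append(("ip-fanout", ip, tuple(sorted(users))))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(AUDIT_LOG, BASELINE_IPS, MFA_ENROLLED):
        print(alert)
```

Only successful logins feed both rules: failed attempts from the same address are noise here, because the attacker in this story already had working passwords and did not need to guess. One caveat when turning this into a response playbook: infostealers take session cookies as well as passwords, so resetting a flagged account's password should go together with revoking its active sessions.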
The success of this campaign is a reminder of what credential theft costs when no second authentication factor stands behind the password. By not enforcing that one step on their file-sharing portals, some 50 global companies allowed a single actor to walk away with proprietary information. The incident shows that even the largest organizations can be compromised through basic oversights, and that multi-factor authentication, together with prompt password resets and session revocation when an employee's device is found infected, is the control that would have stopped this particular attacker.
Source: Lone Hacker Used Infostealers To Access Data At 50 Global Companies