Apr 26, 2026
A Cybersecurity Firm Got Hacked Because It Had No Two Factor Authentication—Then It Threatened the Journalists Who Reported It
BePrime, a Mexican cybersecurity company contracted to protect Iberdrola, Whirlpool, and ArcelorMittal, was breached through admin accounts with no MFA. The attacker stole 12.6 GB of data, took control of 1,858 network devices, and accessed live surveillance camera feeds at client offices.
What Happened
BePrime, a cybersecurity and managed network services firm headquartered in Nuevo León, Mexico, was breached in April 2026 after an attacker exploited administrator accounts that lacked multifactor authentication. The breach was first disclosed on a cybercrime forum, where the attacker published proof of access including screenshots, credentials, and data samples.
The company acknowledged a "cybersecurity incident" on April 21, 2026, and said it had engaged Cisco Talos for remediation. But the scope of the breach had already become clear: the attacker had compromised not just BePrime's own systems, but the networks and physical security infrastructure of its corporate clients.
What Was Stolen
The attacker exfiltrated 12.6 GB of data from BePrime's systems, including:
- Plaintext credentials for client networks and internal systems
- Security audit reports and penetration test results detailing vulnerabilities across client infrastructure
- Transaction records and business documents
- API keys for Cisco Meraki network management
Using the stolen Meraki credentials, the attacker took control of 1,858 network devices including switches and routers, and gained visibility into traffic from over 2,600 connected devices across BePrime's client base.
Live Surveillance Camera Access
The most alarming element of the breach was the attacker's access to live video feeds from surveillance cameras at client offices. Using Cisco Meraki's cloud-managed camera system, the attacker published screenshots of the Meraki Vision dashboard showing real-time camera feeds overlooking workspaces at corporate client locations.
This means an unauthorized individual had the ability to watch employees at Iberdrola, ArcelorMittal, Whirlpool, and Alsea (the operator of Starbucks, Domino's, and Vips locations across Latin America) in real time. The implications for physical security and corporate espionage are severe.
The Irony of a Security Firm Without MFA
"The irony that a firm selling cybersecurity was breached for not having two factor authentication on its administrator accounts results in a total loss of trust," said Alberto Daniel Hill, a cybersecurity researcher who analyzed the incident.
Multifactor authentication is not an advanced security measure. It is a baseline requirement that every cybersecurity framework mandates, including the ones BePrime was presumably auditing its clients against. The absence of MFA on administrator accounts, the most privileged accounts in any organization, suggests that BePrime's internal security practices did not match what it sold to clients.
The breach also exposed security audit reports and penetration test results from client engagements. These documents detail specific vulnerabilities in client systems, effectively handing attackers a roadmap for future exploitation.
Threatening the Messenger
Rather than focusing on transparency and remediation, BePrime announced its intention to pursue legal action against journalists and media outlets that reported on the breach, claiming some coverage was "false, inaccurate, or out of context."
This response drew sharp criticism from the cybersecurity community. Threatening journalists who report on security incidents is widely considered a counterproductive strategy that erodes public trust further. It also raises concerns about press freedom, particularly in Mexico, where journalists already face significant risks.
The pattern is not new. Companies that suffer embarrassing breaches sometimes attempt to control the narrative through legal threats rather than addressing the underlying security failures. This approach almost never works and typically generates more negative coverage than the original incident.
Supply Chain Risk in Managed Security
BePrime's breach is a textbook example of supply chain risk. The company had privileged access to its clients' most sensitive infrastructure: network devices, security cameras, audit reports, and credentials. When BePrime was compromised, every client it served was effectively compromised too.
"Unauthorized access to the control systems of energy sector suppliers represents a direct threat to Mexico's energy sovereignty and national security," noted one analysis. Iberdrola, one of the affected clients, is a major energy provider in Mexico.
This mirrors a broader trend in 2026. Attackers increasingly target managed service providers and security vendors because compromising one vendor gives access to dozens or hundreds of downstream organizations. Recent examples include the Vercel breach through Context AI and the Checkmarx KICS supply chain attack that compromised Docker images and VS Code extensions.
What Organizations Should Learn
If your organization relies on a managed security provider:
- Audit your vendors' security. Require evidence that your security provider enforces MFA on all privileged accounts. If they cannot demonstrate this, that is a red flag.
- Limit vendor access. Apply the principle of least privilege to third-party accounts. No vendor needs persistent administrative access to all systems simultaneously.
- Rotate credentials after any vendor incident. If your managed security provider is breached, assume all credentials they held are compromised and rotate immediately.
- Review shared audit data. Penetration test reports and vulnerability assessments contain information that attackers can use. Ensure these documents are stored securely and that access to them is logged.
- Segment network management. Camera systems, network devices, and security infrastructure should not all be accessible through a single set of credentials.
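One way to turn the first two checks into something repeatable is to audit an export of your management dashboard's administrator list. The sketch below is an added example, not part of the original article: the sample records are constructed, the field names (`orgAccess`, `twoFactorAuthEnabled`, `hasApiKey`, `lastActive`) are an assumption modeled on a Meraki-style admin listing, and `audit_admins` is a hypothetical helper.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an organization admin listing export.
# Field names are assumptions; adjust them to match your dashboard's export.
SAMPLE_ADMINS = json.loads("""[
  {"email": "noc@vendor.example", "orgAccess": "full",
   "twoFactorAuthEnabled": false, "hasApiKey": true, "lastActive": "2026-04-20T09:12:00Z"},
  {"email": "it-lead@client.example", "orgAccess": "full",
   "twoFactorAuthEnabled": true, "hasApiKey": false, "lastActive": "2026-04-22T15:40:00Z"},
  {"email": "old-contractor@vendor.example", "orgAccess": "full",
   "twoFactorAuthEnabled": true, "hasApiKey": true, "lastActive": "2025-09-01T08:00:00Z"},
  {"email": "helpdesk@client.example", "orgAccess": "read-only",
   "twoFactorAuthEnabled": false, "hasApiKey": false, "lastActive": "2026-04-23T11:05:00Z"}
]""")

def audit_admins(admins, internal_domain, now, stale_days=90):
    """Return (email, [findings]) pairs, privileged no-MFA accounts first."""
    report = []
    for a in admins:
        findings = []
        privileged = a.get("orgAccess") == "full"
        # A missing MFA field is treated as "not enabled" (fail closed).
        if not a.get("twoFactorAuthEnabled", False):
            findings.append("NO_MFA_PRIVILEGED" if privileged else "NO_MFA")
        if privileged and not a["email"].endswith("@" + internal_domain):
            findings.append("EXTERNAL_FULL_ADMIN")
        last = a.get("lastActive")
        if last:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > timedelta(days=stale_days):
                findings.append("STALE_WITH_API_KEY" if a.get("hasApiKey") else "STALE")
        if findings:
            report.append((a["email"], findings))
    # Privileged accounts without MFA sort to the top, then by finding count.
    report.sort(key=lambda r: ("NO_MFA_PRIVILEGED" not in r[1], -len(r[1])))
    return report

if __name__ == "__main__":
    now = datetime(2026, 4, 26, tzinfo=timezone.utc)
    for email, findings in audit_admins(SAMPLE_ADMINS, "client.example", now):
        print(f"{email}: {', '.join(findings)}")
```

Run it on a schedule against a fresh export and treat any `NO_MFA_PRIVILEGED` or `STALE_WITH_API_KEY` finding on a vendor account as a reason to revoke access until the vendor remediates.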
The Bottom Line
BePrime sold cybersecurity services to some of Mexico's largest corporations. It was breached through the most basic security failure possible: administrator accounts without two-factor authentication. The attacker did not need a sophisticated exploit or a zero-day vulnerability. They walked through an open door.
The company's decision to threaten journalists instead of publishing a transparent incident report only compounds the damage. Trust, once lost in cybersecurity, is extraordinarily difficult to rebuild, and threatening the press is not the way to start.