
Jan 25, 2026 · 5 min read

One Hacker Breached 50+ Companies—They All Had the Same Weakness

A single threat actor has been linked to data breaches at approximately 50 major global organizations. The attack method was not sophisticated. The companies simply did not have multi-factor authentication enabled.


The Zestix Campaign

Security researchers at Hudson Rock have identified a threat actor operating under the alias "Zestix" (also known as "Sentap") who has systematically breached corporate file sharing platforms at approximately 50 major global enterprises.

According to Dark Reading, the threat actor has been auctioning the stolen data on hacker forums, exposing everything from military defense blueprints to customer medical records.

The victims span critical sectors including airlines, law firms, healthcare providers, defense contractors, engineering firms, and even companies serving U.S. federal agencies.

The Embarrassingly Simple Attack Method

What makes this campaign noteworthy is not its sophistication—it is the complete lack of it. Zestix did not exploit zero-day vulnerabilities. There was no complex malware deployment or advanced persistent threat activity.

The attack chain was straightforward:

  • Employees at target companies had their devices infected with infostealer malware (RedLine, Lumma, or Vidar)
  • The malware harvested saved passwords and browser history
  • Those credentials ended up in underground databases
  • Zestix purchased or obtained access to those credential logs
  • The threat actor simply logged in using valid usernames and passwords

As The Register bluntly reported: "These companies were not hacked by a quantum computer cracking encryption; they were hacked because an employee infected their device with an infostealer, and the organization failed to turn on two-factor authentication."

The Targeted Platforms

Zestix specifically targeted cloud file sharing platforms where companies store sensitive documents:

  • ShareFile: Popular enterprise file sharing and collaboration platform
  • ownCloud: Self-hosted file synchronization and sharing software
  • Nextcloud: Open source collaboration and file storage platform

These platforms are designed for sharing sensitive business documents—which made them ideal targets. Once inside, Zestix could access whatever files employees had stored or shared through these systems.

What Was Stolen

The Infosecurity Magazine report details some of the most sensitive data exposed:

  • Iberia Airlines: 77 GB of aircraft maintenance documents and fleet safety data
  • Intecro Robotics (Turkey): Over 11 GB of defense blueprints for UAVs and fighter jets, including ITAR-controlled manufacturing data
  • CRRC MA: Complete engineering specifications for LA Metro transit systems
  • Pickett & Associates: 139 GB of classified LiDAR files covering U.S. power line infrastructure
  • Maida Health (Brazil): 2.3 TB of Brazilian Military Police medical records
  • Burris & Macomber: 18 GB of Mercedes-Benz USA customer data and litigation strategy from their legal counsel

The combined data represents military intellectual property, critical infrastructure maps, customer personal information, health records, and corporate legal strategies.

The Common Thread: No MFA

Every single breach in the Zestix portfolio shares the same fundamental security failure: the targeted accounts did not have multi-factor authentication enabled.

MFA requires users to prove their identity through something beyond just a password—typically a code from an authenticator app, a hardware key, or a push notification to a trusted device. Even if an attacker obtains your password, they cannot access your account without that second factor.

As BleepingComputer notes, "Zestix simply uses the valid username and password extracted from the logs. Because the organizations did not enforce MFA, the attacker walks right in."
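To make the point concrete, here is an added example (not code from the article or from any of the platforms named) of a login check with and without enforced MFA. The account, its password and the time values are constructed; the TOTP secret is the RFC 6238 reference test secret so the codes are reproducible. The `enforce_mfa=False` path is the situation the Zestix victims were in: a username and password lifted from an infostealer log is all the attacker needs.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo account. The TOTP secret is the RFC 6238 reference test
# secret, used only so the codes below are reproducible; nothing here is real.
SALT = b"demo-salt"
USERS = {
    "jdoe": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2025!", SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def login(username: str, password: str, code: Optional[str], now: int, enforce_mfa: bool) -> str:
    """Return a grant/deny verdict; enforce_mfa=False models the Zestix victims."""
    user = USERS.get(username)
    if user is None:
        return "denied: bad credentials"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return "denied: bad credentials"
    if not enforce_mfa:
        return "granted: password only"          # a stolen password is enough
    if code is None:
        return "denied: second factor required"  # the infostealer log lacks this
    # Accept the current 30 s window plus one on either side for clock skew.
    for window in (-1, 0, 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + window * 30), code):
            return "granted: password + TOTP"
    return "denied: wrong second factor"


if __name__ == "__main__":
    stolen = ("jdoe", "Winter2025!")             # what an infostealer log would hold
    print(login(*stolen, None, now=59, enforce_mfa=False))
    print(login(*stolen, None, now=59, enforce_mfa=True))
    print(login(*stolen, totp(USERS["jdoe"]["totp_secret"], 59), now=59, enforce_mfa=True))
```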

The Threat Actor Profile

According to research by DarkSignal cited in the Rescana analysis, the Sentap persona has been linked to an Iranian national operating since at least 2021.

The actor employs what researchers call a "Trust Abuse Model"—targeting exposed infrastructure and third-party access rather than developing sophisticated exploits. Sentap has also demonstrated affiliations with the Funksec cybercriminal group, known for high-volume opportunistic attacks.

The approach is purely transactional: find credentials in underground markets, test them against corporate platforms, exfiltrate whatever data is accessible, sell it to the highest bidder.

Who Else Is at Risk

Hudson Rock's intelligence data reveals a troubling reality: thousands of additional companies have employees whose cloud access credentials are currently circulating in infostealer logs.

The at-risk organizations reportedly include major enterprises such as Deloitte, Honeywell, and Walmart, as well as U.S. federal agencies. If those organizations have not enforced MFA on their file sharing platforms, they are vulnerable to the exact same attack.

The researchers describe the situation as a "ticking time bomb"—stolen credentials sitting in underground databases, waiting for someone to use them.

What This Means for Individuals

If your employer uses ShareFile, ownCloud, Nextcloud, or similar cloud file sharing platforms, your work data may be at risk if MFA is not enforced.

But the lesson extends beyond corporate platforms. The same attack pattern—credential theft followed by account access—works against any service where you use only a password:

  • Email accounts (Gmail, Outlook, Yahoo)
  • Social media platforms
  • Banking and financial services
  • Cloud storage (Dropbox, Google Drive, OneDrive)

If you have ever had malware on your device—even briefly—your passwords may already be in circulation. The only protection is having MFA enabled so that stolen passwords alone are not enough.

The Banality of Modern Data Breaches

The Zestix campaign illustrates an uncomfortable truth about modern cybersecurity: most breaches are not the result of genius hackers outsmarting sophisticated defenses. They happen because basic security measures were never implemented.

Defense contractors storing military blueprints. Law firms with privileged client information. Healthcare organizations holding patient records. All compromised not through technical brilliance, but because someone did not check a box to require MFA.

As the Hudson Rock researchers concluded: "The tragedy of the Zestix portfolio is not the sophistication of the attack, but its banality."

Enable MFA on every account that offers it. The alternative is hoping no one ever tries your stolen password.