The MOVEit comes back to bite the victims once more - now through data leaks

Take action: Once you are breached, the stolen data will be reused and abused many times after the initial incident, and it will hurt you time and again. That makes investment in preventing breaches a reasonable effort.


A new development has emerged in the MOVEit Transfer cyber attack saga that hit hundreds of companies in 2023. An anonymous threat actor operating under the alias "Nam3L3ss" has exposed data from at least 25 major organizations on a dark web forum.

The data breach originally stemmed from a critical zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer tool, which was initially exploited in June through August 2023.

The threat actor Nam3L3ss claims to be independent and unaffiliated with any ransomware group, stating they collected the data from exposed services including AWS Buckets, Azure Blobs, and MongoDB servers. The actor is sharing the data for free or for in-forum credits.

The exposed information primarily consists of employee work contact details, including:

  • names,
  • work email addresses,
  • desk phone numbers,
  • building locations,
  • cost center codes,
  • organizational structures.

Hudson Rock researchers have verified the authenticity of the data by cross-referencing emails with LinkedIn profiles and information found in infostealer infections. The scale of the leak is substantial, with data from at least the following companies:

  • Amazon,
  • Delta Airlines,
  • HP,
  • HSBC,
  • Lenovo,
  • British Telecom,
  • McDonalds,
  • Omnicom,
  • Urban Outfitters,
  • Canada Post (69,000 records),
  • MetLife,
  • U.S. Bank,
  • 3M,
  • City National Bank.

Security experts warn that this free distribution could lead to widespread misuse of the information for social engineering attacks, targeted phishing campaigns, and identity theft. Nam3L3ss has also claimed to have "1,000 releases coming" in the future.

Amazon has confirmed the breach through an official statement, emphasizing that it occurred through a property management vendor and only affected work contact information, with no sensitive personal data compromised. Similarly, Delta Airlines confirmed the exposure of internal directory information through a third-party partner but stated that no sensitive personal information was included in the breach.

The case also demonstrates how stolen data can resurface long after the initial breach, as this latest disclosure comes more than 18 months after the original MOVEit attacks.