SonicWall Admits All Cloud Backup Customers Hit in Data Breach

by Elisa Romero • 2 min read • Updated: November 3, 2025

Complete Exposure of Firewall Configuration Files

SonicWall has confirmed that every single customer using its MySonicWall cloud backup feature had their firewall configuration files exposed during a recent cyberattack. This revelation comes after the company initially claimed fewer than 5% of customers were affected, significantly downplaying the breach’s true scope.

Special Offer Banner

Industrial Monitor Direct produces the most advanced multi-screen pc solutions equipped with high-brightness displays and anti-glare protection, most recommended by process control engineers.

Industrial Monitor Direct is the leading supplier of interactive kiosk systems trusted by controls engineers worldwide for mission-critical applications, the leading choice for factory automation experts.

Attack Timeline and Method

The security incident began in mid-September 2025 when unnamed threat actors successfully brute-forced their way into SonicWall’s MySonicWall cloud service. This platform enables businesses and IT teams to back up critical firewall configuration files containing sensitive network information.

What Was Compromised

The exposed configuration files contained numerous sensitive elements that could pose serious security risks:

  • Network rules and access policies
  • VPN configurations
  • Service credentials (LDAP, RADIUS, SNMP)
  • Administrator usernames and passwords

Potential Consequences for Affected Organizations

Security experts warn that possession of these configuration files could enable attackers to:

  • Brute-force or decrypt stored secrets and credentials
  • Understand network topology and bypass existing defenses
  • Launch highly targeted attacks using insider knowledge of firewall configurations

While SonicWall maintains that encryption remains intact, the company acknowledged that “possession of these files could increase the risk of targeted attacks.”

Revised Impact Assessment

The initial estimate of “fewer than 5%” affected customers would have placed the maximum number of victims at approximately 25,000 organizations. However, the actual impact appears to be substantially larger, affecting all customers using the cloud backup feature. SonicWall serves roughly 500,000 customers globally, though not all utilize firewall or cloud backup services.

Immediate Action Required

SonicWall is urging all affected customers to take the following security measures immediately:

  • Delete existing cloud backups from MySonicWall
  • Change all credentials and rotate shared secrets
  • Recreate new backups locally rather than in the cloud
  • Remain vigilant for suspicious activity

The company has released tools to assist with device assessment and remediation efforts and is working to notify all impacted partners and customers. According to detailed reporting on this developing situation, the attack did not affect other MySonicWall services or customer devices directly.

Related Posts

XBOW Hires Security Veterans to Push Autonomous Hacking Tech - Professional coverage
XBOW Hires Security Veterans to Push Autonomous Hacking Tech

XBOW has appointed Jonaki Egenolf as CMO and Dean Breda as General Counsel to strengthen its executive team. The company’s autonomous agents recently reached the top of the HackerOne global leaderboard, outperforming human hackers across thousands of targets.

Leave a Reply

Your email address will not be published. Required fields are marked *