InfoSecBulletin Cybersecurity for mankind
# “While many leaked security credentials belong to customers, some exposed sensitive accounts suggest that security vendors too have been hit by infostealers.” #
A Cyble report reveals that account credentials from multiple cybersecurity vendors are being sold on dark web marketplaces. While most of the exposed credentials belong to customers—likely captured by infostealers infecting their devices—there has also been a concerning number of internal vendor credentials leaked, granting access to sensitive enterprise, development, and security systems.
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
VMware Patches Authentication Bypass Flaw in Windows Tool
IngressNightmare
Over 40% of cloud environments are vulnerable to RCE
(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass
Oracle refutes breach after hacker claims 6 million data theft
These credentials can be purchased for as little as $10, with many being harvested from infostealer logs and sold in bulk. Cyble focused on credentials leaked in 2025, finding that all 14 vendors examined had both customer and internal credentials exposed. These vendors primarily provide enterprise and cloud security services, though some consumer security providers were also affected.
The leaked credentials largely belonged to customers and protected access to security management and account interfaces. However, internal vendor credentials were also found, with exposure to systems .
Cyble said it didn’t test to see if the credentials were valid, but noted that many were for “easily accessible web console interfaces, SSO logins and other web-facing account access points.”
In one case, a large vendor had sensitive internal company accounts exposed, including email addresses and developer and product account interfaces, which could pose significant risks depending on the level of access granted to these accounts.
Even if all the exposed accounts were protected by other means, as ideally, they were, such leaks are concerning for one other reason: They can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.
Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.
Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.
Cyble concluded that “If the largest security vendors can be hit by infostealers, so can any organization, making basic cybersecurity practices like MFA, zero trust, vulnerability management and network segmentation important for minimizing – and ideally preventing – data breaches, ransomware and other cyberattacks.”
To read the full in-depth report click here.
Source: Cyble
