- SonicWall Cloud Backup Breach Exposed Firewall Configuration Files of Many Global Customers
- The attackers used brute force on MySonicWall, putting customers at risk of credential leaks and targeted network intrusions.
- SonicWall is urging users to delete backups, rotate secrets, and recreate configurations locally.
All companies that use SonicWall’s MySonicWall cloud backup feature have had their firewall configuration files exposed in a recent cyberattack, the company admitted.
After initially stating that “less than 5%” of its customer base was affected, the company has revealed the true magnitude of the incident.
In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unidentified threat actors broke into the company’s MySonicWall cloud service. This tool allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, which include network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), and administrator usernames and passwords (if stored in the configuration).
Other services intact
In theory, attackers could brute force or crack secrets, extract credentials used in services linked to the firewall, understand network topology and rules (bypassing defenses more easily), and launch targeted attacks using internal knowledge about how firewalls are configured.
“Even if encryption remains in place, possession of these files could increase the risk of targeted attacks,” the notice reads. “We are working to notify all affected partners and customers and have released tools to assist with device assessment and repair.”
At the time, SonicWall stated that less than 5% of its customer base was affected by this incident, which, in a worst-case scenario, would put the number of victims at 25,000.
However, it now appears that the real number of victims is much higher: SonicWall claims to serve approximately 500,000 customers worldwide, although that doesn’t mean all of them are using firewall or cloud backup services.
The company also said that the attack did not affect other MySonicWall services or customer devices, but still urged its customers to be vigilant, delete existing backups in the cloud, change their credentials, rotate shared secrets and recreate new backups locally.
Via The Register