SonicWall confirms all of its cloud backup customers were affected by data breach
It had previously said only 5% were affected

- SonicWall cloud backup breach exposed firewall config files of many global customers
- Attackers brute-forced MySonicWall, risking credential leaks and targeted network intrusions
- SonicWall urges users to delete backups, rotate secrets, and recreate configurations locally
All companies using SonicWall’s MySonicWall cloud backup feature have had their firewall configuration files exposed in a recent cyberattack, the company has admitted.
After initially claiming “fewer than 5%” of its customer base was affected, the company has revealed the true scale of the incident.
In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unnamed threat actors brute-forced their way into the company’s MySonicWall cloud service. This tool allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, including network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), and admin usernames and passwords (if stored in config).
Other services intact
In theory, the attackers could brute-force or decrypt the secrets to extract credentials used in services tied to the firewall, study the network topology and rules to bypass defenses more easily, and launch targeted attacks using insider knowledge of how the firewalls are configured.
“While encryption remains in place, possession of these files could increase the risk of targeted attacks,” the notification reads. “We are working to notify all impacted partners and customers and have released tools to assist with device assessment and remediation.”
At the time, SonicWall said that fewer than 5% of its customer base was affected by this incident, which, at worst, would put the number of victims at 25,000.
However, it now seems that the actual number of victims is a lot greater. SonicWall claims it services roughly 500,000 customers globally, although that doesn’t mean that all of them are using firewalls or cloud backup services.
The company also said the attack did not affect other MySonicWall services, or customer devices, but still urged its customers to be vigilant, delete existing cloud backups, change their credentials, rotate shared secrets, and recreate new backups locally.
Via The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.