
Someone nicknamed "Zestix" quietly siphoned data from roughly 50 big organizations by doing something shockingly simple: using stolen passwords to log in where multi‑factor authentication wasn't turned on. No zero‑day. No headline‑grabbing exploit. Just credentials lifted by infostealer malware and accounts left undefended.

Why You Should Be Taking Note

  • Targets: corporate file‑sharing platforms (ShareFile, Nextcloud, OwnCloud).

  • Loot: terabytes of sensitive material, including defense blueprints, aircraft maintenance logs, medical records and utility maps.

  • Method: infostealer malware (think RedLine, Lumma, Vidar) harvested saved passwords and session data from infected endpoints. The attacker searched dark‑web dumps for corporate cloud URLs and used those credentials to sign in.

  • Root cause: years‑old leaked passwords and organizations that still don’t enforce MFA.

The Takeaway

This wasn't a headline‑grabbing feat of cyber wizardry. It was a basic hygiene failure. An employee downloads a malicious file, an infostealer grabs saved credentials, and an organization without MFA hands over everything. Hudson Rock (a cyber‑security intelligence firm that investigates criminal cyber activity) called it a "pervasive failure in credential hygiene."

That's the polite phrasing for "we left the keys under the mat."

What You Need To Do…NOW

  • Turn on MFA everywhere that supports it. No exceptions.

  • Stop relying on saved plaintext credentials and legacy single‑factor logins for cloud storage.

  • Deploy endpoint protection that detects infostealers and suspicious credential exfiltration.

  • Hunt for reused or leaked credentials tied to corporate domains, and enforce rotation policies.

  • Treat initial‑access brokers as the business problem they are — if access can be sold, your data can be leaked.
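A small defender‑side hunt for the pattern described above (an added example, not code from this post or from Hudson Rock): it scores successful single‑factor logins to a file‑sharing host, escalating when the source address is unfamiliar or the account shows up in a stealer‑log feed. The log format, the host name files.corp.example, the IP ranges and the feed contents are all constructed.

```python
"""Score single-factor logins to a file-sharing host against the
infostealer -> credential-reuse pattern. All sample data is constructed."""
from dataclasses import dataclass

# Constructed audit lines in a simple key=value layout (hypothetical schema,
# not the real log format of ShareFile, Nextcloud or OwnCloud).
SAMPLE_LOG = """\
ts=2025-01-06T08:02:11Z user=alice@corp.example result=success mfa=yes ip=203.0.113.10 app=files.corp.example
ts=2025-01-06T23:41:07Z user=bob@corp.example result=success mfa=no ip=198.51.100.7 app=files.corp.example
ts=2025-01-07T01:15:02Z user=carol@corp.example result=failure mfa=no ip=192.0.2.44 app=files.corp.example
ts=2025-01-07T01:16:40Z user=carol@corp.example result=success mfa=no ip=192.0.2.44 app=files.corp.example
ts=2025-01-07T09:00:00Z user=dave@corp.example result=success mfa=no ip=203.0.113.22 app=files.corp.example
"""

# Constructed: egress prefixes the organisation treats as known (office / VPN).
KNOWN_GOOD_PREFIXES = ("203.0.113.",)

# Constructed: (app, account) pairs a stealer-log feed reports as compromised.
STEALER_HITS = {("files.corp.example", "bob@corp.example")}


@dataclass
class Finding:
    user: str
    ip: str
    severity: str
    reason: str


def parse_line(line):
    """Turn one key=value audit line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def score(event):
    """Return a Finding for a successful single-factor login, else None."""
    if event["result"] != "success" or event["mfa"] == "yes":
        return None  # failed attempts and MFA-protected logins are out of scope
    reasons, severity = ["single-factor login"], "low"
    if not event["ip"].startswith(KNOWN_GOOD_PREFIXES):
        reasons.append("unfamiliar source IP")
        severity = "medium"
    if (event["app"], event["user"]) in STEALER_HITS:
        reasons.append("account present in stealer-log feed")
        severity = "high"  # leaked credential + no MFA: the incident's exact shape
    return Finding(event["user"], event["ip"], severity, "; ".join(reasons))


def hunt(log_text):
    """Parse every line and keep only the findings worth triaging."""
    findings = (score(parse_line(l)) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.user} from {f.ip}: {f.reason}")
```

The high‑severity result is the one to act on first: disable the session, reset the credential and enrol the account in MFA before looking at the rest.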

How cybersecure is your organization…really?

Jan 7 at 8:59 AM
