One criminal leveraged old stolen passwords and a lack of multi-factor authentication (MFA) to quietly breach roughly 50 large enterprises—showcasing that the weakest link in cloud security is not technology, but basic governance and accountability. This campaign, run by a threat actor known as Zestix or Sentap, is a case study in how organizations can spend millions on cyber tools yet still leave the “front door” wide open.
At the center of this story is a simple, uncomfortable truth: these breaches did not require zero-day exploits, nation-state sophistication, or advanced persistence techniques. They required only valid passwords, harvested years ago from infostealer infections, and cloud portals that did not enforce MFA. The resulting exposures span aviation, housing, robotics, infrastructure, legal and healthcare data, and more—demonstrating a systemic failure in credential hygiene and cloud security governance.
—
A Threat Actor Who Didn’t Need to Hack
Security firm Hudson Rock and other researchers have tracked Zestix/Sentap as an initial access broker (IAB) and data extortionist operating at least since 2021. As an IAB, the actor’s core business model is not deploying ransomware directly, but obtaining and selling or monetizing initial access into corporate environments. Recent analysis links the “Sentap” persona to an Iranian national and associates the actor with the Funksec cybercriminal group, known for high-volume, opportunistic attacks.
What makes this campaign remarkable is how unremarkable the techniques are:
– Infection: Employees downloaded malicious files that deployed infostealer malware such as RedLine, Lumma, or Vidar, which quietly exfiltrates saved browser credentials, session cookies, and browsing history.
– Aggregation: These infostealer logs were collected into massive databases traded and shared on the dark web.
– Targeting: Zestix systematically searched those logs for corporate cloud file-sharing URLs, zeroing in on platforms like ShareFile, Nextcloud, and ownCloud.
– Access: The attacker simply logged in with the stolen username and password, with no exploit chain and no bypass tricks, because MFA was not enabled on the target portals.
Hudson Rock summarized it bluntly: because organizations did not enforce MFA, “the attacker walks right in through the front door. No exploits, no cookies – just a password.”
—
The Scale: Dozens of Enterprises, Years of Exposure
Across this campaign, approximately 50 major global enterprises had their cloud file-sharing environments compromised. Victims span multiple sectors:
– Aviation: including Iberia Airlines and firms with large troves of flight and maintenance data.
– Housing and construction: such as Japan’s Sekisui House.
– Robotics and manufacturing: including entities in the robotics and rail sectors like CRRC MA.
– Professional services and infrastructure: including Pickett and Associates, K3G Solutions, GreenBills, and others.
The data exposed is not trivial. According to technical analysis, exfiltrated content includes:
– Engineering blueprints and utility schematics
– Defense and UAV project files
– Healthcare and patient records
– Legal and litigation documents
– Financial archives and ERP source code
Many organizations had not publicly disclosed these breaches, despite the disclosure obligations most of them are subject to, underscoring both a detection problem and a governance problem.
One of the most damning findings is the age of the credentials used. Hudson Rock reported that some passwords had been “sitting in logs for years,” still valid and still unprotected by MFA when Zestix decided to exploit them. In the words of one expert, “Someone can take 77 GB of flight maintenance data with a three-year-old password. That’s not ‘hacked’ security; that’s ignored security.”
—
From Brute Force to Infostealers: A Shift in the Threat Model
For years, enterprise security narratives have emphasized defending against sophisticated intrusion sets, patching zero-day vulnerabilities, and hardening perimeter infrastructure. This campaign highlights a different dominant attack path:
– Instead of brute force or credential stuffing, attackers prefer ready-made, high-quality credentials stolen via infostealers.
– Instead of complex exploits, they lean on misconfigurations and missing controls, particularly the absence of MFA and poor credential lifecycle management.
This reflects a broader shift: infostealers have become one of the most common initial access vectors in large breaches. Once credentials are stolen from an endpoint—whether managed or personal—they enter a long-lived criminal supply chain of logs, combo lists, and “account shop” marketplaces. Years later, as this case shows, those credentials can still be operational if:
– The password was never changed
– The session was never invalidated
– MFA was never enforced
In other words, an old infection becomes a persistent enterprise risk if basic hygiene processes are not in place.
—
Cloud Portals: Technically Secure, Practically Exposed
Zestix targeted enterprise file synchronization and sharing (EFSS) platforms: Progress Software’s ShareFile, Nextcloud, and ownCloud. Importantly, there is no indication that these platforms were compromised via:
– Product vulnerabilities
– Zero-day exploits
– Weak encryption or inherent architectural flaws
Instead, the same pattern appears across breaches:
– The EFSS instance was internet-facing.
– Access was guarded only by single-factor authentication (username + password).
– Credentials from infostealer logs remained valid and unmonitored.
– No effective process existed to detect suspicious access from unusual locations or IPs.
That makes this not a “cloud is insecure” story, but a cloud governance and configuration story. Even technically robust platforms are only as strong as the policies wrapped around them. When MFA is turned off, passwords are reused, and credentials from infected machines are never invalidated, cloud security investments are rendered moot.
—
Governance Failure, Not Technology Failure
The most striking aspect of the Zestix/Sentap campaign is how directly it indicts security governance:
1. MFA still not universal
All ~50 breached organizations shared a single, preventable trait: MFA was not enforced on their cloud file-sharing portals. This is despite over a decade of guidance from regulators, standards bodies, and industry frameworks calling MFA a baseline control for internet-facing services.
2. Credential hygiene was neglected
Credentials compromised in malware infections years earlier were still valid, still reused, and still granted access to critical assets. This signals:
– No enforced password rotation after known or suspected endpoint compromises
– No monitoring for corporate credentials leaked in infostealer logs
– Weak or nonexistent policies for session invalidation and access key revocation
3. Endpoint security gaps persisted
Infostealers were able to infect both managed and unmanaged devices used for corporate access. That suggests:
– Insufficient control over bring-your-own-device (BYOD) and remote workforce endpoints
– Lax enforcement of EDR/AV requirements
– Weak user awareness around phishing and malicious downloads
4. Detection and disclosure lagged
Many affected organizations appeared unaware of the breaches until external researchers contacted them, and some still have not disclosed them publicly. That points to:
– Limited telemetry around file-sharing portal activity
– Insufficient anomaly detection in cloud access patterns
– Weak incident response processes for third-party or external notifications
Taken together, this describes a world where security rhetoric—“cloud first,” “zero trust,” “defense in depth”—diverges sharply from operational reality. The controls that would have stopped this campaign were not exotic, expensive technologies; they were basic hygiene measures that were known, recommended, and not implemented.
—
The Trust Abuse Model: Exploiting How Enterprises Really Work
Research on Zestix/Sentap describes an opportunistic “Trust Abuse Model” of targeting. Rather than focusing on a specific industry or strategic victim profile, the actor:
– Harvests whatever valid corporate credentials appear in infostealer logs
– Identifies exposed cloud portals tied to those credentials
– Abuses implicit trust in those credentials and portals to move data out quietly
This approach exploits realities of modern enterprises:
– Distributed access: Employees access cloud systems from many devices and networks.
– Third-party dependencies: Contractors, vendors, and partners often need portal access, extending the attack surface beyond internal IT control.
– Configuration sprawl: Each business unit or project might stand up its own file-sharing or collaboration instance, often with inconsistent security settings.
In such an environment, it is the smallest configuration gap—no MFA on one specific portal—that becomes the catastrophic weakness.
—
The Ransomware and Extortion Pipeline
While this campaign has centered on data exfiltration and auctioning, it sits squarely in the larger ransomware ecosystem:
– Zestix acts as an initial access broker, selling access or data to other criminal groups.
– Similar infostealer-driven access has been at the root of high-profile incidents affecting Change Healthcare, the British Library, and Snowflake customers, where initial credential abuse paved the way for deeper compromise and ransomware deployment.
This means the 50 known breaches likely represent only the visible tip of a larger access and extortion marketplace. For every organization whose data shows up in a public auction, there may be others where access has been sold quietly and exclusively to a ransomware affiliate or espionage buyer.
—
Why Basic Controls Still Aren’t Deployed
That raises the uncomfortable strategic question for security leaders: Why, in 2026, do so many major enterprises still lack MFA and credential hygiene on critical cloud systems? Several structural factors typically converge:
– Misaligned incentives:
Security is often treated as a cost center, while productivity and user experience are rewarded more directly. If enabling MFA is seen as adding friction, it is delayed or scoped narrowly.
– Fragmented ownership:
Cloud portals may be owned by business units, not central IT. Security policies become advisory rather than enforced, and exceptions proliferate.
– Underestimation of infostealer risk:
Many programs still treat malware on endpoints as a local incident—wipe and rebuild—rather than as a credential compromise event that demands downstream password resets and log monitoring.
– Overconfidence in perimeter controls:
Some organizations still implicitly assume that VPNs, firewalls, and network monitoring will block malicious access, overlooking how easily cloud services bypass traditional perimeters.
– Technical debt and legacy processes:
Password policies, rotation schedules, and access reviews were often designed for on-premises systems and have not been modernized for API-driven, internet-exposed cloud services.
This campaign is therefore less an indictment of individual CISOs and more a reflection of systemic, organizational inertia: the gap between what leaders declare in strategies and roadmaps, and what is consistently enforced in everyday operational decisions.
—
From Cautionary Tale to Action Plan
For enterprise security and risk leaders, the Zestix/Sentap case should be treated as a board-level scenario, not a niche technical issue. It exposes failures in control baselines, monitoring, and accountability that are likely mirrored in many organizations.
Key steps to treat this as a turning point rather than another headline include:
1. Mandate MFA for all cloud-accessible systems holding sensitive data
– Make MFA non-negotiable for EFSS, collaboration suites, SaaS ERP/CRM, and any remote admin interface.
– Eliminate exceptions rather than managing them on a case-by-case basis.
2. Treat infostealer infections as full credential incidents
– Implement a process where any endpoint with confirmed infostealer infection triggers:
– Forced password changes for all accounts used on that device
– Session/token invalidation
– Review of access logs for suspicious behavior post-compromise.
3. Continuously monitor for leaked credentials
– Use services or internal tooling to check whether corporate domains and accounts appear in infostealer logs, password dumps, or dark web markets.
– Integrate these findings into identity governance workflows.
4. Standardize access governance for cloud portals
– Inventory all file-sharing, collaboration, and ad hoc portals across the enterprise.
– Bring them under centralized policy for authentication, logging, and retention.
– Decommission or consolidate shadow IT instances.
5. Enhance telemetry and anomaly detection for cloud access
– Log and analyze access patterns to detect unusual geography, time-of-day, or bulk download behaviors.
– Integrate these signals with SOC workflows so a single suspicious login can trigger rapid containment.
6. Align security metrics with reality, not rhetoric
– Report to executives and boards not only on “tools deployed” but on control coverage:
– Percentage of critical systems with enforced MFA
– Mean time to rotate credentials after an endpoint compromise
– Number of high-risk portals still allowing password-only access.
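Step 3 above is the defender's version of the attacker's "targeting" step: parse stealer logs, keep only the records tied to your own domains, and flag the ones that point at a file-sharing portal, ranked by how long the credential has been sitting in a log. The Python below is an added illustration written for this article, not code from the original page, from Hudson Rock, or from any of the products named; the `URL:/USER:/PASS:` layout only approximates the Passwords.txt output of commodity stealers, the example-* domains and credentials are constructed, and the URL fingerprints in `PORTAL_HINTS` are assumptions rather than a vetted signature list for ShareFile, Nextcloud, or ownCloud.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed sample logs (not real dumps). The URL/USER/PASS triplets separated by
# "=====" approximate what commodity stealers write to Passwords.txt; the capture
# date is what a log marketplace listing or the file's own metadata would carry.
SAMPLE_LOGS = [
    (date(2022, 11, 3), """\
URL: https://sharefile.example-air.com/Authentication/Login
USER: m.garcia@example-air.com
PASS: Winter2021!
===============
URL: https://www.example-social.net/login
USER: m.garcia@gmail.com
PASS: hunter2
===============
"""),
    (date(2025, 6, 20), """\
URL: https://cloud.example-build.co.jp/index.php/login
USER: t.sato
PASS: sakura#1
===============
URL: https://owncloud.example-rail.com/login
USER: eng-share@example-rail.com
PASS: Password123
===============
URL: https://mail.example-rail.com/owa/
USER: eng-share@example-rail.com
PASS: Password123
===============
"""),
]

# Domains the defender is responsible for (constructed for the example).
CORPORATE_DOMAINS = ["example-air.com", "example-build.co.jp", "example-rail.com"]

@dataclass(frozen=True)
class Credential:
    url: str
    user: str
    password: str

RECORD_RE = re.compile(
    r"^URL:\s*(?P<url>\S+)\s*$\n^USER:\s*(?P<user>.*?)\s*$\n^PASS:\s*(?P<pw>.*?)\s*$",
    re.MULTILINE,
)

def parse_stealer_log(text: str) -> list[Credential]:
    """Extract every URL/USER/PASS triplet from one log file."""
    return [Credential(m["url"], m["user"], m["pw"]) for m in RECORD_RE.finditer(text)]

# Heuristic URL fingerprints for the EFSS products named in the article.
# These are assumptions for the example, not a vetted signature list.
PORTAL_HINTS = {
    "sharefile": (r"sharefile", r"/Authentication/Login"),
    "nextcloud": (r"nextcloud",),
    "owncloud": (r"owncloud",),
}
GENERIC_EFSS_LOGIN = re.compile(r"/index\.php/login/?$")  # Nextcloud and ownCloud both use it

def classify_portal(url: str) -> Optional[str]:
    parsed = urlparse(url)
    haystack = parsed.netloc + parsed.path
    for product, hints in PORTAL_HINTS.items():
        if any(re.search(h, haystack, re.IGNORECASE) for h in hints):
            return product
    if GENERIC_EFSS_LOGIN.search(parsed.path):
        return "nextcloud/owncloud"
    return None

def owning_domain(cred: Credential, domains: list[str]) -> Optional[str]:
    """Match on the portal hostname or on the e-mail domain of the username."""
    host = (urlparse(cred.url).hostname or "").lower()
    user_domain = cred.user.rsplit("@", 1)[-1].lower() if "@" in cred.user else ""
    for d in domains:
        d = d.lower()
        if host == d or host.endswith("." + d) or user_domain == d:
            return d
    return None

def triage_logs(logs, domains, today: date) -> list[dict]:
    """One finding per corporate EFSS credential, oldest capture first.
    The plaintext never leaves this function: a ticket needs the account, the
    portal and the age of the leak, not the secret itself."""
    findings = []
    for captured_on, text in logs:
        age_days = (today - captured_on).days
        for cred in parse_stealer_log(text):
            domain, portal = owning_domain(cred, domains), classify_portal(cred.url)
            if domain is None or portal is None:
                continue  # personal account, or a corporate login that is not an EFSS portal
            findings.append({"domain": domain, "portal": portal, "user": cred.user,
                             "url": cred.url, "age_days": age_days,
                             "password_length": len(cred.password)})
    findings.sort(key=lambda f: -f["age_days"])
    return findings

if __name__ == "__main__":
    for f in triage_logs(SAMPLE_LOGS, CORPORATE_DOMAINS, date(2026, 1, 15)):
        print(f"{f['age_days']:>5}d  {f['portal']:<18} {f['user']:<30} {f['url']}")
```

Run against the constructed logs, the three-year-old ShareFile credential surfaces first; the personal social-network login and the corporate webmail record are dropped because neither is an EFSS portal. In production the same routine would run over feeds from a stealer-log monitoring service, and each finding would open a ticket that forces a reset and revokes sessions for that account.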
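Step 5 above, and the missing detection process noted in the Cloud Portals section, can be expressed as three rules over an EFSS access log: a successful login from a country the account has never used, a login during the owner's off-hours, and a bulk pull inside a short window. The Python below is an added example for this article, not code from the original page or from any EFSS vendor; the `key=value` log layout, the per-user baseline, the 77 GiB replay on 2026-01-13 and the thresholds are all constructed assumptions, and the rules generalize beyond the single case in the text by correlating across users.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EFSS access log (key=value fields after an ISO-8601 UTC timestamp).
# The layout is an assumption for this example; map it onto what your portal exports.
# 2026-01-12 is the legitimate owner working from her usual country; 2026-01-13 is a
# replayed stealer credential pulling 77 GiB at 03:00 UTC from a country she never uses.
SAMPLE_ACCESS_LOG = """\
2026-01-12T09:31:02Z user=m.garcia@example-air.com ip=198.51.100.7 country=ES action=login status=success
2026-01-12T09:32:40Z user=m.garcia@example-air.com ip=198.51.100.7 country=ES action=download bytes=4821337 file=maintenance/plan-q1.pdf
2026-01-12T09:35:11Z user=m.garcia@example-air.com ip=198.51.100.7 country=ES action=download bytes=5120000 file=maintenance/checklist.xlsx
2026-01-13T03:14:07Z user=m.garcia@example-air.com ip=203.0.113.45 country=RU action=login status=success
2026-01-13T03:15:01Z user=m.garcia@example-air.com ip=203.0.113.45 country=RU action=download bytes=21474836480 file=maintenance/archive-2023.zip
2026-01-13T03:17:30Z user=m.garcia@example-air.com ip=203.0.113.45 country=RU action=download bytes=21474836480 file=maintenance/archive-2024.zip
2026-01-13T03:19:55Z user=m.garcia@example-air.com ip=203.0.113.45 country=RU action=download bytes=21474836480 file=maintenance/archive-2025.zip
2026-01-13T03:22:10Z user=m.garcia@example-air.com ip=203.0.113.45 country=RU action=download bytes=18253611008 file=engineering/fleet-drawings.zip
2026-01-13T08:02:00Z user=t.sato@example-build.co.jp ip=192.0.2.18 country=JP action=login status=success
2026-01-13T08:05:00Z user=t.sato@example-build.co.jp ip=192.0.2.18 country=JP action=download bytes=102400 file=sites/plot-17.dwg
"""

# Countries each user logged in from over a trailing baseline period (constructed
# here; in practice derived from the previous 30-90 days of successful logins).
BASELINE = {
    "m.garcia@example-air.com": {"ES"},
    "t.sato@example-build.co.jp": {"JP"},
}

@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str

def parse_line(line: str) -> dict:
    ts, *kv = line.split()
    event = dict(pair.split("=", 1) for pair in kv)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def detect(lines, baseline, window=timedelta(minutes=15),
           bulk_bytes=10 * 1024**3, bulk_count=50, off_hours=(0, 5)) -> list[Alert]:
    """Three rules that would each have fired on the access pattern in the article.
    Thresholds are arbitrary starting points. off_hours is evaluated in UTC here;
    a real deployment should use the account owner's home timezone."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts: list[Alert] = []
    recent = defaultdict(deque)   # user -> (ts, bytes) of downloads inside the sliding window
    bulk_fired = set()            # alert once per user, not once per file
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["action"] == "login" and e.get("status") == "success":
            seen = baseline.get(user, set())
            if e["country"] not in seen:
                alerts.append(Alert("new_geography", user, ts,
                                    f"{e['country']} via {e['ip']}; baseline {sorted(seen) or 'none'}"))
            if off_hours[0] <= ts.hour < off_hours[1]:
                alerts.append(Alert("off_hours_login", user, ts, f"{ts.hour:02d}:xx UTC from {e['ip']}"))
        elif e["action"] == "download":
            q = recent[user]
            q.append((ts, int(e["bytes"])))
            while ts - q[0][0] > window:        # drop downloads that fell out of the window
                q.popleft()
            total = sum(b for _, b in q)
            if user not in bulk_fired and (len(q) >= bulk_count or total >= bulk_bytes):
                bulk_fired.add(user)
                alerts.append(Alert("bulk_download", user, ts,
                                    f"{len(q)} files, {total / 1024**3:.1f} GiB within {window}"))
    return alerts

def critical_users(alerts) -> list[str]:
    """A new location *and* a bulk pull on the same account is the pair to contain first."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a.user].add(a.rule)
    return sorted(u for u, r in rules.items() if {"new_geography", "bulk_download"} <= r)

if __name__ == "__main__":
    found = detect(SAMPLE_ACCESS_LOG.splitlines(), BASELINE)
    for a in found:
        print(f"{a.ts.isoformat()}  {a.rule:<16} {a.user:<28} {a.detail}")
    print("contain first:", critical_users(found))
```

On the constructed log the legitimate sessions produce nothing, while the replayed credential trips all three rules within a minute of the first download; `critical_users` is the signal that should reach the SOC as a containment action (revoke sessions, reset the password, enforce MFA) rather than as one more event in a queue. A bulk threshold alone would have fired only after the first 20 GiB had already left, which is why the new-geography login is the earlier and cheaper trigger.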
—
The $1 Million Password
The campaign led by Zestix/Sentap illustrates a painful paradox: enterprises are losing millions of dollars in value, reputation, and resilience to attacks that require almost no technical sophistication. When 77 GB of flight data, years of engineering IP, or sensitive legal archives can be taken with a password stolen from a home PC in 2022, the problem is not that attackers are too advanced; it is that security basics have not kept pace with how organizations really use the cloud.
In that sense, this story is not primarily about a clever criminal. It is about a governance gap so wide that a single actor could, with commodity malware logs and patience, breach roughly 50 of the world’s enterprises by doing what their own employees do every day: logging in.
The lesson for leadership is stark: until MFA, credential hygiene, and infostealer response are treated as non-optional operating requirements, the industry will continue to pay “$1 million password” prices for problems that were solvable years ago.
—
