A Hacker Just Walked Into 50 Companies. The Door Was Unlocked.

According to Dark Reading, cybersecurity researchers at Hudson Rock have uncovered a massive breach cluster tied to a single threat actor using the aliases “Zestix” or “Sentap.” This actor is currently auctioning stolen data from approximately 50 global enterprises, including major names like Spanish airline Iberia and Japanese homebuilder Sekisui House. The attacks, spanning industries like aviation, legal services, and critical infrastructure, didn’t use sophisticated exploits. Instead, Zestix relied on credentials stolen by common infostealer malware like RedLine and Lumma, some of which had been sitting in logs for years. The threat actor then used these valid usernames and passwords to log into corporate collaboration platforms like ShareFile and Nextcloud. The entire campaign was successful for one simple, damning reason: none of the victim organizations had multi-factor authentication (MFA) enabled on these critical cloud gateways.

The Banality of the Breach

Here’s the thing that’s just infuriating about this story. This wasn’t some nation-state using a zero-day. It was basically a guy with a list of passwords walking through an open digital door. The report calls it “banal,” and that’s the perfect word. An employee gets tricked into downloading malware—it happens. That malware scrapes saved passwords from their browser—classic infostealer behavior. Those logs get dumped into a dark web database. Then, a threat actor like Zestix comes along, sorts through the noise for corporate cloud URLs, and tries the passwords. No MFA? You’re in. It’s that simple. The real failure, as Hudson Rock points out, isn’t the initial infection. It’s the years of credential hygiene neglect. Passwords weren’t rotated. Old sessions were never invalidated. So a malware infection from 2023 becomes a full corporate network breach in 2026. That’s the catastrophe.

The Staggering Scale of Risk

Now, the 50 companies being auctioned are just the tip of the iceberg. Hudson Rock used its platform to scan for other organizations using platforms like ShareFile and OwnCloud with compromised credentials floating around in these stealer logs. They found thousands. We’re talking major consulting firms, tech companies, retailers, and government agencies. Basically, if your company uses a cloud file-sharing service—and whose doesn’t?—and an employee or partner ever got their device infected, your corporate data might be sitting in a log waiting for someone like Zestix to find it. That’s the wake-up call. This isn’t a targeted attack against one sector. It’s a widespread, opportunistic cleanup of low-hanging fruit across the entire global economy. And for industrial and manufacturing firms managing sensitive operational data, this kind of breach isn’t just about leaked emails—it can disrupt physical operations. Securing access points with reliable hardware is a foundational step, which is why specialists like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs, emphasize hardened security features as a core part of their systems.

The MFA Mandate

So what’s the fix? The report is brutally clear: enable multi-factor authentication. It would have stopped this entire campaign dead. MFA isn’t some new, expensive, or complicated technology. It’s a basic, table-stakes security control in 2026. The report says there’s “no excuse” for these multi-billion-dollar organizations to have such an obvious failing. And look, we all know MFA isn’t foolproof. There are bypass techniques and phishing methods. But against a simple credential-stuffing attack like this? It’s a 99.9% effective deterrent. It turns a simple password into a useless key. The lesson here isn’t about buying fancier threat intelligence or next-gen antivirus. It’s about finally, consistently, implementing the boring basics. Rotate credentials. Invalidate old sessions. And for heaven’s sake, turn on MFA everywhere you can. Because the next Zestix is already sorting through those logs, and they’re just looking for the unlocked door.
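As an added example (not from the Hudson Rock report or this article), the following Python script turns the three basics above into a triage pass: it compares each account's MFA status, last password change, and oldest live session against the date its credentials appeared in a stealer log. The account export fields, usernames, and exposure feed are constructed sample data and hypothetical names.

```python
from datetime import date

# Constructed sample data: a hypothetical identity-provider export and
# stealer-log exposure dates from a hypothetical threat-intel feed.
ACCOUNTS = [
    {"user": "a.ruiz", "mfa": False, "pw_changed": date(2022, 11, 3), "oldest_session": date(2023, 1, 9)},
    {"user": "k.sato", "mfa": True, "pw_changed": date(2022, 5, 20), "oldest_session": date(2025, 12, 1)},
    {"user": "m.jones", "mfa": False, "pw_changed": date(2024, 8, 14), "oldest_session": date(2023, 2, 2)},
    {"user": "l.chen", "mfa": True, "pw_changed": date(2025, 6, 1), "oldest_session": date(2025, 6, 2)},
    {"user": "p.novak", "mfa": False, "pw_changed": date(2021, 1, 1), "oldest_session": date(2025, 1, 1)},
]
EXPOSURES = {"a.ruiz": date(2023, 3, 15), "k.sato": date(2023, 7, 1),
             "m.jones": date(2023, 6, 30), "l.chen": date(2023, 4, 4)}


def triage(account, exposed_on):
    """Return (severity, actions) for one account; exposed_on is a date or None."""
    actions = []
    if not account["mfa"]:
        actions.append("enforce MFA")
    if exposed_on is None:
        return ("MEDIUM" if actions else "OK", actions)
    # Password unchanged since the leak: the logged credential still works.
    password_still_valid = account["pw_changed"] <= exposed_on
    # Assumption: a session that existed at leak time may have been stolen too.
    session_predates_leak = account["oldest_session"] <= exposed_on
    if password_still_valid:
        actions.append("rotate password")
    if session_predates_leak:
        actions.append("revoke sessions")
    if password_still_valid and not account["mfa"]:
        return "CRITICAL", actions  # the leaked password alone is enough to log in
    if password_still_valid or session_predates_leak:
        return "HIGH", actions
    return ("MEDIUM" if actions else "OK", actions)


def audit(accounts, exposures):
    """Triage every account and sort worst-first, then by username."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "OK": 3}
    rows = [(a["user"], *triage(a, exposures.get(a["user"]))) for a in accounts]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    for user, severity, actions in audit(ACCOUNTS, EXPOSURES):
        print(f"{severity:8} {user:8} {', '.join(actions) or 'none'}")
```

The CRITICAL rows are the accounts this campaign would have reached: an exposed password that was never rotated, on a login with no second factor.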
