Lack of MFA Enables Vast Cloud Credential Heist Affecting 50 Enterprises


These articles are AI-generated summaries. Please check the original sources for full details.

Lack of MFA Is Common Thread in Vast Cloud Credential Heist

The threat actor “Zestix” successfully compromised approximately 50 enterprises by leveraging infostealers to obtain credentials and access file-sharing instances. Zestix is currently auctioning stolen data from these breaches, highlighting a critical security lapse.

This incident demonstrates attackers' reliance on readily available infostealers such as RedLine, Lumma, and Vidar, coupled with a widespread failure to implement basic security measures. The cost of these breaches, while not quantified in the article, is likely substantial given the number of affected organizations and the potential for data exfiltration.

Why This Matters

Current cloud security models often assume strong credential protection, but this attack reveals a significant gap where weak password hygiene and the absence of MFA render those models ineffective. Organizations invest heavily in perimeter security and vulnerability management, yet a simple lack of MFA bypasses these defenses, exposing sensitive data at scale.

Key Insights

  • Zestix/Sentap activity: Threat actor active since January 2026.
  • Infostealers over Exploits: Attackers prioritize credential harvesting via infostealers over complex exploit chains.
  • MFA as a Mitigator: Implementing MFA is the single most effective control against this type of attack.

Practical Applications

  • Use Case: Iberia airline and other impacted companies failed to enforce MFA on file-sharing platforms, leading to data breaches.
  • Pitfall: Assuming password complexity alone is sufficient security; neglecting MFA creates an easily exploitable vulnerability.
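A small audit of the control gap described above, written as an added example (it is not from the original article or from any of the named vendors): it scans sign-in events from a file-sharing platform for successful logins that presented only a password, and flags accounts whose password-only logins came from several different source addresses, which is the pattern an operator would expect when a stolen password is replayed. The event format, field names and sample records are all constructed for the example.

```python
"""Audit file-sharing sign-in events for logins that succeeded without a second factor.

Added example, not code from the summarized article. The event schema below
(user, result, factors, ip) is an assumption; real platforms differ.
"""
from collections import defaultdict

# Constructed sample events for the demonstration; not real platform logs.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "result": "success", "factors": ["password", "totp"], "ip": "198.51.100.10"},
    {"user": "bob@example.com", "result": "success", "factors": ["password"], "ip": "203.0.113.5"},
    {"user": "bob@example.com", "result": "success", "factors": ["password"], "ip": "203.0.113.99"},
    {"user": "carol@example.com", "result": "failure", "factors": ["password"], "ip": "203.0.113.7"},
    {"user": "dave@example.com", "result": "success", "factors": ["password", "webauthn"], "ip": "198.51.100.22"},
]

# Factor names that count as a second factor (assumed labels for this example).
SECOND_FACTORS = {"totp", "webauthn", "push", "sms", "hardware_key"}


def single_factor_logins(events):
    """Return successful logins with no second factor, as {user: [source ips]}."""
    findings = defaultdict(list)
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are not the gap we are measuring
        if not SECOND_FACTORS.intersection(ev["factors"]):
            findings[ev["user"]].append(ev["ip"])
    return dict(findings)


def mfa_coverage(events):
    """Return (users_always_using_mfa, users_with_any_successful_login).

    Counting pairs rather than a float keeps the result exact and easy to report.
    """
    active_users = {ev["user"] for ev in events if ev["result"] == "success"}
    weak_users = set(single_factor_logins(events))
    return len(active_users - weak_users), len(active_users)


def replayed_from_multiple_ips(events, min_ips=2):
    """Accounts whose password-only logins arrived from at least min_ips distinct sources.

    A single account authenticating without MFA from several networks is worth
    an analyst's attention when infostealer credential theft is suspected.
    """
    findings = single_factor_logins(events)
    return sorted(user for user, ips in findings.items() if len(set(ips)) >= min_ips)


if __name__ == "__main__":
    covered, total = mfa_coverage(SAMPLE_EVENTS)
    print(f"users with MFA on every successful login: {covered}/{total}")
    for user, ips in single_factor_logins(SAMPLE_EVENTS).items():
        print(f"password-only login: {user} from {', '.join(ips)}")
    print("review first:", replayed_from_multiple_ips(SAMPLE_EVENTS))
```

The same three functions work on real exports once the event records are mapped onto the assumed fields; the coverage pair is the number to track over time while MFA enforcement is rolled out, and the replay list is the short queue to hand to the incident responder.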
