SonicWall Cloud Backup Breach: What It Means for Your Business
What Happened
On September 17, SonicWall first disclosed what it called a “cloud backup file incident.” At the time, the company believed only about 5% of customers were affected. Attackers were found to have accessed encrypted credentials and firewall configuration backup files — data that could, in theory, be used to target a customer’s network.
However, after completing a deeper investigation with Google Cloud’s Mandiant, SonicWall confirmed on October 8 that all customers who used the cloud backup feature were impacted. That means configuration backups for 100% of cloud backup users were exposed.
What Data Was Involved
The exposed data includes:
- Encrypted credentials (like passwords or access keys)
- Firewall configuration files — the settings that determine how your firewall protects your network
While the credentials were encrypted, SonicWall warns that possession of these files increases the risk of targeted attacks — especially if passwords or security keys are not changed promptly.
There are no confirmed follow-up attacks so far, but the company urges all users to assume they are affected and take immediate steps to protect their systems.
What SonicWall Is Doing About It
SonicWall has stated that:
- They are notifying all impacted customers
- They have released tools to help users assess and fix any risks
- They are working with Mandiant to harden their cloud infrastructure
- They have implemented additional security monitoring to detect future threats
If you use SonicWall devices or the MySonicWall.com cloud service, SonicWall recommends:
- Logging in to confirm your devices are listed as affected
- Changing all related passwords and keys — including any used by your firewall
- Updating credentials used with other connected services, such as:
  - Internet Service Providers (ISP)
  - Dynamic DNS
  - Email services
  - VPN connections
  - Authentication servers (LDAP/RADIUS)
What This Means for Businesses
This incident is a strong reminder that even trusted vendors can experience breaches — and that staying secure requires regular credential rotation, careful vendor monitoring, and quick response to alerts.
As Gene Moody, CTO at Action1, explained, early breach estimates are often revised once investigators have a clearer view of how deeply attackers accessed systems. In this case, SonicWall’s shift from 5% to 100% affected users reflects standard caution, assuming the worst until proven otherwise — which is the safest approach.
How to Protect Your Organization
Even if your business doesn’t use SonicWall, this event highlights a few essential steps every organization should take:
- Rotate passwords and encryption keys regularly
- Avoid reusing credentials across systems or vendors
- Monitor for security advisories from all your vendors
- Ensure your backups are encrypted and stored safely
- Partner with a cybersecurity expert to audit your systems
Need Help Securing Your Network?
If you’re concerned that your systems might be affected — or if you want help assessing your cybersecurity readiness — our team can help.