Ericsson A.I CyberSecurity Scoring
Ericsson
Company Information
Website: http://www.ericsson.com
Employees number: 107,243
Number of followers: 2,260,541
NAICS: 517
Industry Type: Telecommunications
Homepage: ericsson.com
Ericsson Risk Score (AI oriented)
Current Score: 568/1000 (between 550 and 599), rated Ca (Very Poor)
Updated: 02/04/2026
Ericsson Global Score (TPRM)
Score locked
7 incidents
-58.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
581
MAY 2026
576
APRIL 2026
575
MARCH 2026
619
Breach
10 Mar 2026 • Ericsson
Ericsson: Ericsson Data Breach Exposes Third-Party Service Risks
Ericsson Vendor Breach Exposes Personal Data of Over 15,000 Individuals
565
CRITICAL-54
ERI1773189089
On 28 April 2025, Ericsson disclosed a security incident involving a third-party vendor, which detected a suspicious event potentially linked to unauthorized access to data on its systems. The breach did not affect Ericsson’s internal infrastructure but occurred at a vendor handling sensitive information.
An investigation revealed that an unauthorized party may have accessed a limited set of files between 17–22 April 2025, with the probe concluding on 23 February 2026. While the vendor reported no evidence of data misuse, regulatory filings confirmed that personal information of over 15,000 individuals was exposed.
Ericsson promptly notified US regulators and implemented enhanced security measures to mitigate future risks. The incident underscores the growing threat to telecom providers, which handle vast amounts of sensitive data, making them prime targets for cybercriminals. Industry experts, including James Neilson, SVP of Global at OPSWAT, noted that such breaches highlight the need for robust vendor security protocols in high-risk sectors.
FEBRUARY 2026
680
Breach
23 Feb 2026 • Ericsson
Ericsson, Rolls-Royce and Johnson & Johnson: Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials
Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks
617
CRITICAL-63
JOHROLERI1772202424
A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, has exposed a growing threat: attackers gaining network access not through software vulnerabilities, but by using stolen employee credentials.
First detected on February 23, 2026, by threat intelligence group Defused Cyber, the attack leveraged credentials harvested from infostealer malware infections on employee devices. A single source IP (219.75.254.166, registered to OPTAGE Inc. in Japan) was observed sending large volumes of corporate email and password combinations in automated login attempts.
Analysis by Hudson Rock revealed that 77% of the 70 unique credentials used in the attack matched known infostealer infection logs, confirming they were stolen from compromised endpoints rather than a traditional data breach. The credentials were then repurposed against ADFS, Security Token Services (STS), and OWA portals, demonstrating a shift from mere data theft to coordinated network intrusion.
Affected organizations included high-profile entities such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, Queensland Police, Turkish government ministries, and major retail conglomerates. Attackers targeted these entities knowing that even a small number of valid logins, especially in organizations lacking multi-factor authentication (MFA), could provide initial access.
The attack infrastructure further raised concerns, as the source IP was traced to a compromised Fortinet FortiGate-60E firewall with open ports and a self-signed SSL certificate. This indicated attackers were routing traffic through hijacked network devices to target other edge systems, blending stolen credentials with compromised infrastructure.
Researchers described the attack as part of a "Log-to-Lead" pipeline, an industrialized process where infostealer malware logs are aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces. Attackers then purchase these credential packages and use them in large-scale stuffing attacks until they gain access.
The campaign underscores a critical shift in cyber threats: identity as the new perimeter. Since devices like F5 BIG-IP often accept the same credentials used for internal systems, a single stolen ADFS password could unlock VPNs, SSO portals, or remote access gateways, effectively allowing attackers to bypass traditional security measures.
Cyber Attack
23 Feb 2026 • Ericsson
Rolls-Royce, Ericsson, Johnson & Johnson, OPTAGE Inc. and Turkey Ministry of Trade: Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins
617
CRITICAL-63
ERIDEFJOHROLVID1772180734
A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks, finding that 77% (54 credentials) matched data from infostealer infections (malware like RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices).
The attacks, first detected by Defused Cyber’s honeypots, involved malicious authentication attempts from a Japanese IP (219.75.254.166, AS17511, OPTAGE Inc.). Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse.
The campaign highlights an industrialized "log-to-lead" pipeline:
1. Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials.
2. Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs).
3. Front-Door Bypass: Attackers use valid credentials to access corporate systems like F5 BIG-IP, leveraging their role in authentication.
4. Network Compromise: Legitimate logins grant direct access, bypassing traditional security measures.
Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume to exploit gaps in MFA or user fatigue.
Further investigation revealed the attacks originated from a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., exposing open ports (541/tcp, 10443/tcp) with a self-signed SSL certificate. This indicates attackers are hijacking network edge devices to launch assaults, turning one organization’s infrastructure into an attack proxy for another.
The campaign underscores a shift in cybercriminal tactics, from exploiting vulnerabilities to abusing legitimate authentication, emphasizing the growing threat of identity-based attacks.
JANUARY 2026
679
DECEMBER 2025
676
NOVEMBER 2025
673
OCTOBER 2025
671
SEPTEMBER 2025
668
AUGUST 2025
665
JULY 2025
662
APRIL 2025
761
Breach
17 Apr 2025 • Ericsson
Ericsson: Ericsson breach blamed on third party vendor vishing attack
Ericsson Data Breach Exposes Personal Information of Over 15,000 Individuals in Vishing Attack
652
CRITICAL-109
ERI1773145444
In April 2025, a voice-phishing (vishing) scam targeted an unnamed third-party vendor supporting Ericsson’s U.S. operations, leading to the exposure of sensitive personal data belonging to 15,661 individuals. Attackers successfully manipulated an employee into granting unauthorized access between April 17 and April 22, with the breach detected on April 28.
The vendor responded by engaging cybersecurity experts, resetting passwords, and notifying the FBI. However, Ericsson itself was only informed of the incident on November 10, 2025, after the vendor completed its internal investigation. The company then spent months identifying affected individuals, finalizing the list by February 23, 2026.
Exposed data varied by state but included names, Social Security numbers, driver’s license details, government-issued IDs, financial information (such as bank account and payment card numbers), medical records, and dates of birth. While no misuse of the stolen data has been confirmed, Ericsson is offering affected individuals 12 months of credit monitoring.
The vendor has since implemented additional security measures and staff training to prevent future incidents. The breach underscores the risks of social engineering attacks, where human error, not technical vulnerabilities, can serve as the primary entry point for cybercriminals.
Breach
17 Apr 2025 • Ericsson
Ericsson Inc.: Ericsson Inc Data Breach Affects Over 4k: PHI and PII Exposed
Ericsson U.S. Subsidiary Suffers Data Breach Affecting Thousands in Texas
652
CRITICAL-109
ERI1773081773
Ericsson Inc., the U.S. arm of Swedish telecommunications firm Ericsson, confirmed a data breach stemming from a third-party service provider, exposing sensitive information of at least 4,377 individuals in Texas, with the total number of affected users likely higher nationwide.
The breach was detected on April 28, 2025, following unauthorized access to the service provider’s systems between April 17 and April 22, 2025. A forensic investigation, conducted with external cybersecurity experts, concluded on February 23, 2026, revealing that compromised files contained a broad range of personal and financial data. Exposed information included names, addresses, Social Security numbers, driver’s license and passport details, credit card and bank account numbers, medical records, and dates of birth.
Ericsson notified the Texas and California Attorneys General of the incident beginning March 9, 2026. In response, the company is offering affected individuals complimentary identity protection services through IDX, including 12 or 24 months of credit and dark web monitoring, a $1 million identity fraud reimbursement policy, and managed identity recovery support. The enrollment deadline for these services is June 9, 2026.
The breach underscores the risks of third-party vulnerabilities in handling sensitive data, particularly in sectors reliant on external service providers. Ericsson has directed impacted individuals to monitor financial accounts and consider fraud alerts or credit freezes, though no further details on the root cause or the service provider’s identity have been disclosed.
APRIL 2025
808
Breach
01 Apr 2025 • Ericsson
Ericsson: Data Breach at Ericsson Leading to Theft of Customer and Employee Information
Ericsson Major Data Breach Impacting Employees and Customers
761
CRITICAL-47
ERI1773160822
Ericsson Discloses Major Data Breach Impacting Employees and Customers
Swedish telecommunications giant Ericsson has confirmed a cyber incident in April 2025 that may have compromised sensitive personal and financial data belonging to employees and customers. The breach, disclosed in a formal notification to the California Attorney General’s office, exposed names, addresses, phone numbers, Social Security numbers, driver’s license details, and in some cases, credit card information and medical data.
Ericsson attributed the attack to a state-sponsored threat actor, though it did not publicly identify the group. Such actors typically target large corporations for espionage, fraud, or other malicious purposes. Following the breach, the company launched an internal investigation with cybersecurity experts to assess the scope and reinforce its security measures.
To mitigate potential harm, Ericsson is offering affected individuals free identity protection services through IDX, including credit and dark web monitoring, as well as identity theft recovery support. Eligible individuals can also receive up to $1 million in identity fraud reimbursement. Those impacted have until June 9, 2026, to register for these services.
The company has stated it is enhancing its cybersecurity protocols to prevent future incidents.
MARCH 2022
807
Vulnerability
01 Mar 2022 • Ericsson
Ericsson
Ericsson Network Manager Product Bug
806
CRITICAL-1
ERI1721322
A new bug was recently discovered in the Ericsson Network Manager product by TIM Red Team Research.
The bug falls under the CWE "Exposure of Resource to Wrong Sphere" and results in incorrect access-control behavior.
Various security issues can arise if it is exploited.