JJ A.I CyberSecurity Scoring
JJ
Company Information
Website: http://www.jnj.com
Number of employees: 118,425
Number of followers: 10,025,600
NAICS: 62
Industry Type: Hospitals and Health Care
Homepage: jnj.com
JJ Risk Score (AI oriented)
Between 750 and 799
JJ, Hospitals and Health Care
Updated: 20/05/2026
774/1000
Fair
Baa
JJ Global Score (TPRM)
xxxx
JJ, Hospitals and Health Care
Score locked

JJ: Fair
Current Score: 774 Baa (FAIR)
Scale: 0 to 1000
6 incidents
-24 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
776
MAY 2026
772
APRIL 2026
773
MARCH 2026
772
FEBRUARY 2026
798
Breach
23 Feb 2026 • JJ
Ericsson, Rolls-Royce and Johnson & Johnson: Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials
Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks
771
CRITICAL-27
JOHROLERI1772202424
A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, has exposed a growing threat: attackers gaining network access not through software vulnerabilities, but by using stolen employee credentials.
First detected on February 23, 2026, by threat intelligence group Defused Cyber, the attack leveraged credentials harvested from infostealer malware infections on employee devices. A single source IP (219.75.254.166, registered to OPTAGE Inc. in Japan) was observed sending large volumes of corporate email and password combinations in automated login attempts.
Analysis by Hudson Rock revealed that 77% of the 70 unique credentials used in the attack matched known infostealer infection logs, confirming they were stolen from compromised endpoints rather than a traditional data breach. The credentials were then repurposed against ADFS, Security Token Services (STS), and OWA portals, demonstrating a shift from mere data theft to coordinated network intrusion.
Affected organizations included high-profile entities such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, Queensland Police, Turkish government ministries, and major retail conglomerates. Attackers targeted these entities knowing that even a small number of valid logins, especially in organizations lacking multi-factor authentication (MFA), could provide initial access.
The attack infrastructure further raised concerns, as the source IP was traced to a compromised Fortinet FortiGate-60E firewall with open ports and a self-signed SSL certificate. This indicated attackers were routing traffic through hijacked network devices to target other edge systems, blending stolen credentials with compromised infrastructure.
Researchers described the attack as part of a "Log-to-Lead" pipeline, an industrialized process where infostealer malware logs are aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces. Attackers then purchase these credential packages and use them in large-scale stuffing attacks until they gain access.
The campaign underscores a critical shift in cyber threats: identity as the new perimeter. Since devices like F5 BIG-IP often accept the same credentials used for internal systems, a single stolen ADFS password could unlock VPNs, SSO portals, or remote access gateways, effectively allowing attackers to bypass traditional security measures.
Cyber Attack
23 Feb 2026 • JJ
Rolls-Royce, Ericsson, Johnson & Johnson, OPTAGE Inc. and Turkey Ministry of Trade: Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins
771
CRITICAL-27
ERIDEFJOHROLVID1772180734
A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks, finding that 77% (54 credentials) matched data from infostealer infections: malware like RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices.
The attacks, first detected by Defused Cyber’s honeypots, involved malicious authentication attempts from a Japanese IP (219.75.254.166, AS17511, OPTAGE Inc.). Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse.
The campaign highlights an industrialized "log-to-lead" pipeline:
1. Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials.
2. Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs).
3. Front-Door Bypass: Attackers use valid credentials to access corporate systems like F5 BIG-IP, leveraging their role in authentication.
4. Network Compromise: Legitimate logins grant direct access, bypassing traditional security measures.
Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume to exploit gaps in MFA or user fatigue.
Further investigation revealed the attacks originated from a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., exposing open ports (541/tcp, 10443/tcp) with a self-signed SSL certificate. This indicates attackers are hijacking network edge devices to launch assaults, turning one organization’s infrastructure into an attack proxy for another.
The campaign underscores a shift in cybercriminal tactics from exploiting vulnerabilities to abusing legitimate authentication, emphasizing the growing threat of identity-based attacks.
JANUARY 2026
796
DECEMBER 2025
795
NOVEMBER 2025
789
OCTOBER 2025
789
SEPTEMBER 2025
788
AUGUST 2025
787
JULY 2025
806
Breach
11 Jul 2025 • JJ
Johnson & Johnson
Misuse of Opioid Settlement Funds
785
MEDIUM-21
JOH333071125
Johnson & Johnson, along with other companies like CVS Health and Walgreens, has been involved in opioid settlements due to their role in the addiction crisis. The article highlights concerns about the misuse of settlement funds, which were intended to address the opioid crisis but are being diverted to other purposes. This misuse includes spending on unrelated projects like road repairs and jail body scanners, rather than helping those affected by addiction. The misallocation of these funds has led to widespread concern and advocacy for better oversight.
AUGUST 2024
820
Breach
16 Aug 2024 • JJ
Johnson & Johnson, Inc.
Johnson & Johnson External System Breach
798
MEDIUM-22
JOH107072525
The Maine Office of the Attorney General reported that Johnson & Johnson, Inc. experienced an external system breach (hacking) on August 16, 2024, affecting 3,225 individuals in total, including 3 residents of Maine. The breach was discovered on August 17, 2024, and individuals affected were offered 12 months of identity theft protection through Equifax Identity Defense.
JUNE 2023
841
Breach
16 Jun 2023 • JJ
Johnson & Johnson (J&J)
Johnson & Johnson Faces Surge in Baby Powder Cancer Lawsuits After Failed Bankruptcy Settlement Attempt
814
CRITICAL-27
JOH0362103102825
Johnson & Johnson is facing a 17% surge in lawsuits (now 73,570+ cases) alleging its talc-based baby powder causes cancer, following a failed attempt to force a $9 billion global settlement through bankruptcy court. A recent California jury awarded $966 million to a deceased woman’s family, linking her cancer to long-term baby powder use. Analysts predict total payouts could exceed $11 billion, with J&J already spending $3 billion on prior settlements. The company withdrew the product in 2023 but continues to deny liability, claiming talc is safe. Repeated legal defeats—including a bankruptcy judge rejecting its Chapter 11 strategy—have forced J&J back into state and federal courts, where upcoming trials (starting next month) risk further billion-dollar verdicts. The litigation threatens reputational damage, financial strain (projected $11B+), and operational disruption, as J&J defends cases across multiple jurisdictions while its Kenvue spinoff shares liability. State juries have repeatedly ruled against J&J, though some awards were later reduced on appeal. The escalating caseload (potentially 93,000+ claims) compounds legal costs and public scrutiny, undermining trust in the brand.
JANUARY 2018
847
Breach
01 Jan 2018 • JJ
Johnson & Johnson
Pharmaceutical Company Data Breach
820
CRITICAL-27
JOH202818522
The home addresses of hundreds of Irish people had been published online in a data breach by a pharmaceutical company.
The error left people vulnerable to hackers as the company also shared email addresses that may be linked to other online accounts.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for JJ?
What was JJ's A.I Rankiteo Cyber Score in May 2026?
What was JJ's A.I Rankiteo Cyber Score in April 2026?
What was JJ's A.I Rankiteo Cyber Score in March 2026?
What was JJ's A.I Rankiteo Cyber Score in February 2026?
What was JJ's A.I Rankiteo Cyber Score in January 2026?
What was JJ's A.I Rankiteo Cyber Score in December 2025?
What was JJ's A.I Rankiteo Cyber Score in November 2025?
What was JJ's A.I Rankiteo Cyber Score in October 2025?
What was JJ's A.I Rankiteo Cyber Score in September 2025?
What was JJ's A.I Rankiteo Cyber Score in August 2025?
What was JJ's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on JJ's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with JJ?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view JJ's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?