SonicWall confirms all Cloud Backup Service users were compromised

SonicWall on Oct. 8 confirmed that an attacker compromised firewall configuration backup files for every customer that’s been using its SonicWall Cloud Backup Service.

When news of the breach first came out on Sept. 18, SonicWall originally said only 5% of its customers were affected.

And while SonicWall has not shared how many of its 500,000 customers use the cloud service, security experts say that “thousands of organizations” were likely compromised.

Heath Renfrow, co-founder and chief information security officer at Fenix24, explained that we’re likely seeing a classic case of initial scoping here versus full forensic visibility.

Renfrow said that as deeper log analysis, cloud access reviews, and third-party forensics progressed, they probably identified indicators that the attacker had broader or systemic access to the storage environment, affecting all devices configured for cloud backup.

“This kind of scope expansion is common in cloud-based incidents, where a single compromise in the backup infrastructure or authentication layer can cascade to multiple tenants,” said Renfrow. “The initial number was likely based on confirmed evidence, while the updated disclosure reflects a more accurate, comprehensive understanding of attacker reach. It’s also possible SonicWall underestimated how many customers had backups enabled or didn’t initially correlate preference-file exposure across all backup instances.”

Lawrence Pingree, technical evangelist at Dispersive Holdings, added that this is a worst-case scenario and means that security teams need to take microsegmentation at the system and workload level seriously.

“Attack surfaces are wide in software-as-a-service,” said Pingree. “Isolating workloads, taking steps to eliminate the infrastructure attack surface are a big start here. We have to do away with the fear of instantaneous blocking and isolation of systems when they start to behave unexpectedly.”
