
The future of mobile isn’t on the horizon, it’s happening now. At Ericsson, we’re building the foundation for an open network ecosystem where industries, developers, and enterprises thrive. The convergence of 5G, AI, cloud, and network APIs isn’t just a technological shift; it’s a transformation that is redefining industries and enhancing everyday life. Open, programmable networks are enabling real-time innovation and unlocking new business models across the globe. Imagine a world where developers can dynamically access network capabilities on demand, where enterprises don’t just use connectivity but shape it. This isn’t a distant vision, it’s the ecosystem we’re creating today. Collaboration fuels everything we do. By working across industries, we’re designing a future where connectivity isn’t just seamless. It’s intelligent, programmable, and transformative. The shift is happening. Are you part of it?

Ericsson A.I CyberSecurity Scoring

Ericsson

Company Details

LinkedIn ID: ericsson
Employees number: 107,243
Number of followers: 2,260,541
NAICS: 517
Industry Type: Telecommunications
Homepage: ericsson.com
IP Addresses: 66
Company ID: ERI_8911153
Scan Status: Completed

Ericsson Risk Score (AI oriented)

Between 550 and 599

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium
Ericsson Global Score (TPRM)

XXXX


Ericsson Company CyberSecurity News & History

Past Incidents: 7
Attack Types: 3
Entity | Type | Severity | Impact | Seen | Supply Chain Source
Ericsson | Breach | 85 | 4 | 3/2026 | NA
Ericsson | Breach | 85 | 4 | 2/2026 | NA
Ericsson | Cyber Attack | 85 | 4 | 2/2026 | Defused
Ericsson | Breach | 85 | 4 | 4/2025 | NA
Ericsson | Breach | 85 | 4 | 4/2025 | NA
Ericsson | Breach | 85 | 4 | 4/2025 | NA
Ericsson | Vulnerability | 80 | 5 | 03/2022 | NA

Ericsson: Ericsson Data Breach Exposes Third-Party Service Risks
Type: Breach
Severity: 85
Impact: 4
Seen: 3/2026
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Ericsson Vendor Breach Exposes Personal Data of Over 15,000 Individuals
On 28 April 2025, Ericsson disclosed a security incident involving a third-party vendor, which detected a suspicious event potentially linked to unauthorized access to data on its systems. The breach did not affect Ericsson’s internal infrastructure but occurred at a vendor handling sensitive information. An investigation revealed that an unauthorized party may have accessed a limited set of files between 17–22 April 2025, with the probe concluding on 23 February 2026. While the vendor reported no evidence of data misuse, regulatory filings confirmed that personal information of over 15,000 individuals was exposed. Ericsson promptly notified US regulators and implemented enhanced security measures to mitigate future risks. The incident underscores the growing threat to telecom providers, which handle vast amounts of sensitive data, making them prime targets for cybercriminals. Industry experts, including James Neilson, SVP of Global at OPSWAT, noted that such breaches highlight the need for robust vendor security protocols in high-risk sectors.

Ericsson, Rolls-Royce and Johnson & Johnson: Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials
Type: Breach
Severity: 85
Impact: 4
Seen: 2/2026
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks
A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, has exposed a growing threat: attackers gaining network access not through software vulnerabilities, but by using stolen employee credentials. First detected on February 23, 2026, by threat intelligence group Defused Cyber, the attack leveraged credentials harvested from infostealer malware infections on employee devices. A single source IP (219.75.254.166, registered to OPTAGE Inc. in Japan) was observed sending large volumes of corporate email and password combinations in automated login attempts. Analysis by Hudson Rock revealed that 77% of the 70 unique credentials used in the attack matched known infostealer infection logs, confirming they were stolen from compromised endpoints rather than a traditional data breach. The credentials were then repurposed against ADFS, Security Token Services (STS), and OWA portals, demonstrating a shift from mere data theft to coordinated network intrusion. Affected organizations included high-profile entities such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, Queensland Police, Turkish government ministries, and major retail conglomerates. Attackers targeted these entities knowing that even a small number of valid logins, especially in organizations lacking multi-factor authentication (MFA), could provide initial access. The attack infrastructure further raised concerns, as the source IP was traced to a compromised Fortinet FortiGate-60E firewall with open ports and a self-signed SSL certificate. This indicated attackers were routing traffic through hijacked network devices to target other edge systems, blending stolen credentials with compromised infrastructure.
Researchers described the attack as part of a "Log-to-Lead" pipeline, an industrialized process where infostealer malware logs are aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces. Attackers then purchase these credential packages and use them in large-scale stuffing attacks until they gain access. The campaign underscores a critical shift in cyber threats: identity as the new perimeter. Since devices like F5 BIG-IP often accept the same credentials used for internal systems, a single stolen ADFS password could unlock VPNs, SSO portals, or remote access gateways, effectively allowing attackers to bypass traditional security measures.

Rolls-Royce, Ericsson, Johnson & Johnson, OPTAGE Inc. and Turkey Ministry of Trade: Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
Type: Cyber Attack
Severity: 85
Impact: 4
Seen: 2/2026
Supply Chain Source: Defused
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins
A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks, finding that 77% (54 credentials) matched data from Infostealer infections (malware like RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices). The attacks, first detected by Defused Cyber’s honeypots, involved malicious authentication attempts from a Japanese IP (219.75.254.166, AS17511, OPTAGE Inc.). Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse. The campaign highlights an industrialized "log-to-lead" pipeline:
1. Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials.
2. Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs).
3. Front-Door Bypass: Attackers use valid credentials to access corporate systems like F5 BIG-IP, leveraging their role in authentication.
4. Network Compromise: Legitimate logins grant direct access, bypassing traditional security measures.
Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume to exploit gaps in MFA or user fatigue. Further investigation revealed the attacks originated from a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., exposing open ports (541/tcp, 10443/tcp) with a self-signed SSL certificate.
This indicates attackers are hijacking network edge devices to launch assaults, turning one organization’s infrastructure into an attack proxy for another. The campaign underscores a shift in cybercriminal tactics from exploiting vulnerabilities to abusing legitimate authentication, emphasizing the growing threat of identity-based attacks.

Ericsson: Ericsson breach blamed on third party vendor vishing attack
Type: Breach
Severity: 85
Impact: 4
Seen: 4/2025
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Ericsson Data Breach Exposes Personal Information of Over 15,000 Individuals in Vishing Attack
In April 2025, a voice-phishing (vishing) scam targeted an unnamed third-party vendor supporting Ericsson’s U.S. operations, leading to the exposure of sensitive personal data belonging to 15,661 individuals. Attackers successfully manipulated an employee into granting unauthorized access between April 17 and April 22, with the breach detected on April 28. The vendor responded by engaging cybersecurity experts, resetting passwords, and notifying the FBI. However, Ericsson itself was only informed of the incident on November 10, 2025, after the vendor completed its internal investigation. The company then spent months identifying affected individuals, finalizing the list by February 23, 2026. Exposed data varied by state but included names, Social Security numbers, driver’s license details, government-issued IDs, financial information (such as bank account and payment card numbers), medical records, and dates of birth. While no misuse of the stolen data has been confirmed, Ericsson is offering affected individuals 12 months of credit monitoring. The vendor has since implemented additional security measures and staff training to prevent future incidents. The breach underscores the risks of social engineering attacks, where human error, not technical vulnerabilities, can serve as the primary entry point for cybercriminals.

Ericsson Inc.: Ericsson Inc Data Breach Affects Over 4k: PHI and PII Exposed
Type: Breach
Severity: 85
Impact: 4
Seen: 4/2025
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Ericsson U.S. Subsidiary Suffers Data Breach Affecting Thousands in Texas
Ericsson Inc., the U.S. arm of Swedish telecommunications firm Ericsson, confirmed a data breach stemming from a third-party service provider, exposing sensitive information of at least 4,377 individuals in Texas, with the total number of affected users likely higher nationwide. The breach was detected on April 28, 2025, following unauthorized access to the service provider’s systems between April 17 and April 22, 2025. A forensic investigation, conducted with external cybersecurity experts, concluded on February 23, 2026, revealing that compromised files contained a broad range of personal and financial data. Exposed information included names, addresses, Social Security numbers, driver’s license and passport details, credit card and bank account numbers, medical records, and dates of birth. Ericsson notified the Texas and California Attorneys General of the incident beginning March 9, 2026. In response, the company is offering affected individuals complimentary identity protection services through IDX, including 12 or 24 months of credit and dark web monitoring, a $1 million identity fraud reimbursement policy, and managed identity recovery support. The enrollment deadline for these services is June 9, 2026. The breach underscores the risks of third-party vulnerabilities in handling sensitive data, particularly in sectors reliant on external service providers. Ericsson has directed impacted individuals to monitor financial accounts and consider fraud alerts or credit freezes, though no further details on the root cause or the service provider’s identity have been disclosed.

Ericsson: Data Breach at Ericsson leading to customer and employee information steal
Type: Breach
Severity: 85
Impact: 4
Seen: 4/2025
Supply Chain Source: NA
Rankiteo Explanation: Attack with significant impact with customer data leaks

Description: Ericsson Discloses Major Data Breach Impacting Employees and Customers
Swedish telecommunications giant Ericsson has confirmed a cyber incident in April 2025 that may have compromised sensitive personal and financial data belonging to employees and customers. The breach, disclosed in a formal notification to the California Attorney General’s office, exposed names, addresses, phone numbers, Social Security numbers, driver’s license details, and in some cases, credit card information and medical data. Ericsson attributed the attack to a state-sponsored threat actor, though it did not publicly identify the group. Such actors typically target large corporations for espionage, fraud, or other malicious purposes. Following the breach, the company launched an internal investigation with cybersecurity experts to assess the scope and reinforce its security measures. To mitigate potential harm, Ericsson is offering affected individuals free identity protection services through IDX, including credit and dark web monitoring, as well as identity theft recovery support. Eligible individuals can also receive up to $1 million in identity fraud reimbursement. Those impacted have until June 9, 2026, to register for these services. The company has stated it is enhancing its cybersecurity protocols to prevent future incidents.

Ericsson
Type: Vulnerability
Severity: 80
Impact: 5
Seen: 03/2022
Supply Chain Source: NA
Rankiteo Explanation: Attack threatening the organization's existence

Description: A new bug was recently discovered in the Ericsson Network Manager product by TIM Red Team Research. The bug falls under the CWE category Exposure of Resource to Wrong Sphere and results in incorrect access-control behavior. Various security issues can be encountered if it gets exploited.


Underwriter Stats for Ericsson

Incidents vs Telecommunications Industry Average (This Year)

Ericsson has 66.67% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Ericsson has 156.41% more incidents than the average of all companies with at least one recorded incident.

Incident Types Ericsson vs Telecommunications Industry Avg (This Year)

Ericsson reported 3 incidents this year (1 cyber attack, 0 ransomware, 0 vulnerabilities, 2 data breaches), compared to industry peers with at least 1 incident.

Incident History — Ericsson (X = Date, Y = Severity)

Ericsson cyber incidents detection timeline including parent company and subsidiaries


Ericsson Similar Companies

Ciena

Ciena (NYSE:CIEN) is the global leader in high-speed connectivity. We build advanced networks to support exponential growth in bandwidth demand—empowering our customers, partners, and communities to thrive in the AI era. With unparalleled expertise and innovation, our networking systems, interconnec

EE, part of BT Group, is the largest and most advanced mobile communications company in the UK, delivering mobile and fixed communications services to consumers. We run the UK's biggest and fastest mobile network, having pioneered the UK's first superfast 4G mobile service in October 2012 and was

MTS Group

Mobile TeleSystems OJSC ("MTS") is the leading telecommunications group in Russia, Eastern Europe and Central Asia, offering mobile and fixed voice, broadband, pay TV as well as content and entertainment services in one of the world's fastest growing regions. Including its subsidiaries, as of Decemb

We are a forward-focused digital champion always been focused on innovation and evolution. Our purpose is to create and bring greater dimension and richness to people’s personal and professional lives.  With stc, You will always be empowered to focus on delivering what’s next through collaborati

Telcel

Telcel (Radiomóvil Dipsa) is a subsidiary of América Móvil, one of the largest cellular communications providers in Latin America, a leading group with telecommunications investments in several countries of the Americas. Telcel is the leading cellular telephony company in Mexico. Our

Spectrum

Spectrum is a suite of advanced communications services offered by Charter Communications, Inc. (NASDAQ:CHTR), a leading broadband connectivity company available to more than 57 million homes and small to large businesses across 41 states. Founded in 1993, Charter has evolved from providing cable TV

Huawei

Huawei is a leading global provider of information and communications technology (ICT) infrastructure and smart devices. With integrated solutions across four key domains – telecom networks, IT, smart devices, and cloud services – we are committed to bringing digital to every person, home and organi

Proximus Group

Proximus Group is a provider of future-proof connectivity, IT and digital services, headquartered in Brussels. The Group is actively engaged in building a connected world that people trust, so society blooms. The Domestic segment is focused on providing state-of-the art telecommunications and IT se

TIM Brasil

TIM is the fastest-growing mobile phone company in Brazil. It currently has more than 13 thousand employees across the country who work delivering innovative, quality services in mobile telephony, fixed-line telephony and broadband internet. It is a company made of creative people, with real energy


Ericsson CyberSecurity News

March 30, 2026 04:17 PM
AT&T, Ericsson: Security is ‘team sport’ in the AI era

AT&T and Ericsson are urging tighter industry-wide coordination to thwart cyberattacks; Detection and eradication are getting far more...

March 24, 2026 04:19 PM
AT&T, Ericsson call for 5G network security rethink

AT&T and Ericsson unveil a security blueprint for AI and open 5G and 6G networks and call for more industry collaboration.

March 12, 2026 07:00 AM
Ericsson US Hit by Cyber Attack, Hackers Steal Personal Data of Employees and Customers

Ericsson Inc., the United States subsidiary of the Swedish telecommunications giant, has confirmed a data breach affecting 15661 of its...

March 12, 2026 06:00 AM
Ericsson confirms data breach

Ericsson, one of the largest telecommunications companies in the world, has acknowledged experiencing a data breach that would have resulted...

March 11, 2026 11:04 AM
Ericsson’s US subsidiary hit by cyberattack

A service provider that was storing the personal data of Ericsson's US subsidiary, Ericsson Inc., has experienced a cyberattack.

March 11, 2026 07:00 AM
Ericsson discloses data breach, employee and customer data exposed

The US branch of telecom provider Ericsson has revealed that a “data security incident” occurred at one of its service providers.

March 10, 2026 07:00 AM
Thousands Affected by Ericsson Data Breach

The US subsidiary of Ericsson has disclosed a data breach affecting the personal information of thousands of individuals.

March 10, 2026 07:00 AM
Ericsson Data Breach Exposes Third-Party Service Risks

Ericsson suffered a major data breach, with sensitive data belonging to 15000+ individuals affected as a result of third-party service...

March 10, 2026 07:00 AM
Ericsson US reveals employee and customer data breach after third-party hack

The US arm of Ericsson has confirmed suffering a third-party data breach which saw it lose sensitive data on an undisclosed number of its...

Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Ericsson CyberSecurity History Information

Official Website of Ericsson

The official website of Ericsson is http://www.ericsson.com.

Ericsson’s AI-Generated Cybersecurity Score

According to Rankiteo, Ericsson’s AI-generated cybersecurity score is 569, reflecting their Very Poor security posture.

How many security badges does Ericsson have ?

According to Rankiteo, Ericsson currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Ericsson been affected by any supply chain cyber incidents ?

According to Rankiteo, Ericsson has been affected by multiple supply chain cyber incidents. The affected supply chain sources and their corresponding incident IDs are:

  • Defused (Incident ID: ERIDEFJOHROLVID1772180734)
  • Ericsson (Incident ID: ERI1773081773)

Does Ericsson have SOC 2 Type 1 certification ?

According to Rankiteo, Ericsson is not certified under SOC 2 Type 1.

Does Ericsson have SOC 2 Type 2 certification ?

According to Rankiteo, Ericsson does not hold a SOC 2 Type 2 certification.

Does Ericsson comply with GDPR ?

According to Rankiteo, Ericsson is not listed as GDPR compliant.

Does Ericsson have PCI DSS certification ?

According to Rankiteo, Ericsson does not currently maintain PCI DSS compliance.

Does Ericsson comply with HIPAA ?

According to Rankiteo, Ericsson is not compliant with HIPAA regulations.

Does Ericsson have ISO 27001 certification ?

According to Rankiteo, Ericsson is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Ericsson

Ericsson operates primarily in the Telecommunications industry.

Number of Employees at Ericsson

Ericsson employs approximately 107,243 people worldwide.

Subsidiaries Owned by Ericsson

Ericsson presently has no subsidiaries across any sectors.

Ericsson’s LinkedIn Followers

Ericsson’s official LinkedIn profile has approximately 2,260,541 followers.

NAICS Classification of Ericsson

Ericsson is classified under the NAICS code 517, which corresponds to Telecommunications.

Ericsson’s Presence on Crunchbase

No, Ericsson does not have a profile on Crunchbase.

Ericsson’s Presence on LinkedIn

Yes, Ericsson maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/ericsson.

Cybersecurity Incidents Involving Ericsson

As of April 02, 2026, Rankiteo reports that Ericsson has experienced 7 cybersecurity incidents.

Number of Peer and Competitor Companies

Ericsson has an estimated 10,042 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Ericsson ?

Incident Types: The types of cybersecurity incidents that have occurred include Breach, Vulnerability and Cyber Attack.

How does Ericsson detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through:

  • Third-party assistance: Defused Cyber (security firm), Hudson Rock, and external cybersecurity experts
  • Law enforcement notification: FBI notified
  • Containment measures: password resets
  • Remediation measures: additional security measures and staff training, enhancing cybersecurity protocols, and enhanced security measures
  • Communication strategy: notified Texas and California Attorneys General; offered identity protection services; notification to affected individuals, credit monitoring offered; formal notification to the California Attorney General’s office; regulatory notifications and public disclosure
  • Incident response plan activated: yes

Incident Details

Can you provide details on each incident ?

Incident : Vulnerability

Title: Ericsson Network Manager Product Bug

Description: A new bug was recently discovered in Ericsson Network Manager product by the TIM Red Team Research. The bug focuses on the CWE Exposure of Resource to Wrong Sphere and results in incorrect access-control behavior. Various security issues can be encountered if it gets exploited.

Type: Vulnerability

Attack Vector: Exposure of Resource to Wrong Sphere

Vulnerability Exploited: CWE Exposure of Resource to Wrong Sphere

Threat Actor: TIM Red Team Research

Incident : Credential Stuffing

Title: Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins

Description: A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse. The campaign highlights an industrialized 'log-to-lead' pipeline involving Infostealer infections, underground marketplace sales, and direct access to corporate systems.

Type: Credential Stuffing

Attack Vector: Stolen credentials from Infostealer malware (RedLine, Raccoon, Vidar)

Vulnerability Exploited: Weak multi-factor authentication (MFA) enforcement, password reuse, exposed network edge devices (e.g., Fortinet FortiGate-60E with open ports)

Threat Actor: Initial Access Brokers (IABs), cybercriminals leveraging Infostealer logs

Motivation: Unauthorized access to corporate systems, data exfiltration, potential financial gain

Incident : Credential Stuffing

Title: Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks

Description: A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, leveraged stolen employee credentials harvested from infostealer malware infections to gain network access. The attack was first detected on February 23, 2026, and involved automated login attempts using credentials repurposed against ADFS, STS, and OWA portals. The campaign highlights a shift from data theft to coordinated network intrusion, exploiting identity as the new perimeter.

Date Detected: 2026-02-23

Type: Credential Stuffing

Attack Vector: Stolen employee credentials via infostealer malware

Vulnerability Exploited: Lack of multi-factor authentication (MFA)

Threat Actor: Initial Access Brokers

Motivation: Network intrusion, data exfiltration, potential ransomware deployment

Incident : Data Breach

Title: Ericsson U.S. Subsidiary Suffers Data Breach Affecting Thousands in Texas

Description: Ericsson Inc., the U.S. arm of Swedish telecommunications firm Ericsson, confirmed a data breach stemming from a third-party service provider, exposing sensitive information of at least 4,377 individuals in Texas with the total number of affected users likely higher nationwide.

Date Detected: 2025-04-28

Date Publicly Disclosed: 2026-03-09

Type: Data Breach

Attack Vector: Third-party service provider compromise

Incident : Data Breach

Title: Ericsson Data Breach Exposes Personal Information of Over 15,000 Individuals in Vishing Attack

Description: In April 2025, a voice-phishing (vishing) scam targeted an unnamed third-party vendor supporting Ericsson’s U.S. operations, leading to the exposure of sensitive personal data belonging to 15,661 individuals. Attackers manipulated an employee into granting unauthorized access between April 17 and April 22, with the breach detected on April 28. Ericsson was informed on November 10, 2025, after the vendor completed its internal investigation. Exposed data included names, Social Security numbers, driver’s license details, government-issued IDs, financial information, medical records, and dates of birth. No misuse of the stolen data has been confirmed, but Ericsson is offering affected individuals 12 months of credit monitoring.

Date Detected: 2025-04-28

Type: Data Breach

Attack Vector: Vishing (Voice Phishing)

Vulnerability Exploited: Human error (social engineering)

Incident : Data Breach

Title: Ericsson Major Data Breach Impacting Employees and Customers

Description: Swedish telecommunications giant Ericsson has confirmed a cyber incident in April 2025 that may have compromised sensitive personal and financial data belonging to employees and customers. The breach exposed names, addresses, phone numbers, Social Security numbers, driver’s license details, and in some cases, credit card information and medical data.

Date Detected: 2025-04

Type: Data Breach

Threat Actor: State-sponsored threat actor

Motivation: Espionage, Fraud

Incident : Data Breach

Title: Ericsson Vendor Breach Exposes Personal Data of Over 15,000 Individuals

Description: Ericsson disclosed a security incident involving a third-party vendor, which detected a suspicious event potentially linked to unauthorized access to data on its systems. The breach did not affect Ericsson’s internal infrastructure but occurred at a vendor handling sensitive information. An investigation revealed that an unauthorized party may have accessed a limited set of files between 17–22 April 2025, with the probe concluding on 23 February 2026. While the vendor reported no evidence of data misuse, regulatory filings confirmed that personal information of over 15,000 individuals was exposed.

Date Detected: 2025-04-28

Date Publicly Disclosed: 2025-04-28

Date Resolved: 2026-02-23

Type: Data Breach

Attack Vector: Third-party vendor compromise

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Stolen credentials from Infostealer logs, Stolen employee credentials via infostealer malware and Third-party vendor employee.

Impact of the Incidents

What was the impact of each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Data Compromised: Browser-saved logins, corporate SSO credentials

Systems Affected: F5 BIG-IP devices, ADFS, OWA, STS portals, Fortinet FortiGate-60E firewalls

Operational Impact: Bypassed authentication, potential unauthorized access to corporate networks

Brand Reputation Impact: Potential reputational damage for affected organizations

Identity Theft Risk: High (stolen credentials, PII exposure)

Incident : Credential Stuffing JOHROLERI1772202424

Data Compromised: Employee credentials, potential access to internal systems

Systems Affected: ADFS, Security Token Services (STS), OWA portals, F5 BIG-IP interfaces, VPNs, SSO portals, Remote access gateways

Operational Impact: Potential unauthorized access to corporate networks

Brand Reputation Impact: Potential reputational damage due to unauthorized access

Identity Theft Risk: High (stolen employee credentials)

Incident : Data Breach ERI1773081773

Data Compromised: Sensitive personal and financial data

Brand Reputation Impact: Yes

Identity Theft Risk: High

Payment Information Risk: High

Incident : Data Breach ERI1773145444

Data Compromised: Sensitive personal and financial information

Brand Reputation Impact: Potential reputational damage

Identity Theft Risk: High

Payment Information Risk: High

Incident : Data Breach ERI1773160822

Data Compromised: Sensitive personal and financial data

Identity Theft Risk: High

Payment Information Risk: High

Incident : Data Breach ERI1773189089

Data Compromised: Personal information of over 15,000 individuals

Systems Affected: Vendor systems

Brand Reputation Impact: Potential reputational damage due to third-party breach

Identity Theft Risk: High

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Browser-Saved Logins, Corporate SSO Credentials, Employee credentials, Personal Data, Financial Data, Medical Records, Personally Identifiable Information (PII), Financial Information, Medical Records, Personal Data, Financial Data, Medical Data, and Personal information.

Which entities were affected by each incident ?

Incident : Vulnerability ERI1721322

Entity Name: Ericsson

Entity Type: Corporation

Industry: Telecommunications

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Rolls-Royce

Entity Type: Corporation

Industry: Aerospace/Defense

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Johnson & Johnson

Entity Type: Corporation

Industry: Healthcare/Pharmaceutical

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Ericsson

Entity Type: Corporation

Industry: Telecommunications

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Deloitte

Entity Type: Corporation

Industry: Professional Services/Consulting

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Belgian Police

Entity Type: Government

Industry: Law Enforcement

Location: Belgium

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Queensland Police

Entity Type: Government

Industry: Law Enforcement

Location: Australia

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Majid Al Futtaim

Entity Type: Corporation

Industry: Retail/Conglomerate

Location: UAE

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Cellebrite

Entity Type: Corporation

Industry: Digital Intelligence

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Doka

Entity Type: Corporation

Industry: Construction/Engineering

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entity Name: Turkey’s Ministry of Trade

Entity Type: Government

Industry: Government/Trade

Location: Turkey

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Rolls-Royce

Entity Type: Corporation

Industry: Aerospace/Defense

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Johnson & Johnson

Entity Type: Corporation

Industry: Healthcare/Pharmaceutical

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Ericsson

Entity Type: Corporation

Industry: Telecommunications

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Deloitte

Entity Type: Corporation

Industry: Professional Services/Consulting

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Cellebrite

Entity Type: Corporation

Industry: Digital Intelligence/Forensics

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Belgian Police

Entity Type: Government

Industry: Law Enforcement

Location: Belgium

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Queensland Police

Entity Type: Government

Industry: Law Enforcement

Location: Australia

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Turkish government ministries

Entity Type: Government

Industry: Public Sector

Location: Turkey

Incident : Credential Stuffing JOHROLERI1772202424

Entity Name: Major retail conglomerates

Entity Type: Corporation

Industry: Retail

Incident : Data Breach ERI1773081773

Entity Name: Ericsson Inc.

Entity Type: Subsidiary

Industry: Telecommunications

Location: U.S.

Customers Affected: 4377 (Texas), likely higher nationwide

Incident : Data Breach ERI1773145444

Entity Name: Ericsson

Entity Type: Corporation

Industry: Telecommunications

Location: United States

Customers Affected: 15,661

Incident : Data Breach ERI1773160822

Entity Name: Ericsson

Entity Type: Corporation

Industry: Telecommunications

Location: Sweden

Customers Affected: Employees and customers

Incident : Data Breach ERI1773189089

Entity Name: Ericsson

Entity Type: Telecommunications company

Industry: Telecommunications

Customers Affected: 15,000+

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Third Party Assistance: Defused Cyber (security firm)

Incident : Credential Stuffing JOHROLERI1772202424

Third Party Assistance: Defused Cyber, Hudson Rock.

Incident : Data Breach ERI1773081773

Third Party Assistance: External cybersecurity experts

Communication Strategy: Notified Texas and California Attorneys General; offered identity protection services

Incident : Data Breach ERI1773145444

Third Party Assistance: Cybersecurity experts engaged

Law Enforcement Notified: FBI notified

Containment Measures: Password resets

Remediation Measures: Additional security measures and staff training

Communication Strategy: Notification to affected individuals, credit monitoring offered

Incident : Data Breach ERI1773160822

Incident Response Plan Activated: Yes

Third Party Assistance: Cybersecurity experts

Remediation Measures: Enhancing cybersecurity protocols

Communication Strategy: Formal notification to the California Attorney General’s office

Incident : Data Breach ERI1773189089

Incident Response Plan Activated: Yes

Remediation Measures: Enhanced security measures

Communication Strategy: Regulatory notifications and public disclosure

What is the company's incident response plan?

Incident Response Plan: The incident response plan is recorded as activated (Yes) for two incidents.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Defused Cyber (security firm), Hudson Rock, External cybersecurity experts, Cybersecurity experts engaged, Cybersecurity experts.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Type of Data Compromised: Browser-saved logins, Corporate SSO credentials

Number of Records Exposed: 70 unique email-password pairs (54 matched Infostealer logs)

Sensitivity of Data: High (corporate authentication credentials, potential PII)

Personally Identifiable Information: Potential (browser-saved credentials may include PII)

Incident : Credential Stuffing JOHROLERI1772202424

Type of Data Compromised: Employee credentials

Number of Records Exposed: 70 unique credentials

Sensitivity of Data: High (corporate network access)

Personally Identifiable Information: Employee login credentials

Incident : Data Breach ERI1773081773

Type of Data Compromised: Personal data, Financial data, Medical records

Number of Records Exposed: 4377 (Texas), likely higher nationwide

Sensitivity of Data: High

Personally Identifiable Information: Names, Addresses, Social Security numbers, Driver’s license details, Passport details, Dates of birth

Incident : Data Breach ERI1773145444

Type of Data Compromised: Personally identifiable information (PII), Financial information, Medical records

Number of Records Exposed: 15,661

Sensitivity of Data: High

Personally Identifiable Information: Names, Social Security Numbers, Driver’s License Details, Government-Issued IDs, Dates of Birth

Incident : Data Breach ERI1773160822

Type of Data Compromised: Personal data, Financial data, Medical data

Sensitivity of Data: High

Personally Identifiable Information: Names, Addresses, Phone numbers, Social Security numbers, Driver’s license details, Credit card information

Incident : Data Breach ERI1773189089

Type of Data Compromised: Personal information

Number of Records Exposed: 15,000+

Sensitivity of Data: High

Personally Identifiable Information: Yes

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Additional security measures and staff training, Enhancing cybersecurity protocols, Enhanced security measures.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through password resets.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach ERI1773081773

Regulatory Notifications: Texas Attorney General, California Attorney General

Incident : Data Breach ERI1773160822

Regulatory Notifications: California Attorney General’s office

Incident : Data Breach ERI1773189089

Regulatory Notifications: US regulators

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Lessons Learned: The campaign underscores the shift from exploiting vulnerabilities to abusing legitimate authentication, highlighting the growing threat of identity-based attacks. Organizations must enforce strong MFA, monitor for credential leaks, and secure network edge devices to prevent such attacks.

Incident : Credential Stuffing JOHROLERI1772202424

Lessons Learned: The incident underscores the critical importance of multi-factor authentication (MFA) and the risks posed by infostealer malware in enabling credential stuffing attacks. Identity is now the new perimeter, and stolen credentials can bypass traditional security measures.

Incident : Data Breach ERI1773081773

Lessons Learned: Risks of third-party vulnerabilities in handling sensitive data, particularly in sectors reliant on external service providers.

Incident : Data Breach ERI1773145444

Lessons Learned: The breach underscores the risks of social engineering attacks, where human error—not technical vulnerabilities—can serve as the primary entry point for cybercriminals.

Incident : Data Breach ERI1773189089

Lessons Learned: The incident underscores the growing threat to telecom providers and the need for robust vendor security protocols in high-risk sectors.

What recommendations were made to prevent future incidents ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Recommendations:

  • Enforce strong multi-factor authentication (MFA) across all corporate systems
  • Monitor for credential leaks and Infostealer infections on employee devices
  • Secure network edge devices (e.g., firewalls, VPNs) and close unnecessary open ports
  • Educate employees on password hygiene and the risks of password reuse
  • Implement adaptive behavioral WAFs and enhanced monitoring for authentication anomalies
  • Segment networks to limit lateral movement in case of a breach

Incident : Credential Stuffing JOHROLERI1772202424

Recommendations:

  • Implement multi-factor authentication (MFA) for all corporate systems, especially SSO and remote access gateways.
  • Monitor for infostealer malware infections on employee devices.
  • Enforce strict password policies and regular credential rotation.
  • Segment network access to limit lateral movement in case of a breach.
  • Enhance monitoring of login attempts and anomalous access patterns.
  • Educate employees on the risks of malware and credential theft.

Incident : Data Breach ERI1773081773

Recommendations: Monitor financial accounts, consider fraud alerts or credit freezes, and enroll in identity protection services.

Incident : Data Breach ERI1773145444

Recommendations: Implement additional security measures and staff training to prevent future incidents.

Incident : Data Breach ERI1773189089

Recommendations: Implement stronger vendor security protocols and continuous monitoring of third-party systems.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:

  • The campaign underscores the shift from exploiting vulnerabilities to abusing legitimate authentication, highlighting the growing threat of identity-based attacks. Organizations must enforce strong MFA, monitor for credential leaks, and secure network edge devices to prevent such attacks.
  • The incident underscores the critical importance of multi-factor authentication (MFA) and the risks posed by infostealer malware in enabling credential stuffing attacks. Identity is now the new perimeter, and stolen credentials can bypass traditional security measures.
  • Risks of third-party vulnerabilities in handling sensitive data, particularly in sectors reliant on external service providers.
  • The breach underscores the risks of social engineering attacks, where human error, not technical vulnerabilities, can serve as the primary entry point for cybercriminals.
  • The incident underscores the growing threat to telecom providers and the need for robust vendor security protocols in high-risk sectors.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Implement stronger vendor security protocols and continuous monitoring of third-party systems; Implement additional security measures and staff training to prevent future incidents; Monitor financial accounts, consider fraud alerts or credit freezes, and enroll in identity protection services.

References

Where can I find more information about each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Source: Defused Cyber

Incident : Credential Stuffing JOHROLERI1772202424

Source: Defused Cyber

Incident : Credential Stuffing JOHROLERI1772202424

Source: Hudson Rock

Incident : Data Breach ERI1773081773

Source: Incident disclosure

Incident : Data Breach ERI1773160822

Source: California Attorney General’s office notification

Incident : Data Breach ERI1773189089

Source: Industry expert (James Neilson, SVP of Global at OPSWAT)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Defused Cyber, Hudson Rock, Incident disclosure, California Attorney General’s office notification, and Industry expert (James Neilson, SVP of Global at OPSWAT).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Investigation Status: Ongoing (as per Defused Cyber’s analysis)

Incident : Credential Stuffing JOHROLERI1772202424

Investigation Status: Ongoing

Incident : Data Breach ERI1773081773

Investigation Status: Concluded (forensic investigation completed on 2026-02-23)

Incident : Data Breach ERI1773145444

Investigation Status: Completed

Incident : Data Breach ERI1773160822

Investigation Status: Ongoing

Incident : Data Breach ERI1773189089

Investigation Status: Concluded

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Notified Texas and California Attorneys General; offered identity protection services, Notification to affected individuals, credit monitoring offered, Formal notification to the California Attorney General’s office and Regulatory notifications and public disclosure.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach ERI1773081773

Customer Advisories: Offered complimentary identity protection services through IDX (12 or 24 months of credit and dark web monitoring, $1 million identity fraud reimbursement policy, and managed identity recovery support). Enrollment deadline: 2026-06-09.

Incident : Data Breach ERI1773145444

Customer Advisories: 12 months of credit monitoring offered to affected individuals

Incident : Data Breach ERI1773160822

Customer Advisories: Offering free identity protection services through IDX, including credit and dark web monitoring, identity theft recovery support, and up to $1 million in identity fraud reimbursement. Eligible individuals have until June 9, 2026, to register.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Offered complimentary identity protection services through IDX (12 or 24 months of credit and dark web monitoring, $1 million identity fraud reimbursement policy, and managed identity recovery support). Enrollment deadline: 2026-06-09. 12 months of credit monitoring offered to affected individuals. Offering free identity protection services through IDX, including credit and dark web monitoring, identity theft recovery support, and up to $1 million in identity fraud reimbursement. Eligible individuals have until June 9, 2026, to register.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Entry Point: Stolen credentials from Infostealer logs

High Value Targets: Corporate SSO systems (F5 BIG-IP, ADFS, OWA, STS)

Data Sold on Dark Web: Corporate SSO systems (F5 BIG-IP, ADFS, OWA, STS)

Incident : Credential Stuffing JOHROLERI1772202424

Entry Point: Stolen employee credentials via infostealer malware

High Value Targets: Corporate SSO gateways, ADFS, STS, OWA portals

Data Sold on Dark Web: Corporate SSO gateways, ADFS, STS, OWA portals

Incident : Data Breach ERI1773145444

Entry Point: Third-party vendor employee

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Credential Stuffing ERIDEFJOHROLVID1772180734

Root Causes: Infostealer malware infections on employee devices; Weak MFA enforcement or password reuse; Exposed network edge devices (e.g., Fortinet FortiGate-60E with open ports); Lack of monitoring for credential leaks

Corrective Actions: Strengthen MFA policies; Deploy endpoint detection for infostealer malware; Secure and monitor network edge devices; Implement credential leak monitoring

Incident : Credential Stuffing JOHROLERI1772202424

Root Causes: Lack of multi-factor authentication (MFA); Infostealer malware infections on employee devices; Use of stolen credentials to bypass security measures

Corrective Actions: Implement MFA across all systems; Enhance endpoint security to detect and prevent infostealer malware; Monitor and restrict access to critical systems

Incident : Data Breach ERI1773081773

Root Causes: Third-party service provider compromise

Incident : Data Breach ERI1773145444

Root Causes: Human error (social engineering via vishing)

Corrective Actions: Additional security measures and staff training

Incident : Data Breach ERI1773160822

Corrective Actions: Enhancing cybersecurity protocols

Incident : Data Breach ERI1773189089

Root Causes: Third-party vendor compromise

Corrective Actions: Enhanced security measures

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Defused Cyber (security firm), Defused Cyber, Hudson Rock, External cybersecurity experts, Cybersecurity experts engaged, Cybersecurity experts.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Strengthen MFA policies; Deploy endpoint detection for infostealer malware; Secure and monitor network edge devices; Implement credential leak monitoring; Implement MFA across all systems; Enhance endpoint security to detect and prevent infostealer malware; Monitor and restrict access to critical systems; Additional security measures and staff training; Enhancing cybersecurity protocols; Enhanced security measures.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incident were TIM Red Team Research, Initial Access Brokers (IABs), cybercriminals leveraging Infostealer logs, Initial Access Brokers and State-sponsored threat actor.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2026-02-23.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-04-28.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2026-02-23.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Browser-saved logins, corporate SSO credentials, Employee credentials, potential access to internal systems, Sensitive personal and financial data, Sensitive personal and financial information, Sensitive personal and financial data, Personal information of over 15,000 individuals.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were F5 BIG-IP devices, ADFS, OWA, STS portals, Fortinet FortiGate-60E firewalls and ADFS, Security Token Services (STS), OWA portals, F5 BIG-IP interfaces, VPNs, SSO portals, Remote access gateways.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Defused Cyber (security firm), Defused Cyber, Hudson Rock, External cybersecurity experts, Cybersecurity experts engaged, Cybersecurity experts.

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Password resets.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sensitive personal and financial data, Browser-saved logins, corporate SSO credentials, Personal information of over 15,000 individuals, Employee credentials, potential access to internal systems and Sensitive personal and financial information.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 31.3K.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lessons learned from past incidents were: The campaign underscores the shift from exploiting vulnerabilities to abusing legitimate authentication, highlighting the growing threat of identity-based attacks. Organizations must enforce strong MFA, monitor for credential leaks, and secure network edge devices to prevent such attacks. The incident underscores the critical importance of multi-factor authentication (MFA) and the risks posed by infostealer malware in enabling credential stuffing attacks. Identity is now the new perimeter, and stolen credentials can bypass traditional security measures. Risks of third-party vulnerabilities in handling sensitive data, particularly in sectors reliant on external service providers. The breach underscores the risks of social engineering attacks, where human error—not technical vulnerabilities—can serve as the primary entry point for cybercriminals. The incident underscores the growing threat to telecom providers and the need for robust vendor security protocols in high-risk sectors.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Educate employees on password hygiene and the risks of password reuse; Educate employees on the risks of malware and credential theft; Monitor for infostealer malware infections on employee devices; Enhance monitoring of login attempts and anomalous access patterns; Segment network access to limit lateral movement in case of a breach; Implement stronger vendor security protocols and continuous monitoring of third-party systems; Implement adaptive behavioral WAFs and enhanced monitoring for authentication anomalies; Secure network edge devices (e.g., firewalls, VPNs) and close unnecessary open ports; Monitor for credential leaks and Infostealer infections on employee devices; Monitor financial accounts, consider fraud alerts or credit freezes, and enroll in identity protection services; Implement multi-factor authentication (MFA) for all corporate systems, especially SSO and remote access gateways; Implement additional security measures and staff training to prevent future incidents; Enforce strict password policies and regular credential rotation; Segment networks to limit lateral movement in case of a breach; and Enforce strong multi-factor authentication (MFA) across all corporate systems.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Industry expert (James Neilson, SVP of Global at OPSWAT), Incident disclosure, Defused Cyber, Hudson Rock and California Attorney General’s office notification.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (as per Defused Cyber’s analysis).

Stakeholder and Customer Advisories

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: Offered complimentary identity protection services through IDX (12 or 24 months of credit and dark web monitoring, $1 million identity fraud reimbursement policy, and managed identity recovery support). Enrollment deadline: 2026-06-09. 12 months of credit monitoring offered to affected individuals. Offering free identity protection services through IDX, including credit and dark web monitoring, identity theft recovery support, and up to $1 million in identity fraud reimbursement. Eligible individuals have until June 9, 2026, to register.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were Stolen credentials from Infostealer logs, Third-party vendor employee and Stolen employee credentials via infostealer malware.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Infostealer malware infections on employee devices; Weak MFA enforcement or password reuse; Exposed network edge devices (e.g., Fortinet FortiGate-60E with open ports); Lack of monitoring for credential leaks; Lack of multi-factor authentication (MFA); Infostealer malware infections on employee devices; Use of stolen credentials to bypass security measures; Third-party service provider compromise; Human error (social engineering via vishing); Third-party vendor compromise.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were Strengthen MFA policies; Deploy endpoint detection for Infostealer malware; Secure and monitor network edge devices; Implement credential leak monitoring; Implement MFA across all systems; Enhance endpoint security to detect and prevent infostealer malware; Monitor and restrict access to critical systems; Additional security measures and staff training; Enhancing cybersecurity protocols; Enhanced security measures.

Latest Global CVEs (Not Company-Specific)

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 5.0
Severity: LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!get_macro_mem_COM. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6MemInIF!set_temp_type_default. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=ericsson' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.