{
	"id": "f70b3a89-a6d7-45e0-9f48-f9450114d6d5",
	"created_at": "2026-04-06T00:15:06.851924Z",
	"updated_at": "2026-04-10T13:11:39.807759Z",
	"deleted_at": null,
	"sha1_hash": "345ed04c2e680ba2326f1a13e4bdf3a00afdec13",
	"title": "Cylance confirms data breach linked to 'third-party' platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2647829,
	"plain_text": "Cylance confirms data breach linked to 'third-party' platform\r\nBy Sergiu Gatlan\r\nPublished: 2024-06-10 · Archived: 2026-04-05 15:25:53 UTC\r\nCybersecurity company Cylance confirmed the legitimacy of data being sold on a hacking forum, stating that it is old data\r\nstolen from a \"third-party platform.\"\r\nA threat actor known as Sp1d3r is selling this stolen data for $750,000, as first spotted by Dark Web Informer.\r\nThe data allegedly includes a substantial amount of information, such as 34,000,000 customer and employee emails and\r\npersonally identifiable information belonging to Cylance customers, partners, and employees.\r\nHowever, researchers have told BleepingComputer that the leaked samples appear to be old marketing data used by Cylance.\r\nBlackBerry Cylance told BleepingComputer that they're aware of and investigating the threat actor's claims but that no\r\n\"BlackBerry data and systems related to [..] 
customers, products, and operations have been compromised.\"\r\n\"Based on our initial reviews of the data in question, no current Cylance customers are impacted, and no sensitive\r\ninformation is involved,\" the company added.\r\n\"The data in question was accessed from a third-party platform unrelated to BlackBerry and appears to be from 2015-2018,\r\npredating BlackBerry's acquisition of the Cylance product portfolio.\"\r\nCylance data for sale (Dark Web Informer)\r\nLinks to Snowflake attacks\r\nWhile the company has yet to reply to a follow-up request for more details regarding the name of the third-party platform\r\nthat was breached to steal what it claims to be old data, the same threat actor is also selling 3TB of data from automotive\r\naftermarket parts provider Advance Auto Parts, stolen after breaching the company's Snowflake account.\r\nBleepingComputer found a link to a Snowflake web management console located at\r\nhttps://cylance.snowflakecomputing.com/ that appears to be linked to Cylance. However, a BlackBerry spokesperson told\r\nBleepingComputer that the dashboard is \"old and invalid\" and \"BlackBerry Cylance is not a Snowflake customer.\"\r\nRecent breaches at Santander, Ticketmaster, and QuoteWizard/Lendingtree have also been linked to Snowflake attacks.\r\nTicketmaster's parent company, Live Nation, also confirmed that a data breach had affected the ticketing firm after its\r\nSnowflake account was compromised on May 20.\r\nIn a joint advisory with CrowdStrike and Mandiant, Snowflake said that attackers had used stolen customer credentials to\r\ntarget accounts without multi-factor authentication protection.\r\nToday, Mandiant published a report linking the Snowflake attacks to a financially motivated threat actor it tracks as\r\nUNC5537. 
The actor gained access to Snowflake customer accounts using customer credentials stolen in infostealer\r\nmalware infections from as far back as 2020.\r\nMandiant has been tracking the UNC5537 since May 2024. The financially motivated threat actor has targeted hundreds of\r\norganizations worldwide, extorting victims for financial gain.\r\nUNC5537 Snowflake attack timeline (Mandiant)\r\nWhile Mandiant has not shared much information about UNC5537, BleepingComputer has learned they are part of a larger\r\ncommunity of threat actors who frequent the same websites, Telegram, and Discord servers, where they commonly\r\ncollaborate on attacks.\r\n\"The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication\r\nonly required a valid username and password,\" Mandiant said.\r\n\"Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not\r\nbeen rotated or updated. The impacted Snowflake customer instances did not have network allow lists in place to only allow\r\naccess from trusted locations.\"\r\nMandiant says it has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon\r\nStealer, Lumm, and Metastealer infostealer malware attacks since at least 2020.\r\nTo date, Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing attacks.\r\nUpdate June 11, 07:13 EDT: Added BlackBerry statement saying Cylance is not a Snowflake customer.\r\nSource: https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/"
	],
	"report_names": [
		"cylance-confirms-data-breach-linked-to-third-party-platform"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d99090fb-318c-46a2-a1b6-9e89ec61a6d8",
			"created_at": "2024-06-19T02:00:04.375337Z",
			"updated_at": "2026-04-10T02:00:03.652523Z",
			"deleted_at": null,
			"main_name": "Sp1d3r",
			"aliases": [],
			"source_name": "MISPGALAXY:Sp1d3r",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/345ed04c2e680ba2326f1a13e4bdf3a00afdec13.pdf",
		"text": "https://archive.orkl.eu/345ed04c2e680ba2326f1a13e4bdf3a00afdec13.txt",
		"img": "https://archive.orkl.eu/345ed04c2e680ba2326f1a13e4bdf3a00afdec13.jpg"
	}
}