
Cyber Incident Victim: Acronis

Date: Mar 2023

Location: Switzerland

Summary

A cybersecurity firm experienced a data leak involving 12 GB of certificate files, system configurations, command logs, and backup data, published after a hacker claimed to have breached the company. The breach stemmed from compromised credentials of a single customer account used for uploading diagnostic information to the company's support system. Internal investigations confirmed the leaked data originated solely from that customer's folder with no other systems or credentials affected. The organization suspended the impacted account, shared indicators of compromise with industry partners, and is cooperating with law enforcement while maintaining heightened security vigilance. No products were compromised as a result of the incident.


Description

In early March 2023, Acronis, a Switzerland-based cybersecurity firm specializing in backup and endpoint protection solutions, faced a public data leak incident. On March 2, 2023, a hacker posted on a cybercrime forum claiming to have breached Acronis, stating motivations of boredom and intent to humiliate the company. The attacker released a 12 GB archive allegedly containing certificate files, system configuration logs, filesystem archives, backup configuration data, scripts, and command logs. This same threat actor had recently offered to sell data purportedly stolen from Acer, though Acronis independently confirmed the compromise timeline. Preliminary analysis indicated the leaked data originated exclusively from a diagnostic upload folder belonging to one specific customer account within Acronis’ support system. The company’s investigation determined that attackers gained access by compromising the credentials of that single customer account, which had authorization to submit diagnostic information for technical support purposes.


Acronis CISO Kevin Reed publicly addressed the incident via LinkedIn beginning March 1, 2023, clarifying that no other systems, credentials, or customer accounts were compromised beyond this single point of entry. The company suspended the affected customer’s account access during remediation and directly collaborated with the impacted organization. Technical response measures included sharing Indicators of Compromise (IOCs) with industry partners and coordinating with law enforcement agencies. Forensic analysis confirmed the leak contained only data from the compromised customer’s support portal folder, with no evidence of broader network infiltration or product vulnerabilities being exploited. Acronis emphasized that none of its commercial software products or core infrastructure sustained compromise, and the breach remained isolated to the support data upload functionality. The organization maintained high security alert levels as investigations continued, while publicly reiterating the confined scope of the incident through official communications. The attacker's claims of extensive corporate access were disproven by forensic evidence showing no lateral movement beyond the initially compromised customer account.
