29 April 2026

BePrime Breach: Lack of MFA Causes Data Leak

A security firm fails to implement MFA on its own admin accounts. One stolen password later: 12.6 GB of customer data exposed, 1,858 network devices under foreign control, and plaintext passwords found in the stolen files.


Key Takeaways

  • No MFA, one password, full access. A stolen administrative login without a second factor was enough to gain complete system access.
  • 12.6 GB of public data. Plaintext passwords, PostgreSQL superuser IDs, MinIO S3 data, and Meraki API keys were stolen and published.
  • 1,858 network devices compromised. Client devices were breached via stolen Cisco Meraki API keys; surveillance cameras were accessible via live feed.
  • Exposed clients. Iberdrola, Whirlpool, Alsea, and ArcelorMittal, including confidential security audit reports with documented vulnerabilities.

    What the attacker found: an open system

    The exploit was straightforward. The attacker, alias “dylanmarly,” gained access to an admin account lacking multi-factor authentication. A single stolen password sufficed for full system access. What followed was not a sophisticated intrusion, but a simple retrieval of everything that was accessible.

    What the 12.6 GB of stolen data contained:

    1. Plaintext passwords – Credentials were neither hashed nor encrypted. A fundamental error considered unacceptable for decades.
    2. PostgreSQL superuser IDs – Full access to databases containing customer data. A unique identifier, with no concept of rotation.
    3. MinIO S3 bucket data – Object storage containing internal documents; MinIO is generally used for sensitive operational data.
    4. Cisco Meraki API keys – Here lies the true escalation: Meraki API keys allow total control of connected network equipment. 1,858 devices were compromised.
    5. Internal client security audit reports – This is the most problematic part for those affected. These documents describe vulnerabilities in client infrastructures. They are now accessible to the public.
    6. Live surveillance feeds – Through the compromised Meraki consoles, feeds from active surveillance systems were accessible.

    Clients appearing in the stolen data: Iberdrola (energy provider), Whirlpool, ArcelorMittal, and Alsea (operator of Starbucks and Domino’s in Latin America).

    Compliance theater versus real security operations

    What BePrime had | What was missing
    Security service offerings for clients | MFA on their own admin accounts
    Audit reports on client security | Credential encryption in the database
    Trust relationship with sensitive clients | Least privilege for API keys and service accounts
    Public communication regarding t

    What DACH security teams can do in concrete terms

    Three directly applicable consequences of this incident:

    First: Security assessments of vendors must be technical, rather than based solely on documentation. A questionnaire asking whether multi-factor authentication (MFA) is active does not prove that it actually is. Access to a technical test—or at least a screenshot of the Entra/Okta report—should become the standard.

    Second: Third-party API keys require scoping and rotation. Meraki API keys with full access to 1,858 devices in a service provider system represent a risk, regardless of the quality of protection.
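
The first recommendation above, as an added example (not from the article or from BePrime): a Python check over a vendor-supplied JSON export of the Microsoft Entra authentication-methods registration report, flagging admin accounts without MFA, with only weak factors, or with stale evidence. The sample rows, the `vendor.example` accounts, the weak-factor set and the 7-day freshness limit are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph userRegistrationDetails export.
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "admin-a@vendor.example", "isAdmin": True,
     "isMfaRegistered": True, "lastUpdatedDateTime": "2026-04-28T08:00:00Z",
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"]},
    {"userPrincipalName": "admin-b@vendor.example", "isAdmin": True,
     "isMfaRegistered": False, "lastUpdatedDateTime": "2026-04-28T08:00:00Z",
     "methodsRegistered": []},
    {"userPrincipalName": "admin-c@vendor.example", "isAdmin": True,
     "isMfaRegistered": True, "lastUpdatedDateTime": "2026-03-01T08:00:00Z",
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "user-d@vendor.example", "isAdmin": False,
     "isMfaRegistered": False, "lastUpdatedDateTime": "2026-04-28T08:00:00Z",
     "methodsRegistered": []},
]})

# Assumption: factors this review treats as too weak for admin accounts.
WEAK_METHODS = {"mobilePhone", "email"}


def review_admin_mfa(export_json, now, max_age_days=7):
    """Return (account, finding) pairs for admin rows in a report export."""
    findings = []
    for row in json.loads(export_json)["value"]:
        if not row.get("isAdmin"):
            continue  # this check covers privileged accounts only
        upn = row["userPrincipalName"]
        methods = set(row.get("methodsRegistered", []))
        if not row.get("isMfaRegistered"):
            findings.append((upn, "no MFA method registered"))
        elif methods and methods <= WEAK_METHODS:
            findings.append((upn, "only weak factors: " + ", ".join(sorted(methods))))
        # Stale evidence says little about the current state of the account.
        updated = datetime.fromisoformat(
            row["lastUpdatedDateTime"].replace("Z", "+00:00"))
        if now - updated > timedelta(days=max_age_days):
            findings.append((upn, "evidence older than %d days" % max_age_days))
    return findings


if __name__ == "__main__":
    as_of = datetime(2026, 4, 29, tzinfo=timezone.utc)
    for account, finding in review_admin_mfa(SAMPLE_EXPORT, as_of):
        print(account, "->", finding)
```

The report shows registration, not enforcement, so a clean result still needs sign-in or policy evidence that the second factor is actually required.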


    Cover photo: Tima Miroshnichenko / Pexels

    Alec Chizhik


    A magazine by Evernine Media GmbH