{"id":14240,"date":"2026-04-29T19:53:18","date_gmt":"2026-04-29T19:53:18","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/05\/08\/beprime-breach-april-2026-case-study-wie-fehlende-mfa-in\/"},"modified":"2026-05-20T20:28:19","modified_gmt":"2026-05-20T20:28:19","slug":"beprime-breach-april-2026-case-study-wie-fehlende-mfa-in","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/29\/beprime-breach-april-2026-case-study-wie-fehlende-mfa-in\/","title":{"rendered":"BePrime Breach: Lack of MFA Causes Data Leak"},"content":{"rendered":"<p><strong>A security firm fails to implement MFA on its own admin accounts. One stolen password later: 12.6 GB of customer data exposed, 1,858 network devices under foreign control, and plaintext passwords found in the stolen files.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">No MFA, one password, full access.<\/strong> A stolen administrative login without a second factor was enough to gain complete system access.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">12.6 GB of public data.<\/strong> Plaintext passwords, PostgreSQL superuser IDs, MinIO S3 data, and Meraki API keys were stolen and published.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">1,858 network devices compromised.<\/strong> Client devices were breached via stolen Cisco Meraki API keys; surveillance cameras were accessible via live feed.<\/li>\n<li 
style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Exposed clients.<\/strong> Iberdrola, Whirlpool, Alsea, and ArcelorMittal, including confidential security audit reports with documented vulnerabilities.<\/li>\n<li><strong style=\"color:#69d8ed;\"><br \/>\n<h2>What the attacker found: an open system<\/h2>\n<p>The exploit was straightforward. The attacker, alias &#8220;dylanmarly,&#8221; gained access to an admin account lacking multi-factor authentication. A single stolen password sufficed for full system access. What followed was not a sophisticated intrusion, but a simple retrieval of everything that was accessible.<\/p>\n<p>What the 12.6 GB of stolen data contained:<\/p>\n<ol>\n<li><strong>Plaintext passwords<\/strong> &#8211; Credentials were neither hashed nor encrypted. A fundamental error considered unacceptable for decades.<\/li>\n<li><strong>PostgreSQL superuser IDs<\/strong> &#8211; Full access to databases containing customer data. A unique identifier, with no concept of rotation.<\/li>\n<li><strong>MinIO S3 bucket data<\/strong> &#8211; Object storage containing internal documents; MinIO is generally used for sensitive operational data.<\/li>\n<li><strong>Cisco Meraki API keys<\/strong> &#8211; Here lies the true escalation: Meraki API keys allow total control of connected network equipment. 1,858 devices were compromised.<\/li>\n<li><strong>Internal client security audit reports<\/strong> &#8211; This is the most problematic part for those affected. These documents describe vulnerabilities in client infrastructures. 
They are now accessible to the public.<\/li>\n<li><strong>Live surveillance feeds<\/strong> &#8211; Through the compromised Meraki consoles, feeds from active surveillance systems were accessible.<\/li>\n<\/ol>\n<p>Clients appearing in the stolen data: Iberdrola (energy provider), Whirlpool, ArcelorMittal, and Alsea (operator of Starbucks and Domino&#8217;s in Latin America).<\/p>\n<h2>Compliance theater versus real security operations<\/h2>\n<table style=\"width:100%;border-collapse:collapse;margin:24px 0;\">\n<thead>\n<tr style=\"background:#f0f9fa;\">\n<th style=\"padding:12px 16px;text-align:left;border-bottom:2px solid #69d8ed;font-size:0.95em;color:#004a59;\">What BePrime had<\/th>\n<th style=\"padding:12px 16px;text-align:left;border-bottom:2px solid #004a59;font-size:0.95em;color:#004a59;\">What was missing<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid #e8e8e8;\">\n<td style=\"padding:12px 16px;color:#444;\">Security service offerings for clients<\/td>\n<td style=\"padding:12px 16px;color:#444;\">MFA on their own admin accounts<\/td>\n<\/tr>\n<tr style=\"background:#fafafa;border-bottom:1px solid #e8e8e8;\">\n<td style=\"padding:12px 16px;color:#444;\">Audit reports on client security<\/td>\n<td style=\"padding:12px 16px;color:#444;\">Credential encryption in the database<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid #e8e8e8;\">\n<td style=\"padding:12px 16px;color:#444;\">Trust relationship with sensitive clients<\/td>\n<td style=\"padding:12px 16px;color:#444;\">Least privilege for API keys and service accounts<\/td>\n<\/tr>\n<tr style=\"background:#fafafa;border-bottom:1px solid #e8e8e8;\">\n<td style=\"padding:12px 16px;color:#444;\">Public communication regarding t<\/p>\n<h2>What DACH security teams can do in concrete terms<\/h2>\n<p>Three directly applicable consequences of this incident:<\/p>\n<p>First: Security assessments of vendors must be technical, rather than based solely on documentation. 
A questionnaire asking whether multi-factor authentication (MFA) is active does not prove that it actually is. Access to a technical test\u2014or at least a screenshot of the Entra\/Okta report\u2014should become the standard.<\/p>\n<p>Second: Third-party API keys require scoping and rotation. Meraki API keys with full access to 1,858 devices in a service provider system represent a risk, regardless of the quality of protection.<\/p>\n<\/div>\n<p style=\"text-align:right;\"><em>Cover photo: Tima Miroshnichenko \/ Pexels<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Missing MFA at a cybersecurity firm: 12.6 GB of data stolen, 1,858 Meraki devices taken over. 
What DACH teams can learn from the BePrime breach.","protected":false},"author":10,"featured_media":13645,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Study of","_yoast_wpseo_title":"BePrime Breach: Lack of MFA Causes Data Leak","_yoast_wpseo_metadesc":"No MFA on admin accounts cost BePrime 12.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-14240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-studies"],"wpml_language":"en","wpml_translation_of":13646,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=14240"}],"version-history":[{"count":5,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14240\/revisions"}],"predecessor-version":[{"id":14690,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14240\/revisions\/14690"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/13645"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent
=14240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=14240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=14240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}