A newly publicized breach stemming from a critical vulnerability in MOVEit, a popular file transfer tool, has resulted in the release of extensive employee data from some of the world's largest companies.
Hackers reportedly accessed sensitive information through CVE-2023-34362, a severe vulnerability discovered in mid-2023. The exposed data encompasses millions of records from corporations across sectors, including finance, retail, technology, and healthcare, escalating concerns about employee privacy and corporate security.
The security flaw in MOVEit allowed attackers to bypass authentication protocols, granting unauthorized access to databases containing confidential information. Since May 2023, attackers have exfiltrated employee data—much of it organized into structured directories with personal and corporate identifiers—triggering one of the largest data leaks in recent history.
According to a report by HudsonRock's Alon Gal, a hacker under the pseudonym “Nam3L3ss” has recently posted these records on a major cybercrime forum, highlighting the breadth and depth of data now in the hands of cybercriminals.
Scope and content of the breach
The compromised data, dating back to May 2023, includes sensitive employee information such as names, email addresses, phone numbers, and cost center codes. In some cases, the data also maps entire organizational structures, creating a detailed profile of the affected firms. Companies affected include Amazon, HSBC, McDonald's, MetLife, Cardinal Health, and HP, among many others. The volume of records in each company's directory varies:
- Amazon: 2,861,111 records
- HSBC: 280,693 records
- MetLife: 585,130 records
- Cardinal Health: 407,437 records
- HP: 104,119 records
- Lenovo: 45,522 records
- McDonald's: 3,295 records
Amazon's leaked dataset, which the company confirmed to media is authentic, includes fields such as employee names, cost center codes, phone numbers, and job titles, while HSBC's data spans records from various international branches, listing user IDs, employee status, and department codes.
HudsonRock's researchers corroborated the leak's authenticity by matching email addresses from the compromised data with LinkedIn profiles and records of info stealer malware infections affecting some of these companies' employees.
MOVEit and CL0P ransomware
This is not the first time the MOVEit vulnerability (CVE-2023-34362) has been implicated in a major breach. In 2023, the CL0P ransomware group exploited the same vulnerability to launch widespread attacks affecting organizations globally, leaking the data of millions. That campaign highlighted the severe risks associated with unpatched vulnerabilities in widely used software tools. Many organizations impacted by the CL0P attack experienced operational disruptions, legal repercussions, and severe reputational damage.
According to Emsisoft's tracker page, that incident impacted 2,773 organizations and resulted in the compromise of the personal data of 95,788,491 people, making it one of the largest and most impactful data breaches ever to have occurred.
In the recent case, however, it has not yet been confirmed whether CL0P or affiliates are behind the leak. Although CL0P is notorious for targeting similar vulnerabilities in large-scale ransomware operations, researchers have yet to verify any connection between this latest breach and the group.
Nam3L3ss, the hacker behind this attack, has emphasized that the released data represents only a fraction of what they possess, indicating that more leaks may follow in the coming days. The threat actor urged the companies to “pay attention” to the upcoming disclosures, implying that more sensitive data is to be made public soon.
Ex-Amazon_Staff
As long as customer info is safe. But this is more evidence North America is really complacent in terms of privacy and security.