SonicWall breach hit every cloud backup customer, not 5% • The Register

10/09/2025

SonicWall has admitted that all customers who used its cloud backup service to store firewall configuration files were affected by a cybersecurity incident first disclosed in mid-September, walking back earlier assurances that only a small fraction of users were impacted.

In an updated statement published on Wednesday, the California-based network security vendor said its investigation had determined that “all customers” who utilized the MySonicWall cloud backup feature were affected, confirming that attackers had accessed configuration backup files stored on its systems. These backups typically include firewall settings, policies, and network configurations, making them a valuable target for anyone seeking to map internal infrastructure or pivot into connected environments.

When SonicWall first disclosed the breach on 17 September, it claimed the incident was limited to “less than 5 percent” of customers. At the time, the company said it had detected “suspicious activity” against the cloud backup environment used by its next-generation firewalls and promptly disabled the service “out of an abundance of caution.”

That initial reassurance now appears premature. SonicWall’s latest post-mortem, which follows an independent investigation and external forensics review, confirms that the attackers successfully accessed data belonging to every customer who had ever used the cloud backup service, regardless of when their backups were created.

The Register has asked SonicWall how many customers use its cloud backup service but has not received a response.

While SonicWall insists the intrusion did not affect other MySonicWall services or customer devices, it’s urging administrators to treat the incident seriously. Customers have been told to delete any existing cloud backups, change their MySonicWall credentials, rotate shared secrets and passwords, and recreate new backup files locally rather than in the cloud.

The company says it has since “hardened” its infrastructure, applied additional logging, and introduced stronger authentication controls to prevent a repeat. But it has not shared specifics about how attackers gained initial access, beyond describing “unauthorized access to the cloud storage environment” that held encrypted and compressed backup archives.

According to Arctic Wolf, which has been tracking the incident, the backups contain data that could aid follow-on attacks.

“Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” said Stefan Hostetler, a threat intelligence researcher at Arctic Wolf. “These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates. In the past, Arctic Wolf has observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use in future attacks.”

SonicWall has not attributed the breach to any specific threat actor or nation-state, and it hasn’t said whether data was copied, leaked, or destroyed. The company continues to maintain that there is “no evidence” of any compromise to production firewalls or other customer-hosted systems.

For SonicWall, this is not its first brush with online attackers. Earlier this year, the company said it was investigating a spate of ransomware activity targeting its firewall devices, following multiple reports of a zero-day bug under active exploit in its VPNs. While this latest compromise appears more contained, the reversal from “5 percent” to “100 percent” is unlikely to inspire confidence among customers who entrusted their firewall blueprints to the cloud. ®
