A digital burglar is claiming to have nabbed a trove of “highly sensitive” data from Check Point – something the American-Israeli security biz claims is a huge exaggeration.
A cybercrime forum user going by the name CoreInjection advertised “a highly sensitive dataset” allegedly comprising Check Point files on Sunday evening. They claimed this contained internal network maps and architectural diagrams, user credentials (including hashed and plaintext passwords), employee contact information, and proprietary source code.
Screenshots shared in the post appear to show CoreInjection inside a Check Point Infinity (security management) admin portal, supposedly granting themselves the ability to change users’ two-factor authentication settings.
Check Point denies there was ever a security risk to customers and employees, claiming the orgs affected were “updated” at the time, and the crim was merely recycling old information.
The Register contacted Check Point for answers to various questions, many of which it did not respond to. The vendor instead sent over a brief statement: “This is an old, known, and very pinpointed event which involved only a few organizations and a portal that does not include customers’ systems, production, or security architecture.
“This was handled months ago and did not include the description detailed on the dark forum message. These organizations were updated and handled at that time, and this is not more than the regular recycling of old information. We believe that at no point was there a security risk to Check Point, its customers, or employees.”
The vendor also posted a similar statement to its support page, adding that the break-in had affected only three organizations in December 2024.
It said the root cause of the breach was the abuse of compromised credentials for a portal account “with limited access.”
“It was limited to a list of several account names with product names, three customers’ accounts with contact names, and a list of some Check Point employees’ emails. As said, this does not include customers’ systems, production, or security architecture.
“The content of the post falsely implies exaggerated claims which never happened. The portal has different internal mitigations.”
Hudson Rock co-founder and CTO Alon Gal was one of the more prominent industry figures to raise concerns about the criminal’s allegations.
Before the vendor’s response, he opined that the screenshots the criminal provided appeared to him to be “highly convincing”, since CoreInjection had a known history of targeting Israeli companies and a “track record of legitimate leaks”, and because many of the details in the images appeared too real to be faked.
After the support page statement was published on Monday, Gal said: “To me, honestly, it leaves a lot of questions unanswered, but the scope of the breach is likely narrower than initially thought.”
Referring to one of CoreInjection’s screenshots, Gal noted an admin panel view appeared to list more than 120,000 accounts, 18,824 of which appeared to be active and paying. He noted in an earlier post that he wanted to “make sure people are not freaking out” and could “differentiate between what the hacker is saying they have access to (source code, passwords, sensitive projects), and what they show in the images,” adding: “This could end with a limited impact which does not affect customers or Check Point’s IP.”
Check Point told The Register it would not be making any further comment. ®