Be Prime breach claims expose client data and surveillance system access
Mexican IT and cybersecurity provider Be Prime disclosed a cyberattack after a threat actor using the alias dylanmarly posted alleged proof of compromise on a cybercrime forum. The attacker claimed to have accessed Be Prime administrative accounts, Cisco Meraki Vision surveillance systems, Meraki API keys, and thousands of network devices, and to have leaked 12.6 GB of data linked to Be Prime and some of its clients. Public reporting said the intrusion may have involved administrator accounts without multifactor authentication, though Be Prime did not confirm those specific allegations.
Be Prime said it activated containment, mitigation, investigation, and remediation measures with support from Cisco Talos, and stated that it had found no evidence so far of disruption to its own operations or those of customers. At the same time, the company warned it could pursue legal action against parties spreading what it described as false or out-of-context claims about the incident, a response that drew criticism from researchers and journalists who argued that threatening reporters and whistleblowers could intensify scrutiny of the breach and its potential impact on client data and video surveillance exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
French court schedules judgment in Kevin M. case
In the prosecution of Kevin M. over the 'Balance ta balance' Telegram channel, judgment was scheduled for May 19. Prosecutors requested a three-year prison sentence and civil parties sought nearly €60,000 in damages.
French criminal investigation into X expands internationally
By April 2026, French authorities were continuing a criminal investigation into X, with related investigations reported in Spain and the United Kingdom. The case also became a diplomatic dispute after the Wall Street Journal reported U.S. Justice Department objections to the French probe.
Be Prime threatens legal action over breach reporting
Following public reporting on the alleged breach, Be Prime warned it might pursue defamation lawsuits against parties it said spread false or out-of-context information. The stance drew criticism from researcher Alberto Daniel Hill, who warned against threatening journalists and whistleblowers.
Be Prime confirms cyberattack and begins incident response
Be Prime acknowledged it suffered a cybersecurity incident and said it activated containment, mitigation, investigation, and remediation procedures with assistance from Cisco Talos. The company said it had not found evidence of disruption to its own operations or client operations and did not confirm the attacker's more specific claims.
Attacker posts alleged Be Prime breach evidence on cybercrime forum
A threat actor using the alias 'dylanmarly' claimed to have breached Be Prime and posted alleged evidence online, including assertions of access to administrative accounts, Meraki systems, API keys, and 12.6 GB of data. Reporting also linked the alleged intrusion to missing two-factor authentication on administrator accounts.
French authorities search X's offices in France
X's French offices were reportedly searched in February 2026 as part of the expanding criminal investigation into the platform. The probe concerns alleged complicity in offenses including child sexual abuse material and denial of crimes against humanity.
French investigators renew request and Telegram provides account IP
On 2024-09-13, French investigators renewed their request regarding the 'Balance ta balance' Telegram account. Telegram then supplied an IP address linked to the account, allowing authorities to identify suspect Kevin M.
Pavel Durov is arrested in France
Telegram cofounder Pavel Durov was arrested in France in September 2024. The article says Telegram's cooperation with French judicial requests changed after this arrest.
French probe into 'Balance ta balance' stalls over Telegram non-response
In early 2024, investigators seeking information about the 'Balance ta balance' channel were unable to advance the case because Telegram did not respond to judicial requests. This lack of cooperation prevented authorities from identifying the account operator at that stage.
'Balance ta balance' Telegram channel begins operating
French prosecutors said the Telegram channel 'Balance ta balance' became active in late May 2023. The channel allegedly exposed detainees as informants and sold advertising to drug traffickers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Affaire X : le bras de fer entre Elon Musk et la justice français ...
zdnet.fr
Open source" Balance ta balance " : ce détenu entraîné bien malgré lui dans ...
zdnet.fr
Open sourceCrook claims to leak 'video surveillance footage' of firms • The Register
go.theregister.com
Open sourceBreach at BE PRIME cybersecurity company exposes client data and surveillance systems; Be Prime threatens journalists - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
May 2, 2026
Threat Actor Claims Adobe Support Breach via Third-Party BPO
A threat actor using the alias **"Mr. Raccoon"** has allegedly breached Adobe support systems through a third-party Indian BPO contractor and claims to have stolen a large cache of sensitive data. According to unverified reports and social media posts, the actor first compromised a contractor employee with a malicious email delivering a remote access trojan, then expanded access by phishing the employee’s manager. The attacker says the intrusion exposed more than **13 million support ticket records**, roughly **15,000 employee records**, internal documents, Adobe’s Microsoft SharePoint environment, and submissions from Adobe’s **HackerOne** bug bounty program. The reports further allege the actor abused overly permissive ticket export functionality that allowed bulk extraction of support data in a single request, raising concerns about phishing, identity theft, and exposure of unpublished vulnerability disclosures. The incident, if confirmed, would represent a significant third-party supply chain compromise affecting Adobe’s support operations. Adobe had not publicly confirmed or denied the claims at the time the reports were published.
Apr 9, 2026
LexisNexis Legal & Professional AWS Breach and FulcrumSec Data Leak
**LexisNexis Legal & Professional** confirmed that an unauthorized party accessed a limited number of its servers after a threat actor using the alias **FulcrumSec** leaked roughly **2 GB** of allegedly stolen files on underground forums. LexisNexis stated the exposed information was **mostly legacy/deprecated data from prior to 2020** (e.g., customer names, user IDs, business contact details, products used, customer survey data including respondent IP addresses, and support tickets) and said it found **no evidence of impact to products or services**; the company reported the matter to law enforcement and engaged an external forensics firm. FulcrumSec claimed the intrusion began by exploiting the **React2Shell** vulnerability in an **unpatched React frontend application** to gain access to LexisNexis’ **AWS** environment, and alleged broader access within cloud resources (including an ECS task role and data stores) and the presence of government-related accounts (e.g., `.gov` email addresses) in the stolen dataset. Public reporting notes a discrepancy between the actor’s claims (e.g., “millions of records,” passwords, and other internal artifacts) and LexisNexis’ characterization of the exposed data as limited and non-sensitive (no SSNs, financial data, active passwords, or customer search queries), but multiple outlets corroborated that the leaked files are tied to a real, now-contained incident affecting LexisNexis’ Legal & Professional division.
Mar 21, 2026