Alleged Sale of Check Point Software Technologies Network Access

A cybersecurity controversy has erupted as hackers claiming to have breached Check Point Software Technologies are allegedly selling sensitive data on a dark web marketplace.

The threat actor, operating under the alias “CoreInjection,” has listed the stolen dataset for five bitcoins (approximately $410,000), asserting that it contains proprietary information, including internal network maps, hashed and plaintext user credentials, employee contact details, project documentation, and even proprietary software source code and binaries.

Details of the Alleged Breach

According to the post from DarkWebInformer, the dataset reportedly includes screenshots from Check Point’s Infinity Portal admin dashboard.

These images purportedly reveal API keys with “Admin” roles, access to sensitive client data, and the ability to reset two-factor authentication settings.

According to cybersecurity expert Alon Gal, co-founder of Hudson Rock, the leaked emails and phone numbers match real Check Point employees, lending credibility to the hackers’ claims.

CoreInjection has emphasized that the price is “firm and non-negotiable,” citing their track record of credible leaks.

The dataset also allegedly contains data on 121,120 accounts, including 18,864 paying customers, with service usage details extending into 2031.

Check Point’s Response

Check Point Software Technologies has downplayed the severity of the incident. In a statement shared by Gal, the company described the breach as an “old, known, and very pinpointed event” that was resolved months ago.

They clarified that the affected portal did not include customer systems or production security architecture.

However, this explanation has left some cybersecurity experts unconvinced.

Gal has raised further questions about the timeline and scope of the breach.

He asked whether the data described in CoreInjection’s marketplace post aligns with what Check Point referred to as an “old event” or if it points to a more recent compromise.

Technical Insights into Infinity Portal Security

The alleged breach highlights how much risk concentrates in Check Point’s Infinity Portal, a centralized platform for managing services such as Harmony Endpoint Security and firewall configurations: an administrative credential for the portal reaches everything the portal manages.

Administrators can create API keys for automating configurations or integrating third-party applications.

These API keys are critical for accessing services securely but can become a liability if compromised.

For instance, creating an administrator account that authenticates with an API key involves generating a unique key in SmartConsole.

That key is used for executing API commands but cannot be used to log in to SmartConsole itself. Proper management of these keys is essential to prevent unauthorized access.

Below is an example of logging in with an API key and then reusing the resulting session (the key shown is an example value). Note that a key passed on the command line is recorded in shell history and is visible in process listings, and a token file created by a shell redirect inherits the shell’s umask, so it may be readable by other local users:

# Log in with the API key; the session ID is written to the token file
mgmt_cli login api-key mvYSiHVmlJM+J0tu2FqGag12 > /var/tmp/token.txt
# Reuse the session to create a gateway object
mgmt_cli -s /var/tmp/token.txt add simple-gateway name "gw1" ip-address 192.168.3.181 one-time-password "aaaa" firewall true vpn true
# Publish the change and close the session so the token cannot be reused
mgmt_cli -s /var/tmp/token.txt publish
mgmt_cli -s /var/tmp/token.txt logout

Such commands show how administrators interact with Check Point systems via API keys: whoever holds the key, or the session file it produces, can run the same commands, so both must be protected as carefully as an administrator password.
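As an added example that is not part of the original article or of any Check Point code, the following Python shows the hygiene the commands above leave out: the API key is read from an owner-only file instead of being typed on the command line, the session ID is stored with mode 0600 rather than through a shell redirect, and the session is always logged out, even when a command fails. It assumes the documented Management Web API shape (POST /web_api/login with an "api-key" body returning a "sid", commands under /web_api/<command> carrying the sid in the X-chkp-sid header, and /web_api/logout); the FakeManagementServer, the key value and the sid format are constructed here so the flow runs offline.

```python
# Added example (not Check Point code): API-key handling and session lifecycle
# against the Management Web API. Assumed, per the documented API: POST
# /web_api/login with {"api-key": ...} returns {"sid": ...}; later commands go to
# /web_api/<command> with the sid in the X-chkp-sid header; /web_api/logout ends it.
import os
import stat
from typing import Any, Callable, Dict, List, Optional

# transport(url, headers, json_body) -> parsed JSON reply; injected so this runs offline
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def load_api_key(path: str) -> str:
    """Read the API key from an owner-only (0600) file.

    A key passed on the command line lands in shell history and is visible to
    every local user in `ps`; group/world-readable key files are refused.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:04o}; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise ValueError(f"{path} is empty")
    return key


def write_session_file(path: str, sid: str) -> None:
    """Store a sid for `mgmt_cli -s <file>` as mode 0600, not via a shell redirect.

    A redirect inherits the umask (often 022, i.e. world-readable), and a live
    sid grants the same access as the key until logout or idle timeout.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(sid + "\n")


class MgmtSession:
    """Context manager: log in with an API key, run commands, always log out."""

    def __init__(self, base_url: str, api_key: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key
        self._transport = transport
        self.sid: Optional[str] = None

    def _post(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid
        return self._transport(f"{self.base_url}/web_api/{command}", headers, payload)

    def __enter__(self) -> "MgmtSession":
        # The key travels in the request body, never in the URL or argv.
        self.sid = self._post("login", {"api-key": self._api_key})["sid"]
        return self

    def call(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        if self.sid is None:
            raise RuntimeError("not logged in")
        return self._post(command, payload)

    def __exit__(self, exc_type, exc, tb) -> bool:
        # Log out even if a command raised; an orphaned sid stays valid
        # server-side until its idle timeout.
        try:
            if self.sid is not None:
                self._post("logout", {})
        finally:
            self.sid = None
        return False  # never swallow the caller's exception


class FakeManagementServer:
    """Constructed offline stand-in: one valid key, constructed sids, and
    rejection of any command whose X-chkp-sid is missing or already logged out."""

    def __init__(self, valid_key: str):
        self.valid_key = valid_key
        self.active_sids: set = set()
        self.calls: List[str] = []

    def __call__(self, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        command = url.rsplit("/", 1)[-1]
        self.calls.append(command)
        if command == "login":
            if body.get("api-key") != self.valid_key:
                raise PermissionError("invalid api-key")
            sid = f"sid-{len(self.calls)}"  # constructed, not a real sid format
            self.active_sids.add(sid)
            return {"sid": sid}
        sid = headers.get("X-chkp-sid")
        if sid not in self.active_sids:
            raise PermissionError("missing or invalid session")
        if command == "logout":
            self.active_sids.discard(sid)
            return {"message": "OK"}
        return {"command": command, "echo": body}
```

Real use would pass an HTTPS transport in place of FakeManagementServer; the lifecycle is the same one mgmt_cli follows, where `mgmt_cli -s <file> logout` is the final step that the redirect-to-/var/tmp pattern above makes easy to forget.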

Implications for Cybersecurity

The incident underscores the importance of robust security measures in centralized management platforms like Check Point’s Infinity Portal.

Features such as snapshot management in Gaia OS allow administrators to revert systems to previous states in case of major changes or breaches.

However, these tools are only effective when paired with proactive security practices.

Check Point’s CloudGuard Code Security solution offers advanced capabilities like detecting hardcoded secrets in source code and identifying compliance violations in Infrastructure-as-Code templates.

Such tools are designed to mitigate risks associated with sensitive data exposure.

While Check Point insists there is no ongoing risk to its customers or employees, the claims by CoreInjection have raised serious concerns about cybersecurity practices within one of the industry’s leading firms.

As investigations continue, this incident serves as a stark reminder for organizations worldwide to prioritize securing administrative accounts and API keys while maintaining transparency during potential breaches.

Cybersecurity experts will be closely monitoring how Check Point addresses these allegations and whether further vulnerabilities are exposed in its network architecture.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
