After reports of an unauthorized, malicious actor gaining access to Cisco’s data and customer data, Cisco investigated the allegation and determined the impacted data was limited to a public-facing environment. 

Security leaders weigh in 

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

“Cisco claims that the damage was limited to a public-facing site, and Deloitte made similar assertions after a recent breach by the same actor. However, it’s important to approach such statements with cautious optimism. Even if the compromised environments were meant to be public-facing, exposing sensitive information such as source code, credentials and API tokens can have significant security implications. It’s crucial to remember that attackers often exploit seemingly minor vulnerabilities to gain a foothold and potentially pivot to more sensitive systems.

“The main problem with these intrusions is the risk of attackers using the exposed information to launch additional attacks. Exposed source code can reveal vulnerabilities that attackers can exploit in other systems. Hardcoded credentials and API tokens can grant unauthorized access to sensitive resources and data. Even seemingly harmless information, such as Jira tickets or internal documents, can provide valuable intelligence to attackers, allowing them to create more targeted and effective attacks. 

“This incident highlights the urgent need for strong API security, even in public-facing environments. Exposed API tokens can give attackers access to sensitive data and systems. Organizations should prioritize robust authentication and authorization, maintain a complete API inventory, build out API posture governance controls, and use continuous monitoring and threat detection to prevent unauthorized access and data breaches. It's also essential to securely manage secrets to protect API keys and tokens. By taking a proactive and comprehensive approach to API security, organizations can reduce the risk of intrusions and safeguard their critical assets.”

Jason Soroko, Senior Fellow at Sectigo:

“While Cisco may not have had its core systems directly compromised, the data obtained, including source code, API tokens, certificates and credentials, represents significant risks if leveraged for future attacks. Public-facing environments are often seen as less critical, but in reality, they can expose sensitive information that serves as stepping stones to deeper intrusions.

“The real issue with these types of breaches is twofold. First, the trust erosion as companies minimize the impact, and second, the potential for the stolen data to be used in more dangerous exploits or sold on dark web forums. Even if the data came from a less secure environment, the long-term risks from exposed credentials, code, or keys can persist.”