Check Point Confirms Data Breach, Downplays Impact Amid Expert Scrutiny

On March 30, 2025, the threat actor known as CoreInjection claimed responsibility for a data breach involving Check Point Software Technologies. The following day, Check Point acknowledged the incident but characterized it as an old, known and very pinpointed event from December 2024 that had already been addressed.

Details of the Breach and Company Response

According to Check Point’s official statement released on March 31, 2025, the breach resulted from compromised credentials of a portal account with limited access. The company specified that the incident affected 3 organizations’ tenants in a portal that does not include customers’ systems, production or security architecture. The exposed data reportedly included a list of multiple account names with product names, three customer accounts with contact names, and the email addresses of certain Check Point employees.

Check Point emphasized that there was no security risk to the company, its customers, or employees. The company also dismissed CoreInjection’s claims, stating that the threat actor was recycling old, irrelevant information.

Expert Analysis and Concerns

Alon Gal, Co-Founder and CTO at Hudson Rock, raised questions about the company’s explanation. He pointed out that a screenshot associated with the breach showed 121,120 accounts, including 18,864 paying accounts, which is significantly more than the 3 organizations mentioned by Check Point. Gal also noted that the screenshot suggested admin-level access capabilities, such as editing accounts and resetting two-factor authentication, which contradicts the company’s claim of limited access.

Further concerns were raised regarding the lack of public disclosure or SEC filing from December 2024 about this breach, despite the Securities and Exchange Commission’s requirements for such disclosures.

Context of Previous Security Incidents

This breach occurs in the context of heightened security concerns surrounding Check Point products. In May 2024, the company warned about threat actors targeting Check Point Remote Access VPN devices with insecure password-only authentication. Additionally, a serious vulnerability (CVE-2024-24919) discovered in May 2024 allowed attackers to read sensitive information on Check Point Security Gateways, including password hashes for local accounts. This vulnerability received a high-severity CVSS v3 score of 8.6 and was quickly added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog.

Ongoing Questions and Implications

While Check Point maintains that the breach is contained and poses no risk to Check Point customers, security experts continue to question how the attackers initially gained access, the true extent of compromised data, and why there appears to be no public disclosure from December 2024 when the breach allegedly occurred.

As Alon Gal summarized: “The intrusion method remains unknown; they mention compromised credentials but don’t say how (phishing, reuse, etc.), which is concerning for a cybersecurity firm.”