Cisco Data Breach Exposes Active Directory Credentials


(@nhi-mgmt-group)

Executive Summary

In February 2025, Cisco Systems experienced a significant data breach attributed to the Kraken ransomware group. On February 10, the group claimed to have infiltrated Cisco’s internal network, exfiltrating sensitive credentials from its Windows Active Directory (AD) environment. The breach reportedly exposed usernames, security identifiers (SIDs), and NTLM password hashes, posing a severe risk to the security of affected accounts. While the Kraken group published this data on their dark web blog, Cisco refuted their claims, stating that the leaked information originated from a previously addressed incident in May 2022. The breach could affect numerous users, underscoring the critical need for robust cybersecurity measures.

Key Details

Breach Timeline

  • February 10, 2025: Kraken ransomware group announces the breach, claiming access to Cisco’s AD credentials.
  • May 2022: Cisco addressed a separate incident, which the company claims is the source of the leaked data.

Data Compromised

  • Usernames and Domains: Identifying details of individual users within Cisco’s AD environment.
  • Relative Identifiers (RIDs): Unique identifiers assigned to each user account.
  • NTLM Password Hashes: Hashed forms of user passwords, critical for account security.

Impact Assessment

  • Exposed credentials could lead to unauthorized access to sensitive systems and data.
  • Increased risk of further ransomware attacks targeting Cisco and its clients.
  • Potential damage to Cisco’s reputation and trust among users and stakeholders.

Company Response

  • Cisco has publicly refuted the claims, asserting the data is outdated and linked to a prior incident.
  • The company is likely implementing additional security measures to prevent future breaches.

Security Implications

  • The breach highlights vulnerabilities in Active Directory environments that require immediate attention.
  • Organizations should reassess their cybersecurity protocols and implement stronger password policies.
  • Regular audits and monitoring of AD environments are essential for mitigating similar risks.

This topic was modified 5 days ago by Abdelrahman

   