Mexican cybersecurity firm BePrime breached because admin accounts had no MFA - 12.6 GB leaked including pentest reports, then BePrime threatened journalists who reported it

On April 20 a threat actor using the alias 'dylanmarly' posted 12.6 GB of stolen data from Mexican cybersecurity firm BePrime, claiming compromise of admin accounts that had no MFA enabled. The dump includes plaintext credentials, financial transaction records, security audit and pentest reports detailing client vulnerabilities, plus API keys for 1,858 Cisco Meraki network devices and live surveillance camera feeds. Affected clients include Iberdrola (Spanish energy giant), ArcelorMittal, Whirlpool, and Alsea (Latin American operator of Starbucks, Domino's, Vips). BePrime then announced legal action against journalists reporting on it.

Check

If you use any managed security service provider, confirm in writing this week that they enforce phishing-resistant MFA on every admin account holding your credentials or API keys.

Affected

BePrime's enterprise clients - Iberdrola, ArcelorMittal, Whirlpool, Alsea, Vitro, and others operating in Mexico and Latin America - face direct downstream risk because the leak includes pentest reports identifying their unpatched weaknesses and Meraki API keys with operational control over their network devices.

Fix

BePrime clients should rotate every shared credential, Meraki API key, and integration token immediately and audit Meraki configs for unauthorized changes since March 2026. Cut or sandbox network trusts to BePrime infrastructure pending review. For all organizations: add MFA-enforcement attestation to vendor security questionnaires and put contractual breach-notification SLAs in place for every MSP with privileged access.