BePrime, a Mexican cybersecurity and managed network services firm headquartered in Nuevo Leon, was breached in April 2026 after an attacker exploited administrator accounts that lacked multifactor authentication. The intrusion exposed 12.6 GB of data, handed the attacker control of 1,858 client network devices, and provided live video feeds from surveillance cameras at major corporate clients including Iberdrola, ArcelorMittal, Whirlpool, and Alsea.

What Happened

The breach was first disclosed on a cybercrime forum, where the attacker published proof of access including screenshots, plaintext credentials, and data samples pulled from BePrime's environment. BePrime publicly acknowledged a "cybersecurity incident" on April 21, 2026, and engaged Cisco Talos for incident response and remediation.

By the time the disclosure landed, the scope had already escalated well beyond BePrime itself. The attacker had pivoted from BePrime's internal systems into the networks and physical security infrastructure of its corporate clients, leveraging stolen credentials and API keys to move laterally across the managed services footprint.

What Was Taken

The attacker exfiltrated approximately 12.6 GB of data from BePrime's systems, including:

Using the stolen Meraki credentials, the attacker took control of 1,858 network devices, including switches and routers, and gained visibility into traffic from more than 2,600 connected devices across BePrime's client base. The attacker also accessed live video feeds from Cisco Meraki cloud-managed cameras at client offices, publishing screenshots of the Meraki Vision dashboard showing real-time footage of corporate workspaces.

Why It Matters

A managed security provider holds the keys to its customers' kingdoms by design. When that provider is compromised, the blast radius extends to every client whose credentials, audit reports, and network management infrastructure it stores. In this case, the leaked penetration test results function as a turn-by-turn map of exploitable weaknesses across BePrime's client portfolio, accelerating any follow-on intrusion.

The exposure of live surveillance camera feeds at Iberdrola, ArcelorMittal, Whirlpool, and Alsea (operator of Starbucks, Domino's, and Vips across Latin America) raises the stakes from data theft into physical security and corporate espionage territory. An adversary with persistent visibility into executive offices, trading floors, manufacturing lines, and points of sale can time fraud, social engineering, and physical operations with precision.

There is also a trust dimension. As cybersecurity researcher Alberto Daniel Hill put it, "The irony that a firm selling cybersecurity was breached for not having two-factor authentication on its administrator accounts results in a total loss of trust." For any MSP or MSSP, this incident is a case study in how a single missing control can vaporize a brand.

The Attack Technique

The initial access vector was straightforward credential compromise of administrator accounts that were not protected by multifactor authentication. From those privileged footholds, the attacker pulled plaintext credentials and API keys, including Cisco Meraki keys, then used those keys to authenticate directly to client cloud management consoles.

With Meraki access, the attacker enumerated and asserted control over 1,858 network devices and pivoted to the cloud-managed camera platform, where they captured and published live video as proof of access. No zero-day, no novel malware, no exotic tradecraft: just unprotected admin accounts at the top of a managed services supply chain.

What Organizations Should Do

  1. Enforce phishing-resistant MFA (FIDO2 or hardware tokens) on every administrator account, with no exceptions for legacy systems, break-glass accounts, or service consoles.
  2. Audit and rotate all API keys for cloud management platforms such as Cisco Meraki, AWS, Azure, and SaaS admin consoles. Scope keys to least privilege and bind them to source IPs where supported.
  3. Eliminate plaintext credential storage. Move secrets into a vault with access logging and short-lived tokens, and scan repositories and shared drives for legacy credential files.
  4. If you are a customer of an MSP or MSSP, demand evidence of MFA enforcement, credential storage practices, and audit report handling. Treat your provider's security posture as part of your own attack surface.
  5. Monitor cloud management portals for anomalous logins, new API key creation, bulk device configuration changes, and unusual camera or dashboard access patterns.
  6. Assume any penetration test report or audit document held by a third party could be exposed. Track remediation of every finding and retire findings that are no longer accurate so leaked reports lose value.
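
One way to implement the monitoring in step 5, as an added example that is not from the original article or from any vendor. The event schema, account name, IP allowlist, and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical, vendor-neutral audit schema: (timestamp, actor, source IP, action, target).
# Constructed sample events, not taken from any real portal or from the incident.
EVENTS = [
    ("2026-04-01T09:00:00", "noc-admin", "198.51.100.10", "login", "portal"),
    ("2026-04-01T09:05:00", "noc-admin", "198.51.100.10", "device_config_change", "sw-001"),
    ("2026-04-02T03:10:00", "noc-admin", "203.0.113.77", "login", "portal"),
    ("2026-04-02T03:12:00", "noc-admin", "203.0.113.77", "api_key_create", "key-new"),
] + [
    ("2026-04-02T03:%02d:00" % (15 + i), "noc-admin", "203.0.113.77",
     "device_config_change", "sw-%03d" % i)
    for i in range(6)
] + [
    ("2026-04-02T03:%02d:00" % (30 + i), "noc-admin", "203.0.113.77",
     "camera_view", "cam-%02d" % i)
    for i in range(4)
]

KNOWN_ADMIN_IPS = {"noc-admin": {"198.51.100.10"}}  # assumed allowlist per account
BURST = {"device_config_change": 5, "camera_view": 3}  # distinct targets per window
WINDOW = timedelta(minutes=10)


def detect(events, known_ips=KNOWN_ADMIN_IPS, burst=BURST, window=WINDOW):
    """Return a list of (rule, actor, timestamp) alerts, in event order."""
    alerts, recent, fired = [], defaultdict(list), set()
    for ts, actor, ip, action, target in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "login" and ip not in known_ips.get(actor, set()):
            alerts.append(("anomalous_login", actor, ts))
        elif action == "api_key_create":
            alerts.append(("new_api_key", actor, ts))
        elif action in burst:
            key = (actor, action)
            # Keep only events inside the sliding window, then count distinct targets.
            recent[key] = [(t, x) for t, x in recent[key] if when - t <= window]
            recent[key].append((when, target))
            if len({x for _, x in recent[key]}) >= burst[action] and key not in fired:
                fired.add(key)  # one alert per actor and action, to avoid alert floods
                alerts.append(("bulk_" + action, actor, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In practice the events would come from the portal's audit log export, and the thresholds would be tuned against each account's normal change volume.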

Sources: A Cybersecurity Firm Got Hacked for Not Using Two Factor Authentication