A threat actor has listed an allegedly exfiltrated 34-million-record database belonging to Cylance (now part of BlackBerry) for sale on a monitored dark web forum, with an asking price of $500,000 USD routed through escrow. The listing, confirmed by Brinztech cybersecurity intelligence on 19 April 2026, explicitly markets the dataset as "Great for Hack targeting!" and is linked to the broader campaign exploiting vulnerable Snowflake cloud data warehousing environments.

What Happened

Brinztech analysts identified an active listing on a monitored hacker forum offering a corporate dataset attributed to Cylance, the endpoint security vendor acquired by BlackBerry. The seller is demanding $500,000 USD and requires an escrow middleman to complete the transaction, a signal that the actor expects high-value buyers among nation-state proxies, initial access brokers, or competing espionage operators. Industry intelligence links the exfiltration to the ongoing wave of intrusions abusing third-party Snowflake cloud data warehouse tenants, where stolen or weakly protected credentials have repeatedly enabled bulk extraction of customer and marketing tables from Fortune-scale vendors.

What Was Taken

The advertised dataset spans internal corporate telemetry and CRM records across approximately 34 million entries. Confirmed contents include:

Why It Matters

A breach of a major endpoint security vendor is not a routine CRM leak. The customer list itself is an attack map: every record names an organization that has deployed Cylance's EDR stack, giving adversaries a pre-qualified target set of environments where they already know which defensive product is installed. Combined with product usage telemetry, threat actors can prioritize victims, estimate license tiers, and anticipate detection coverage before ever touching a target network. This is a force multiplier for ransomware affiliates, BEC crews, and espionage actors alike.

The Attack Technique

Brinztech attributes the exfiltration to the broader Snowflake-targeting intrusion campaign, in which adversaries leverage credentials harvested from infostealer logs or weak authentication configurations to access customer-managed cloud data warehouses. The named tables (DIM_LEAD, CAMPAIGNMEMBER, DIM_MKT_EMAIL_6_SEND) match naming conventions used by Salesforce and Marketo integrations commonly synced to Snowflake, consistent with warehouse-level extraction rather than an application-layer compromise. No evidence currently suggests compromise of Cylance's EDR agent infrastructure or signing keys.

What Organizations Should Do

  1. Assume any Cylance-related email correspondence, invoice, or renewal notice received in the coming weeks could be a spear-phishing lure and route it through out-of-band verification.
  2. Enforce mandatory MFA and network policy restrictions on all Snowflake, Salesforce, and Marketo tenants, and rotate any service account credentials that may have been exposed in infostealer logs.
  3. Hunt for anomalous queries and bulk exports across cloud data warehouse environments, paying particular attention to access from residential proxy IP ranges.
  4. Brief executive and sales leadership on heightened BEC risk, as prospect and pipeline data in the leak will enable highly credible impersonation of known vendor contacts.
  5. Coordinate with BlackBerry/Cylance account teams to confirm notification status and obtain any indicators of compromise or affected-record scoping as it becomes available.
  6. Review EDR configuration hardening and tamper-protection settings, on the assumption that adversaries now have visibility into defensive baselines across the customer base.
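As an added illustration of the hunt in step 3 and of the warehouse-level access pattern described under The Attack Technique, the Python below is example code written for this page (not Brinztech's, BlackBerry's, or Snowflake's tooling). It joins login and query records whose field names are modelled on Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY views, and flags password-only logins from outside an assumed corporate IP allowlist that went on to bulk-read the marketing tables named above. The allowlist ranges, user names, row threshold, and every sample row are constructed placeholders.

```python
"""Hunt for single-factor, off-allowlist warehouse logins followed by bulk
reads of CRM/marketing tables.  Record layouts mimic Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY; all rows below are
constructed sample data, not real logs."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed corporate egress ranges (placeholder documentation prefixes).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Tables named in the listing; referencing them in a bulk read is the signal.
WATCHED_TABLES = {"DIM_LEAD", "CAMPAIGNMEMBER", "DIM_MKT_EMAIL_6_SEND"}
BULK_ROW_THRESHOLD = 100_000  # assumed tuning value


@dataclass
class LoginEvent:
    event_id: int           # joins to QueryEvent.login_event_id
    user_name: str
    client_ip: str
    first_factor: str
    second_factor: Optional[str]  # None means no MFA was used
    success: bool


@dataclass
class QueryEvent:
    login_event_id: int
    user_name: str
    query_text: str
    rows_produced: int


def login_risk_reasons(login: LoginEvent) -> list:
    """Reasons a successful login deserves attention (empty list = clean)."""
    reasons = []
    if not login.success:
        return reasons
    addr = ip_address(login.client_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        reasons.append("login from IP outside corporate allowlist")
    if login.second_factor is None:
        reasons.append("single-factor (password only) authentication")
    return reasons


def watched_tables_in(query_text: str) -> set:
    """Crude token match: which watched table names appear in the SQL."""
    tokens = set(re.findall(r"[A-Z_][A-Z0-9_]*", query_text.upper()))
    return tokens & WATCHED_TABLES


def is_bulk_export(query: QueryEvent) -> bool:
    """Unload to a stage (COPY INTO @...) or a very large result set."""
    unload = re.match(r"\s*COPY\s+INTO\s+@", query.query_text, re.IGNORECASE)
    return unload is not None or query.rows_produced >= BULK_ROW_THRESHOLD


def hunt(logins, queries) -> list:
    """Return findings per login session, highest-risk pattern marked 'high'."""
    by_login = {}
    for q in queries:
        by_login.setdefault(q.login_event_id, []).append(q)
    findings = []
    for login in logins:
        reasons = login_risk_reasons(login)
        bulk_hits = [q for q in by_login.get(login.event_id, [])
                     if is_bulk_export(q) and watched_tables_in(q.query_text)]
        if bulk_hits and reasons:
            severity = "high"      # risky login AND bulk read of watched data
        elif bulk_hits or reasons:
            severity = "medium"    # only one half of the pattern present
        else:
            continue
        findings.append({
            "user": login.user_name,
            "client_ip": login.client_ip,
            "severity": severity,
            "login_reasons": reasons,
            "bulk_exports": [(sorted(watched_tables_in(q.query_text)), q.rows_produced)
                             for q in bulk_hits],
        })
    return findings


# Constructed sample records (placeholder users, IPs and row counts).
SAMPLE_LOGINS = [
    LoginEvent(1, "alice", "203.0.113.7", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(2, "svc_marketo_sync", "192.0.2.55", "PASSWORD", None, True),
    LoginEvent(3, "bob", "198.51.100.3", "PASSWORD", None, True),
]
SAMPLE_QUERIES = [
    QueryEvent(1, "alice", "SELECT COUNT(*) FROM MARKETING.DIM_LEAD", 1),
    QueryEvent(2, "svc_marketo_sync",
               "COPY INTO @ext_stage/leads FROM (SELECT * FROM MARKETING.DIM_LEAD)",
               34_000_000),
    QueryEvent(2, "svc_marketo_sync", "SELECT * FROM MARKETING.CAMPAIGNMEMBER", 2_100_000),
    QueryEvent(3, "bob", "SELECT * FROM SALES.ORDERS LIMIT 10", 10),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGINS, SAMPLE_QUERIES):
        print(finding)
```

The service account in the sample is the case the article warns about: a password-only login from an address no corporate user should be coming from, immediately followed by an unload of DIM_LEAD to an external stage and a full scan of CAMPAIGNMEMBER. In a real deployment the same join runs as a query against the ACCOUNT_USAGE views on a schedule, and the allowlist should come from the account's network policy rather than a constant.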

Sources: 34M Cylance Database & Corporate Intelligence Sale