Check Point Software Technologies has confirmed a data breach following claims by threat actor CoreInjection on March 30th, 2025, but insists the incident is an "old, known and very pinpointed event" from December 2024 that had already been addressed.
The cybersecurity giant released an official statement on March 31st through their support portal, downplaying the significance of the breach while security researchers raise questions about its true scope.
Breach Details and Company Response
According to Check Point's security alert, the breach stemmed from "compromised credentials of a portal account with limited access" and affected "3 organizations' tenants in a portal that does not include customers' systems, production or security architecture."
According to the firm, the exposed data consisted of a list of multiple account names with product names, three customer accounts with contact names, and the emails of certain Check Point employees.
"We believe that at no point was there a security risk to Check Point, its customers or employees," the company stated in its response to Alon Gal, Co-Founder & CTO at Hudson Rock.
Check Point emphasized that the breach did not match the description detailed in CoreInjection's dark web forum post, calling it "recycling of old, irrelevant information."
Alon Gal, who first publicized Check Point's acknowledgment, highlighted several inconsistencies in the company's explanation.
"The screenshot they confirm shows 121,120 accounts (18,864 paying), which is far more than '3 organizations,' and suggests admin-level access (edit accounts, reset 2FA), which doesn't align with their 'limited access' claim," Gal noted in his LinkedIn update.
Further raising concerns, no public report or SEC filing from December 2024 regarding this breach has been identified, despite the Securities and Exchange Commission's requirements for such disclosures.
The breach comes amid heightened security concerns for Check Point products. In May 2024, the company warned about threat actors targeting Check Point Remote Access VPN devices with insecure password-only authentication.
Additionally, a serious vulnerability (CVE-2024-24919) discovered in May 2024 allowed attackers to read sensitive information on Check Point Security Gateways, including password hashes for local accounts.
This vulnerability received a high severity CVSS v3 score of 8.6 and was quickly added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog.
While Check Point maintains the breach is contained and poses "no risk to Check Point customers," security experts continue to question how the attackers initially gained access, the true extent of compromised data, and why there appears to be no public disclosure from December 2024 when the breach allegedly occurred.
As Gal summarized: "The intrusion method remains unknown; they mention compromised credentials but don't say how (phishing, reuse, etc.), which is concerning for a cybersecurity firm."