Logitech admits data breach after zero-day exploit linked to Clop gang
Flaw patched in recent update, says vendor
Logitech has acknowledged a data theft incident after hackers exploited a zero-day vulnerability in third-party software used by the company.
In a Form 8-K filing submitted to the US Securities and Exchange Commission, the Swiss electronics manufacturer acknowledged that attackers had successfully exfiltrated data from its internal systems.
The company stressed that the incident did not disrupt production, business operations, or the performance of its products.
"Logitech recently experienced a cybersecurity incident relating to the exfiltration of data," the filing stated.
"Upon detecting the incident, Logitech promptly took steps to investigate and respond to the incident with the assistance of leading external cybersecurity firms."
According to Logitech, the attackers exploited a zero-day vulnerability in an unnamed third-party software platform. The flaw has since been patched following the vendor's release of an update.
The company says that, based on initial findings, the attackers likely accessed ‘only’ limited employee and consumer information, along with certain customer and supplier data. It does not believe sensitive personal data, such as national ID numbers or payment card information, was stored in the affected system.
Though the full scope of the breach is still being assessed, Logitech said it does not expect the incident to have a "material adverse effect" on its financial performance or operations. Costs tied to forensic analysis, legal considerations, and potential regulatory actions are expected to be covered, at least in part, by the firm's cybersecurity insurance policy.
Clop claims responsibility
Logitech's disclosure comes shortly after the Clop gang posted the company to its dark-web leak site, alleging it had stolen nearly 1.8 terabytes of internal data.
Logitech did not confirm whether the attackers issued a ransom demand or whether negotiations took place. The company also declined to reveal when the intrusion occurred or when it was first discovered.
Clop has recently claimed numerous high-profile victims in what appears to be an expanding extortion campaign targeting Oracle E-Business Suite deployments.
Last month, researchers from Mandiant and Google began tracking a surge in emails sent to corporate victims, warning that data supposedly stolen from their Oracle systems would be leaked unless ransoms were paid.
Oracle has since acknowledged a new E-Business Suite zero-day vulnerability, CVE-2025-61882, and issued an emergency patch.
Several organisations, including Harvard University, The Washington Post, and Envoy Air, have publicly acknowledged breaches tied to related Oracle EBS exploits.
The Washington Post disclosed last week that threat actors infiltrated parts of its network from 10th July to 22nd August by exploiting an Oracle flaw, resulting in the exposure of sensitive information belonging to nearly 10,000 current and former employees and contractors.
In the UK, the NHS is likewise investigating potential exposure after Clop added the "NHS.uk" domain to its leak portal on 11th November. The gang has not yet published any NHS-related data, and it remains unclear which systems, if any, were compromised.
With the Clop ransomware group continuing to target major institutions around the world, cybersecurity experts warn that additional victims may surface as organisations assess their potential exposure from Oracle E-Business Suite vulnerabilities.