Ford Motor Company SA de CV Data Breach

Alleged

Ransomware claim involving Ford Motor Company SA de CV.

Published: Jun 28, 2026 Krybit
Threat Level
High
Confidence: High

Quick Summary

Alleged
Company
Ford Motor Company SA de CV
Industry
Manufacturing
Threat Actor
Krybit
Date of Incident
Jun 28, 2026

Executive Summary

Ford Motor Company, S.A. de C.V., a manufacturing entity based in Mexico, was publicly listed as a victim by the Krybit ransomware group on their dark web portal on June 28, 2026. This detection was made possible by SOCRadar’s Dark Web Monitoring service. The organization operates within the manufacturing sector, specifically in the automotive-industrial domain. Krybit has been active in targeting businesses in the business services, public sector, and technology sectors, with recent victims concentrated in Germany, Mexico, and Peru.

Technical Analysis

SOCRadar’s analysis revealed a significant exposure for the `ford.mx` domain through stealer-log telemetry. A sample containing 25 records, predominantly customer-facing credentials from endpoints like `sso.ci.ford.mx` and `login.ford.mx`, was identified. The exposure primarily involved customer account-takeover and supplier risk, with data freshness dating between June 19 and June 27, 2026. No corporate employee credentials were found in this specific sample, but this does not preclude their existence in the broader dataset. The observed credential harvesting aligns with typical initial access methods for ransomware groups like Krybit, where compromised credentials from underground marketplaces are used to access corporate networks. CTI teams are advised to enhance monitoring and implement credential hygiene measures, including a comprehensive review of corporate-domain credentials.