What happened
A Pax8 email error exposes MSP partner licensing and customer lists after a mis‑sent email on January 13, 2026 included a spreadsheet with internal business information for approximately 1,800 managed service provider partners, including names, Microsoft SKU details, license counts, and renewal dates in the attachment. The cloud marketplace distributor Pax8 confirmed that fewer than 40 UK‑based partner recipients received the unintended file and subsequently requested deletion, noting that the data did not contain personally identifiable information but did include commercial licensing and customer portfolio details. Some recipients reported that threat actors have approached MSPs offering to buy the dataset, which could be leveraged for competitive or malicious targeting.
Who is affected
Affected parties include approximately 1,800 MSP partners connected to Pax8, whose internal business and licensing data was exposed indirectly through the mistaken distribution of an internal spreadsheet.
Why CISOs should care
Exposure of partner‑specific business data can fuel competitive intelligence abuse, targeted phishing, business email compromise campaigns, or social engineering efforts against MSPs and their customers.
3 practical actions
- Enforce internal email safeguards: Implement DLP and review outbound communications to catch sensitive attachments.
- Notify partners promptly: Communicate transparently with affected MSP partners and guidance for secure deletion.
- Audit data handling policies: Reinforce controls around distribution of partner business data.