Data management and records storage firm Iron Mountain has confirmed it experienced a cybersecurity incident after an extortion group publicly claimed to have stolen a large volume of internal company data.
The threat group known as Everest posted on its dark web leak site that it had obtained roughly 1.4 terabytes of internal documents belonging to Iron Mountain. The group alleged that the stolen trove included sensitive information, potentially even client-related files, in an effort to gain leverage for a ransom demand. However, according to Iron Mountain, the real impact was far more limited.
In a statement to BleepingComputer, Iron Mountain explained that attackers gained access to a single folder hosted on a third-party file-sharing service using a compromised set of valid credentials. That folder, the company said, contained mainly marketing materials intended for external vendors, not internal secrets or customer data.
The firm has confirmed that the compromised credentials have been deactivated, and there is currently no evidence that any sensitive customer or personal information was exposed as a result of the incident.
Iron Mountain also emphasized that no ransomware was deployed and no malicious software was found on its systems in connection with this breach.
The breach came to light after Everest — a threat actor group known for leaking stolen data to pressure companies into paying ransom demands — listed Iron Mountain as a victim on its leak site, claiming to have exfiltrated internal documents. Iron Mountain’s response undercuts the most serious elements of that claim, portraying the incident as limited to a third-party service and non-sensitive materials.
Iron Mountain’s services span records management, data backup, secure shredding, and other information lifecycle solutions for businesses. The company serves more than 240,000 clients worldwide, making even limited security incidents noteworthy for customers and industry observers alike.
While the exposed content appears to have been largely marketing-related, the incident serves as a reminder of how attackers increasingly exploit compromised credentials and third-party services to access corporate data — even if the ultimate impact falls short of the worst-case scenarios publicized by extortion groups.
