A group is hawking records of more than 12,000 Frost & Sullivan’s employees and customers on a hacker folder.

“The breach occurred to a misconfigured backup directory on one of Frost and Sullivan public-facing servers,” Cyble CEO Beenu Arora said in a BleepingComputer report. “The backup directory had its employees and customers records, along with other confidential information.”

The KelvinSecurity Team said they put the information – which includes names, email addresses, company contacts, login names and hashed passwords – for sale in a hacking forum to sound the “alarm” after Frost & Sullivan didn’t respond to the group’s attempt to alert it to the exposed database.

“As some hashed passwords can be easily deciphered, cybercriminals can use this information to log in to Frost & Sullivan’s database as the employee, gaining access to client personal information and other employee details,” said Jumio CEO Robert Prigge. “As enterprises across all industries have trusted Frost & Sullivan for over 60 years, the company has a responsibility to keep customer and employee data safe, as do all companies with a digital presence.”

Ben Goodman, senior vice president of global business and corporate development at ForgeRock, called for organizations to “end the need for usernames and passwords during the login experience” to prevent breached login credentials from being used for credential stuffing attacks or targeted account hijacking.”