A cyber extortion group has publicly claimed that Danish pharmaceutical giant Novo Nordisk — the maker of blockbuster drugs like Ozempic and Wegovy — used extremely weak passwords on critical systems, including examples like “novo123.”
The group, FulcrumSec, says it spent more than two months inside Novo Nordisk’s networks, stealing over 1.3 terabytes of data before the company detected the intrusion. They are now threatening to sell portions of the stolen information after Novo Nordisk reportedly rejected their $25 million ransom demand.
What Happened
Novo Nordisk confirmed on or around June 11, 2026, that unauthorized actors had gained access to “a limited number of internal IT systems.” The company stated that the breach exposed pseudonymized data from some clinical trials, including patient IDs, sex, birth year, biomarkers, and lifestyle factors such as BMI and smoking status. Novo Nordisk emphasized that no names or directly identifiable information were taken and that there is no immediate risk to patients.
However, FulcrumSec paints a much more serious picture. In posts on their leak site and communications shared with media outlets, the group claims they exfiltrated:
- Manufacturing recipes and processes for key drugs (including semaglutide and amycretin)
- AI models and related intellectual property
- Employee records
- Clinical trial data
- Other sensitive internal documents
They have reportedly leaked samples to prove the authenticity of their claims.
The Weak Password Allegations
One of the most striking claims from the threat actor is that Novo Nordisk’s security was undermined by basic credential hygiene failures. FulcrumSec specifically mentioned weak passwords such as “novo123” being used on critical systems.
While companies of Novo Nordisk’s size typically have sophisticated security programs, the group alleges that initial access was gained through a combination of:
- Weak or reused passwords
- Phishing attacks
- Compromised GitHub tokens and API credentials
- Over-privileged service accounts that allowed lateral movement once inside the network
These details, if accurate, highlight how even large, well-resourced organizations can fall victim to relatively unsophisticated attack vectors when basic security fundamentals are not consistently enforced across all systems and teams.
Multiple Groups Claim Involvement
Reports indicate that at least two separate threat actors have claimed responsibility or partial involvement in the breach:
- FulcrumSec — Demanded $25 million and appears to be the primary group leaking data.
- TheUSERS007 — Reportedly demanded $50 million and claimed to have used an AI-powered tool called “venomware.”
It is possible the two groups operated independently or that one gained access after the other. This kind of “double extortion” or overlapping claims has become increasingly common in ransomware and data theft incidents.
Why This Breach Matters
Novo Nordisk is one of the world’s most valuable pharmaceutical companies, largely due to the massive success of its GLP-1 drugs for diabetes and weight loss. A breach involving manufacturing processes and clinical data carries several serious implications:
Intellectual Property Theft
Manufacturing recipes for complex biologic drugs are extremely valuable. If the stolen data is authentic and detailed enough, it could help competitors or other actors reverse-engineer or accelerate development of similar products.
Clinical Trial Data Exposure
Even pseudonymized trial data can be sensitive. While Novo Nordisk states there is no immediate patient risk, the long-term implications for privacy and trust in clinical research are concerning.
AI Model Theft
The reported theft of AI models is particularly notable given the growing importance of artificial intelligence in drug discovery, clinical trial optimization, and manufacturing.
Reputational and Regulatory Damage
As a major public company handling sensitive health data, Novo Nordisk faces potential regulatory scrutiny in multiple jurisdictions, along with significant reputational harm.
Lessons for Cybersecurity in Pharma and Beyond
This incident reinforces several important cybersecurity realities in 2026:
- Credential hygiene still matters enormously. Even sophisticated organizations can be compromised through basic password weaknesses, especially when service accounts and developer tools (like GitHub tokens) are not properly secured.
- Pharma and biotech remain high-value targets. Intellectual property related to blockbuster drugs and advanced manufacturing processes is extremely attractive to both ransomware groups and nation-state actors.
- AI is a double-edged sword. While AI tools can help defenders, threat actors are also leveraging AI (as claimed by one of the groups in this case) to improve their attacks.
- Data exfiltration is often the real goal. Many modern attacks focus less on encryption and more on stealing and monetizing sensitive data.
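The credential-hygiene lesson above can be enforced at password-set time. The following is an added example, not code from Novo Nordisk or any party named in this article: a check that rejects passwords derived from organisation-specific words, the pattern “novo123” follows. The context word list, the minimum length and the residue threshold are assumptions chosen for illustration.

```python
import re

# Assumed context words: organisation and product names taken from the article.
CONTEXT_WORDS = {"novo", "nordisk", "novonordisk", "ozempic", "wegovy"}
# Common character substitutions that are undone before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12   # assumed policy minimum
MAX_RESIDUE = 4   # assumed: letters tolerated beyond the context words


def _skeletons(password):
    """Yield letter-only, lower-cased forms of the password.

    The first form drops digits and symbols (catches 'novo123'); the
    second reverses leetspeak first (catches 'N0v0...')."""
    lowered = password.lower()
    yield re.sub(r"[^a-z]", "", lowered)
    yield re.sub(r"[^a-z]", "", lowered.translate(LEET))


def context_findings(password, context_words=CONTEXT_WORDS):
    """Return policy findings for a candidate password.

    'context_derived' means the password is essentially context words
    plus padding: once those words are removed, at most MAX_RESIDUE
    letters remain. A long passphrase that merely contains a context
    word is not flagged."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    for skeleton in _skeletons(password):
        residue, hit = skeleton, False
        # Longest words first so 'novonordisk' is consumed before 'novo'.
        for word in sorted(context_words, key=len, reverse=True):
            if word in residue:
                hit = True
                residue = residue.replace(word, "")
        if hit and len(residue) <= MAX_RESIDUE:
            findings.append("context_derived")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, not values from any leak.
    for candidate in ("novo123", "N0v0N0rd1sk!2026",
                      "purple-novo-kettle-drum-41"):
        print(candidate, context_findings(candidate))
```

A check like this belongs alongside a breached-password blocklist, and it applies equally to service-account and shared credentials, which often bypass the interactive password-change path.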
What Novo Nordisk Has Said
Novo Nordisk has stated that it is working with cybersecurity experts and law enforcement, and that it has notified relevant authorities. The company maintains that the breach was limited and that patient safety is not at risk. Like most organizations in this situation, it has not publicly confirmed or denied the specific technical details alleged by the threat actors.
The Bottom Line
The Novo Nordisk breach serves as a stark reminder that even industry leaders with substantial security resources can suffer serious compromises when fundamental controls — such as strong, unique passwords and proper credential management — are not consistently applied.
Whether the specific claim about passwords like “novo123” proves fully accurate or not, the broader message is clear: in an era of sophisticated threat actors and high-value data, basic cyber hygiene remains a critical line of defense.
As FulcrumSec continues to threaten data sales and investigations proceed, this incident is likely to become a major case study in pharmaceutical cybersecurity for years to come.
FAQs
What data was allegedly stolen from Novo Nordisk?
According to the hacking group FulcrumSec, they stole manufacturing recipes, AI models, clinical trial data, and employee records — totaling over 1.3 terabytes.
Did Novo Nordisk confirm the weak password claims?
Novo Nordisk has confirmed a breach but has not publicly detailed the specific attack methods. The weak password claims come from the threat actor.
Is patient data at risk?
Novo Nordisk states that only pseudonymized data was accessed and that no names or direct identifiers were taken, meaning there is no immediate risk to patients.
Who is FulcrumSec?
FulcrumSec is a cyber extortion group that emerged in late 2025 and has been linked to several high-profile incidents involving data theft and ransom demands.
What should companies learn from this?
Even large organizations must prioritize basic security fundamentals like strong password policies, credential management, and limiting privileges — especially for developer tools and service accounts.
