Cloud marketplace and distributor Pax8 has confirmed that it mistakenly sent an email to fewer than 40 UK-based partners containing a spreadsheet with internal business information, including MSP customer and Microsoft licensing data.
Pax8 is a fast-growing cloud commerce marketplace with more than 1,700 employees, over 47,000 partners worldwide, and operations in 18 countries. The company recently surpassed $2 billion in annual revenue, with particularly strong growth in Europe.
CSV exposes customer and licensing data
The email, titled “Potential Business Premium Upgrade Tactic to Save Money,” was sent on January 13 by an EMEA-based strategic account manager and included a CSV attachment.
According to Pax8, the file contained internal pricing and Microsoft program information affecting approximately 1,800 partners, primarily in the UK, with one in Canada, and was accidentally distributed to fewer than 40 UK-based recipients.
MSPs who received the message told BleepingComputer that the CSV file listed customer organization names, Microsoft SKUs, license counts, and New Commerce Experience (NCE) renewal dates.
Artifacts shared with BleepingComputer directly by multiple recipients reveal that the leaked spreadsheet contained more than 56,000 entries with fields such as:
* Partner Name and ID
* Customer Name and ID
* Vendor Name and Product Name
* Gross & Net Bookings
* Currency Total Quantity
* Territory
* Account Owner
* Provision Date
* Cancelled Book Date
* Postal Code
* Transaction Type
* Commitment Term End Date
Shortly after the email was sent, the sender attempted to recall the message and later followed up with another email asking recipients to delete the original message and attachment, acknowledging it had been sent in error.
In the follow-up notice, Pax8 told partners that the file did not contain personally identifiable information but limited business information that may reveal MSP pricing and Microsoft program management details. Such information, including customer portfolios and licensing footprints, would normally be visible only to the MSP managing those tenants and Pax8 itself.
Multiple recipients shared the wording from Pax8’s follow-up with BleepingComputer:
“Dear Partner,
Earlier today, 13 January 2026, a Pax8 employee mistakenly sent an email with an attached spreadsheet to fewer than 40 UK-based partners. The attachment did not contain personally identifiable information. However, the file included limited internal business information reflective of your Pax8 pricing and some Microsoft program management.
Importantly, there is no impact to Marketplace availability or security controls as a result of this incident.
What we did immediately
* Contacted each recipient directly and requested deletion of the email and attachment
* Required confirmation of deletion and non-forwarding
* Are conducting 1:1 follow-up calls with recipients to reinforce deletion and confirm completion
* Launched an internal review to determine how this occurred and to prevent recurrence
What you need to do
No action is required from you.
If you have questions, please reach out to us at trust@pax8.com.
We recognize the responsibility we have to protect partner-confidential information.
Sincerely,
Pax8 Alerts”
Threat actors reportedly seeking the dataset
BleepingComputer has also learned from industry sources that threat actors are now approaching some affected MSPs, offering to buy copies of the exposed dataset.
Such information could be valuable both to competitors and cybercriminals. For rival MSPs, the list could reveal which organizations use Pax8 as their distributor, the size of each customer’s Microsoft environment, contract renewal timelines, and potentially the pricing tiers being paid—data that could be used for competitive targeting or poaching.
For threat actors, the dataset could function as a high-quality targeting list, identifying organizations running specific Microsoft products, the scale of their deployments, and which MSP manages their environment. This could enable more convincing phishing campaigns, business email compromise attempts, or extortion efforts timed around license renewals and contract negotiations.
BleepingComputer approached Pax8’s media team for comment prior to publication, but messages to the listed press address repeatedly bounced. We also reached out to members of the communications team, the support desk, the trust@pax8.com inbox, and personnel familiar with the incident.
A Pax8 spokesperson later confirmed the incident to BleepingComputer, aligning with details already disclosed in the company’s public notices and partner communications.