
European Space Agency confirms breach after hacker claims stolen data


The European Space Agency (ESA) has confirmed a cybersecurity breach affecting external science servers after a threat actor using the alias "888" claimed to have stolen approximately 200 gigabytes of data and offered it for sale on the BreachForums cybercrime platform. The Paris-headquartered intergovernmental organization, which coordinates space activities across 23 member states, stated that its initial forensic analysis indicates only a limited number of servers outside its corporate network were impacted, though the attacker claims the stolen data includes source code, API tokens, confidential documents, and credentials.


What happened

On December 26, 2025, reports emerged on social media that ESA had suffered a data breach after a hacker posting under the alias "888" advertised over 200 gigabytes of allegedly stolen data for sale on BreachForums. According to the threat actor's listing, they gained access to ESA-linked systems on December 18, 2025, and maintained connectivity for about a week.

The hacker claims to have exfiltrated source code, CI/CD pipelines, API and access tokens, confidential documents, configuration files, Terraform files, SQL files, hardcoded credentials, and a complete dump of private Bitbucket repositories. Screenshots shared as proof of access suggest the attacker had access to ESA's JIRA and Bitbucket development systems.

ESA acknowledged the allegations on December 29, 2025, and launched a forensic investigation. The following day, the agency confirmed that a breach had occurred but characterized the impact as limited.


The big picture

The European Space Agency operates as a central hub for Europe's space activities, coordinating satellite development, launch systems, space science missions, Earth observation programs, and human spaceflight projects across its 22 member states. With approximately 3,000 staff and a 2025 budget of €7.68 billion ($9 billion), ESA handles sensitive technical information spanning both scientific research and commercial aerospace development.


Why it matters

The exposure of source code, API tokens, and hardcoded credentials creates risks that extend beyond the immediate data theft. Stolen credentials and access tokens can enable attackers to maintain persistent access to systems, move laterally through connected networks, or sell access to other threat actors. Configuration files and CI/CD pipeline information can reveal security weaknesses and operational details valuable for future attacks.


Flashback

This breach marks another entry in ESA's history of cybersecurity incidents targeting systems outside its core corporate network.

In December 2024, ESA's official merchandise web shop was compromised by a payment-skimming attack. Malicious JavaScript code was injected into the checkout process, harvesting visitors' credit card information through a fake Stripe payment page while appearing to originate from ESA's own domain.

In 2015, three ESA domains were compromised via SQL injection vulnerabilities, resulting in the theft and leak of information belonging to thousands of subscribers and some ESA staff, including over 8,000 passwords and emails.


What they're saying

In a statement posted on X, ESA acknowledged the severity of the incident while emphasizing containment measures: "ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices."

The agency added, "Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community. All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available."

An ESA spokesperson told BleepingComputer that the agency "maintains a robust framework and governance structure to address such incidents effectively."


What to watch

The forensic investigation remains ongoing, and ESA has indicated it will provide updates as more information becomes available. Key questions include whether the threat actor successfully exfiltrated all claimed data, whether any classified or sensitive mission information was accessed despite ESA's characterization of affected servers as "unclassified," and whether the stolen credentials or access tokens have been used to maintain ongoing access to connected systems.


FAQs

What is BreachForums?

BreachForums is a cybercrime marketplace where threat actors buy, sell, and trade stolen data, hacking tools, and access credentials. Despite repeated law enforcement takedowns, the forum has resurfaced several times under different administrators and remains a primary venue for advertising data breaches.


What are hardcoded credentials?

Hardcoded credentials are usernames, passwords, API keys, or authentication tokens embedded directly in source code or configuration files rather than stored securely in separate credential management systems. When source code is stolen, these embedded credentials provide attackers with ready-made access to connected systems and services.
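The kind of hardcoded credential described here, and in the "Why it matters" section above, is something a repository owner can catch before a leak. The following is an added example written for this article, not ESA's tooling or code: a small scanner that flags sensitive-looking keys (passwords, tokens, access keys) assigned a quoted literal in config or Terraform-style files, while letting indirections such as `var.x` or environment lookups pass. The sample config and the key values in it are constructed for the example.

```python
import math
import re
from typing import NamedTuple

# Constructed sample of Terraform/config-style lines; all values are made up
# for this example and are not real credentials.
SAMPLE_CONFIG = """\
provider "aws" {
  access_key = "AKIAEXAMPLEEXAMPLE01"
  secret_key = "Q7v2pLx9Kd3mWz8sRt4yBn6cHj1fGe5a"
}
db_password = "hunter2"
api_token   = var.api_token
JIRA_TOKEN  = os.environ["JIRA_TOKEN"]
retries     = "3"
"""

class Finding(NamedTuple):
    line_no: int
    key: str
    reason: str

# A sensitive-looking key assigned a quoted literal. References such as
# var.x or os.environ[...] are not quoted literals, so they do not match.
SENSITIVE_ASSIGNMENT = re.compile(
    r'^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key|access_key)[\w.-]*)'
    r'\s*[=:]\s*"(?P<value>[^"]+)"',
    re.IGNORECASE,
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words like 'admin' score low."""
    return -sum((n / len(s)) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))

def classify(value: str) -> str:
    """Heuristic label for why a literal looks like a credential (not proof)."""
    if value.startswith("AKIA") and len(value) == 20:
        return "AWS access key ID format"
    if len(value) >= 16 and shannon_entropy(value) > 3.5:
        return "high-entropy literal"
    return "plaintext literal"

def scan(text: str) -> list[Finding]:
    """Return one Finding per line that assigns a literal to a sensitive key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SENSITIVE_ASSIGNMENT.match(line)
        if m:
            findings.append(Finding(line_no, m.group("key"), classify(m.group("value"))))
    return findings
```

Running `scan(SAMPLE_CONFIG)` reports lines 2, 3 and 5 and stays silent on the two lines that pull the value from a variable or the environment, which is the remediation the FAQ describes.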


What is a CI/CD pipeline?

CI/CD (Continuous Integration/Continuous Deployment) pipelines are automated workflows that developers use to build, test, and deploy software. Access to pipeline configurations can reveal security controls, deployment processes, and integration points that attackers can exploit to inject malicious code or gain access to production systems.
