What happened
The European Space Agency confirmed a December 26, 2025 breach on its external science servers after a threat actor calling itself “888” advertised roughly 200 gigabytes of stolen data on BreachForums. Within weeks, a second group tying itself to Scattered Lapsus$ claimed another 500 gigabytes of material, including mission procedures, satellite documentation, and supplier secrets.
Timeline
- Dec 18–26, 2025: “888” gains access to external servers, hoards source code, API tokens, Terraform files, and internal Bitbucket/JIRA snapshots, then posts proof on BreachForums.
- Dec 29–30, 2025: ESA acknowledges the breach, describing the affected servers as limited to unclassified science endpoints.
- Early Jan 2026: Scattered Lapsus$ “Hunters” claim 500 GB more stolen via the same flaw; ESA launches a criminal probe. Data includes contractor notes from SpaceX, Airbus, and Thales Alenia Space.
What was at risk
The stolen troves were said to contain CI/CD pipeline configurations, JIRA tickets, API keys, and credentials for platforms like Bitbucket. The sheer quantity of Terraform and SQL files gives attackers a stepping stone to pivot into more sensitive networks by reusing credentials or abusing the infrastructure definitions those files describe. Even if ESA called the servers “unclassified,” the stolen engineering context gives attackers insight into upcoming missions and system dependencies.
ESA’s own note warns that the attackers had access to “source code, CI/CD pipelines, API/access tokens, hardcoded credentials, private repositories, and configuration artifacts,” which means any developer or supplier tied to those tools must now rotate secrets and verify supply chain integrity.
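As an added example (not code from ESA or from any vendor named here), a small scan over constructed Terraform and CI/CD pipeline snippets that flags the kinds of hardcoded credentials and tokens ESA's list describes, so each hit becomes an item on the rotation worklist; the file names, values and regexes are all assumptions made for illustration.

```python
import re

# Constructed sample artifacts standing in for the file types the ESA note lists
# (Terraform, CI/CD pipeline config). Nothing here is real ESA or vendor data.
SAMPLE_ARTIFACTS = {
    "infra/main.tf": '''
provider "aws" {
  access_key = "AKIAEXAMPLE000000001"
  secret_key = "EXAMPLEsecretkeyDoNotUse0123456789"
}
resource "aws_db_instance" "science" {
  password = "ChangeMe123!"
}
''',
    "ci/pipeline.yml": '''
steps:
  - run: curl -H "Authorization: Bearer ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.example.invalid/
env:
  API_TOKEN: ${{ secrets.API_TOKEN }}
''',
}

# Conservative rules: a vendor-shaped key id, a literal bearer token, and a quoted literal
# assigned to a secret-looking key; values containing '$' (e.g. ${{ secrets.X }}) are skipped.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"Bearer\s+[A-Za-z0-9_\-]{20,}")),
    ("hardcoded_secret_assignment",
     re.compile(r'(?i)\b(secret_key|password|api_key|token)\s*[:=]\s*"[^"$]{8,}"')),
]

def scan_artifact(path, text):
    """Return one (path, line_no, rule_name) tuple per hardcoded credential hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def scan_all(artifacts):
    """Scan every artifact; every hit is a secret to rotate, not merely delete."""
    findings = []
    for path, text in artifacts.items():
        findings.extend(scan_artifact(path, text))
    return findings

if __name__ == "__main__":
    for path, line_no, rule in scan_all(SAMPLE_ARTIFACTS):
        print(f"{path}:{line_no}  {rule}")
```

Because the artifacts are already public, deleting the literals from the repository is not enough; each flagged value has to be revoked and reissued at the issuing platform.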
Why this still matters
Reusing the same vulnerability twice — once for 200 GB, once for 500 GB — highlights a patch management gap. Without an isolated bastion or a proper zero-trust policy on the science networks, attackers simply re-entered the same external portal. The doubled exposure also shows why mission data is only as safe as the vendor ecosystems that feed it.
The incident has historical context: ESA’s 2024 merchandise store skimming attack and a 2015 breach keep resurfacing as proof that sophisticated intruders remain interested in the space agency’s supply chain.
Defender takeaways
- Treat “unclassified” systems as high-risk if they expose CI/CD or developer tools.
- Rotate API tokens and keys as soon as an external server shows evidence of odd downloads or persistence.
- Isolate contractor portals with MFA, least privilege, and separate monitoring so a breach on an external system cannot cascade inward.