TL;DR

The European Space Agency reported a security incident it says likely affected a small number of external servers, while a user on BreachForums has offered over 200 GB of alleged ESA data for sale. ESA has begun a forensic investigation and notified stakeholders; the authenticity and scope of the claimed theft remain unverified.

What happened

The European Space Agency acknowledged a security incident and said the impact appears confined to a limited set of external servers used for unclassified engineering and scientific collaboration. The agency said a forensic security analysis is underway and that measures have been taken to secure potentially affected devices; relevant stakeholders have been informed. Screenshots circulated from the cybercrime forum BreachForums show an offer posted after Christmas claiming more than 200 GB of ESA data. The alleged intruder says they accessed ESA-linked external servers from around December 18 for about a week and exfiltrated items they identify as source code, CI/CD pipelines, API tokens, configuration and Terraform files, SQL dumps, hardcoded credentials, confidential documents and private Bitbucket repositories. Journalists seeking further detail received an automated response noting ESA offices were closed for the New Year holiday.

Why it matters

  • If authentic, exposed source code, tokens and credentials could enable further intrusions or misuse of systems.
  • Repeated incidents targeting external ESA systems raise questions about the security of collaboration-facing infrastructure.
  • Public disclosure and potential leaks of confidential documents may affect partner confidence and contractual relationships.
  • Uncertainty about the data's authenticity and scope complicates response efforts and risk assessments for affected parties.

Key facts

  • ESA says the incident may have affected a "very small number of external servers" used for unclassified collaboration.
  • The agency has initiated a forensic security analysis and said it has implemented measures to secure affected devices.
  • A post on BreachForums claims more than 200 GB of ESA data is available for sale; screenshots of that post circulated publicly.
  • The alleged attacker said they had access beginning December 18 and were connected for about a week, per the screenshots.
  • Claimed items for sale include source code, CI/CD pipelines, API and access tokens, configuration and Terraform files, SQL files, hardcoded credentials, confidential documents and private Bitbucket repositories.
  • Requests for further information received an automated reply noting ESA offices were closed for the New Year holiday.
  • ESA has experienced previous incidents — including an online store compromise last year and domain compromises in 2015 and 2011 — and has repeatedly said internal networks were not affected in prior cases.
  • The authenticity of the data on offer and whether internal ESA systems were impacted have not been publicly verified.

What to watch next

  • Verification of whether the files offered on BreachForums are genuine and what specific data they contain — not confirmed in the source
  • Results of the ESA forensic analysis and whether any internal networks or mission systems were affected beyond external collaboration servers — not confirmed in the source
  • Whether any exposed credentials or tokens remain active and whether partners or customers are instructed to rotate keys or take mitigation steps — not confirmed in the source

Quick glossary

  • BreachForums: An online forum known for hosting stolen data and facilitating cybercrime transactions.
  • CI/CD pipeline: A set of automated processes for building, testing and deploying software changes.
  • API token: A credential used to authenticate and authorize programmatic access to an application programming interface.
  • Terraform file: A configuration file used by Terraform to provision and manage infrastructure as code.
  • Bitbucket repository: A hosted storage location for source code and version history, provided by the Bitbucket service.

Reader FAQ

Did ESA confirm that its internal networks were breached?
ESA said the impact may be limited to a very small number of external servers used for unclassified collaboration; it did not confirm internal network compromise.

Is the 200 GB of data on sale verified as authentic?
Not confirmed in the source.

Has ESA completed its investigation and shared full details?
ESA has started a forensic analysis and said it will provide updates as additional information becomes available; no final report was published in the source.

Have any credentials or tokens been revoked?
Not confirmed in the source.

CYBER-CRIME

European Space Agency hit again as cybercrims claim 200 GB data up for sale

As in past incidents, ESA says the impact was limited to external systems

Brandon Vigliarolo…
