200 GB Of Data Stolen In ESA Server Breach

The European Space Agency (ESA) confirmed a cybersecurity breach on December 30, 2025, involving a limited number of external servers located outside its corporate network, following claims by a hacker using the alias “888” who offered 200 GB of allegedly stolen data for sale on the BreachForums dark web marketplace.

The hacker claimed to have accessed ESA systems starting December 18, maintaining access for about a week and exfiltrating data including source code, API and access tokens, configuration files, credentials, and internal documentation.

The breach was first reported on December 26, 2025, when the hacker “888” posted on BreachForums, claiming to have stolen over 200 GB of data from ESA’s infrastructure, including private Bitbucket repositories, CI/CD pipeline configurations, Terraform and SQL files, and hardcoded credentials.

The threat actor provided screenshots as proof, allegedly showing access to internal systems such as Jira, Bitbucket, and configuration files, though the authenticity of these images has not been independently verified.

ESA confirmed the incident on December 29, 2025, and reiterated on December 30 that the impact was limited to a small set of external servers not connected to its core corporate systems.

Despite the hacker’s claims, ESA has not confirmed the full scope of the data theft but acknowledged unauthorized access and stated that all relevant stakeholders have been notified.

The agency has emphasized that the compromised systems were used for unclassified scientific collaboration, but the exposure of source code and access tokens could pose downstream security risks if credentials are reused in operational environments.

ESA has initiated a forensic investigation and stated that the affected servers supported unclassified collaborative engineering activities within the scientific community, emphasizing that no highly sensitive or classified information was compromised.

In a statement posted on X on December 30, 2025, the agency announced it had launched a forensic investigation and implemented containment measures to secure potentially affected devices.ESA.

“ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network,” the X post reads. “We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices.”

The agency stressed that the compromised servers were “outside the ESA corporate network”, suggesting that they contained data that cannot be labeled as highly sensitive.

“Our analysis so far indicates that only a very small number of external servers may have been impacted,” the tweet further explains. “These servers support unclassified collaborative engineering activities within the scientific community. All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available.”

This incident is not the first for ESA; in late 2024, its online merchandise store was compromised via malicious JavaScript injected during checkout, leading to the theft of customer payment and personal data.