European Space Agency Data Breach via Compromised External Servers
The European Space Agency (ESA) confirmed a data breach after a threat actor claimed to have accessed and exfiltrated over 200 GB of sensitive data from external servers. The attacker, using the alias "888," advertised the stolen data for sale on BreachForums, providing screenshots as proof and claiming to have obtained source code, confidential documents, credentials, API tokens, configuration files, and a dump of private Bitbucket repositories. ESA stated that the incident affected only a small number of external servers used for unclassified engineering and scientific collaboration, and emphasized that the breach did not impact its core corporate network. The agency has initiated a forensic investigation, implemented containment measures, and notified relevant stakeholders, while continuing to assess the full scope of the compromise.
The breach was first detected when the attacker announced the sale of the data on December 18, 2025, and maintained access to the compromised servers for about a week. ESA has publicly acknowledged the incident and is providing updates as the investigation progresses. The organization has reassured the public that the affected servers were not part of its main infrastructure and that the impact appears limited, though the full extent of the data exposure is still under review. The incident highlights ongoing threats to scientific and engineering organizations from cybercriminals seeking to monetize stolen intellectual property and sensitive information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ESA contains incident, notifies stakeholders, and opens forensic probe
Following confirmation of the breach, ESA said it had implemented containment and security measures, notified relevant stakeholders, and launched an ongoing forensic investigation. The agency indicated that further updates would be provided as the investigation develops.
ESA confirms breach of external unclassified collaboration servers
ESA publicly acknowledged a cybersecurity incident affecting a small number of external servers supporting unclassified scientific and engineering collaboration. The agency said its core internal or corporate network was not impacted and that the compromised information was unclassified.
Hacker '888' advertises 200 GB of alleged ESA data for sale
A threat actor using the alias '888' publicly claimed to have breached the European Space Agency and offered more than 200 GB of allegedly stolen data for sale on BreachForums/DarkForums. The advertised data reportedly included source code, credentials, API tokens, configuration files, documents, and screenshots purporting to show internal ESA environments.
Threat actor '888' allegedly accesses ESA external servers for about a week
According to ESA reporting cited later, the attacker maintained access to ESA-linked external science and collaboration servers for roughly a week in mid-December 2025. The affected systems were described as external to ESA's main corporate network and used for unclassified engineering and scientific collaboration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Hacker Claims 200GB Data Theft From European Space Agency — Here’s What We Know
techrepublic.com
Open sourceEuropean Space Agency confirms breach of “external servers”
databreaches.net
Open sourceEuropean Space Agency hit again as cybercrims claim 200 GB data up for sale
go.theregister.com
Open sourceESA disclosed a data breach, hackers breached external servers
securityaffairs.com
Open sourceHacker Claims European Space Agency Breach, Selling 200GB of Data
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
European Commission Probes Breach of Amazon Cloud Environment
The European Commission is investigating a breach after a threat actor gained unauthorized access to its Amazon cloud infrastructure and at least one account used to manage that environment. According to reports, the intrusion was detected quickly by the Commission’s cybersecurity incident response team, but the actor claims to have exfiltrated more than **350 GB** of data, including multiple databases. Screenshots shared with reporters allegedly show access to European Commission employee information and an email server used by staff. The actor reportedly said they do not intend to extort the Commission and instead plan to leak the stolen data later. The incident adds to a recent string of security problems at European institutions: the Commission had already disclosed a separate breach tied to a compromised mobile device management platform, apparently linked to exploitation of **Ivanti Endpoint Manager Mobile** code-injection vulnerabilities that affected other organizations in the region as well.
Apr 24, 2026
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026
European Commission Confirms AWS-Hosted Cloud Breach and Data Theft
The European Commission disclosed a cyberattack affecting cloud infrastructure used to host websites on the `Europa.eu` platform, saying early findings indicate data was stolen from at least one AWS account in its environment. The Commission said it detected the incident on March 24 and took immediate containment measures, while stressing that its internal systems were not compromised and that AWS infrastructure itself was unaffected. It is notifying potentially affected Union entities and continues to investigate the scope and impact of the breach. Subsequent reporting linked the intrusion to **ShinyHunters**, which allegedly claimed to have taken more than **350GB** of data, including databases, and to still have access to a Commission email server. The cloud breach followed another security incident reported earlier in the year involving European Commission staff mobile devices and a mobile device management environment, with that separate intrusion reportedly associated with exploitation of **Ivanti EPMM**. Together, the incidents have intensified scrutiny of the Commission’s security posture across both cloud-hosted services and employee device management systems.
May 27, 2026