Severity: high
Records: 200 GB (data volume)
Vector: Exploitation of external collaboration servers (Bitbucket, Jira)
Organization: European Space Agency
Incident Date: 2025-12-18

What Happened

On December 18, 2025, a threat actor using the alias “888” breached external servers operated by the European Space Agency (ESA), claiming to have exfiltrated approximately 200 GB of data from private Bitbucket repositories and Jira instances. ESA confirmed the breach on December 29, 2025, stating that “only a very small number of external servers may have been impacted.”

A second breach was reported within two weeks, with a separate criminal group claiming approximately 500 GB of additional operational and contractor data.

Exposed Data

The threat actor claimed the exfiltrated data included source code from private Bitbucket repositories, API and access tokens for internal services, CI/CD pipeline configurations, Terraform infrastructure code, SQL database files, hardcoded credentials found in source code and configuration files, internal technical and operational documents, and confidential mission material including subsystem requirements related to the Ariel mission and Airbus spacecraft material marked “confidential.”

A Second Breach

Within two weeks of the initial incident, a separate criminal group claimed to have stolen approximately 500 GB of operational and contractor data. This included spacecraft procedures and subsystem documentation, as well as mission details referencing SpaceX, Airbus, and Thales Alenia Space. The group stated that the vulnerability used to gain initial access back in September 2025 had still not been patched, and they offered live system access for sale.

ESA’s Response

ESA stated that the compromised servers were external systems supporting unclassified collaborative engineering activities within the scientific community. The agency maintained that core mission systems were not directly affected, no classified or highly sensitive operations were exposed, and the impacted servers were hosted outside ESA’s internal network.

Not Their First Incident

This is not ESA’s first cybersecurity incident. In December 2024, ESA’s online shop, operated by an external service provider, was exploited by attackers to process malicious payments. That platform was also hosted outside ESA’s internal network.

The pattern of external-facing systems being compromised while core systems remain unaffected raises questions about the security posture of ESA’s supply chain and external collaboration infrastructure.

Timeline

According to the second breach group's claim, the vulnerability used for initial access was first exploited in September 2025. Threat actor “888” breached external Bitbucket and Jira servers on December 18, 2025. The breach was first publicly reported on December 26, and ESA confirmed it on December 29. In early January 2026, the second criminal group claimed to have exfiltrated 500 GB from the same or related systems.

What Organizations Should Do

Organizations operating external collaboration infrastructure should audit all externally accessible code repositories for hardcoded credentials and sensitive data. Implementing access controls and monitoring on Bitbucket, Jira, and similar platforms is essential. All API tokens and credentials that may have been exposed should be rotated. External collaboration systems should be segmented from internal mission-critical infrastructure, and regular vulnerability assessments of internet-facing development tools should be conducted.
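As a starting point for the repository audit recommended above, the following added example (not code from ESA or from any party named in this report) scans repository files such as Terraform and pipeline configurations for literal credentials while ignoring values that reference a variable or secret store. The rule set, the function names, and the sample files are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive rules: key names that usually hold a secret,
# followed by ':' or '=' and a value of at least 8 characters.
SECRET_KEY = re.compile(
    r"(?i)\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\s\"',;)]{8,})"
)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Values that point at a variable or secret store instead of a literal.
REFERENCE = re.compile(r"^(?:\$|var\.|local\.|data\.|\{\{|<)")


def scan_text(path, text):
    """Return (path, line_no, rule, key) for each suspected hardcoded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY.search(line):
            findings.append((path, no, "private-key", None))
            continue
        for key, value in SECRET_KEY.findall(line):
            if not REFERENCE.match(value):  # skip injected or referenced secrets
                findings.append((path, no, "literal-secret", key))
    return findings


def scan_repo(files):
    """files: mapping of relative path -> file content, e.g. read from a checkout."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; none of these values come from the incident.
SAMPLE_REPO = {
    "infra/main.tf": 'resource "aws_db_instance" "db" {\n  username = "svc"\n'
                     '  password = "EXAMPLE-not-a-real-pw"\n}\n',
    "infra/vars.tf": "  password = var.db_password\n",
    "bitbucket-pipelines.yml": "script:\n  - export API_TOKEN=$API_TOKEN\n"
                               "  - export JIRA_API_TOKEN=EXAMPLEtoken0000\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n",
}

if __name__ == "__main__":
    for path, no, rule, key in scan_repo(SAMPLE_REPO):
        # Report location and rule only; never echo the secret value itself.
        print(f"{path}:{no}: {rule}" + (f" ({key})" if key else ""))
```

Every credential such a scan finds should be treated as exposed and rotated, and the scan should also cover commit history, since a secret deleted from the current tree remains readable in older commits.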