ESA Director General Josef Aschbacher visiting the inside of ESA HPC. Credits: ESA/V. Stefanelli

ESA Confirms Cybersecurity Incident Following Claims of 200GB Data Breach

The agency says only a “very small number” of servers outside its corporate network may be affected; a forensic analysis by ESA is still ongoing

The European Space Agency (ESA) has confirmed a cybersecurity incident involving servers located outside its corporate network, following online claims that attackers exfiltrated and offered for sale roughly 200GB of data.

ESA says it has launched a forensic security analysis and implemented short-term remediation measures. Based on the investigation so far, the agency says the impact appears limited to a “very small number” of external servers supporting unclassified collaborative engineering activities within the scientific community.


What is confirmed by ESA

In its public statement, dated December 30, ESA acknowledged a “recent cybersecurity issue” affecting servers outside the ESA corporate network, with a forensic investigation still in progress.

According to the agency’s initial findings, only a small subset of external servers may have been impacted, and these systems support unclassified collaboration rather than operational corporate infrastructure. ESA also said relevant stakeholders have been informed and further updates will follow as the investigation develops.

The incident gained traction after a threat actor—reported by multiple outlets as using the alias “888”—claimed on the BreachForums hacking forum that they compromised ESA systems and stole more than 200GB of data.

Public reporting says the threat actor shared screenshots as alleged proof of access to ESA tools and repositories — including Jira (issue-tracking for tasks and bug reports) and Bitbucket (a Git platform for hosting code repositories) — and claimed the stolen dataset includes internal development materials such as source code, configuration files and credentials like API/access tokens (digital keys that can grant system access).

ESA has not verified these allegations in its public updates so far.


Why “unclassified” data can still matter

Even if affected servers are truly limited to unclassified research collaboration, exposed development assets (e.g., tokens, credentials, configuration files) can create follow-on risk—such as targeted phishing, credential reuse attacks, or supply-chain style pivoting—depending on how access is segmented and secrets are managed. ESA has not yet disclosed the intrusion vector or validated the attacker’s full scope.

This is not the first ESA-linked security incident reported in recent years. In December 2024, ESA’s official online shop (hosted and operated externally) was compromised via injected malicious code designed to capture customer payment details during checkout—another case involving a platform outside ESA’s internal infrastructure.

Separately from this incident, ESA has publicly described efforts to strengthen cyber resilience, including the inauguration of a Cyber Security Operations Centre (C-SOC) in 2025 to help monitor and protect ESA’s digital assets across different environments.


Edoardo Giammarino

Co-Founder & CEO. Drummer and Red Cross Volunteer, born in 1997. I like analog photography and videomaking. Firmly music-addicted.
