ctipilot.ch

888

actor · actor:888-extortion-handle

Financially motivated data-extortion/access-broker handle active on cybercrime forums since at least 2024, with a documented history of inflating breach-scope claims (a June 2024 Accenture claim of 32,826 employee records proved to contain only three genuine ones); claimed a second Accenture data theft in July 2026 (~35 GB of source code, RSA/SSH keys and Azure PATs/storage keys from a private Azure DevOps repository).

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
4
4 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-08Accenture confirms a data-theft incident after '888' advertises 35 GB of internal source code, keys and Azure credentials
    active-threatsAccenture confirms a data-theft incident; '888' claims 35 GB of source code, RSA/SSH keys and Azure credentials

Where this entity is cited

  • active-threats1

Source distribution

  • bleepingcomputer.com1 (25%)
  • helpnetsecurity.com1 (25%)
  • socradar.io1 (25%)
  • teiss.co.uk1 (25%)

Entries about 888 (1)

2026-07-08 · view entry permalink →

NOTABLE

Accenture confirms a data-theft incident after '888' advertises 35 GB of internal source code, keys and Azure credentials

Accenture confirmed on 7 July 2026 that it suffered a data-theft incident after a threat actor using the handle "888" began advertising roughly 35 GB of internal data for sale on a cybercrime forum (BleepingComputer, 2026-07-07). Per the actor's own screenshots, the theft artefact shown is a request against a dev.azure.com endpoint followed by a git-clone of a private Azure DevOps repository named "121123_AtriasTalentAcademy" — an internal training/talent-academy project rather than confirmed client-delivery code — and the initial-access vector into that DevOps organisation has not been disclosed (teiss, 2026-07-08). The claimed dataset spans source code, RSA and SSH keys, Azure Personal Access Tokens and storage access keys — credential classes that, if valid and unrotated, chain into further Azure tenant / CI-CD compromise (T1078.004) or into downstream vulnerability discovery via the stolen source (T1213.003, T1552.001). Accenture's on-record statement confirms an incident but does not corroborate the actor's claimed scope, and SOCRadar explicitly flags that dataset authenticity, the 35 GB figure and key validity all remain unconfirmed (SOCRadar, 2026-07-08); "888" has a documented history of scope inflation (its June 2024 Accenture claim of 32,826 employee records proved to contain only three genuine ones) (Help Net Security, 2026-07-08). Defender takeaway: treat this as a secrets-in-repository hygiene and supply-chain-exposure story, not a novel intrusion technique — Accenture is a primary digital-transformation and cloud-migration contractor for the EU Commission, multiple EU member-state governments, UK public-sector bodies and, via Accenture Schweiz AG, the Swiss public sector, so any organisation running Accenture-built or Accenture-operated systems should treat the named credential classes as a rotation prompt regardless of the claim's unverified scope, and harden Azure DevOps secret handling accordingly.

We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery.

Accenture spokesperson, via BleepingComputer

Several important details remain unclear: Whether the full advertised dataset is authentic, Whether the 35GB figure is accurate, Whether the alleged data is current, Whether any keys, tokens, or credentials are still valid.

SOCRadar 2026-07-08
incident08 Jul 20:35Zmulti-sourceOpen finding ↗