2026-07-08 · view entry permalink →
Accenture confirms a data-theft incident after '888' advertises 35 GB of internal source code, keys and Azure credentials
Accenture confirmed on 7 July 2026 that it suffered a data-theft incident after a threat actor using the handle "888" began advertising roughly 35 GB of internal data for sale on a cybercrime forum (BleepingComputer, 2026-07-07). Per the actor's own screenshots, the theft artefact shown is a request against a dev.azure.com endpoint followed by a git-clone of a private Azure DevOps repository named "121123_AtriasTalentAcademy" — an internal training/talent-academy project rather than confirmed client-delivery code — and the initial-access vector into that DevOps organisation has not been disclosed (teiss, 2026-07-08). The claimed dataset spans source code, RSA and SSH keys, Azure Personal Access Tokens and storage access keys — credential classes that, if valid and unrotated, chain into further Azure tenant / CI-CD compromise (T1078.004) or into downstream vulnerability discovery via the stolen source (T1213.003, T1552.001). Accenture's on-record statement confirms an incident but does not corroborate the actor's claimed scope, and SOCRadar explicitly flags that dataset authenticity, the 35 GB figure and key validity all remain unconfirmed (SOCRadar, 2026-07-08); "888" has a documented history of scope inflation (its June 2024 Accenture claim of 32,826 employee records proved to contain only three genuine ones) (Help Net Security, 2026-07-08). Defender takeaway: treat this as a secrets-in-repository hygiene and supply-chain-exposure story, not a novel intrusion technique — Accenture is a primary digital-transformation and cloud-migration contractor for the EU Commission, multiple EU member-state governments, UK public-sector bodies and, via Accenture Schweiz AG, the Swiss public sector, so any organisation running Accenture-built or Accenture-operated systems should treat the named credential classes as a rotation prompt regardless of the claim's unverified scope, and harden Azure DevOps secret handling accordingly.
We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery.
Several important details remain unclear: Whether the full advertised dataset is authentic, Whether the 35GB figure is accurate, Whether the alleged data is current, Whether any keys, tokens, or credentials are still valid.