Accenture confirms a data-theft incident after '888' advertises 35 GB of internal source code, keys and Azure credentials
Accenture confirmed on 7 July 2026 that it suffered a data-theft incident after a threat actor using the handle "888" began advertising roughly 35 GB of internal data for sale on a cybercrime forum (BleepingComputer, 2026-07-07). Per the actor's own screenshots, the theft artefact shown is a request against a dev.azure.com endpoint followed by a git-clone of a private Azure DevOps repository named "121123_AtriasTalentAcademy" — an internal training/talent-academy project rather than confirmed client-delivery code — and the initial-access vector into that DevOps organisation has not been disclosed (teiss, 2026-07-08). The claimed dataset spans source code, RSA and SSH keys, Azure Personal Access Tokens and storage access keys — credential classes that, if valid and unrotated, chain into further Azure tenant / CI-CD compromise (T1078.004) or into downstream vulnerability discovery via the stolen source (T1213.003, T1552.001). Accenture's on-record statement confirms an incident but does not corroborate the actor's claimed scope, and SOCRadar explicitly flags that dataset authenticity, the 35 GB figure and key validity all remain unconfirmed (SOCRadar, 2026-07-08); "888" has a documented history of scope inflation (its June 2024 Accenture claim of 32,826 employee records proved to contain only three genuine ones) (Help Net Security, 2026-07-08). Defender takeaway: treat this as a secrets-in-repository hygiene and supply-chain-exposure story, not a novel intrusion technique — Accenture is a primary digital-transformation and cloud-migration contractor for the EU Commission, multiple EU member-state governments, UK public-sector bodies and, via Accenture Schweiz AG, the Swiss public sector, so any organisation running Accenture-built or Accenture-operated systems should treat the named credential classes as a rotation prompt regardless of the claim's unverified scope, and harden Azure DevOps secret handling accordingly.
We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery.
Several important details remain unclear: Whether the full advertised dataset is authentic, Whether the 35GB figure is accurate, Whether the alleged data is current, Whether any keys, tokens, or credentials are still valid.
Defender actions
- Organisations running Azure DevOps: audit repository clone/download volume and clones from unfamiliar egress IPs/ASNs; monitor Entra ID sign-in logs for PAT-authenticated Azure Resource Manager / DevOps REST calls from unusual geolocations or impossible-travel.
- Rotate long-lived Azure DevOps PATs and storage access keys to short-lived Entra Workload Identity Federation / OIDC tokens; run Advanced Security secret scanning + push protection across all repos; enforce IP-restricted Conditional Access on the DevOps organization.
Entities & scope
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.