Overview
- A threat actor using the handle 888 claimed that access to ESA-linked external systems began on December 18 and continued for about a week.
- The BreachForums listing advertises roughly 200 GB of purported data, including source code, CI/CD pipelines, access tokens, credentials, configuration files, and private Bitbucket repositories.
- ESA says it has started a forensic investigation, implemented containment measures, and notified stakeholders, with no indication so far that corporate networks are affected.
- The attacker posted screenshots as evidence, but the contents and sensitivity of the dataset have not been independently verified.
- Coverage places the event in a pattern of prior compromises of non-core ESA assets, including a 2015 domain incident and last year's online store attack.