LIVE · cybersecurity feed
data breachhigh

Accenture Confirms Security Incident After Hacker Claims 35GB Source-Code Theft

zeroday.news·1h ago
ShareXLinkedInWhatsAppFacebook

Accenture has confirmed it is investigating a security incident after a cybercriminal put what they describe as a large trove of the company's internal data up for sale. The consulting and technology firm said it is aware of the matter and has already dealt with its source, but it has not confirmed that any data was actually taken.

The listing appeared in early July on a cybercrime forum, where a seller using the handle "888" claimed to have breached Accenture and walked away with just over 35GB of source code. The post advertised the material to potential buyers.

The seller says the cache extends well past source code. It supposedly also contains RSA and SSH keys, Azure personal access tokens, Azure Storage access keys, and a range of configuration files. As proof, the post included screenshots, one of which appeared to show a private Azure DevOps repository, named 121123_AtriasTalentAcademy, being cloned from a redacted address hosted on Accenture's own infrastructure.

A screenshot can lend weight to a claim of repository access, but it does not establish the total volume of stolen data or verify that every file type in the listing is genuine. For now, the seller's inventory remains unproven.

Accenture has characterized the situation as an isolated issue and said it remediated the source, adding that client operations and service delivery were not affected. Beyond that, the company has left key questions unanswered: it has not confirmed how much data was taken, whether the source code and keys are authentic, whether any of the exposed credentials were still active, how the attacker gained access, or whether customer data was involved. Until those details emerge, the confirmed incident is narrower than the seller's advertisement suggests.

The nature of the claimed data is what sets this apart from an ordinary breach. A leaked list of names and emails typically fuels phishing or fraud. Source code and cloud credentials are a different category of exposure. Code can reveal how internal tools are built and how systems connect, while tokens and storage keys, if still valid, can act like keys to live environments, potentially letting an intruder reach development tools or cloud storage without having to break in a second time.

That is also why stolen engineering data can keep causing harm long after an incident is declared contained. Attackers can comb source code for vulnerabilities, test whether old credentials still work, and borrow internal naming conventions to make future phishing far more convincing. Configuration files and connection details can point them toward vendors, customers, or shared infrastructure. In other words, a single breach can become the blueprint for the next one.

Firms like Accenture are attractive precisely because of where they sit. Large consulting and services companies operate close to the systems that keep major enterprises and governments running, from cloud platforms and identity tools to codebases and transformation projects. A single foothold can offer outsized insight into how those environments are assembled and secured, even when it does not translate into direct client compromise.

The company has weathered security scares before. In 2017, researchers discovered misconfigured cloud storage buckets exposing details about an Accenture platform and its customers. In 2021, the LockBit ransomware group struck the firm and threatened to publish stolen files. And in 2024, the same "888" persona attempted to sell what was billed as data on tens of thousands of employees, a claim Accenture later said was almost entirely inaccurate.

With the scope still unverified, the practical response for organizations that depend on outside development partners is familiar: rotate any credentials that could plausibly be exposed, much like changing the locks after losing a master key, tighten and review access to source-code repositories, and watch for unusual logins or unexpected changes to build and deployment settings while the situation is assessed.

data breachaccenturesource codecloud securityextortion
ShareXLinkedInWhatsAppFacebook
← Back to latest

More News

view all →
zeroday.news · 4h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 4h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 5h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 5h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 5h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 5h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.