
European Space Agency Confirms Data Breach After Hackers Auction Stolen Information

The European Space Agency (ESA) has confirmed a data breach after a group of infamous hackers on the previously defunct BreachForums claimed to have breached its servers and exfiltrated sensitive information.

“ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis – currently in progress – and implemented measures to secure any potentially affected devices,” it stated on X.

ESA says the data breach affected a limited number of servers that “support unclassified collaborative engineering activities.”

Upon learning of the breach, the space agency responded by notifying all relevant stakeholders and launching an investigation, promising to provide details when more information becomes available.

Scattered Lapsus$ Hunters claims ESA data breach

The prolific Scattered Lapsus$ Hunters hacking collective has taken credit for the ESA data breach, claiming to have exfiltrated over 200GB of data after compromising the space agency’s JIRA and Bitbucket servers for at least a week.

According to the hacking coalition’s post on BreachForums, the exfiltrated data includes source code repositories, CI/CD pipelines, API and access tokens, configuration files, Terraform files, SQL files, hardcoded credentials, and more. The leaked technical details could expose the space agency’s infrastructure to various forms of cyber attacks.

Meanwhile, the attacker is offering the stolen data for sale in exchange for the privacy-based Monero (XMR) cryptocurrency.

Scattered Lapsus$ Hunters has operated on European soil before. In September 2025, the English-speaking hacking collective claimed responsibility for the Jaguar Land Rover cyber attack that disrupted manufacturing and distribution across various facilities.

“Although the ESA states that core mission systems are secure, the leaked JIRA and Bitbucket data indicates the attackers had access for potentially a week, possibly mapping CI/CD pipelines and uncovering hardcoded credentials,” warned Damon Small, Board of Directors, Xcape. “This information is invaluable for supply chain attacks, enabling adversaries to understand space infrastructure’s inner workings and identify potential vulnerabilities.”

The European Space Agency breached again

Scattered Lapsus$ Hunters claims to have breached the European Space Agency again and exfiltrated over 500GB of data, including mission-critical information, by exploiting an external vulnerability that was reportedly unpatched at the time of disclosure.

According to the Register, the stolen files expose ESA’s operational procedures, contingency plans, system capabilities, security protocols, spacecraft tolerances and failure modes, Earth Observation (EO) satellite constellation details, and information on managing satellite orientation and position.

The stolen information belongs to various high-profile contractors, including SpaceX, Airbus, Thales, Leonardo, SkyLabs, Deimos Imaging, EUMETSAT, ISISPACE, OHB System AG, Sener, Sitael, and Teledyne.

The data breach affected various ESA projects, including Greece’s national space program and the UK Space Agency’s climate-themed TRUTHS (Traceable Radiometry Underpinning Terrestrial- and Helio-Studies) project.

The space agency’s Next Generation Gravity Mission and FORUM (Far-infrared Outgoing Radiation Understanding and Monitoring Earth Explorer Mission) projects were also affected.

“As space agencies increasingly rely on distributed partnerships, vendors, and cloud services, their attack surface grows. This problem is so pervasive, in fact, that the US DoD implemented the Cybersecurity Maturity Model Certification to ensure that all subcontractors are protecting controlled unclassified information,” added Small.

No stranger to data breaches

The European Space Agency has experienced numerous data breaches in the past. In December 2024, hackers injected a JavaScript skimmer into the space agency’s online store to steal the personal information of its customers.

In 2015, ESA’s domains were also compromised via an SQL vulnerability, exposing the personal information of thousands of people, including subscribers and staff.

In 2011, the space agency downplayed another hacking incident in which the attacker leaked its FTP login credentials and server configuration files.