European Space Agency Confirms Breach of External Servers
Jan 2, 2026
The European Space Agency (ESA) has acknowledged a recent cybersecurity incident involving unauthorized access to several external servers used for collaborative engineering activities, marking another major security event for the renowned space agency.
Founded in 1975 and headquartered in Paris, France, ESA coordinates space missions for its 23 member states and employs roughly 3,000 personnel with an annual budget of approximately €7.68 billion (~$9 billion).
What Happened?
On December 30, 2025, ESA confirmed in a public statement that attackers successfully breached several servers located outside the agency’s core corporate network. These systems supported unclassified collaborative engineering activities with the scientific community.
ESA has stated that a forensic security analysis is currently underway, and initial findings suggest that only a limited number of external servers were affected. Measures have already been implemented to secure potentially compromised systems, and all relevant stakeholders have been notified as part of the incident response process.
Claims from the Threat Actor
A threat actor using the alias “888” took credit for the breach on the BreachForums hacking forum, sharing screenshots as alleged proof of access. According to the actor, they maintained access for about one week and exfiltrated over 200 GB of data.
The threat actor claims the stolen content includes:
Source code from private Bitbucket repositories
CI/CD pipeline configurations
API tokens and other access credentials
Configuration and Terraform files
SQL database files
Hardcoded credentials and internal documents
ESA has not independently verified the full scope or volume of the data described by the threat actor.
What ESA Has Said
In its statement, ESA emphasized:
“Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community.”
The agency also highlighted that investigation efforts are ongoing, and further updates will be provided as more information becomes available.
Scope and Impact
Although the affected servers were outside ESA’s primary corporate infrastructure and contained unclassified data, cybersecurity experts warn that the exposure of technical assets, like source code and access tokens, can still enable future attacks, credential abuse, or supply-chain exploitation if not fully remediated.
ESA’s technical community and partners have been alerted, but the exact operational impact on ongoing collaborative projects remains unclear.
Previous Security Incidents
This is not the first time the European Space Agency has faced cybersecurity challenges in recent years. In late 2024, ESA’s official web store was compromised when malicious JavaScript was injected to capture customer payment and personal data at checkout, underscoring persistent threats against its digital ecosystem.