The European Space Agency (ESA) has confirmed it is responding to a cybersecurity incident involving several externally hosted science servers, following claims by hackers that they exfiltrated up to 200 gigabytes of internal data. While ESA says no classified or mission-critical systems were affected, cybersecurity experts warn the incident highlights growing vulnerabilities across the increasingly interconnected global space sector.
In a statement, ESA said the affected infrastructure consisted of a “very small number” of servers located outside its core corporate network and used for collaborative engineering work with external scientific partners. The agency emphasized that the compromised systems contained only unclassified information and that its primary operational, corporate, and classified environments remain secure.
“ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network,” the agency said. “A forensic security analysis is currently in progress, and measures have been implemented to secure any potentially affected devices.”
Claims of 200 GB of Data Stolen
The agency’s acknowledgement follows a post on the BreachForums cybercrime website by an individual using the alias “888,” who claimed responsibility for the breach and offered more than 200 GB of data for sale. According to multiple cybersecurity outlets, the cache allegedly includes source code, private Bitbucket repositories, API and access tokens, configuration files, credentials, Terraform and SQL files, and internal documentation.
Screenshots posted by the purported attacker show access to ESA’s JIRA and Bitbucket systems for approximately one week, though independent verification of the authenticity of these screenshots has not yet been made public.
There is a concern that such a volume of stolen assets could facilitate supply chain attacks or lateral movement into more sensitive networks if exploited by advanced threat actors — even if the files themselves were classified as unclassified.
Try 99% unique intel verified by 15k SOCs. Integrate TI Feeds today
ESA Response and Investigation
ESA’s official statement did not address whether the claimed data theft has been confirmed. The agency’s public messaging reiterated that:
“Our analysis so far indicates that only a very small number of external servers may have been impacted.”
ESA said it has taken steps to secure potentially affected systems and will share further details as investigations progress. The organisation did not identify which specific servers were affected or whether internal credentials or engineering artifacts have been definitively compromised.
Broader Context: Persistent Threats to Space Sector Infrastructure
This incident underscores a persistent trend: organisations that operate external, collaborative platforms often face exposure due to their distributed nature. Reports by security researchers suggest attacks on development services such as Atlassian’s JIRA and Bitbucket are increasingly attractive to attackers seeking source code or tokens that can unlock further access into an organisation’s network.
The ESA breach also draws attention to the wider space technology security landscape, where satellites, research collaborations, and international partnerships expand the digital attack surface. While ESA insists no core systems or classified networks were accessed in this incident, the potential theft of development assets and credentials does raise concerns about future exploitation if those assets are reused or insufficiently rotated.
This is not the first time ESA has faced cybersecurity challenges. Historical records show that in 2015, hackers associated with Anonymous breached ESA subdomains, leading to credential leaks.
More recently, in late 2024, a different intrusion involved a compromised ESA merchandise web shop, where malicious code was injected to harvest customer payment card data — though that attack targeted external commerce infrastructure rather than development or engineering systems.
In addition, broader European Union cybersecurity assessments highlight that sectors associated with critical space infrastructure often struggle to meet stringent regulatory requirements such as those under NIS2, in part due to limited cybersecurity expertise and reliance on third-party components. (Note: while NIS2 context isn’t reported directly by ESA, this pattern is described by security analysts as part of the wider threat landscape.)
What Happens Next
As ESA continues its forensic analysis, several key questions remain:
Verification of the data claims: Independent examination of the alleged files and screenshots is still pending.
Scope of potential credential exposure: Whether access tokens or hardcoded credentials could allow escalation into additional systems.
Implications for satellite projects and international partnerships: If data relates to collaborative missions or tools shared with member states, it may have broader operational impact.
ESA has committed to updating stakeholders and the public as more information becomes available, and the incident underscores an increasingly urgent imperative for enhanced cybersecurity across space agencies and scientific collaborations.