Breaches

Accenture Breached: Confirms Security Incident

Accenture Breached: Confirms Security Incident

A threat actor known as 888 is selling what they claim is 35GB of Accenture source code and cloud credentials. Accenture says it has fixed the source of the issue, but has not confirmed the scope, and no data has publicly leaked.

Accenture has acknowledged a security incident after a threat actor using the handle 888 advertised roughly 35GB of allegedly stolen company data for sale on the cybercrime forum PwnForums. The listing, dated July 6, 2026, claims the data was taken in a July 2026 breach and is being sold as a one-time deal in Monero (XMR), the privacy-focused cryptocurrency.

According to the post, the claimed data includes source code, RSA keys, SSH keys, Azure personal access tokens (PATs), Azure storage access keys, and configuration files. The most credible signal in the listing, reported by outlets including Help Net Security, is a sample screenshot pointing to a private Azure DevOps repository hosted on an Accenture-associated production URL. That detail matters because it suggests the actor reached a development environment rather than a single stray file.

Accenture, one of the world's largest IT services firms, has not confirmed the actor's numbers. In a statement provided to BleepingComputer and Help Net Security, the company said it is aware of the matter and has "remediated its source," adding that there is no impact to its operations or service delivery. Accenture did not say how the actor gained access, whether data was actually exfiltrated, or whether any client information was involved.

We reviewed the sample directory tree circulated with the listing. The file is a text listing of an Accenture folder about 263MB in size, spanning roughly 88 top-level project folders, mostly Node.js and React web application code. It references 127 environment (.env) files outside dependency folders, including production, staging, and development variants, along with SQL database scripts, an SSL certificate archive, token-handling source files, dozens of application and database config files, and hundreds of office documents and spreadsheets.

Two caveats matter. First, a directory tree only proves that these file types exist in the folder structure. It does not prove the contents of any .env file, certificate, or database script were exposed. Second, the raw file count running into the millions is heavily inflated by third-party node_modules dependencies, so a "5 million files" framing overstates the proprietary footprint.

This is not 888's first run at Accenture. In June 2024, the same handle tried to sell data on more than 32,000 current and former employees, tied to a third-party breach. Accenture disputed that claim, saying the data set contained only three real names and Accenture email addresses, according to Help Net Security. Separately, in 2021, the LockBit ransomware group claimed to have stolen about 6TB from Accenture, an incident the company acknowledged while saying disruption was limited.



International Cyber Digest

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Subscribe Send a tip