
The European Space Agency (ESA) has confirmed yet another cybersecurity breach — this time affecting external servers used in collaborative engineering. A threat actor claiming responsibility for the attack has allegedly pilfered “classified documents.”
ESA acknowledged that attackers had gained unauthorized access to servers located outside its corporate network. According to the agency, these systems contained information relating to collaborative engineering projects.
“ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network,” the ESA posted Tuesday on X. “We have initiated a forensic security analysis—currently in progress—and implemented measures to secure any potentially affected devices.”
“Our analysis so far indicates that only a very small number of external servers may have been impacted,” the space org noted. “These servers support unclassified collaborative engineering activities within the scientific community. All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available.”

Screenshots shared by BleepingComputer, showing an alleged threat actor on underground forums, suggest access to internal services such as ESA’s JIRA and Bitbucket systems — reportedly over the span of a week — and show claims of roughly 200 GB of data exfiltrated, including “classified documents,” configuration files, credentials and source files.
Further details about the extent of the breach remain limited as investigations continue.
This isn’t the first time ESA systems have been targeted. While the agency is best known for space exploration, its digital footprint has faced persistent threats.
In late December 2024, ESA’s official merchandise web shop was compromised by a sophisticated payment-skimming attack. Malicious JavaScript code was injected into the checkout process, causing visitors’ credit card information to be harvested via a fake Stripe payment page — all while the checkout appeared to originate from ESA’s own domain.
Security researchers discovered the bogus payment interface and highlighted the danger of such “supply-chain” style attacks, where trusted interfaces serve hostile code. Although the store was taken offline and the malicious code removed, the incident raised questions about vendor and third-party integrations as potential attack vectors.
In 2015, an Anonymous-linked breach exposed staff and subscriber information from multiple ESA subdomains due to SQL-injection vulnerabilities. That attack resulted in the leak of more than 8,000 passwords, emails, and other data.
Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.