Accenture Confirms Breach as Hacker Advertises 35GB of Source Code and Keys
Accenture has confirmed a security incident after a threat actor known as "888" advertised 35GB of stolen source code, RSA and SSH keys, Azure access tokens and configuration files on a cybercrime forum. The consultancy says the source is remediated and operations are unaffected, but the leak underlines how quickly developer secrets become an attacker's launchpad.

Mark Fermor
Director & Co-Founder, Firevault

Accenture, the world''s largest IT services firm and No. 1 on CRN''s 2026 Solution Provider 500, has confirmed a security incident after a threat actor using the alias "888" claimed on 6 July 2026 to be selling roughly 35GB of source code and credentials stolen from the consultancy. In a statement to CRN, Accenture said it was aware of the "isolated matter", had remediated its source, and reported no impact to operations or service delivery.
What Happened
On 6 July 2026, the actor known as "888" posted on a cybercrime forum offering data allegedly taken from an Accenture Azure DevOps repository. Screenshots shared with security researchers at BleepingComputer, Cyber Security News and SOCRadar showed the attacker cloning a repository and included a free sample to prove the haul. Two days later, Accenture confirmed the incident in a statement to CRN, saying the source had been remediated and that there was no impact to operations or service delivery. The company declined to say how the data was accessed, how current it was, or whether any client information was involved.
What Data Was Claimed
According to the forum listing, the 35GB archive included:
- Application source code from an Azure DevOps repository.
- RSA and SSH private keys used for server and code-signing access.
- Azure Personal Access Tokens and storage access keys.
- Configuration files that typically expose infrastructure and database endpoints.
This is not the first time "888" has targeted Accenture. In 2024, the same handle tried to sell Accenture employee records taken through a third-party breach.
Why This Matters
A source-code leak is rarely just a source-code leak. Repositories are where an organisation''s live secrets sit next to the logic that uses them, and the credentials named in this listing (SSH keys, RSA keys, Azure PATs, storage access keys) are exactly what an attacker needs to pivot from a stolen archive into production systems. Even if Accenture has now rotated every key that touched that repository, downstream customers using shared integrations, pipelines or managed services should assume the blast radius is wider than the initial statement suggests until proven otherwise.
It also reinforces a pattern Mark Fermor has flagged repeatedly at Firevault: the most damaging breaches of 2025 and 2026 have not started with a zero-day in the perimeter. They have started with a developer secret, a supplier login, or a forgotten token sitting somewhere it could be reached from the internet.
The Offline Alternative
Firevault provides Layer 1 physical air gap storage. The keys, recovery credentials and master copies of critical data held inside a Firevault unit sit on media that is physically disconnected from any network for the majority of its life. There is no repository to clone, no token to lift, and no remote path an attacker on a cybercrime forum can walk down.
For an organisation the size of Accenture, that principle applies less to day-to-day source control and more to the crown jewels behind it: root certificate authority keys, disaster-recovery vaults, offline copies of client escrow data, and the recovery material used to rebuild identity systems if the live environment is ever compromised. Kept online, those assets are one credential leak away from being enumerated. Kept in a physically air-gapped vault, they cannot be reached by an "888" logging into an Azure tenant from the other side of the world.
Key Takeaways
- Confirmed, not resolved: Accenture confirms the incident and says the source is remediated, but has not disclosed scope, access path, or whether client data was involved.
- Credentials, not code, are the payload: The listing''s value is the SSH and RSA keys, Azure PATs and storage keys inside the archive, not the source itself.
- Assume rotation is not enough: Any secret that lived in the affected repository should be treated as burned across every downstream system it authenticated to.
- Repeat targeting: The same threat actor targeted Accenture in 2024 through a third-party breach, showing sustained interest in the supplier''s ecosystem.
- Keep the recovery keys offline: The credentials that let you rebuild after a breach must not live in the same environment attackers can reach. Physical air gap storage removes the network path entirely.
Suggested Reading
- What is Offline Secure StorageThe foundation of physical disconnection
- Why Offline Secure StorageThe case for physical control
- Ransomware DefenceHold gold copies offline
- Firevault ControlPhysical path control for IT and OT
- Knowledge VaultAll articles, guides and whitepapers
- Book a DemoSee Firevault in action





