Accenture confirms break-in as hacker offers 35GB of stolen code for sale

The consulting giant says the incident is contained, but a forum seller known as 888 claims to be holding source code, Azure access keys and SSH keys taken in July 2026.

ThreatVectr Newsdesk· 4 min read
Photoreal editorial shot of a modern glass office tower at dusk with cold blue interior lighting on empty open-plan floors, a faint reflection of code-like patt
Share

Key points

  • Accenture confirmed on the record that it suffered a security incident after a hacker known as 888 advertised stolen data for sale.
  • The seller claims to hold 35GB of source code taken from Accenture in July 2026.
  • The listing also mentions RSA keys, SSH keys, Azure personal access tokens, Azure Storage access keys and configuration files.
  • Accenture says the source has been fixed and there is no impact to operations or client service delivery.
  • The same seller previously touted Accenture employee data in 2024, and the company was hit by the LockBit ransomware crew in 2021.

Accenture, one of the world's largest IT consulting firms, has confirmed a security breach after a hacker put what they say is stolen company data up for sale on a cybercrime forum.

"We are aware of this isolated matter, and we have remediated its source," the company told BleepingComputer, which first reported the confirmation. "There is no impact to Accenture operations and service delivery."

The seller uses the handle 888. In their forum post they claim to have taken just over 35 gigabytes of source code from Accenture in July 2026. They also list other sensitive material: RSA and SSH keys (the digital credentials that servers and developers use to prove who they are), Azure personal access tokens (login codes for Microsoft's cloud), Azure Storage access keys, and configuration files.

To back up the claim, 888 posted a screenshot that appears to show them cloning an internal Accenture code repository called "121123_AtriasTalentAcademy", hosted on an Azure DevOps address ending in accenture.com. The full scope of what was taken has not been independently verified.

Accenture has not said how the attackers got in, how much data actually left its systems, or whether any client information was involved.

Is this a nation-state operation?

Almost certainly not. The activity looks like straightforward financially motivated crime, not espionage.

888 is a forum persona tracked as a serial data broker. There is no public reporting from any major vendor (Mandiant, CrowdStrike, Microsoft) linking the handle to a named intrusion cluster, and no overlapping infrastructure or tradecraft has been published that would tie it to groups like Kimsuky, Sandworm or a Chinese contractor set. Treat any attribution beyond "forum-based data seller" as low confidence.

That matters because capability and intent are different things. A broker who ends up with source code and cloud keys is dangerous regardless of pedigree. Leaked Azure tokens and SSH keys can be reused to log straight back into systems, or sold on to a ransomware affiliate who will.

What could actually be in the files?

Source code from a firm like Accenture is not just Accenture's problem. The company builds and runs software for banks, insurers, hospitals and governments, so its repositories often contain client project code, internal tools and, in the worst case, hard-coded secrets that unlock client systems.

Cloud access keys are the bigger short-term worry. If any of the Azure tokens listed by 888 are still live, whoever buys them could try to read cloud storage, pivot into build pipelines, or plant malicious changes in code that flows downstream to customers. This is the same style of supply-chain risk that made the SolarWinds intrusion so damaging.

Accenture says it has "remediated the source". In plain terms, that usually means the way in has been closed and the exposed credentials rotated. It does not tell us whether copies of the data are already circulating.

What Accenture customers should do

If your organisation uses Accenture for development or managed services, this is a reasonable moment to ask two questions. Which of our systems does Accenture hold credentials for, and when were those credentials last rotated? Any shared secrets, API tokens or service accounts tied to Accenture-run projects should be treated as potentially exposed until the company says otherwise.

This is not Accenture's first bad week. LockBit stole data from the firm in 2021, and 888 themselves surfaced Accenture employee records in 2024 through a third-party breach. The pattern is worth noting even without a single-source attribution to any one crew.

© 2026 Threat Vectr