Accenture Confirms Breach After Hacker Offers Stolen Data for Sale
What happened
Accenture confirmed it suffered a security breach after a threat actor claimed to have stolen 35 GB of source code and other company data. The company described the incident as isolated, said it had remediated the source of the issue, and stated that there was no impact to Accenture operations or service delivery.
The claim came from a threat actor using the handle “888,” who said the stolen data included source code, RSA keys, SSH keys, Azure personal access tokens, Azure Storage access keys, and configuration files. The attacker offered the data for sale on a cybercrime forum and claimed the breach occurred in July 2026.
To support the claim, the threat actor shared a screenshot that appeared to show an Azure DevOps repository being cloned from a redacted Accenture-hosted domain. The full scope of the alleged stolen data has not been independently confirmed, and Accenture did not comment on the attacker’s claims about the amount or types of data accessed.
Accenture did not disclose how the attackers gained access or whether customer data was affected. The same threat actor previously attempted to sell Accenture employee data following a third-party breach in 2024, and Accenture also suffered a separate breach in 2021 after LockBit stole data from its systems.
Who is affected
Accenture is directly affected, particularly teams responsible for source code, cloud access, DevOps infrastructure, and incident response.
Customers and partners may also be concerned because the alleged stolen data included development and cloud-related materials, though Accenture has not confirmed whether customer data was accessed or affected.
Organizations that rely on large consulting, managed services, cloud, engineering, or technology partners should also pay attention to the broader third-party and supply-chain risk.
Why CISOs should care
This incident highlights the risk created when source code, cloud tokens, SSH keys, storage access keys, and configuration files are exposed. Even if operations are not disrupted, stolen development and access materials can create follow-on risk.
For CISOs, the Azure DevOps angle is especially important. Source code platforms and DevOps repositories often contain not only code but also secrets, deployment scripts, infrastructure details, and integration paths into cloud environments.
The lack of confirmed details also reflects a common response challenge. When attackers claim to have stolen sensitive data, defenders must quickly determine what was accessed, whether secrets were valid, and whether any customer or production systems are exposed.
The case also reinforces the need to treat third-party and service-provider environments as part of enterprise risk. Large service firms often sit close to customer systems, cloud projects, and operational workflows.
3 practical actions
Rotate exposed development and cloud secrets: If source repositories, SSH keys, Azure personal access tokens, storage keys, or configuration files may have been exposed, security teams should revoke and rotate them quickly rather than waiting for full confirmation.
Review DevOps access and repository exposure: CISOs should audit Azure DevOps, Git repositories, CI/CD secrets, service connections, and access logs for unusual cloning, token use, or repository access from unfamiliar locations.
Assess supplier breach impact paths: Organizations working with consulting or managed service providers should confirm what access those partners have, which systems they can reach, and how quickly partner-side incidents would trigger customer notification and credential rotation.
More in cybersecurity:


