It has just been a few weeks since we reported on the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.
When ESA revealed that it had been hacked over the Christmas period by a hacker known as “888” it was quick to reassure the public that the impact was “limited” to external servers containing unclassified engineering data.
The hacker, however, claimed to have exfiltrated some 200GB of data, including source code, API and access tokens, hardcoded credentials, and SQL files. Some of the stolen documents were said to be related to the Ariel space telescope mission which aims to launch in 2029 in a mission to find out the atmospheric composition of exoplanets.
In light of the latest data breach to impact ESA, the December 2025 incident doesn’t look too bad.
Because this month the Scattered Lapsus$ Hunters cybercrime group was quick to pick up where “888” had left off, exploited what they claim was an unpatched vulnerability to steal an additional 500GB of data – more than double the initial haul.
Furthermore, this latest breach reportedly involves data that might be more concerning – such as operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space.
As a consequence of this latest incident, ESA has now confirmed that a criminal investigation is underway.
Some have suggested that poor cybersecurity practices at ESA may have helped the hacking group gain unauthorised access to systems.
Cybersecurity researcher Clémence Poirier told Space.com that she frequently comes across the email credentials of ESA staff (as well as NASA) up for sale on dark web forums.
Unfortunately for ESA, it has suffered from a history of cybersecurity incidents. These have ranged from its official online merchandise store being compromised with payment card-skimming code just days before Christmas 2024, to an Anonymous-linked breach that exposed employee and subscriber passwords and other data in 2015.
The high profile of organisations that work in outer space means that they are common targets for both bug hunters and malicious hackers, with vulnerabilities being disclosed “almost every day” to BugCrowd about NASA, for instance.
