35GB of Accenture secrets appear on hacker forum, company confirms incident
Did 35GB of secrets get exfiltrated from a Fortune 500 provider?

Image from Shutterstock
- A hacker claims they stole 35GB of Accenture source code, cloud credentials, and development files.
- The alleged data includes keys, Azure access tokens, configuration files, and possible .env files containing secrets.
- Cybernews researchers say exposed .env files could indicate data came from a developer machine, raising security risks.
- Accenture says operations and service delivery were not affected, and that the incident source has been remediated.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Exploitation fears hit Accenture after a hacker listed 35GB of the company's source code and cloud credentials for sale.
A threat actor going by the alias "888" has claimed responsibility for an Accenture data breach. The cybercriminal announced on a cybercrime forum that they’re selling 35GB of stolen Accenture source code.
"Today I am selling the Accenture Data Breach, thanks for reading and enjoy!" the threat actor wrote in a forum post on a well-known cybercrime marketplace. According to the listing, the alleged breach occurred in July 2026.
Accenture is one of the world's largest IT services companies, employing more than 700,000 people globally and providing services to tech giants such as Microsoft, Google, AT&T, and Verizon.
The same attacker has previously been linked to alleged breaches at Decathlon, Credit Suisse, Shell, Heineken, and UNICEF.
Hacker claims source code and sensitive credentials were stolen
The threat actor claims the dataset contains highly sensitive development materials, including:
- Source code
- RSA keys
- SSH keys
- Azure Personal Access Tokens (PATs)
- Azure Storage access keys
- Configuration files
This type of exposed data could provide attackers with valuable insight into Accenture's internal infrastructure and development environment and could lead to larger-scale cyberattacks.
Access to proprietary code gives potential attackers an advantage, as they can analyze applications offline, identify previously unknown vulnerabilities, and develop exploits before organizations have an opportunity to patch weaknesses.
Combined with exposed authentication keys or cloud access tokens, such information could increase the risk of unauthorized access to internal systems.
One worrying detail stands out
Cybernews researchers have reviewed samples shared by the threat actor. While the samples do not show actual source code, they include a directory tree outlining the structure of Accenture's codebase.
"The threat actor added a tree file that allegedly represents Accenture's source code structure as a sample. While it doesn't expose source code, one concerning thing I noticed is that there are multiple mentions of various .env files," our researchers said.
Developers typically use .env files to store sensitive information such as API credentials and secrets, so that they don't end up hardcoded in the application.
"If the threat actor got hold of these files, it could mean that this data was exfiltrated from a local developer machine rather than, for example, a GitHub repository, because .env files are usually ignored when uploading code there," the researchers explained.
If true, such a scenario significantly increases the risks associated with the incident. Stolen environment files could expose credentials for internal APIs, cloud services, and development systems, potentially allowing attackers to move beyond source code theft and attempt further compromises of internal infrastructure.
Accenture initially told media outlets it was "not aware of a cyberattack at the moment," before confirming the breach the following day.
The company stated that there was “no impact to Accenture operations and service delivery,” and the source of the incident has been remediated. As of now, Accenture has not issued a more detailed public statement.
Cybernews reached out to the company for comment and will update this article once we receive a response.
The same attacker hits twice?
The same threat actor has previously posted Accenture data. In June 2024, the attacker posted a database allegedly containing sensitive data on 32,826 current and former Accenture employees.
The data was allegedly stolen from an internal video conferencing tool called "Media Exchange." At the time, Accenture pushed back on the claims, saying that only 3 individuals were actually affected.
Cybernews researchers who reviewed the previous listing confirm that the currently distributed data differs from that dump.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.