IKEA targeted by teenage hackers who hit Microsoft and Uber

The same attackers who hit Microsoft and Uber are now targeting IKEA, according to a recent breach claim. IKEA told Cybernews that they are investigating.
- Lapsus$ claims to have stolen 180GB of internal data from Ingka Group, the largest IKEA franchisee operating hundreds of stores across 32 countries. IKEA has not officially confirmed the breach.
- The allegedly stolen data relates to source code, not customer records. The listing references internal source code repositories, e-commerce architecture maps, supply chain logistics systems, cloud infrastructure, and AI/MLOps repositories.
- Even without customer data, the leak poses serious security risks. Exposed source code could reveal unpatched vulnerabilities, internal system architecture, and communication patterns between applications, giving attackers a detailed roadmap for more targeted future attacks.
- In the data sample, Cybernews researchers found roughly 6,300 directory names referencing internal tools, CMS platforms, and the IKEA Android app, but the actual contents of those directories remain unverified.
- The Lapsus$ gang has previously claimed breaches at Adidas, AstraZeneca, Microsoft, Uber and Vodafone.
The threat actor known as Lapsus$ claims to be selling 180GB of internal data allegedly stolen from Ingka Group, the largest franchisee of the IKEA brand, operating hundreds of stores and digital channels across 32 countries.
The allegedly exposed data includes internal source code. IKEA has not yet officially confirmed a data breach, but if the claims prove to be legitimate, leaked data could put the furniture giant at risk.
Founded in Sweden in 1943, IKEA has grown into the world's largest furniture retailer, operating over 500 stores across 63 countries. The company had €44.6 billion in retail sales in 2025 and employs more than 200,000 people worldwide.
What IKEA data was allegedly stolen?
The listing was posted on the gang’s site. Attackers claim that the listed dataset includes “full mapping of global e-commerce architecture and internal coworker platforms,” as well as “supply chain logistics, cloud infrastructure, and AI/MLOps repositories.”
To support their claims, the threat actor published a single sample file that appears to contain a directory tree structure.
At this stage, it is impossible to clarify what data is allegedly affected or what the scope is. Cybernews researchers have reviewed the sample and found that it contains references to roughly 6,300 directories. However, the file does not contain the actual contents of the directories.
“The sample only shows the directory structure. The directory names are where the details end,” Cybernews researchers explained.
The researchers say the naming of directories offers clues about the nature of the data allegedly exposed.
“Based on the naming of these directories, I would guess that the threat actor obtained source code repositories representing various tools and applications developed by IKEA.”
The exposed repositories may allegedly include:
- Internal data analysis tools
- Content management systems (CMS)
- IKEA Android app
- Internal business applications
However, without access to the underlying files, it remains impossible to determine whether the repositories actually contain source code, configuration files, credentials, or customer information.
Source code exposure puts IKEA at risk
While the alleged dataset does not currently appear to contain customer records or employee information, researchers warn that source code repositories can still become highly valuable targets for attackers.
The repositories could provide cybercriminals with a detailed roadmap of internal systems.
“If this source code gets published, it could expose internal company data and potential security weaknesses that have not been patched yet, which could be escalated further,” our researchers explained.
Exposing internal development projects may also reveal how applications communicate, which technologies are deployed internally, and where potential weak points exist within a company's infrastructure.
Even older or incomplete repositories can provide valuable intelligence that helps threat actors craft more targeted attacks against corporate environments.
“Even though the full dataset isn’t published as of now, this could cause reputational backlash for the company.”
Cybernews has reached out to IKEA for comment. IKEA's spokesperson said that the company is aware of the claims. "We are investigating the matter and assessing the information available. As this work is ongoing, we are unable to comment further," the spokesperson said.
What do we know about Lapsus$?
Lapsus$ is a financially motivated extortion group. Rather than encrypting files and demanding decryption keys, the collective relies on stealing sensitive information and threatening to publish it unless payment is made. The group relies on social engineering as its primary attack tactic.
Many core members are believed to be teenagers or young adults. Despite the arrest and prosecution of several members in both the UK and Brazil, the group has consistently continued its operations.
In mid-2025, Lapsus$ merged with two other cybercrime gangs, Scattered Spider and ShinyHunters, to form a conglomerate known as Scattered Lapsus$ Hunters (SLH), referred to by researchers as the "Trinity of Chaos."
Throughout 2026, Lapsus$ claimed responsibility for breaches at Adidas. Attackers also targeted the pharmaceutical giant AstraZeneca, posting stolen source code, AWS credentials, and employee records.
Vodafone was also listed among the gang’s victims, with 7.1GB of internal source code being leaked after the company declined to meet the group's negotiation deadline.
Among the gang's other high-profile victims are Rockstar Games, Microsoft, Nvidia, Samsung, Uber, and Okta.
Updated on June 2nd [5:00 p.m. GMT+2] with a statement from IKEA.