We investigated the Vodafone data leak: Here is what hackers claim they stole

Lapsus$ has claimed responsibility for a dump of Vodafone’s internal source code, exposing what researchers say could be a blueprint for the telecom giant’s backend infrastructure.
- Lapsus$ publicly dumped ~7.1GB of Vodafone's internal source code after the company allegedly refused to negotiate within a 15-day deadline.
- Researchers suspect the breach originated from a compromised internal GitHub account, and the leaked code contained hardcoded PostgreSQL database credentials that could enable unauthorized backend access.
- Vodafone confirmed the incident occurred in March but stated no customer data was affected, attributing the breach to compromised third-party development software.
- This is not Vodafone's first run-in with Lapsus$. The group previously claimed to have stolen 200GB of source code from the telecom giant back in 2022.
Lapsus$ claims to have breached Vodafone, one of the world’s largest telecommunications providers, and has now publicly dumped what appears to be internal company source code after the company allegedly refused to negotiate.
“Time expired. Vodafone refused to pay. Data is now public,” wrote Lapsus$ on its leak site, dropping the entire dataset publicly online. Before publishing the files, the attackers claimed they had given Vodafone 15 days to enter negotiations.
The leak appears to involve internal development repositories rather than customer records, but Cybernews researchers warn the exposure could still create serious downstream security risks.
What Vodafone data was allegedly leaked?
The Cybernews research team downloaded and analyzed the published archive. According to our researchers, the extracted dataset weighs approximately 7.1GB and contains a mixture of source code and repository structure information tied to multiple Vodafone applications.
The dataset contains source code and testing environments of several Vodafone projects, including Vodafone OnePortal and Cyberhub.
Researchers say the leak includes not only production application code but also repositories tied to testing environments, which often contain internal configurations and infrastructure references.
“The dataset contains a .txt file of the dataset tree structure and source code of various applications,” our researchers explained.
“Additionally, not only the source code of the apps themselves, but also the code of their testing environments as well.”
Vodafone may have been breached through GitHub
Based on the leak's structure, our researchers suspect the attackers may have gained access via an internal GitHub account linked to Vodafone repositories.
“By the looks of it, I would guess that this attack was done by somehow compromising an internal GitHub account that ultimately gave access to all these repositories,” one of the researchers noted.
Our team reports identifying multiple files containing hardcoded PostgreSQL database credentials embedded directly inside the codebase.
“Besides the source code, I found multiple files with hardcoded PostgreSQL database credentials, which could result in unauthorized access and data tampering.”
Hardcoded credentials remain one of the most dangerous software security mistakes because they can potentially provide attackers with direct access to backend systems without needing additional exploitation.
The researchers noted that other secrets do not appear to have been hardcoded into the source code.
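For teams that want to audit their own repositories for this class of mistake, the following added example (not code from Vodafone, the leak, or the Cybernews researchers) scans a source tree for literal PostgreSQL passwords in connection URIs and common assignment keys. The file contents and the key names checked are constructed assumptions, and the scanner reports locations only, never the secret value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample files for illustration; none of this comes from the leaked archive.
SAMPLE_FILES = {
    "portal/settings.py":
        'DATABASE_URL = "postgresql://portal_app:Sup3rS3cret@db.example.internal:5432/portal"\n',
    "portal/settings_env.py":
        'DATABASE_URL = "postgresql://portal_app:${DB_PASSWORD}@db.example.internal/portal"\n',
    "tests/docker-compose.yml":
        "environment:\n  POSTGRES_PASSWORD: test-pass-123\n  POSTGRES_USER: ci\n",
    "svc/application.properties":
        "spring.datasource.url=jdbc:postgresql://db.example.internal/app?user=svc&password=hunter2\n",
    "README.md": "Connect with postgresql://localhost/dev (no password needed)\n",
}

# Connection URIs (libpq and JDBC style) and assignment keys that commonly carry the password.
URI_RE = re.compile(r"(?:jdbc:)?postgres(?:ql)?://[^\s'\"<>]+", re.I)
KV_RE = re.compile(
    r"\b(PGPASSWORD|POSTGRES_PASSWORD|DB_PASSWORD)\b\s*[:=]\s*['\"]?([^\s'\"]+)", re.I)
# Values that reference an environment variable or template instead of embedding the secret.
PLACEHOLDER_RE = re.compile(r"^(\$\{.+\}|\$\w+|\{\{.+\}\}|<.+>|%\(.+\)s)$")


def uri_password(uri):
    """Return the password embedded in a PostgreSQL URI (userinfo or ?password=), or None."""
    parts = urlsplit(re.sub(r"^jdbc:", "", uri, flags=re.I))
    return parts.password or parse_qs(parts.query).get("password", [None])[0]


def scan(files):
    """Return (path, line_no, kind) for each literal PostgreSQL password found."""
    findings = []
    for path, text in sorted(files.items()):
        for no, line in enumerate(text.splitlines(), 1):
            secrets = [("uri", uri_password(m.group(0))) for m in URI_RE.finditer(line)]
            secrets += [("assignment", m.group(2)) for m in KV_RE.finditer(line)]
            for kind, value in secrets:
                if value and not PLACEHOLDER_RE.match(value):
                    findings.append((path, no, kind))
    return findings


if __name__ == "__main__":
    for path, no, kind in scan(SAMPLE_FILES):
        print(f"{path}:{no}: hardcoded PostgreSQL password ({kind})")
```

Test-environment files are flagged as well, since the article notes the leak included testing repositories alongside application code.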
Vodafone says no customer data affected
Vodafone confirmed to Cybernews that in March, a "criminal organization" gained unauthorized access to a "limited amount of software source code files" on GitHub. The company's spokesperson said that most of the stolen data related to Vodafone Business, and the company had no contact with attackers.
"No sensitive information related to Vodafone customers was stolen, and there was no access to, or interruption of, internal infrastructure, network or production services," the spokesperson said in a statement.
Vodafone states that the main cause was the compromise of third-party development software.
Vodafone is under constant threat
This is far from the first time Vodafone has found itself at the center of a cybersecurity storm. Back in 2022, the Lapsus$ hacking group already tried to extort Vodafone.
The gang claimed to have stolen 200GB of proprietary source code from the company’s GitHub repositories. The breach spanned roughly 5,000 of them.
Just a year and a half later, Vodafone's name surfaced again in the so-called mother of all breaches, a staggering supermassive leak of 26 billion records compiled from hundreds of previous data incidents.
Between 2022 and 2025, at least 30 distinct Vodafone-related data leaks were publicly documented across multiple subsidiaries and regions, showing that the telecommunications giant is a tempting target for cybercriminals.
The regulatory consequences have been catching up, too. In June 2025, Germany's data protection authority slapped Vodafone with a €45 million fine.
Part of the ruling was tied specifically to the company's failure to adequately vet and monitor its partner agencies, and the rest was for lapses in customer authentication and data protection practices.
What we know about Lapsus$ ransomware
Lapsus$ operates as an extortion group. Rather than encrypting files and demanding decryption keys, the collective relies on stealing sensitive information and threatening to publish it unless payment is made.
The group's signature entry vector is social engineering, not malware. Members have been documented using SIM-swapping to hijack phone numbers and intercept one-time passwords.
Among the techniques used by the gang is MFA bombing, which means that attackers flood the target's authentication app with approval requests until the exhausted employee taps "accept."
The gang also uses vishing, voice-phishing calls in which attackers impersonate IT and helpdesk staff to extract credentials in real time.
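On the detection side, MFA bombing leaves a recognizable trace in authentication logs: a burst of push prompts for one account, sometimes ending in an approval. The following added example (not from the article's sources) flags that pattern; the log format, event names, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, time-ordered log lines in an assumed format: ISO timestamp, user, event.
SAMPLE_LOG = """\
2025-01-10T02:10:05 alice push_sent
2025-01-10T02:11:02 alice push_sent
2025-01-10T02:11:30 alice push_sent
2025-01-10T02:12:15 alice push_sent
2025-01-10T02:13:20 alice push_approved
2025-01-10T08:59:50 bob push_sent
2025-01-10T09:00:02 bob push_approved
2025-01-10T09:05:00 carol push_sent
2025-01-10T09:30:00 carol push_sent
2025-01-10T10:00:00 carol push_sent
2025-01-10T10:30:00 carol push_sent
2025-01-10T14:00:00 dave push_sent
2025-01-10T14:00:20 dave push_sent
2025-01-10T14:00:45 dave push_sent
2025-01-10T14:01:10 dave push_sent
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed prompts per window; tune to your baseline


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: severity}. 'burst' means at least `threshold` prompts landed
    within `window`; 'approved_after_burst' means an approval arrived during one."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()  # drop prompts that have aged out of the window
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold:
                alerts.setdefault(user, "burst")
        elif event == "push_approved" and len(prompts) >= threshold:
            alerts[user] = "approved_after_burst"  # likely fatigue acceptance
    return alerts


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

An approval after a burst is the higher-priority alert, since it suggests the account's session should be revoked and the sign-in investigated.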
In mid-2025, three of the most prolific cybercrime brands, Scattered Spider, Lapsus$, and ShinyHunters, merged into a single conglomerate calling itself Scattered Lapsus$ Hunters, sometimes dubbed "the Trinity of Chaos."
The alliance is loosely federated, as members share infrastructure, leak sites, and Telegram channels while preserving individual operational autonomy.
Many core members are believed to be teenagers or young adults, a detail confirmed when London police arrested seven individuals aged 16-21, linked to the gang, in March 2022.
Later, an 18-year-old member, Arion Kurtaj, was sentenced to an indefinite hospital order after being found guilty of hacking Rockstar Games, Uber, and other firms.
The Lapsus$ hit list includes such well-known companies as Adidas, AstraZeneca, Mercor, and Rockstar Games.