    How DevOps tools are opening the gates for high-profile cyberattacks

    By techupdateadmin, September 12, 2025

    Source code is a critical asset for every company, and platforms like GitHub and Atlassian serve as secure vaults for it.

    However, organizations shouldn’t forget that service providers operate within the Shared Responsibility Model, which clearly states that data is the responsibility of the user.

    Thus, if something goes wrong, even a single oversight can set off a chain reaction: gigabytes of leaked source code, thousands of stolen credentials, and financial and reputational damage.



    Recent breaches at household-name enterprises reveal an uncomfortable truth: DevOps data is the top priority for cybercriminals.

    Mercedes-Benz, The New York Times, Schneider Electric — all of them operate in different industries, though there is something in common…

    …each fell victim to DevOps security failures, a reminder that no organization, however advanced, is immune when innovation outpaces protection.

    Daria Kulikova


    Cybersecurity content strategist at GitProtect.

    Cybersecurity concerns are growing

    A cyberattack strikes somewhere in the world every 39 seconds, which makes over 2,000 incidents a day. IBM reports a 56% surge in active ransomware groups, while Cybersecurity Ventures projects cybercrime will cost the global economy $10.5 trillion annually by 2025, rising to $15.63 trillion by 2029.


    According to The CISO’s Guide to DevOps Threats, the most targeted industries in 2024 are Technology & Software, Fintech & Banking, and Media & Entertainment. The United States alone is the stage for 59% of ransomware attacks, and 70% of data breaches lead to major operational disruptions.

    The damage rarely stops at the breached organization — it cascades across partners, clients, and supply chains, multiplying the fallout.

    HellCat hackers hit Jira worldwide: Schneider Electric, Telefonica, Jaguar Land Rover are among the victims

    Over the past two years, the ransomware group HellCat has breached multiple high-profile companies worldwide. The root of the incidents is the same in all the hacker campaigns — stolen Jira credentials, harvested through infostealer malware.



    Once the hackers managed to obtain these credentials, they gained access to Atlassian Jira environments, enabling them to move laterally, extract sensitive data, and deploy ransomware. The HellCat victims include Schneider Electric, Orange Group, Telefonica, Ascom, Jaguar Land Rover, and others.

    In 2024, the group compromised Schneider Electric’s isolated project tracking platform via exposed Jira credentials and stole 40GB of data. This included 400K user records, 75K unique email addresses, plugin details, and project tracking information. The attackers demanded $125,000 to prevent public disclosure.

    More incidents

    In 2025, more incidents took place. In the breach of Orange Group, which primarily affected its Romanian operations, attackers stole source code, invoices, contracts, customer and employee data, and 380K unique email addresses.

    Next on HellCat’s list is Telefonica. The attackers managed to breach the company twice in the same year. In January 2025, attackers exfiltrated 2.3 GB of documents, tickets, and other internal data, while in May, they stole over 380K files totaling 106.3 GB, including internal communications, customer records, purchase orders, and employee data.

    Around 700 sensitive internal documents and employee records from Jaguar Land Rover were leaked on hacking forums, with the trail leading to the same hacker group.

    Finally, the breach of Ascom’s technical ticketing system resulted in the theft of 40 GB of data, potentially affecting all 18 divisions. Other victims include Asseco Poland, HighWire Press, Recami, and Leo Vegas Group.

    With Jira deeply embedded in enterprise workflows, it has become a prime breach vector. Credentials harvested by infostealers are widely available on dark web marketplaces, and many remain valid for years due to poor password rotation practices.

    Unless organizations improve credential hygiene and access controls, similar attacks may continue and can even increase in frequency.

    Mercedes: Source code exposure due to a leaked GitHub token

    A mishandled GitHub token left Mercedes-Benz’s source code exposed to the public.

    The leaked token, accidentally embedded by a company employee in a public repository, might have provided an attacker with unrestricted access to the company’s GitHub Enterprise server, opening the door to API keys, design documents, database credentials, and other sensitive assets.

    This incident highlights the risks associated with mishandled access tokens and underlines the necessity for stringent security protocols.
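
    One way to catch an embedded token before it reaches a public repository is to scan the lines a commit adds. The following is an added example, not part of the original article or of any vendor's tooling; it matches GitHub's published token prefixes, and the file path, hostname and token in the sample diff are constructed.

```python
import re

# GitHub's documented token prefixes: ghp_ (classic PAT), gho_/ghu_/ghs_/ghr_
# (OAuth and app tokens), github_pat_ (fine-grained PAT).
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(token):
    """Keep prefix and last 4 characters so the finding can be matched to a
    token in GitHub's settings without copying the secret into logs."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"


def scan_diff(diff_text):
    """Return (path, new_line_number, redacted_token) for each GitHub token
    that appears on a line the diff adds."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-file header
            path = line[4:].removeprefix("b/")
        elif line.startswith("--- "):        # old-file header
            continue
        elif (m := HUNK_RE.match(line)):     # hunk header resets the counter
            lineno = int(m.group(1))
        elif line.startswith("+"):           # added line: scan, then advance
            for tok in TOKEN_RE.findall(line[1:]):
                findings.append((path, lineno, redact(tok)))
            lineno += 1
        elif line.startswith(" "):           # context line: advance only
            lineno += 1
    return findings


# Constructed sample: the token is built from filler characters, not a real one.
SAMPLE_TOKEN = "ghp_" + "A1b2C3d4E5" * 3 + "Zz9876"
SAMPLE_DIFF = f"""diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -10,2 +10,3 @@
 API_URL = "https://ghe.example.internal/api/v3"
+GITHUB_TOKEN = "{SAMPLE_TOKEN}"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for path, lineno, token in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: GitHub token {token} in added line")
```

    Fed the output of `git diff --cached` from a pre-commit hook, a non-empty result is the signal to block the commit; a token that has already been pushed should be revoked rather than only deleted from the file.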

    WordPress: Malicious GitHub repo exposes 390K+ credentials

    A fake GitHub repository posing as “Yet Another WordPress Poster” (yawpp) is believed to have enabled the exfiltration of over 390K credentials, largely for WordPress accounts, to an attacker-controlled Dropbox.

    The campaign, attributed to the threat actor MUT-1244, combined trojanized proof-of-concept (PoC) code on GitHub, targeted phishing emails, and a rogue npm dependency (@0xengine/xmlrpc) to deliver malware.

    Victims, including pentesters, security researchers, and malicious actors, unknowingly exposed their SSH keys, AWS credentials, and other sensitive data to an attacker.

    Disney: 2.5GB of corporate data leaked in Confluence breach

    A group of Club Penguin fans exploited Disney’s Confluence server to retrieve old game data but ended up accessing as much as 2.5GB of sensitive corporate files.

    Stolen data included developer tools, internal infrastructure documentation, advertising strategies, and business records, along with API endpoints, S3 credentials, and developer resource links.

    The breach leveraged previously exposed login credentials, increasing the risk of future exploitation.

    New York Times: Hackers leak 270GB of sensitive data

    A 270GB trove of The New York Times’ internal data, including alleged Wordle source code, internal communications, and sensitive authentication credentials for 5K+ GitHub repositories, was exposed online.

    The publisher confirmed that the incident stemmed from inadvertently exposing credentials on a third-party code platform.

    No unauthorized access to internal systems has been detected, and the Times reported that its operations were not impacted.

    High-stakes: the untold impact of DevOps data breaches

    Readers of catchy headlines about DevOps data breaches rarely think about what is behind those incidents and, more importantly, what they cost.

    That cost varies, from costly data recovery to potential regulatory penalties. Security and compliance regulations also tighten from year to year, and penalties can go up to millions of dollars.

    While some organizations publicly downplay the scope of these breaches, the numbers tell a different story: hundreds of gigabytes of leaked data, millions of exposed records, and compromised internal repositories, pointing to a far deeper and more damaging reality.


    This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
