TL;DR: A hacking group calling themselves "Scattered Lapsus$ Hunters" has stolen 500GB of sensitive data from the European Space Agency (ESA). The stolen data reportedly includes operational procedures, spacecraft documentation, and proprietary information from major ESA partners including SpaceX and Airbus. The hackers claim they first gained access in September 2025 through an unpatched vulnerability, and they say that vulnerability is still exploitable. This is ESA's second major breach in weeks, following a December 2025 incident where 200GB was leaked. A criminal investigation is underway.
What Was Stolen
The scope of this breach is massive. According to the hackers and security researchers, the stolen data includes:[1]
- Operational procedures for ESA missions
- Spacecraft and mission details including technical specifications
- Subsystem documentation and engineering specifications
- Environmental testing reports
- Sensitive security protocols
- System Requirements Specifications (SRS)
- Full technical roadmaps for current and future missions
But it gets worse. The breach didn't just affect ESA directly. Proprietary data from major contractors was also stolen:[2]
- SpaceX – Restricted rideshare documentation
- Airbus Group – Contractor data
- Thales Alenia Space
- OHB System AG
- EUMETSAT
- Leonardo, Sener, Teledyne
- Deimos Imaging, Sitael, SkyLabs, ISISPACE
Specific space programs compromised include Greece's national space program, ESA's Next Generation Gravity Mission, the FORUM Earth Explorer Mission, and the TRUTHS satellite mission.[3]
Who Are Scattered Lapsus$ Hunters?
The group claiming responsibility describes itself as a "supergroup" formed from elements of three notorious hacking collectives:[4]
Scattered Spider
Known for targeting major tech companies using social engineering. Previously hit Okta, Microsoft, and Cisco. US-UK operations.
LAPSUS$
Gained notoriety for high-profile breaches of Microsoft, NVIDIA, Samsung, and Uber. Led by teenagers. Members arrested but group persists.
ShinyHunters
Data theft and resale specialists. Responsible for breaches affecting hundreds of millions of users. Operates on dark web forums.
The combination of these groups' techniques (social engineering, persistence, and monetization experience) makes Scattered Lapsus$ Hunters particularly dangerous.
The Vulnerability Is Still Open
Here's the most alarming detail: the hackers claim they exploited a publicly known vulnerability in September 2025 to gain initial access, and that vulnerability remains unpatched.[1]
This means:
- ESA was aware of a security flaw for months
- Attackers maintained access through the entire period
- Other attackers could potentially exploit the same vulnerability
- Any "remediation" is incomplete while the hole remains open
Whether the hackers' claim about the ongoing vulnerability is accurate hasn't been independently verified. But if true, it suggests fundamental failures in ESA's security posture.
ESA's Second Breach in Weeks
This isn't ESA's first recent security failure. In December 2025, a separate hacker leaked 200GB of ESA data on BreachForums, including:[5]
- Internal development files
- Source code
- CI/CD pipelines
- API and access tokens
- Confidential documents
ESA initially characterized that breach as affecting only "external servers supporting unclassified collaborative engineering activities." The January breach suggests the problem is far more extensive.
And this isn't new. ESA has faced cybersecurity incidents since at least 2011, including a 2024 compromise of its official web shop.[3]
Why This Matters
Space infrastructure is increasingly critical, and increasingly targeted.
National Security
Space systems support military communications, navigation (GPS), and surveillance. Technical details about these systems have intelligence value for nation-state actors.
Commercial Espionage
SpaceX and Airbus are commercial leaders. Stolen technical data could benefit competitors, including those in adversary nations.
Supply Chain Risk
Knowing how space systems are built enables targeting of component suppliers, manufacturing processes, and software vulnerabilities.
Future Attacks
Technical roadmaps reveal future capabilities. Adversaries can prepare countermeasures or plan attacks against systems not yet deployed.
ESA's Response
ESA has confirmed the breach and stated it is informing judicial authorities to initiate a criminal investigation.[6]
The agency's initial statement characterized the impact as affecting "a small number of external servers, supporting unclassified collaborative engineering activities."
Privacy advocates and security researchers are skeptical. The volume of data (500GB) and the breadth of affected programs suggest the breach goes beyond "unclassified" systems. Technical roadmaps and security protocols are rarely truly "unclassified."
A Pattern of Space Security Failures
Space agencies worldwide are proving attractive targets:
- NASA has faced numerous breaches, including a 2018 incident that exposed employee data and a 2019 breach of the Jet Propulsion Laboratory
- JAXA (Japan) confirmed breaches in 2023-2024 affecting sensitive rocket and satellite information
- ISRO (India) has been targeted by nation-state actors
- Commercial operators including SpaceX, Boeing, and Lockheed Martin face constant attacks
Space infrastructure combines high-value targets (national security, commercial secrets) with often-outdated security practices. Many space programs were designed before modern cyber threats existed.
What to Watch
As this story develops:
- Data publication: Will the hackers release stolen data publicly? Sell it privately?
- Vulnerability disclosure: Will ESA confirm or deny the unpatched vulnerability claim?
- Contractor response: How will SpaceX, Airbus, and others respond to their data being compromised?
- Nation-state involvement: Are Scattered Lapsus$ Hunters independent criminals, or is there state sponsorship?
- Policy changes: Will this finally force space agencies to modernize cybersecurity practices?
The Bottom Line
The European Space Agency (and by extension, its major partners including SpaceX and Airbus) just lost 500GB of sensitive data. Hackers had access for months. They claim the vulnerability they used is still open.
This is ESA's second breach in weeks. The pattern suggests systemic security failures, not isolated incidents.
Space infrastructure is critical infrastructure. It enables communications, navigation, climate monitoring, and national defense. The fact that a criminal hacking group can maintain access for months and exfiltrate hundreds of gigabytes should be alarming.
A criminal investigation is underway. It should be, but so should a serious reckoning with how space agencies approach cybersecurity.
References
[1] The Register - ESA confirms breach by Scattered Lapsus$ Hunters (January 2026)
[2] SC World - ESA Breach Exposes SpaceX, Airbus Data (January 2026)
[3] Cyber Insider - ESA Breach: 500GB of Mission Data Stolen (January 2026)
[4] Picus Security - Scattered Lapsus$ Hunters Threat Profile
[5] Infosecurity Magazine - ESA December 2025 Breach (December 2025)
[6] ESA - Official Statement on Cyber Incident (January 2026)