Dark Web user 888 offers sensitive stolen credentials for sale, but the affected enterprise denounces the breach as “an isolated matter”
On 6 July 2026, a 35GB set of internal company files was put up for sale on the Dark Web by a user called “888”. The material was presented on a cybercrime forum as an “Accenture Data Breach”, with the seller saying the archive included source code, RSA keys, SSH keys, Azure Personal Access Tokens, Azure Storage access keys, configuration files, and other technical data.
The sales description had also included a screenshot that appeared to show a cloned Azure DevOps repository named “121123_AtriasTalentAcademy” under a censored Accenture domain.
Subsequently, Accenture had confirmed it was dealing with an “isolated matter”, had investigated the matter and remediated its source, but stopped short of explicitly calling it a breach. Its spokesperson Andy Rowlands said there was no impact to Accenture operations or service delivery. The firm did not answer follow-up questions about how the compromise happened, which systems were affected, or what information, if any, was actually taken — according to a report on The Register.
User 888 had mentioned in the ad that the data was being offered for Monero, a cryptocurrency often used in criminal transactions. If authentic, the files would be far more valuable to attackers than routine corporate records because code, credentials, and keys can be used to reach into other systems or services.
Threat intelligence firm SOCRadar has noted that a threat actor of the same ID had previously claimed involvement in another Accenture-related incident in 2024, when data allegedly tied to more than 32,000 current and former employees was said to have been exposed through a third-party compromise. That earlier allegation has not been clearly verified, and the latest claim remains unconfirmed as well.
With Accenture withholding technical details, it is still unclear whether the incident involved a single exposed repository or something broader. For now, the firm is acknowledging an issue, while the exact scope of the alleged data exposure remains unresolved.
