DevOps Under Threat: How Data Breaches Put Your Digital Assets at Risk

DevOps Tools Open Doors to High-Level Cyberattacks


Illustrative image of cybersecurity

Source Code is a critical asset for every company, and platforms like GitHub and Atlassian serve as its secure vaults. However, organizations must not forget that service providers operate under a Shared Responsibility Model, which clearly states that data is the user's responsibility. The Shared Responsibility Model is a security and compliance framework that defines the responsibilities of Cloud Service Providers (CSPs) and customers in securing all aspects of the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, and operating systems. Consequently, if something goes wrong, a single simple error can lead to a chain reaction: gigabytes of Source Code leaked, thousands of credentials stolen, and financial and reputational damage.

Recent breaches in well-known companies reveal an uncomfortable truth: DevOps data is cybercriminals' top priority. Mercedes-Benz, The New York Times, and Schneider Electric have all suffered DevOps security failures, reminding us that no organization, however advanced, is immune when innovations outpace protection.

Cybersecurity Concerns Are Growing


Illustrative image of cyber risks

Internet networks are subjected to a cyberattack every 39 seconds, meaning over 2,000 incidents daily. IBM reports a 56% increase in active ransomware groups, while Cybersecurity Ventures predicts that cybercrime will cost the global economy $10.5 trillion annually by 2025, rising to $15.63 trillion by 2029.

According to the CISO's Guide to DevOps threats, the most targeted industries in 2024 are Technology and Software, FinTech and Banking, and Media and Entertainment. The United States alone is the scene of 59% of ransomware attacks, and 70% of data breaches lead to significant operational disruptions. The damage rarely stops at the breached organization but spreads across partners, customers, and supply chains, multiplying the impact.

HellCat Hackers Breached Jira Worldwide: Schneider Electric, Telefónica, Jaguar Land Rover Among Victims


Illustrative image of a cyber breach

Over the past two years, the HellCat ransomware group has breached numerous major companies worldwide. The root of the incidents was the same across all hacker campaigns – stolen Jira credentials, collected through malicious spyware. Once the hackers obtained these credentials, they gained access to Atlassian Jira environments, enabling them to move laterally, extract sensitive data, and deploy ransomware. HellCat's victims include Schneider Electric, Orange Group, Telefónica, Ascom, Jaguar Land Rover, and others.

In 2024, hackers breached Schneider Electric's isolated project tracking platform via exposed Jira credentials and stole 40 GB of data. This included 400,000 user records, 75,000 unique email addresses, plugin details, and project tracking information. The attackers demanded $125,000 to prevent public disclosure.

More Incidents


Illustrative image of rising security incidents

In 2025, more incidents occurred. During the Orange Group breach, primarily affecting its Romanian operations, attackers stole Source Code, invoices, contracts, customer and employee data, and 380,000 unique email addresses.

Next on HellCat's list is Telefónica. Attackers managed to breach the company twice in the same year. In January 2025, attackers leaked 2.3 GB of documents, tickets, and other internal data, while in May, they stole over 380,000 files totaling 106.3 GB, including internal communications, customer records, purchase orders, and employee data.

Approximately 700 sensitive internal documents and employee records from Jaguar Land Rover were leaked on hacking forums, attributed to the same hacker group.

Finally, the breach of Ascom's technical ticketing system led to the theft of 40 GB of data, potentially impacting all eighteen departments. Other victims include Asseco Poland, HighWire Press, Racami, and LeoVegas Group.

With Jira deeply integrated into organizational workflows, it has become a primary vector for compromise. Credentials collected by spyware are widely available on dark web marketplaces, and many remain valid for years due to poor password rotation practices. Unless organizations improve credential hygiene and access controls, similar attacks may continue, and even increase in frequency.

Mercedes: Source Code Exposure Due to Leaked GitHub Token

A mishandled GitHub token exposed Mercedes-Benz's Source Code to the public. The leaked token, accidentally embedded by a company employee in a public repository, could have provided an attacker with unrestricted access to the company's GitHub Enterprise server. Consequently, it opened the door to API keys, design documents, database credentials, and other sensitive assets. This incident highlights the risks associated with mishandled access tokens and underscores the need for stringent security protocols.
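A pre-publication check for the kind of mistake described above, as an added example that is not from the original article or from any of the companies named: it scans file contents for strings in GitHub's token formats, drops obvious placeholders with an entropy filter, and reports only redacted matches. The entropy threshold, file names, and sample values are assumptions constructed for illustration.

```python
import math
import re
import string
from collections import Counter

# GitHub token prefixes: ghp_ (classic PAT), gho_ (OAuth), ghu_/ghs_ (app
# user/server tokens), ghr_ (refresh), github_pat_ (fine-grained PAT).
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}"
    r"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)
MIN_ENTROPY = 3.0  # assumed threshold (bits per character) to drop placeholders


def shannon_entropy(s):
    """Bits per character; real tokens are random, placeholders are not."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token):
    """Keep only the prefix and last four characters so reports leak nothing."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"


def scan(files):
    """files maps path -> text; returns (path, line number, redacted token)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in TOKEN_RE.finditer(line):
                token = match.group(0)
                secret_part = token.rsplit("_", 1)[-1]
                if shannon_entropy(secret_part) >= MIN_ENTROPY:
                    findings.append((path, line_no, redact(token)))
    return findings


# Constructed sample input: neither value is a real credential.
FAKE_TOKEN = "ghp_" + (string.ascii_letters + string.digits)[:36]
SAMPLE_FILES = {
    "deploy/config.py": f'API = "https://git.example.com"\nTOKEN = "{FAKE_TOKEN}"\n',
    "README.md": "Set TOKEN to ghp_" + "x" * 36 + " before running.\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

A token that was ever committed stays in the repository history after the file is cleaned, so any finding should be treated as exposed and revoked rather than merely deleted.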

WordPress: Malicious GitHub Repository Exposes Over 390,000 Credentials

A fake GitHub repository masquerading as "Yet Another WordPress Poster" (yawpp) is believed to have enabled the leak of over 390,000 credentials, mostly for WordPress accounts, to a Dropbox controlled by an attacker. The campaign, attributed to threat actor MUT-1244, combined modified Proof-of-Concept (PoC) code on GitHub, targeted phishing emails, and a rogue npm package (@0xengine/xmlrpc) to deliver malware. Victims, including penetration testers, security researchers, and malicious actors, inadvertently exposed SSH keys, AWS credentials, and other sensitive data to the attacker.

Disney: 2.5 GB of Company Data Leaked in Confluence Breach

A group of Club Penguin enthusiasts exploited Disney's Confluence server to retrieve old game data, but ended up accessing 2.5 GB of sensitive company files. The stolen data included developer tools, internal infrastructure documentation, advertising strategies, and business logs, along with API endpoints, S3 credentials, and developer resource links. The breach leveraged previously exposed login credentials, increasing the risk of future exploitation.

New York Times: Hackers Leak 270 GB of Sensitive Data

270 GB of internal data from The New York Times, including alleged Wordle Source Code, internal communications, and sensitive authentication credentials for over 5,000 GitHub repositories, was exposed online. The publisher confirmed that the incident resulted from unintentional credential exposure on a third-party code platform. No unauthorized access to internal systems was detected, and the Times stated that its operations were not affected.

High Stakes: The Unspoken Impact of DevOps Data Breaches

When one reads the sensational headlines about DevOps data breaches, one rarely considers what lies behind those incidents, and more importantly, what they cost. The cost ranges from expensive data recovery to potential regulatory penalties. Here, we must not forget that security and compliance regulations are becoming stricter year after year, and penalties can reach millions of dollars. While some organizations publicly downplay the scope of these breaches, the numbers tell a different story: hundreds of gigabytes of leaked data, millions of exposed records, and compromised internal repositories, pointing to a deeper, more damaging reality.


Illustrative image of the cost of breaches