Unlocking Cyber Threats: How DevOps Tools Are Magnetizing Attacks

In today’s digital landscape, source code is a prized asset for companies, with platforms like GitHub and Atlassian acting as reliable storage solutions. However, organizations must remember that, under the Shared Responsibility Model, they are responsible for their own data. A single lapse can trigger disastrous consequences, including significant leaks of source code, widespread credential theft, and lasting harm to reputation and finances.

Recent cybersecurity breaches at well-known companies highlight a troubling trend: DevOps data has become a primary target for hackers. Industry giants like Mercedes-Benz, The New York Times, and Schneider Electric, albeit from different sectors, have all suffered from security weaknesses in their DevOps practices. This serves as a stark reminder that no organization is bulletproof when it comes to cybersecurity, especially as innovation often outpaces protective measures.

Cybersecurity threats are escalating at an alarming rate. On average, a cyberattack occurs every 39 seconds—amounting to more than 2,000 incidents daily. IBM reports a 56% increase in active ransomware groups, and Cybersecurity Ventures estimates that worldwide cybercrime could cost the global economy $10.5 trillion annually by 2025, climbing to $15.63 trillion by 2029.

According to the CISO’s Guide to DevOps Threats, the most frequently targeted sectors in 2024 will include Technology and Software, Fintech and Banking, and Media and Entertainment. The U.S. is particularly vulnerable, accounting for 59% of ransomware attacks, and roughly 70% of data breaches lead to severe disruptions in operations. The fallout from such breaches rarely remains contained; it can ripple through partnerships, client relationships, and supply chains, increasing the overall impact.

Take the ransomware group HellCat, for example. Over the past two years, they have targeted multiple high-profile companies around the globe, exploiting stolen Jira credentials obtained through infostealer malware. Once hackers acquired these credentials, they accessed Atlassian Jira environments, moving laterally within systems to extract sensitive information and deploy ransomware.

HellCat’s victims include notable firms like Schneider Electric, Orange Group, Telefonica, and Jaguar Land Rover. For instance, in 2024, hackers compromised Schneider Electric’s isolated project tracking system through exposed Jira credentials, stealing 40GB of data that included user records, email addresses, and project details. The ransomware group demanded $125,000 to prevent public exposure of this data.

In 2025, the attacks continued. During the breach of Orange Group, which primarily affected its Romanian operations, hackers stole source code, contracts, invoices, customer and employee data, and 380,000 email addresses. Telefonica suffered two breaches in the same year, with attackers stealing internal documents and personal data on each occasion. Further fallout from these attacks included leaked sensitive internal documents from Jaguar Land Rover and a breach of Ascom’s technical ticketing system, affecting its 18 divisions.

With Jira deeply integrated into enterprise operations, it has become a key attack vector. Stolen credentials are readily available on dark web markets and can remain valid for years due to poor password management practices. Unless companies strengthen their credential hygiene and access controls, they risk ongoing and potentially more frequent attacks.

Another alarming incident involved Mercedes-Benz, where a mishandled GitHub token exposed the company’s source code to the public. An employee accidentally placed the token in a public repository, potentially granting attackers unrestricted access to Mercedes-Benz’s GitHub Enterprise server, along with API keys and other sensitive information. This incident underscores the dangers of careless handling of access tokens and the urgent need for rigorous security measures.

In a separate case, a malicious GitHub repository masquerading as “Yet Another WordPress Poster” (yawpp) is believed to have led to the exfiltration of over 390,000 credentials, mostly for WordPress accounts. Attributed to the threat actor known as MUT-1244, the campaign combined trojanized proof-of-concept code on GitHub with targeted phishing emails and a rogue npm dependency to deliver its malware.

Disney faced its own security challenges when a group of Club Penguin enthusiasts exploited vulnerabilities in Disney’s Confluence server to access outdated game data and inadvertently retrieved 2.5GB of sensitive corporate files, including internal documents and API keys.

Meanwhile, The New York Times experienced a massive data breach involving 270GB of internal information, including sensitive communications and purported Wordle source code. The incident was traced back to credentials inadvertently exposed on a third-party platform. Although the company stated that it had not detected unauthorized access to its systems, the incident highlighted how exposed its sensitive information was.

The real cost of DevOps data breaches extends beyond immediate financial penalties; it encompasses the arduous recovery process, potential regulatory fines, and long-term reputational damage. As security regulations become increasingly stringent, organizations must grapple with the reality that non-compliance can hit them with severe monetary consequences. Although some firms may downplay the extent of these breaches, the numbers reveal a different picture: vast amounts of leaked data, millions of exposed records, and compromised repositories depict a far more intense and damaging scenario.

In a rapidly evolving digital landscape, effective security measures are not optional—they are essential.
