A threat actor identified as “303” has allegedly compromised Deloitte’s internal systems, exposing GitHub credentials and proprietary source code from the consulting giant’s U.S. division. The breach announcement surfaced through a dark web forum post, where the perpetrator shared configuration files and repository information as evidence of the successful infiltration.
The exposed data reportedly includes GitHub credentials that could allow unauthorized access to Deloitte’s infrastructure, along with source code from internal development projects. Snippets of configuration files and repository details have circulated on underground forums, though the full scope and authenticity of the breach remain unconfirmed by Deloitte officials.
Security analysts have flagged the public disclosure of this sensitive information through cybersecurity monitoring services. This incident poses significant risks given Deloitte’s wide-ranging client base of high-profile global corporations. The leaked credentials could potentially grant unauthorized access to sensitive client data and corporate systems, while the compromised source code threatens both system security and intellectual property protections.
The consulting firm’s role in serving major enterprises amplifies concerns about potential downstream impacts on client organizations. As one of the Big Four accounting firms, Deloitte’s reputation and client relationships could face substantial scrutiny following this security incident.
The alleged breach follows a troubling pattern of security incidents affecting Deloitte over recent years. In 2017, the company experienced credential leaks involving corporate VPN passwords and usernames exposed through GitHub, with multiple systems inadvertently made accessible to the public internet. These historical incidents resulted in extended unauthorized access and substantial financial and reputational damage, highlighting persistent vulnerabilities in the firm’s security infrastructure.
Threat actor “303” has demonstrated similar attack patterns in previous campaigns targeting large corporations, suggesting sophisticated capabilities and methodical approaches to system infiltration. The actor previously targeted an Indian software company in December 2024, causing significant impact on major insurance providers.
The consistency of these tactics raises concerns about ongoing threats to professional services firms, despite substantial cybersecurity investments across the industry.
Deloitte has yet to issue a thorough public statement addressing the specific claims made by the threat actor. The company has previously denied certain breach allegations, sometimes attributing incidents to third-party or client system compromises rather than direct attacks on its infrastructure.
Security experts highlight the critical need for continued monitoring to detect potential follow-up exploitation attempts using the allegedly compromised credentials.