Target developer infrastructure offline after alleged 860GB source code theft
Learn More
A threat actor claims to have stolen approximately 860 GB of internal source code and developer documentation from Target Corporation.
The hackers published samples of the stolen data on Gitea, a self-hosted software development platform, to prove their claims. The samples included repositories related to wallet services, gift card interfaces, and internal identity management systems.
The threat actor claims that this data is just the first set of a larger archive intended for auction on underground forums. The compromised allegedly data includes:
- Internal source code for wallet and gift card services
- Developer documentation and internal API endpoints
- Identity management (IDM) provisioning code
- Internal system architecture details and server names
- Employee names and commit metadata
Technical analysis of the leaked samples revealed commit metadata and documentation that referenced internal Target development servers and the names of several current senior engineers. The directory structure and repository naming conventions are consistent with a large-scale enterprise Git environment.
The leaked files do not match any of Target's known open-source projects on GitHub, suggesting the material originated from the company's private development infrastructure. The full dataset reportedly contains over 57,000 files and directories.
Following inquiries regarding the leak, Target took its primary developer Git server, git.target.com, offline. The subdomain, which previously redirected to a secure login page for employees, is no longer accessible from the public internet. Additionally, the sample repositories hosted on Gitea were removed shortly after the company was notified of their existence. Search engine caches indicate that some resources from the git subdomain may have been publicly indexed in the past, but it is unclear if this contributed to the breach.
The nature of the attack has not been disclosed. Target has not confirmed whether any individuals are affected by the incident. The company has not provided further comments on the current status of its internal investigation or the legitimacy of the hackers' claims.
