Vodafone — Lapsus$ source-code dump after failed extortion
Lapsus$ dumped 7.1 GB of Vodafone internal source code after failed extortion; leaked repos contained hardcoded database credentials. Vodafone says no customer data affected.
- Target: Vodafone — Lapsus$ source-code dump after failed extortion
- Date public: 12 May 2026
- Sector: Telecoms
- Attack type: Data Breach
- Threat actor: Lapsus$
- Severity: Medium
- Region: United Kingdom
Lapsus$ added Vodafone to its dark-web leak site in late April 2026, with a fifteen-day window for the company to open negotiations. On 12 May the deadline expired, Lapsus$ posted the message “Time expired. Vodafone refused to pay. Data is now public,” and uploaded an archive of approximately 7.1 GB. The archive contained source code and test environments for several Vodafone applications, with Vodafone OnePortal and a project labelled Cyberhub the most prominent, alongside a manifest of the wider GitHub repository tree the attacker had been able to reach.
Vodafone’s public position is that no customer data was affected, that the intrusion itself occurred in March 2026, and that the access route was “compromised third-party development software” rather than its own infrastructure. The company has declined to identify the specific third-party tool in question. The breach is being treated, in Vodafone’s framing, as a contained source-only exposure.
Independent researchers analysing the published archive subsequently flagged hardcoded PostgreSQL database credentials embedded in committed source files. Whether those credentials remain live by now is a Vodafone validation problem; the material point for the wider industry is the existence of working backend credentials in source-controlled code at all. Source code containing embedded credentials, internal endpoint addresses, infrastructure topology and API logic constitutes a deferred exposure rather than a contained one. The database was not breached. The keys to the database were.
The intrusion pattern is consistent with the broader Lapsus$ catalogue against Nvidia, Okta, Microsoft and Samsung: initial access via a developer-adjacent account or supplier, location of internal source-code repositories, bulk exfiltration, an extortion attempt, and a public dump on failure to pay. The post-2022 generation of Lapsus$ activity continues to favour large enterprises with sprawling internal source-code estates and patchy secret-management discipline, which makes the affected demographic broad and the defender prescription unromantic: secrets-scanning on every commit, short-lived workload identities in place of long-lived database passwords, and removal of standing developer access to production-grade credentials.
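As an added illustration of the "secrets-scanning on every commit" control (not code from Vodafone, the researchers or any named tool), the sketch below scans only the added lines of a unified diff for literal PostgreSQL credentials and reports file, line and rule without echoing the secret. The rule set, the function name `scan_diff` and the sample diff are assumptions constructed for this example.

```python
import re
# Three ways a PostgreSQL password ends up in source: URI, PGPASSWORD, libpq DSN.
RULES = [
    ("postgres-uri", re.compile(r"postgres(?:ql)?://[^:/\s@]+:(?P<secret>[^@\s]+)@", re.I)),
    ("pgpassword", re.compile(r"\bPGPASSWORD\s*[=:]\s*['\"]?(?P<secret>[^\s'\"]+)")),
    ("libpq-dsn", re.compile(
        r"^(?=.*\b(?:host|dbname)\s*=).*?\bpassword\s*=\s*['\"]?(?P<secret>[^\s'\"]+)", re.I)),
]
# Values that reference an env var or template slot rather than a literal secret.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\}|<[^>]*>|%\(\w+\)s)$")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def scan_diff(diff_text):
    """Return (path, new-file line, rule) for each literal secret on an added line."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])
            continue
        hunk = HUNK.match(raw)
        if hunk:
            lineno = int(hunk.group(1)) - 1
            continue
        if raw.startswith(("-", "\\")):
            continue  # removed lines are not part of the new file
        lineno += 1
        if raw.startswith("+"):  # context lines are counted but not scanned
            for rule, rx in RULES:
                hit = rx.search(raw[1:])
                if hit and not PLACEHOLDER.match(hit.group("secret")):
                    findings.append((path, lineno, rule))  # secret is never echoed
    return findings

# Constructed sample: hosts, users and passwords are made up for this example.
SAMPLE_DIFF = '''\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,1 +10,3 @@
 DEBUG = False
+DATABASE_URL = "postgresql://portal_svc:Examp1e-Pass@db.example.internal:5432/portal"
+REPLICA_URL = "postgresql://portal_svc:${DB_PASSWORD}@db.example.internal/portal"
--- a/deploy/run.sh
+++ b/deploy/run.sh
@@ -1,1 +1,3 @@
 #!/bin/sh
+export PGPASSWORD=Examp1e-Pass
+psql "host=db.example.internal dbname=portal user=svc password=Examp1e-Pass"
'''
```

In a pre-commit hook, pass the output of `git diff --cached` to `scan_diff` and reject the commit when the returned list is non-empty; the `${DB_PASSWORD}` line in the sample is deliberately not flagged because it references a variable rather than embedding the value.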
A deep-dive will follow if Vodafone or its regulator publishes the identity of the compromised third-party developer tool, additional dataset analysis surfaces material that contradicts the no-customer-data assertion, or a UK regulator opens a formal investigation. As of 31 May 2026 none of those have happened.