IKEA has launched an investigation following claims that the Lapsus$ extortion group is advertising approximately 180GB of data allegedly stolen from Ingka Group, IKEA's largest franchisee. The listing references internal source code, e-commerce systems, employee platforms, supply chain logistics, cloud infrastructure, and AI-related repositories. Cybernews researchers have reviewed sample data and identified references to thousands of directories, though authenticity remains unverified.
What Happened
Reports surfaced that threat actors were attempting to sell large volumes of internal company data attributed to IKEA. The group claiming responsibility is Lapsus$, previously linked to high-profile intrusions against Microsoft, Uber, Nvidia, Samsung, and Okta. The advertised dataset reportedly totals around 180GB and is said to originate from Ingka Group, the holding company operating the majority of IKEA retail locations worldwide. IKEA has publicly acknowledged awareness of the claims and stated it is assessing the situation, but has declined further comment while enquiries continue. No confirmation has been issued regarding whether systems were actually accessed or data successfully exfiltrated.
What Was Taken
If the claims are validated, the alleged dataset includes:
- Internal source code repositories
- References to IKEA's global e-commerce platform systems
- Internal employee platform data
- Supply chain and logistics system information
- Cloud infrastructure configurations and references
- AI-related code repositories
The 180GB volume and references to thousands of directories observed by Cybernews researchers suggest, if genuine, a sprawling exposure touching multiple business-critical domains. The blend of source code, infrastructure references, and operational platforms would represent significant intellectual property and operational risk.
Why It Matters
Lapsus$ has historically focused on source code theft and extortion rather than ransomware deployment, building leverage by exposing proprietary code, internal tooling, and infrastructure secrets. Ingka Group operates the vast majority of global IKEA stores, meaning any genuine exposure of e-commerce, supply chain, or cloud infrastructure data could carry downstream risk for customers, suppliers, and partners. Source code leaks commonly contain hardcoded credentials, API tokens, and architectural details that downstream attackers weaponize for follow-on intrusions. Even unverified claims of this scale frequently trigger increased phishing and impersonation activity targeting the named victim and its ecosystem.
The Attack Technique
The initial access vector has not been disclosed, and IKEA has not confirmed any breach occurred. Lapsus$ historically favors social engineering, SIM swapping, insider recruitment, and credential abuse rather than novel exploitation. Past Lapsus$ campaigns have leveraged purchased corporate credentials, MFA fatigue attacks, and bribed insiders to gain initial footholds, then pivoted toward source code repositories and internal developer tooling. Investigators have not confirmed whether the dataset in question was obtained through direct compromise, third-party exposure, or fabrication.
What Organizations Should Do
- Audit access to source code repositories and enforce least-privilege controls, MFA, and session monitoring on code hosting platforms.
- Rotate credentials, API tokens, and secrets stored in code repositories and CI/CD pipelines, and implement automated secret scanning.
- Harden against MFA fatigue and social engineering by deploying phishing-resistant authentication such as FIDO2 hardware keys, particularly for developers and administrators.
- Monitor dark web and underground forums for mentions of your organization, supplier ecosystem, and exposed credentials.
- Review identity provider and helpdesk procedures to prevent SIM swap and social engineering bypass of account recovery workflows.
- Brief employees and supply chain partners on increased phishing and impersonation risk tied to publicized incident claims, even when unconfirmed.
Sources: IKEA investigates after alleged data leak claims emerge