The Lapsus$ extortion crew has dumped roughly 7.1GB of internal Vodafone source code online after the telecom giant refused to enter ransom negotiations. The leak, confirmed and analyzed by Cybernews researchers, exposes development repositories tied to multiple Vodafone applications including Vodafone OnePortal and Cyberhub, and arrives after a 15-day deadline expired with no payment.

What Happened

Lapsus$ claimed responsibility for breaching Vodafone, one of the world's largest telecommunications providers, and posted the stolen data to its leak site with the message: "Time expired. Vodafone refused to pay. Data is now public." According to the group, Vodafone was given a 15-day window to negotiate before the archive was published. The dump went live publicly, with no paywall or access gating, making the contents available to any threat actor or researcher who downloads it. Cybernews retrieved the archive and verified its contents, confirming it contains genuine internal repository material rather than recycled or fabricated data.

What Was Taken

The published archive weighs approximately 7.1GB and contains a mixture of source code and repository structure metadata tied to multiple Vodafone applications. Researchers identified source code and testing environments for several named Vodafone projects, including Vodafone OnePortal and Cyberhub. The dataset also includes a .txt file enumerating the tree structure of the entire dump, giving outsiders a high-level map of Vodafone's internal codebase organization. The leak appears to involve internal development repositories rather than customer records, but the inclusion of testing environment code is significant because such repositories often carry internal configuration files, hardcoded credentials, API endpoints, and infrastructure references that production-only dumps would omit.

Why It Matters

Source code leaks at this scale function as a blueprint for follow-on attacks. With backend application logic, configuration patterns, and infrastructure references in hand, secondary threat actors can hunt for authentication weaknesses, hardcoded secrets, exposed internal endpoints, and logic flaws far more efficiently than through black-box probing. For a telecommunications operator at Vodafone's scale, that risk compounds across customer-facing portals, internal tooling, and partner integrations. The incident also extends a long pattern: at least 30 distinct data leaks tied to Vodafone have been reported between 2022 and 2025, and in June 2025 Germany's data protection authority levied a €45 million fine against the company for failures in partner agency vetting, customer authentication, and data protection.

The Attack Technique

Lapsus$ has not publicly disclosed the initial access vector for the Vodafone intrusion, and Vodafone has not confirmed the breach mechanics. The group's historical tradecraft, observed across prior intrusions at major technology and telecom targets, has leaned heavily on social engineering of help desks, SIM swapping, MFA fatigue attacks, and insider recruitment rather than novel exploit development. The Vodafone incident's focus on internal development repositories is consistent with access obtained through compromised developer credentials or source control tokens, though this remains unconfirmed pending official disclosure.

What Organizations Should Do

  1. Rotate any credentials, API keys, tokens, and certificates referenced in code repositories that share dependencies, vendors, or integration points with Vodafone, particularly partner agencies and downstream resellers.
  2. Audit source control access in your own environment for stale developer accounts, overly permissive service tokens, and missing MFA enforcement on Git platforms.
  3. Run secret scanning across internal repositories to find and revoke hardcoded credentials before they become the next leaked archive.
  4. Monitor for impersonation, phishing, and SIM-swap attempts targeting employees, executives, and customers in the wake of the leak, as exposed internal documentation often fuels targeted social engineering.
  5. Review help desk identity verification procedures, which remain a primary Lapsus$ attack vector, and require out-of-band verification for password and MFA resets.
  6. Threat-hunt for indicators of compromise involving anomalous repository cloning, large outbound transfers from developer workstations, and unusual access to CI/CD systems.
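As an illustration of the repository-cloning hunt in item 6, the sketch below flags any account that clones many distinct repositories in a short window. It is an added example, not code from Cybernews or Vodafone; the log format, field names, account names, and thresholds are all assumptions to adapt to your own source control audit log.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field names are hypothetical, not a vendor schema.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:02:11Z","actor":"dev-alice","action":"git.clone","repo":"org/portal-ui"}
{"ts":"2025-01-10T13:40:00Z","actor":"dev-alice","action":"git.clone","repo":"org/portal-api"}
{"ts":"2025-01-10T14:00:00Z","actor":"svc-ci","action":"git.clone","repo":"org/portal-ui"}
{"ts":"2025-01-10T14:01:00Z","actor":"svc-ci","action":"git.clone","repo":"org/portal-ui"}
{"ts":"2025-01-10T14:02:00Z","actor":"svc-ci","action":"git.clone","repo":"org/portal-ui"}
{"ts":"2025-01-10T14:03:00Z","actor":"svc-ci","action":"git.clone","repo":"org/portal-ui"}
{"ts":"2025-01-10T22:14:05Z","actor":"dev-bob","action":"git.clone","repo":"org/app-a"}
{"ts":"2025-01-10T22:14:40Z","actor":"dev-bob","action":"git.clone","repo":"org/app-b"}
{"ts":"2025-01-10T22:15:10Z","actor":"dev-bob","action":"repo.view","repo":"org/app-z"}
{"ts":"2025-01-10T22:15:30Z","actor":"dev-bob","action":"git.clone","repo":"org/app-c"}
truncated-line-without-json
{"ts":"2025-01-10T22:16:20Z","actor":"dev-bob","action":"git.clone","repo":"org/app-d"}
{"ts":"2025-01-10T22:17:00Z","actor":"dev-bob","action":"git.clone","repo":"org/infra"}
"""

def parse_clones(text):
    """Yield (timestamp, actor, repo) for each well-formed git.clone event."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            if ev["action"] == "git.clone":
                ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
                yield ts, ev["actor"], ev["repo"]
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, truncated or malformed lines

def find_clone_bursts(clones, window=timedelta(minutes=10), threshold=4):
    """Return {actor: sorted repos} for actors with >= threshold distinct repos cloned within window."""
    recent = defaultdict(deque)  # actor -> (ts, repo) pairs still inside the window
    flagged = defaultdict(set)
    for ts, actor, repo in sorted(clones):
        q = recent[actor]
        q.append((ts, repo))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold:  # repeated clones of one repo never trip this
            flagged[actor] |= distinct
    return {actor: sorted(repos) for actor, repos in flagged.items()}

if __name__ == "__main__":
    print(find_clone_bursts(parse_clones(SAMPLE_LOG)))
```

Counting distinct repositories rather than raw clone events keeps a CI account that re-clones one repository from alerting, while a single identity sweeping across many repositories stands out.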

Sources: "Time expired": Hackers leak Vodafone source code after company refuses to pay