HPE – Dataconomy (https://dataconomy.ru)

HPE data breach could be a nightmare for its customers
https://dataconomy.ru/2025/01/20/hpe-data-breach-could-be-a-nightmare-for-its-customers/
Mon, 20 Jan 2025 12:28:27 +0000

The hacker known as IntelBroker has claimed responsibility for breaching Hewlett Packard Enterprise (HPE), exposing sensitive data, including source code, certificates, and personally identifiable information (PII), now available for sale online. This incident was revealed in a conversation with Hackread.com and later announced on Breach Forums, a cybercrime forum the hacker administers.

IntelBroker claims breach of HPE, sensitive data exposed

IntelBroker, previously linked to numerous high-profile data breaches, stated that the breach resulted from a direct attack on HPE’s infrastructure rather than from the compromise of a third party, which is common in other breaches. The hacker is reportedly demanding payment in Monero (XMR) cryptocurrency to maintain anonymity.

The stolen data, according to IntelBroker, includes source code, private GitHub repositories, Docker builds, both private and public cryptographic certificates, user data related to old deliveries, and access to APIs and WePay. A data tree and two internal screenshots were shared, demonstrating what appears to be a development or system environment containing both open-source and proprietary assets.

Hackread.com’s analysis of the data tree revealed references to private keys and certificates, suggesting potential exposure of sensitive cryptographic material. Source code for HPE products like iLO and Zerto was identified, indicating leaked proprietary implementations. Further analysis uncovered files associated with private repository directories, along with .tar archives pointing to compromised development resources.

The screenshots provided insights into HPE’s internal systems, with one showcasing details of the SignonService web service, including endpoint addresses and WSDL links. The second screenshot disclosed sensitive configuration details, exposing credentials for Salesforce and QIDs integrations, as well as internal URLs, which may highlight serious security vulnerabilities within HPE’s infrastructure.

This breach marks a new incident for HPE, which previously encountered a cybersecurity incident in January 2024 when it disclosed to the SEC that state-sponsored Russian hackers breached its servers, targeting mailboxes of employees in critical functions.

IntelBroker has been associated with other significant breaches, including a reported attack on Cisco in October 2024, during which terabytes of data were stolen due to a misconfigured public-facing DevHub resource. The hacker also claimed to have breached Nokia and AMD, indicating a pattern of targeting large companies for sensitive data acquisition.


Featured image credit: HPE

HPE data breach is under investigation
https://dataconomy.ru/2024/02/07/hpe-data-breach-is-under-investigation/
Wed, 07 Feb 2024 12:19:20 +0000

The HPE data breach is currently under scrutiny by Hewlett Packard Enterprise as it looks into claims of a possible incursion, with a supposed threat actor allegedly offering stolen HPE credentials for sale on a cybercrime forum. Despite the assertions surrounding the data breach, HPE has said that its investigations have yet to confirm any security compromise, and no demand for ransom has been made in connection with the incident.

Everything you need to know about HPE data breach

Adam R. Bauer, HPE’s Sr. Director for Global Communications, told BleepingComputer:

“We are aware of the claims and are investigating their veracity. At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.”

The alleged seller, known by the moniker IntelBroker, provided a glimpse into the claimed breach by releasing screenshots that depict what they assert are HPE credentials. However, the origin and technique employed to acquire such data remain undisclosed.


The individual behind the alleged HPE data breach has proclaimed on a notorious hacking forum:

“Today, I am selling the data I have taken from Hewlett Packard Enterprise. More specifically, the data includes: CI/CD access, System logs, Config Files, Access Tokens, HPE StoreOnce Files (Serial numbers warrant etc) & Access passwords. (Email services are also included).”

IntelBroker, the alias used by the threat actor in question, has previously gained notoriety for the significant breach of DC Health Link. This previous infringement resulted in the exposure of personal details pertaining to members and staff of the U.S. House of Representatives, subsequently triggering a congressional hearing.

This entity has also been associated with other cybersecurity infractions, including an intrusion into the Weee! grocery delivery service and an alleged compromise of confidential data from General Electric Aviation, further underscoring the severity of the HPE data breach claims.

Russian hackers breach HPE corporate email accounts

The HPE data breach investigation has been intensified following Hewlett Packard Enterprise’s recent disclosure that, in May 2023, their Microsoft Office 365 email system fell victim to a cyber incursion. HPE attributes this breach to what they suspect are Russian hackers affiliated with the APT29 group, which is connected to the SVR, Russia’s Foreign Intelligence Service.

HPE acknowledged that these Russian hackers were able to exfiltrate SharePoint files and pertinent data from its cybersecurity and various other departments. The intrusion extended to HPE’s cloud infrastructure, with unauthorized access persisting until December. This was when HPE was notified of another breach within its cloud-based email system.

“On December 12, 2023, HPE was notified that a suspected nation-state actor had gained unauthorized access to the company’s Office 365 email environment. HPE immediately activated cyber response protocols to begin an investigation, remediate the incident, and eradicate the activity,” HPE stated.

“Through that investigation, which remains ongoing, we determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

This revelation from HPE about the Russian-linked HPE data breach came just days after Microsoft reported a similar incident. In Microsoft’s case, APT29 managed to compromise email accounts of its high-level executives and employees, particularly those within the cybersecurity and legal sectors.


Microsoft’s investigation found that the hackers accessed these corporate email accounts by exploiting a misconfigured test tenant account through a “password spraying” attack, wherein they guessed weak passwords until they broke through the account’s defenses.

In a historical context, HPE also suffered a security breach in 2018, which was linked to APT10, a group of Chinese hackers. This group also infiltrated IBM’s networks and utilized that breach to target HPE’s customers’ devices.

More recently, in 2021, HPE announced that its Aruba Central network monitoring platform’s data repositories were compromised. This breach allowed attackers to gain insight into information about the devices being monitored and their geographical locations.

In an update concerning the current HPE data breach, Bauer said that the data now circulating for sale was sourced from a testing environment, which may imply a potentially lower level of sensitivity compared to operational or production environments.

“Based on our investigation so far, the data at issue appears to be related to information that was contained in a test environment. There is no indication these claims relate to any compromise of HPE production environments or customer information. These are local credentials used in an isolated test environment and are not applicable to the production environment. In addition, these credentials alone would not allow access to production environments as we have multi-layered security measures in place. Furthermore, we don’t have any indication that these claims relate to any compromise of customer information. That said, we have taken additional measures to harden our environment further in relation to the credentials at issue.”

-Bauer


Featured image credit: HPE
