Cisco takes DevHub portal offline following threat actor data leak

Multinational technology conglomerate Cisco confirmed that it has taken its public DevHub portal offline after a threat actor leaked "non-public" data, although the company maintains there is no evidence of a breach in its systems. The DevHub portal, a public-facing resource used to provide software code and scripts for customers, became the target of a cyber incident involving unauthorized data exposure.

In an updated statement, Cisco clarified the scope of the issue: "We have determined that a small number of files that were not authorized for public download may have been published." The company reassured that, at this point in the investigation, there are no signs that personal or financial data was compromised. However, the investigation into what data may have been accessed is ongoing.

The incident stems from claims made by a threat actor known as IntelBroker, who alleged that they had breached Cisco and obtained access to source code and internal data. According to IntelBroker, the access was gained through an exposed API token connected to a third-party developer environment. Screenshots and files, reportedly shared with both Cisco and the cybersecurity outlet BleepingComputer, indicate access to a significant amount of data from the DevHub portal, including source code, database credentials, and technical documentation.

Despite these claims, Cisco has consistently stated that no internal systems were compromised. The company’s ongoing investigation continues to focus on a breach within the third-party developer environment, not Cisco’s core systems. However, the leaked data and screenshots indicate a substantial amount of DevHub-related information was accessible.

IntelBroker further claimed that they maintained access to Cisco’s portal and other development environments until Cisco recently shut down the compromised systems. Although the threat actor suggested that they did not attempt extortion, they admitted to not trusting the company to keep any potential agreement for non-disclosure of stolen data.

While Cisco has blocked access to the affected portals and servers, the full impact of the breach remains under investigation. Cisco has yet to respond to additional queries regarding the breach’s specifics and the potential exposure of customer data.