The AstraZeneca leak is dated March 20, 2026 in leaksear.ch metadata, the same day HackRead reported that LAPSUS$ claimed to have stolen about 3GB of internal data from the pharmaceutical company (hackread.com, leaksear.ch metadata). leaksear.ch has indexed 133,196 employee and access records from the leaked archive, centered on emails, names, usernames, country values, and GitHub Enterprise access context (leaksear.ch metadata).
What happened
The incident entered public view through posts on a hacker forum and a LAPSUS$-associated leak site. HackRead reported the group advertised employee-related datasets, source code, secrets and access credentials, and cloud configuration material; SecurityWeek separately reported claims involving internal code repositories, credentials and tokens, cloud infrastructure information, and employee data (hackread.com, www.securityweek.com).
The initial access path has not been established in the verified sources reviewed. Public reporting framed the case as an alleged extortion leak, and both SecurityWeek and Bitdefender noted at publication time that AstraZeneca had not publicly confirmed the incident, leaving attribution, scope, and data validity unresolved (www.securityweek.com, www.bitdefender.com).
SOCRadar later updated its March 23 report to say LAPSUS$ claimed it released a roughly 2.66GB zipped dump for free after initially attempting to sell the archive (socradar.io).
What data was exposed
Public reports described the broader claimed archive as including source code, cloud infrastructure references, GitHub Enterprise user information, internal API keys, and credential or secret material (cybernews.com, socradar.io). leaksear.ch metadata for this index is narrower: it covers employee and access records, not every file category publicly attributed to the wider archive (leaksear.ch metadata).
The searchable fields are country, email, name, and username (leaksear.ch metadata). Stored contextual fields include assignment country, company identifiers and company names, contingent-worker type, cost center ID, employee type, first, last and preferred names, GitHub.com logins, GitHub Enterprise login and roles, GitHub member roles and profiles, organization levels, position title, worker active status, and worker type (leaksear.ch metadata).
The leaksear.ch metadata for this indexed employee/access record set does not list fields for patient data, payment card numbers, passwords, or password hashes. The broader archive's reported secrets and source-code material should be treated as separate from the searchable identity pivots available here (leaksear.ch metadata, www.bitdefender.com).
Why this matters
The risk comes from joining corporate identity data with role, contractor, company, and GitHub access context. That combination can support targeted phishing, impersonation of IT or vendor workflows, and account reconnaissance against employees and contractors; public reporting also noted follow-on risk if any reported credentials, tokens, private keys, or cloud configuration data remained valid (www.securityweek.com, cybernews.com).
For security teams, the priority is to validate affected work accounts, review GitHub Enterprise roles and contractor access, rotate any potentially exposed secrets, and watch for phishing that reuses internal role or project context. Individuals who worked for or with AstraZeneca should use the exposure check below to see whether their email, name, username, or country appears in this leak (leaksear.ch metadata).
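The role and contractor review described above can be sketched as a join between an HR roster export and a GitHub Enterprise membership export. This is an added example, not code from leaksear.ch or any of the cited sources; the column names, the sample rows, and the set of roles treated as privileged are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports; column names are hypothetical stand-ins for the
# field categories listed above (worker status, worker type, GHE role).
HR_ROSTER = """email,worker_active,worker_type
alice@example.com,true,Employee
bob@example.com,false,Employee
carol@example.com,true,Contingent Worker
"""

GHE_MEMBERS = """email,ghe_login,ghe_role
alice@example.com,alice,member
bob@example.com,bob,member
carol@example.com,carol-ext,owner
dave@example.com,dave,member
"""

PRIVILEGED_ROLES = {"owner", "admin"}  # assumption: roles treated as privileged


def load(text):
    """Parse CSV text into a list of dicts with trimmed, lower-cased emails."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["email"] = row["email"].strip().lower()
    return rows


def review_access(hr_rows, ghe_rows):
    """Return (ghe_login, finding) pairs for accounts that need follow-up."""
    hr_by_email = {r["email"]: r for r in hr_rows}
    findings = []
    for acct in ghe_rows:
        worker = hr_by_email.get(acct["email"])
        if worker is None:
            findings.append((acct["ghe_login"], "no matching HR record"))
            continue
        if worker["worker_active"].strip().lower() != "true":
            findings.append((acct["ghe_login"], "inactive worker retains access"))
        if (worker["worker_type"].lower().startswith("contingent")
                and acct["ghe_role"].lower() in PRIVILEGED_ROLES):
            findings.append((acct["ghe_login"], "contingent worker holds privileged role"))
    return findings


if __name__ == "__main__":
    for login, finding in review_access(load(HR_ROSTER), load(GHE_MEMBERS)):
        print(f"{login}: {finding}")
```

Accounts flagged here are candidates for access removal or role downgrade, and are also the ones most worth watching for phishing that reuses role or project context.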
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include country, email, name, and username.
Sources
- HackRead: Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach
- SecurityWeek: Extortion Group Claims It Hacked AstraZeneca
- Cybernews: Pharma giant AstraZeneca claimed by hackers, with source code on the table
- SOCRadar: AstraZeneca Data Breach: What You Need to Know
- Bitdefender: Lapsus$ claims AstraZeneca breach exposes code and credentials