January 20, 2026 Hackers are advertising what they claim is internal source code stolen from Target. A sample of the reportedly stolen data was published using multiple repositories totalling around 860 gigabytes. While Target has not publicly commented on the issue, the company appears to have moved quickly to have the Gitea repositories taken down.
The claims surfaced this week after a previously unknown threat actor posted on an underground hacking forum, saying they were auctioning Target data and describing the leak as the first in a series of releases. To back up the assertion, the individual uploaded a sample of the alleged stolen material to several repositories hosted on Gitea, a self-managed Git platform commonly used for private codebases.
Those repositories appear to contain internal Target source code alongside configuration files and developer documentation. Repository names reference systems that would typically be considered highly sensitive, including wallet and payment services, identity and access management, store networking tools, secrets documentation and gift card infrastructure.
Cybersecurity researchers reviewing the listings say the structure and naming conventions resemble those of an internal enterprise development environment. However, the full scope and authenticity of the data have not been independently verified.
BleepingComputer reported that some of the content appeared to have been indexed and cached by search engines in the past, suggesting that parts of the data may have been publicly accessible at some point. It remains unclear when that exposure may have occurred, how long it lasted or whether it was the result of misconfiguration or a separate compromise.
If the claims prove accurate, the leak could pose significant risks. Internal source code can give attackers insight into how systems are built, where weaknesses may exist and how to craft more effective attacks, even if no customer data is directly exposed. Systems tied to payments, digital wallets and gift cards are particularly attractive targets due to their potential for fraud and abuse.
For now, the situation remains fluid. Without confirmation from Target or a full forensic analysis, it is unclear how the data was obtained or whether it reflects current production systems. It is also yet to be known if additional datasets are still being held by the attackers.
