
Red Hat, a prominent American provider of open-source enterprise software solutions, has confirmed that a recent security incident has resulted in a data breach affecting some of its systems. The company disclosed that the breach stemmed from a compromised GitLab instance used for consulting and development purposes. This instance, which was not part of Red Hat’s core infrastructure, was accessed by unauthorized parties who managed to copy sensitive data.
The hacking group calling itself “Crimson Collective” has taken responsibility for the breach. According to the group, they infiltrated Red Hat’s systems nearly two weeks prior to the public disclosure and are now revealing the scope of the incident. Their claims suggest that the breach involved the theft of over 570GB of data from more than 28,000 internal repositories.
While Red Hat’s executive leadership maintains that the affected GitLab instance did not contain classified or production-level data, they have acknowledged the seriousness of the breach. The company emphasized that its core systems were not impacted, and that no customer credentials or financial data were stored within the compromised environment. As such, Red Hat has categorized the immediate risk as low, but investigations are ongoing.
In response to the incident, GitLab issued a public advisory noting that the compromised system was a self-managed GitLab Community Edition instance rather than part of GitLab's own infrastructure, and urging operators of self-managed instances to follow baseline security practices: apply security patches promptly, configure access controls and permissions correctly, and carry out routine maintenance so that known vulnerabilities are not left exposed.
However, Crimson Collective claims the breach is far more serious than Red Hat’s initial assessment. In a recent statement, the group alleged it had exfiltrated sensitive materials, including:
a.) Red Hat deliverables for corporate clients
b.) Detailed architecture diagrams
c.) System configuration files
d.) Internal network maps
e.) Access credentials and authentication tokens
f.) Database URLs
g.) Operational notes
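The credentials, authentication tokens, and database URLs the group says it took are exactly the material a repository secret scan should catch before it is ever pushed. The following Python script is an added example for this article, not code from Red Hat, GitLab, or the attackers: it scans files for a few publicly documented token prefixes (GitLab personal access tokens, AWS access key IDs, PEM private-key headers), for connection strings whose URL authority embeds a password, and for `key = value` assignments whose key name suggests a credential and whose value has enough entropy not to be a placeholder. Everything it reports is redacted, so the scan output does not itself become a second leak. All file names and values in the sample inputs are constructed.

```python
"""Scan repository files for committed credentials: known token formats, private
keys, connection strings with embedded passwords, and high-entropy secret
assignments. Added example; every sample value below is constructed."""
import math
import os
import re
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Publicly documented prefixes of a few common token formats (illustrative, not exhaustive).
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Connection strings; reported only when the URL authority actually carries a password.
DB_URL = re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^\s'\"]+")
# key = value assignments whose key name suggests a credential.
CRED_ASSIGN = re.compile(r"(?i)(password|passwd|secret|token|api_?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})")
ENTROPY_THRESHOLD = 3.0  # bits per character; below this, values read like words ("changeme")
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")  # env/template references are not secrets


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # the full secret is never stored in scan output


def redact(secret: str) -> str:
    """Keep only the edges so a finding can be triaged without re-leaking the value."""
    return "*" * len(secret) if len(secret) <= 8 else secret[:4] + "..." + secret[-4:]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        specific_hit = False
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                specific_hit = True
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in DB_URL.finditer(line):
            url = m.group(0)
            try:
                password = urlsplit(url).password
            except ValueError:  # malformed authority, e.g. a bad IPv6 literal
                continue
            if password:
                specific_hit = True
                findings.append(Finding(path, lineno, "db_url_with_password",
                                        url.replace(password, "***", 1)))
        if specific_hit:
            continue  # a token reported above is not re-reported as a generic assignment
        m = CRED_ASSIGN.search(line)
        if m:
            value = m.group(2)
            if not value.startswith(PLACEHOLDER_PREFIXES) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "credential_assignment", redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root: str) -> List[Finding]:
    """Scan a checked-out working tree; .git is skipped, so history needs a separate pass."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample repository contents; none of these values are real.
SAMPLE_FILES = {
    "deploy/config.yaml": (
        "# constructed sample, not real data\n"
        "database_url: postgres://app:Sup3rS3cretPw@db.internal:5432/prod\n"
        "cache_url: redis://cache.internal:6379/0\n"
        "gitlab_token: glpat-aaaaBBBBccccDDDDeeee1234\n"
        "smtp_password: ${SMTP_PASSWORD}\n"
    ),
    "notes/ops.md": (
        "Rotate the AWS key AKIAIOSFODNN7EXAMPLE after the migration.\n"
        "api_token = 'changeme'\n"
        "admin_password = 'Tr0ub4dor&3x9Qz'\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.redacted}")
```

Run against the constructed sample, the scan flags the Postgres URL (password redacted to `***`), the GitLab token, the AWS key ID, and the high-entropy admin password, while the Redis URL without credentials, the `${SMTP_PASSWORD}` template reference, and the dictionary word `changeme` are left alone. `scan_tree` covers a working tree only; secrets that were committed and later deleted survive in history, so a real sweep also has to walk past revisions, and any secret found should be treated as compromised and rotated rather than merely removed from the tree.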
Adding to the severity of the situation, Crimson Collective reportedly attempted to extort Red Hat by demanding a ransom in exchange for not leaking the stolen data. According to sources close to the incident, Red Hat did not engage in ransom negotiations. Instead, the company responded with standard inquiries regarding the group’s disclosure process and the data involved—without showing willingness to negotiate or pay.
A source on LinkedIn, allegedly close to the matter, claims the stolen data includes information related to several major organizations, including T-Mobile, Bank of America, Walmart, the U.S. Navy’s Naval Surface Warfare Center, the Federal Aviation Administration (FAA), Fidelity Investments, and the Mayo Clinic.
This raises significant concerns that the attackers may use the exposed credentials and tokens to reach the IT infrastructure of these high-profile clients. Until the claims are validated, the prudent assumption for any organization named is that every credential, token, and connection string that ever lived in the affected repositories is compromised and must be rotated, and that the architecture diagrams and network maps are now available to plan follow-on intrusions. If validated, this breach could have far-reaching consequences across multiple sectors, including finance, healthcare, retail, and national defense.
As of now, Red Hat has not confirmed the identities of any affected customers, and investigations into the full scope and impact of the breach remain underway.