Red Hat has confirmed a security breach affecting one of its GitLab instances, exposing data tied to its consulting division after a cybercrime group claimed responsibility for the intrusion.
Quick Summary – TLDR:
- Red Hat confirmed a breach of a GitLab instance used solely by its consulting team
- Cybercriminal group Crimson Collective claims to have stolen 28,000 internal repositories
- Exposed files may include sensitive data like network details, credentials, and customer engagement reports
- Red Hat states the attack does not affect its products, GitHub, or broader software supply chain
What Happened?
Red Hat, a leading provider of open-source enterprise solutions and an IBM subsidiary, has acknowledged a breach in one of its internal GitLab instances. The breach, confirmed by Red Hat, involves a server used exclusively for consulting projects and not related to GitHub or Red Hat’s core product infrastructure. A cybercrime group calling itself Crimson Collective claims to be behind the attack.
Security update: Incident related to Red Hat Consulting GitLab instance https://t.co/EzKzoaEktM
— Red Hat (@RedHat) October 2, 2025
Breach Involved 28,000 Internal Repositories
The breach, first reported by members of the cybersecurity press, stems from an unauthorized access incident in Red Hat’s self-managed GitLab Community Edition instance used internally by its Consulting division. According to Crimson Collective, they extracted approximately 570GB of compressed data containing over 28,000 private repositories, many of which held Customer Engagement Reports (CERs).
These CERs often include:
- Project infrastructure details.
- Configuration data.
- Authentication tokens and database URIs.
- Internal code snippets and communications.
Red Hat confirmed that such reports were part of the compromised content but stated that these typically do not contain sensitive personal information. So far, no personal data has been identified in the ongoing investigation.
Claims and Fallout
Crimson Collective publicly listed affected entities on Telegram, showcasing a broad spectrum of clients allegedly exposed in the incident. The list includes high-profile names such as:
- Bank of America
- Walmart
- T-Mobile
- Mayo Clinic
- The U.S. Navy
- Federal Aviation Administration
- The House of Representatives
The hackers allege that by analyzing exposed CERs and code, they obtained credentials and tokens that could lead to downstream compromise of customer networks. They attempted to contact Red Hat for an extortion deal, but received only a templated reply directing them to submit a vulnerability report. The hackers claim the ticket was passed among Red Hat’s legal and security teams without a direct response.
Red Hat’s Response and Remediation
In its official statement and security update, Red Hat stated:
Red Hat emphasized that:
- The GitLab instance was not connected to any Red Hat product or GitHub presence.
- The company’s software supply chain remains secure.
- No indication of broader Red Hat product compromise has been found.
As a precaution, additional hardening measures have been implemented and affected customers are being contacted directly. Red Hat also noted that the instance is used only for certain consulting engagements, limiting the scope of exposure.
Meanwhile, the Centre for Cybersecurity Belgium (CCB) issued a warning, stating that the breach poses a high risk to organizations using Red Hat Consulting. They flagged the potential for stolen credentials and configuration data to be used in follow-on attacks.
SQ Magazine’s Takeaway
I think this incident serves as a critical reminder that even internal collaboration tools need robust security practices. While it’s reassuring that Red Hat quickly isolated the data breach and protected its core systems, the fact that customer engagement data was stolen is concerning. Trust is everything in enterprise software, and even if personal data wasn’t exposed, the idea that infrastructure blueprints or tokens might be out there should put everyone on alert. I hope Red Hat brings more transparency as they learn more.
