Red Hat reveals unauthorized access to a GitLab instance where internal data was copied
Crimson Collective has claimed the attack, saying it has accessed more than 28,000 Red Hat repositories
Open source software firm Red Hat has been hacked, with extortion group Crimson Collective claiming it has exfiltrated more than 570GB of data.
Red Hat has confirmed the incident, which it said related to a specific GitLab environment used by the Red Hat Consulting team.
"We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements," it said in a statement.
"Upon detection, we promptly launched a thorough investigation, removed the unauthorized party's access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance."
The compromised GitLab instance housed consulting engagement data, which the firm said could include Red Hat's project specifications, example code snippets, and internal communications about consulting services.
However, it said, this particular GitLab instance doesn't typically house sensitive personal data, and there's no indication that any has been accessed. And there was no sign, it said, that the incident had affected any of its other services or products, including its software supply chain or downloads of Red Hat software from official channels.
Red Hat said it had now implemented additional hardening measures designed to help prevent further access and contain the issue.
"If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident," it said. "We are engaging directly with any customers who may be impacted."
The Crimson Collective
The attack has been claimed by a little-known group called Crimson Collective, which said on its Telegram channel that it had exfiltrated data from more than 28,000 internal repositories.
These, it said, included client documents, Customer Engagement Reports (CERs), which could hold details of infrastructure, configuration data, authentication tokens, and full database Uniform Resource Identifiers (URIs).
"These consulting reports contain detailed information about how these companies' networks and systems are set up, including network designs, passwords, tokens used for system access, and other technical details," said Aras Nazarovas, a senior information security researcher at Cybernews.
"For hackers, these documents are pretty much golden – a step-by-step map showing exactly how the affected companies' computer systems are built and connected – reconnaissance is no longer needed."
According to International Cyber Digest, the repositories reference major banks, telecoms firms and airlines, along with Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even the US Senate.
The Centre for Cybersecurity Belgium (CCB) has issued a warning.
"The Centre for Cybersecurity Belgium (CCB) assesses this breach poses a high risk for Belgian organisations that used Red Hat Consulting services or shared sensitive information (e.g., credentials, tokens, network data) with Red Hat," it said. "There is also potential supply chain impact if your service providers or IT partners worked with Red Hat Consulting."
It recommended that Red Hat customers revoke and rotate all tokens, keys, and credentials shared with Red Hat or used in integrations; check with their IT providers or partners whether they have used Red Hat Consulting, and assess potential exposure; and ramp up the monitoring of authentication events, API calls, and system access for anomalies.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

