Crimson Collective Claims Red Hat GitLab Breach, 570GB Data Stolen

Extortion Group Claims Massive Data Theft
An extortion group calling itself the Crimson Collective claims to have stolen 570GB of compressed data across 28,000 internal development repositories belonging to Red Hat’s consulting division.
The group said the stolen information includes roughly 800 Customer Engagement Reports (CERs)—internal consulting documents that can detail client infrastructure, configurations, and authentication data, potentially exposing corporate networks to follow-on compromise.
Red Hat Confirms Consulting GitLab Breach
After the claims surfaced, Red Hat confirmed that the incident involved a self-managed GitLab instance used exclusively by its Consulting organization—not GitHub as initially reported.
“We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements,” Red Hat said in a security update.
“Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities.”
Red Hat emphasized that the intrusion did not affect any of its other products or its software supply chain, noting that the GitLab environment was segregated from production systems.
Scope of Exposure
The company acknowledged that the compromised instance contained consulting engagement reports (CERs) and related project data. These documents may include technical specifications, example code, and internal communications, but Red Hat said no personal information has been found so far.
Red Hat is now contacting impacted customers directly to share findings and mitigation guidance.
Hacker Claims and Extortion Attempt
The Crimson Collective told BleepingComputer the breach occurred two weeks before disclosure, during which they allegedly exfiltrated authentication tokens, database URIs, and other private credentials.
They published what they describe as directory listings of stolen GitLab repositories and CERs dated from 2020 through 2025 on their Telegram channel.
The listings name customers across sectors including Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy, FAA, and the U.S. House of Representatives.
The group said it attempted to extort Red Hat, but only received an automated response directing them to submit a vulnerability report—a ticket they claim was later passed among Red Hat’s legal and security teams.
GitLab Clarifies Platform Not Compromised
In a statement to BleepingComputer, GitLab Inc. confirmed that its hosted platform and customer accounts were not affected, noting that the breach involved Red Hat’s self-managed Community Edition instance.
GitLab reiterated that customers are responsible for securing self-hosted installations and urged administrators to review access controls, audit logs, and network isolation policies.
Ongoing Investigation
Red Hat says the investigation remains ongoing and that it has implemented additional hardening measures to prevent further access.
The company maintains confidence in the integrity of its software supply chain, stressing that no evidence indicates compromise of Red Hat Enterprise Linux or related repositories.
The Crimson Collective, meanwhile, continues to post on Telegram and recently claimed responsibility for defacing a Nintendo topic page—a move apparently meant to draw attention to their extortion campaign.
Source: bleepingcomputer.com