Red Hat Confirms Breach After Hackers Steal 570GB of Client Network Blueprints and Auth Tokens from GitLab
Red Hat, the American developer of enterprise Linux solutions, has confirmed a cybersecurity incident shortly after a group calling itself Crimson Collective claimed responsibility for stealing nearly 570 GB of data from the company’s private GitLab repositories.
The hackers allege they gained access to 28,000 internal projects, including roughly 800 Customer Engagement Reports (CERs) containing sensitive details of client network infrastructures, system configurations, authorization tokens, and other confidential data. These documents, typically used in consulting engagements, could directly endanger the security of corporate networks.
In its official statement, Red Hat acknowledged the incident but declined to specify what data had been compromised. The company clarified that the breach impacted its consulting division only and did not affect other services or products. Red Hat emphasized its confidence in the integrity of its software supply chain and announced that mitigation measures had been initiated.
Crimson Collective, in communications with BleepingComputer, insisted that the stolen tokens and databases embedded in code and reports had enabled them to infiltrate the infrastructure of several clients. To substantiate their claims, the hackers published on Telegram a complete list of stolen repositories and CERs, dated from 2020 through 2025. The organizations referenced include Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Federal Aviation Administration, the House of Representatives, and the Naval Surface Warfare Center.
According to the hackers, the intrusion occurred roughly two weeks ago. They claim to have attempted to contact Red Hat with a ransom demand but received only an automated reply directing them to submit a standard vulnerability disclosure form. The group further asserts that their request was repeatedly redirected between Red Hat’s legal and security teams without resolution.
In parallel, Crimson Collective also claimed responsibility for a recent attack on Nintendo’s website, during which one page temporarily displayed contact information and links to the group’s Telegram channel. This incident reinforced suspicions that Crimson Collective aims not only to extort but also to amplify its visibility by targeting high-profile organizations.