
Executive summary
On 2 October 2025, the extortion group Crimson Collective announced on Telegram that it had compromised Red Hat Consulting’s private Git repositories. Reports indicate that the attackers stole approximately 570 GB of compressed data from around 28 000 internal repositories. Among the stolen files were Customer Engagement Reports (CERs), which contain architecture diagrams, configuration details, authentication tokens and network maps. The leak also includes CI/CD secrets, pipeline configurations, VPN profiles and infrastructure blueprints. Red Hat confirmed that the incident affected a self‑managed GitLab instance used solely for consulting, noting that its products and services remain unaffected. Security agencies have urged organizations to rotate credentials and assess their supply‑chain exposure.
Incident overview
Crimson Collective, an emerging extortion group, claims to have accessed more than 28 000 private repositories belonging to Red Hat Consulting. Cyber Security News reports that the attackers stole nearly 570 GB of data. The compromised repository tree allegedly references thousands of organizations from sectors such as finance, telecoms, aviation and government, including Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Telstra and the U.S. Senate. The Register states that the hackers shared file listings and samples showing configuration snippets and database connection strings typical of CERs. The reports, spanning 2020 to 2025, describe customer infrastructures in detail.
Red Hat explained that the incident involves a self‑hosted GitLab repository used exclusively by its consulting business and not the company’s GitHub presence. It confirmed that remediation steps are under way and that the company is confident in the integrity of its broader software supply chain. According to 404 Media, the company’s vice president of communications said Red Hat is investigating the incident and has taken necessary measures.
Nature of the stolen data
Preliminary analysis highlights several categories of sensitive data exposed:
- Authentication secrets and tokens: the stolen archives include authentication tokens, database connection strings and CI/CD secrets. The Register notes that the attackers claim to have already used some of these tokens to compromise downstream customers.
- Configuration files and deployment guides: the data includes VPN profiles, infrastructure blueprints, OpenShift installation guides, Ansible playbooks and inventory files. These documents outline network architectures and configuration details.
- Customer Engagement Reports (CERs): advisory documents containing architecture diagrams, network information, configuration data and keys. The Belgian Centre for Cybersecurity (CCB) warns that CERs may contain network information, configuration data and authentication tokens.
- Third‑party data: the list of stolen CERs includes high‑profile organisations across banking, telecom, aviation and government sectors such as Bank of America, Carrefour, Lumen, Samsung, Bank of Canada, Novo Nordisk, PepsiCo, Intelsat, Accenture, Boeing and the U.S. Department of Homeland Security.
Such information offers attackers deep insight into clients’ environments, enabling targeted attacks or extortion.
Potential supply‑chain and client impact
The leak poses a significant supply‑chain risk, as exposed secrets could allow adversaries to infiltrate clients via CI/CD pipelines, container registries or automation systems. With references to hundreds of organisations, cascading effects could disrupt multiple critical sectors. The CCB has warned that Belgian organisations using Red Hat Consulting face a high risk, and that service providers working with Red Hat should assess their exposure.
CERs map real‑world infrastructures. Attackers can use these blueprints to craft tailored attacks, move laterally or compromise critical systems. The Register highlights that a recently disclosed critical vulnerability (CVSS 9.9) in Red Hat’s OpenShift AI platform could heighten concerns if combined with the leaked information.
Response from Red Hat and authorities
Red Hat stated that the breach is confined to a self‑managed GitLab Community Edition instance. GitLab clarified that its managed infrastructure was not compromised and reminded customers that securing self‑hosted instances, including patching and access control, is their responsibility. The Crimson Collective described itself as a profit‑driven extortion group and threatened to publish the data if victims did not negotiate.
The CCB recommended that organisations immediately rotate tokens, keys and credentials shared with Red Hat and review integrations for possible exposure. Some clients reportedly ignored the attackers’ warnings, allowing the attackers to exploit the stolen credentials.
Recommendations for CISOs, CERTs, CSIRTs and SOC teams
- Incident response and communication: Update incident response plans to address data‑leak and extortion scenarios. Communicate with internal stakeholders and external partners about potential risks and ongoing mitigation efforts.
- Immediate credential and token rotation: Identify all tokens, API keys and credentials associated with Red Hat Consulting, CI/CD pipelines, VPN profiles and container registries, and rotate them promptly. Monitor for any reuse of revoked secrets.
- Supply‑chain and dependency assessment: Inventory software dependencies and processes leveraging Red Hat playbooks or pipelines. Engage third‑party providers to verify they have updated and secured their own tools.
- Harden and update self‑hosted platforms: Apply security patches to GitLab or other self‑hosted tools and enforce multi‑factor authentication. GitLab emphasises that customers must maintain the security of self‑hosted instances.
- Enhanced monitoring and intrusion detection: Strengthen logging and monitoring across CI/CD pipelines and networks to detect anomalous behaviour. Implement alerts for unexpected access or changes in configuration repositories.
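The two recommendations that translate most directly into tooling are the credential inventory and rotation step and the monitoring for reuse of revoked secrets. The script below is an added example, not code from Red Hat, GitLab, the CCB or any of the cited outlets. It scans exported consulting artefacts of the kinds the briefing names (Ansible group variables, a GitLab CI configuration, a VPN profile) for database connection strings, tokens and private keys, records only a SHA-256 fingerprint of each secret so the inventory itself never holds plaintext, and then treats every fingerprint in that inventory as revoked and flags any later attempt to use one in an audit log. The file contents, the log lines and the log format are all constructed for the demo; in particular the `token_fp` field, a hash of the presented credential, is an assumed feature of the monitored system, and the patterns are deliberately narrow compared with a real secrets scanner.

```python
"""Added example (not Red Hat's, GitLab's or the CCB's code): inventory the
secrets in exported consulting artefacts without storing their plaintext, then
watch an audit log for any use of those secrets after they were revoked.
All file contents, log lines and the log format are constructed for the demo."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# One narrow pattern per secret kind named in the briefing; group 1 holds the
# secret value. A production scanner (gitleaks, trufflehog) has far more rules.
SECRET_PATTERNS = {
    "db_connection_string": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:([^@\s]+)@\S+"),
    "token_or_api_key": re.compile(
        r"(?i)\b(?:[a-z_]*token|api[_-]?key|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----\s*([A-Za-z0-9+/=\s]+?)-----END"),
}


def fingerprint(secret: str) -> str:
    """Non-reversible handle for a secret, so inventory and alerts carry no plaintext."""
    return hashlib.sha256(secret.strip().encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    fp: str


def inventory_secrets(files: dict[str, str]) -> list[Finding]:
    """Scan {path: content} and return one Finding per secret occurrence."""
    findings = []
    for path, content in files.items():
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(content):
                line = content.count("\n", 0, m.start()) + 1  # 1-based line of the match
                findings.append(Finding(path, line, kind, fingerprint(m.group(1))))
    return sorted(findings, key=lambda f: (f.path, f.line))


@dataclass(frozen=True)
class Alert:
    ts: str
    actor: str
    src: str
    action: str
    result: str
    fp: str


def detect_revoked_reuse(log_text: str, revoked: set[str], revoked_at: datetime) -> list[Alert]:
    """Flag every entry that presents a revoked credential after the revocation time.
    A denied attempt means someone still holds the stolen secret; an allowed one
    means rotation did not reach that system."""
    alerts = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))  # key=value pairs (assumed log format)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if fields.get("token_fp") in revoked and when >= revoked_at:
            alerts.append(Alert(ts, fields["actor"], fields["src"], fields["action"],
                                fields["result"], fields["token_fp"]))
    return alerts


# Constructed sample artefacts of the kinds the briefing lists. Nothing here is real.
SAMPLE_FILES = {
    "inventory/group_vars/db.yml": "db_url: postgresql://app:Sup3rS3cretPw@db.internal:5432/crm\n",
    "pipelines/.gitlab-ci.yml": 'variables:\n  REGISTRY_TOKEN: "ci_6f1c9a2e4b7d8f30c5e2a1b4"\n',
    "vpn/client.ovpn": ("client\nremote vpn.example.com 1194\n<key>\n-----BEGIN PRIVATE KEY-----\n"
                        "CONSTRUCTEDKEYMATERIALNOTAREALKEY\nSECONDLINEOFCONSTRUCTEDMATERIAL\n"
                        "-----END PRIVATE KEY-----\n</key>\n"),
    "docs/README.md": "No secrets here, just prose.\n",
}
REVOKED_AT = datetime(2025, 10, 3, 12, 0, tzinfo=timezone.utc)  # constructed rotation time
OLD_TOKEN_FP = fingerprint("ci_6f1c9a2e4b7d8f30c5e2a1b4")
OLD_DB_FP = fingerprint("Sup3rS3cretPw")
NEW_TOKEN_FP = fingerprint("ci_replacement_0a1b2c3d4e5f6789")
# Constructed audit log; the token_fp field (hash of the presented credential) is assumed.
SAMPLE_LOG = "\n".join([
    f"2025-10-03T08:12:44Z actor=ci-runner-7 token_fp={OLD_TOKEN_FP} action=registry.pull src=10.20.0.15 result=allowed",
    f"2025-10-03T14:01:10Z actor=svc-deploy token_fp={NEW_TOKEN_FP} action=pipeline.trigger src=10.20.0.16 result=allowed",
    f"2025-10-04T02:47:33Z actor=unknown token_fp={OLD_TOKEN_FP} action=api.projects.list src=203.0.113.45 result=denied",
    f"2025-10-04T03:10:05Z actor=app-backend token_fp={OLD_DB_FP} action=db.connect src=10.20.0.30 result=allowed",
])


def rotation_watch() -> tuple[list[Finding], list[Alert]]:
    """Step 1: inventory what was shared. Step 2: treat every inventoried
    fingerprint as revoked and watch the log for it."""
    findings = inventory_secrets(SAMPLE_FILES)
    revoked = {f.fp for f in findings}
    return findings, detect_revoked_reuse(SAMPLE_LOG, revoked, REVOKED_AT)


if __name__ == "__main__":
    findings, alerts = rotation_watch()
    for f in findings:
        print(f"inventory: {f.path}:{f.line} {f.kind} fp={f.fp}")
    for a in alerts:
        print(f"ALERT: {a.ts} {a.actor}@{a.src} presented revoked fp={a.fp} for {a.action} ({a.result})")
```

Run as a script it lists three inventory entries and two alerts. The pre-rotation use of the old CI token is not flagged, the denied attempt from an external address after rotation shows that the stolen token is still being presented, and the allowed database connection with the old password is the more urgent signal: that system was never updated, so the rotation is incomplete. Keying everything on fingerprints means the inventory can be shared with a SOC or a third-party provider without re-distributing the secrets themselves.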
Enjoy!
Sources used
- https://cybersecuritynews.com/red-hat-data-breach/
- https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/
- https://www.darkreading.com/application-security/red-hat-widespread-breaches-private-gitlab-repositories
- https://www.404media.co/red-hat-investigating-breach-impacting-as-many-as-28-000-customers-including-the-navy-and-congress/
- https://www.helpnetsecurity.com/2025/10/02/hackers-red-hat-github-breached-customer-data-stolen/