Red Hat GitLab Breach Results in Sale of Data From Private Repositories

October 8, 2025


Hacking group Crimson Collective was able to breach a self-managed GitLab instance used by the Red Hat consulting division, making off with about 570 GB of compressed data. The stolen data has since been seen for sale on Telegram channels.


Red Hat clients impacted, but GitLab not breached

The data reportedly includes system configurations, network architecture details and, in some cases, authentication tokens. About 800 customers are thought to be impacted. Red Hat clients include US government agencies as well as major technology and industrial companies, though it remains unclear exactly which organizations were affected or to what extent. FINRA reports having contacted individual member firms thought to be impacted.

Data was taken from over 28,000 repositories. This included about 800 Customer Engagement Reports (CERs), which contain most of the sensitive information. Red Hat revoked the threat actor's access after learning of the breach and engaged both the FBI and CISA, but samples posted to Telegram channels appear to confirm that the stolen information is genuine. In addition to authentication tokens and configuration information, impacted customers may have had an array of additional items exposed: OpenShift deployment blueprints, database URIs and credentials, CI/CD integration details and secret management links. Individually, many of these items are not especially damaging if leaked; together they give attackers a detailed map for planning targeted follow-on attacks. Any token, password or connection string that appeared in an affected report should be treated as compromised and rotated rather than assumed unused.
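The items listed above (database URIs with embedded credentials, bearer tokens, GitLab personal access tokens, CI variables holding API keys) are exactly what a secret scanner run over engagement reports and CI configuration before they are committed would catch. The following is an added example, not code from Red Hat, GitLab or the article: a small scanner that walks constructed sample files resembling a consulting report and a `.gitlab-ci.yml`, reports each credential-bearing string with the secret portion redacted, and uses a Shannon-entropy threshold to ignore low-entropy placeholders such as `changeme`. All file contents, hostnames and token values are constructed for the example; the GitLab token prefix `glpat-` is the real format, everything else is assumed.

```python
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # safe-to-log form of the match, secret portion removed


# Patterns for the secret shapes named in the article. Specific token formats
# are tried first; the generic key=value pattern runs only on lines with no
# more specific hit so that one token is not reported twice.
DB_URI = re.compile(
    r"""\b(?P<scheme>postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://"""
    r"""(?P<user>[^\s:@/]+):(?P<pw>[^\s@/]+)@(?P<rest>[^\s'"]+)"""
)
GITLAB_PAT = re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b")
BEARER = re.compile(r"\bBearer\s+(?P<tok>[A-Za-z0-9._~+/=-]{20,})")
GENERIC = re.compile(
    r"""(?i)(?P<key>\w*(?:password|passwd|secret|token|api[_-]?key))"""
    r"""\s*[:=]\s*['"]?(?P<val>[^\s'"]{8,})"""
)
ENTROPY_THRESHOLD = 3.0  # bits per character; placeholders sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for m in DB_URI.finditer(line):
            findings.append(Finding(path, lineno, "db-uri-with-password",
                                    f"{m['scheme']}://{m['user']}:***@{m['rest']}"))
            hit = True
        for m in GITLAB_PAT.finditer(line):
            findings.append(Finding(path, lineno, "gitlab-pat", "glpat-***"))
            hit = True
        for m in BEARER.finditer(line):
            findings.append(Finding(path, lineno, "bearer-token", f"Bearer {m['tok'][:4]}..."))
            hit = True
        if hit:
            continue
        for m in GENERIC.finditer(line):
            # Entropy check suppresses documentation placeholders like "changeme".
            if shannon_entropy(m["val"]) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-assignment", f"{m['key']}=***"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample content; hostnames, tokens and values are invented.
SAMPLE_FILES: Dict[str, str] = {
    "reports/acme-openshift-cer.md": (
        "# Customer Engagement Report (constructed sample)\n"
        "Cluster API: https://api.ocp.example.internal:6443\n"
        "DATABASE_URL=postgresql://app_user:Sup3rSecret@db.example.internal:5432/prod\n"
        "Registry pull: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaS1ib3QifQ."
        "q7Xk2mN9pL4rT6vB8wE1yZ3aC5dF7gH9' https://registry.example.internal/v2/\n"
        "db_password=changeme  # placeholder, low entropy, should not be reported\n"
    ),
    ".gitlab-ci.yml": (
        "variables:\n"
        "  GITLAB_TOKEN: glpat-Ab12Cd34Ef56Gh78Ij90\n"
        "  VAULT_ADDR: https://vault.example.internal\n"
        '  DEPLOY_API_KEY: "7f3a9c2e4b8d1f6a0c5e9b3d7a1f4c8e"\n'
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.redacted}")
```

Run as a pre-commit hook or over a checkout, the scanner reports the connection string, the bearer token, the GitLab token and the high-entropy API key, while leaving the `changeme` placeholder alone. The redacted form is what should go into tickets and logs; the raw match never should.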

Hacking group demands large ransom

The “Crimson Collective” group has a history dating back only to September 2025. It got off to a colorful start by launching its Telegram channel with the defacement of web servers that serve part of the Nintendo website. That first action also showed a willingness to embellish: the group claimed to have breached Nintendo and stolen internal files, but no evidence of anything beyond the defacement was ever produced.

The group also claimed a breach of major Colombian telecommunications firm Claro Colombia just a day after the Telegram channel was opened. It claims to have stolen over 50 million client invoices, along with financial files, Salesforce records, phone call logs and internal developer repositories, and has offered this data for sale for about $100,000 via Telegram. It has since raised its profile in the criminal underground by partnering with other prominent data extortion outfits under the “Scattered Lapsus$ Hunters” banner.

During the Red Hat breach the group claimed to have accessed data from the US National Security Agency (NSA), the US Navy, Bank of America and major US telecommunications providers, among others. None of these claims has been independently confirmed. It is also important to note that GitHub and GitLab themselves were not compromised in any way; the affected system was a self-managed instance that Red Hat operated on its own infrastructure. The hackers claim that they attempted to extort Red Hat but received no response, and that they even resorted to opening a support ticket, which they say was passed between departments before being answered with generic instructions to report a vulnerability to the security team.