Red Hat Confirms Major Data Breach

Tech giant Red Hat has acknowledged that it is investigating a security incident affecting its consulting arm, following public claims by a hacking group, Crimson Collective, that it gained unauthorized access to internal repositories and obtained sensitive customer data. While Red Hat affirms the breach, it says it “has no reason to believe” that its core product services or software supply chain is affected.

The hackers shared their claims on a Telegram channel launched on September 24, 2025. To support their assertions, they posted the full file directory, a list of supposedly stolen CERs, and several additional screenshots.

National Security Agency (NSA), The Department of Energy, The National Institute of Standards and Technology (NIST), IBM, Citi, Verizon, Siemens, Bosch, JPMorgan Chase, HSBC, Telefónica as well as other leading telecom providers, banks, and numerous other companies.

According to posts and evidence shared by Crimson Collective, the group alleges the following:

• They claim to have accessed private GitHub/GitLab repositories tied to Red Hat’s consulting business, extracting around 570 GB of compressed data across 28,000 internal repositories.
• Included in the haul: ~800 Customer Engagement Reports (CERs). These are Red Hat’s internal consulting deliverables for clients, which may contain detailed architecture diagrams, system configurations, network maps, access credentials, authentication tokens, database URIs, and operational notes.
• The group claims to have found authentication tokens, database connection strings, VPN configurations, CI/CD pipeline secrets, and other sensitive operational files capable of facilitating access to downstream customer environments.
• They say the incident occurred roughly two weeks ago.
• Crimson Collective also asserts that it attempted to extort Red Hat, but received only generic replies (e.g. referencing vulnerability disclosure channels) rather than meaningful engagement.
• As supporting proof, the group has published directory listings of repositories, a list of CERs (from 2020–2025), and some sample files via Telegram or Paste-like services.
• Among the named organizations in the exposed CERs are major institutions such as Bank of America, AT&T, T-Mobile, Walmart, the U.S. Navy’s Naval Surface Warfare Center, the FAA, Fidelity, the Mayo Clinic, and others.
• The hackers claim that they have already gained (or attempted to gain) access to some of the customers’ infrastructure, using the stolen credentials and tokens.

If accurate, these allegations point not just to a supply-side compromise at Red Hat, but also to a cascading risk to Red Hat’s customer base.

Red Hat has issued public statements acknowledging the incident, though with caveats.

Their main points are as follows:

• The incident is associated with Red Hat’s consulting arm, not its product engineering or core software repositories.
• The company says it “has initiated necessary remediation steps.”
• Red Hat claims it cannot verify the hackers’ allegations concerning stolen client CERs or data access.
• They emphasize that, at present, they “have no reason to believe” the issue impacts other Red Hat products, services, or their software supply chain.
• In clarifying the incident’s locus, Red Hat notes that the breach relates to a GitLab instance used solely for consulting engagements, rather than the main public or engineering code hosting infrastructure.
• Historically, Red Hat has managed supply chain risk — for example, in 2024 it disclosed that the XZ Utils compression library had been tampered with by a malicious actor, though that incident was quickly remediated.

Red Hat has declined to provide more granular details so far, including the breach vector, whether insider access was involved, how long the intruders had access, or which customers (if any) have been confirmed impacted.

Even if some claims are exaggerated or unverified, the scenario put forward by Crimson Collective is deeply concerning.

Below are key reasons why:

1. Consulting Documents as Attack Vectors

CERs are not generic documents — they often map real-world client architectures (e.g. cloud setups, network topologies, firewall rules, identity flows). If attackers obtain valid credentials or tokens inside them, they effectively hold a blueprint of target environments. This greatly accelerates lateral movement, privilege escalation, and targeted attacks.

2. Supply-Chain & Downstream Risk

Red Hat is a major component of many enterprise stacks (e.g. OpenShift, RHEL, integration tooling). If internal scripts, CI/CD pipelines, or secret management workflows are leaked, attackers could exploit those to pivot into customer systems — even if those systems are otherwise isolated or hardened. This is a classic example of compromise propagation via software supply chains.

3. Credential Reuse and Token Exposure

The risk is magnified if customers reuse credentials or tokens (e.g. same API keys across environments). A token exposed in a consulting doc could grant unwitting access to databases, storage accounts, monitoring tools, or management consoles.

4. Reputational & Legal Fallout

If customers’ sensitive data or system configurations have been exposed, Red Hat could face regulatory scrutiny, liability claims, or damage to trust among enterprise customers. Even perceived weakness in security practices can erode confidence — especially for a company built on open source and enterprise-grade offerings.

5. Challenges of Verification & Attribution

Red Hat’s inability (so far) to verify the hackers’ claims means uncertainty remains. Attackers may exaggerate or plant false data. On the flip side, silence or partial disclosures can hamper customers’ ability to respond or assess risk.

6. Scale of Potential Impact

The hackers claim 28,000 repositories and 800 clients may be affected. Whether fully accurate or not, that scale suggests a broad exposure surface. The leak allegedly spans years (2020–2025), meaning historical engagements could also be involved.

Critical questions remain unanswered:

• Breach Path & Vector: Was the attack via stolen credentials, misconfiguration, phishing, insider access, third-party dependency, or zero-day exploit?
• Scope of Verified Impact: Which customers were actually affected? Which systems or tokens were compromised?
• Depth of Access: Did hackers merely exfiltrate static project files, or did they gain write/run access?
• Duration & Detection: How long were the intruders inside? Did they operate stealthily?
• Remediation Progress: Which tokens, credentials, or systems have been rotated or secured?
• Notification to Affected Parties: Which customers have been or will be informed, and when?
• Legal/Regulatory Response: Will regulators demand disclosure or impose penalties, especially in jurisdictions with strict data protection laws?

Until these are clarified, both Red Hat and its customers must operate under uncertainty.

Even if you’re not directly named, this incident offers useful lessons and precautions:

1. Assume Compromise & Rotate Keys/Tokens Treat any tokens, API keys, database URIs, or embedded credentials (especially in consulting or project documents) as potentially compromised. Rotate them proactively.
2. Audit All Access Paths & Enforce Least Privilege Review who has access to what systems, especially via scripted deployment tools, automation pipelines, and IaC (Infrastructure as Code). Remove unused or stale privileges.
3. Check Configuration Drift & Infrastructure Integrity Compare live environments with known good baselines. Look for unexpected changes, unusual accounts, or wildcard permissions.
4. Strengthen Secrets Handling & Vaulting Use secrets management (e.g. HashiCorp Vault, AWS Secrets Manager) that decouples credentials from code and restricts their lifetime and scope.
5. Endpoint & Network Monitoring / Threat Detection Increase logging, monitor for anomalous behavior (e.g. unusual API calls, failed login attempts), and activate alerting for suspicious lateral movement.
6. Incident Response Readiness & Communication Plans Prepare to respond to breach claims or customer inquiries. Have legal, technical, and PR teams ready. Consider participating in threat intelligence sharing for early warnings.
7. Engage with Red Hat / Demand Transparency Affected customers should push Red Hat for detailed impact assessments, forensic evidence, and remediation steps. Consider seeking assurance or independent audit where possible.
8. Consider Cyber Insurance Implications If your organization carries cyber insurance, confirm coverage for supply-chain and third-party breach exposure, and ensure compliance with required security standards.

• Open Source & Trust Boundaries The incident underscores that open-source or public-facing vendors still host private or internal assets that, if compromised, can propagate risk. The boundary between “public” and “private” code must be tightly managed.
• Consulting Arm as Attack Surface Many technology firms have consulting or professional services divisions with access to customer environments. These arms may lack the same security rigor as core product teams, yet harbor sensitive client data and credentials.
• Escalation of Supply-Chain Threats This is part of a growing trend: attackers targeting not just target organizations, but their software providers, tools, and third-party consultants, to maximize leverage.
• Verification vs. Public Claims Not all hack claims are genuine, but even the plausibility of such a large-scale breach forces vendors and customers to zero-trust assumptions and stronger scrutiny.
• Legal Landscape & Disclosure Pressure In regulated jurisdictions, a breach of this magnitude (if validated) could trigger mandatory disclosure under data protection, financial, or critical infrastructure regulations. For enterprise software vendors, reputational risk is tightly correlated with security.

This event is a reminder that security isn’t limited to code—it also covers documents, scripts, and configurations. Organizations should revisit past engagements, verify that no configurations are exposed, and rotate credentials as a precaution.

If validated, the incident underscores the dangers of storing sensitive consulting data without robust protections and raises concerns about Red Hat’s response.

Red Hat, Inc. is an American software company, founded in 1993 and is a subsidiary of IBM. Headquarters in Raleigh, North Carolina and offices worldwide, the company provides open source software products to enterprises focusing on hybrid cloud, AI, automation, and application development