A hacking collective calling itself the Crimson Collective claims to have infiltrated Red Hat’s consulting operations, stealing an enormous cache of internal data. According to the group, nearly 570 gigabytes of compressed files were pulled from more than 28,000 development repositories hosted on a Red Hat GitLab instance.
Red Hat, a leading enterprise open-source software company, confirmed that it is investigating a security incident within its consulting division. The company acknowledged the breach of a GitLab instance used solely for consulting engagements but has refrained from confirming the attackers’ broader claims regarding the scale of data theft or specific customer exposure.
Data Allegedly Includes Sensitive Client Reports
The attackers claim the stolen data includes around 800 Customer Engagement Reports (CERs). These documents, prepared by Red Hat consultants for clients, often contain highly sensitive technical details such as infrastructure layouts, system configurations, authentication tokens, and recommendations for improvement.
Such information could be invaluable to hackers if leaked or sold, as it may provide a blueprint for infiltrating customer systems. The Crimson Collective alleges it discovered authentication tokens, full database connection details, and proprietary code within the compromised repositories—resources that could potentially be misused to access downstream customer environments.
Red Hat Confirms Breach But Minimizes Broader Impact
In response to reports of the breach, Red Hat stated that it had identified the incident and initiated remediation. The company emphasized that the issue was isolated to a GitLab environment used for consulting and stressed that its main product lines, services, and broader software supply chain remain unaffected.
Red Hat has not disclosed whether customer-facing reports were accessed or compromised. The company has also not confirmed whether affected clients have been formally notified, leaving questions about the scale of potential exposure.
How the Breach Reportedly Unfolded
According to the Crimson Collective, the intrusion took place roughly two weeks before it became public. The group claims to have exfiltrated repositories and consulting reports dating from 2020 to 2025.
To demonstrate its claims, the hackers posted what they described as a full directory listing of stolen files on Telegram. This listing included reports allegedly linked to high-profile organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the Federal Aviation Administration, the U.S. Navy’s Naval Surface Warfare Center, and even the U.S. House of Representatives.
If genuine, the documents could create serious risks for both corporate and government entities that have relied on Red Hat Consulting’s expertise.
A Failed Attempt at Extortion
The Crimson Collective also said it tried to contact Red Hat to demand extortion payments. However, the hackers allege the company only replied with a templated message directing them to submit a vulnerability report through official security channels.
The group claims that once it submitted a ticket, it was repeatedly reassigned between Red Hat’s security and legal teams without further meaningful communication. After failing to extract a response, the hackers began leaking evidence of their alleged haul through Telegram.
Red Hat has not publicly addressed the extortion claim.
Connection to Nintendo Defacement
The Crimson Collective has only recently begun surfacing in cybersecurity circles. Just last week, the group claimed responsibility for briefly defacing a Nintendo topic page, inserting its Telegram channel links and contact information. That incident was minor and quickly fixed, but the Red Hat breach represents a much more significant escalation.
If the group’s claims are accurate, the exposure of consulting documents containing customer-specific configurations and security tokens could give attackers direct pathways into critical infrastructure.
Risks for Customers and Industries
Customer Engagement Reports, the documents at the center of the breach, are particularly sensitive because they contain detailed insights into a client’s digital ecosystem. These may include architecture diagrams, firewall configurations, password vaults, and other details meant to help organizations improve security and efficiency.
If exposed, such data could be used by malicious actors to stage highly targeted attacks against the companies listed in the stolen directory. For major corporations, healthcare providers, and U.S. government agencies reportedly named in the leaked files, the risks range from financial loss and reputational damage to national security implications.
Security professionals caution that even if Red Hat has contained the breach, the leaked material could resurface on dark web markets or be used for long-term cyber campaigns against affected clients.
Red Hat’s Limited Response So Far
To date, Red Hat has only confirmed the GitLab breach within its consulting division and reiterated that its wider products and services remain uncompromised. Beyond those assurances, the company has provided little information about whether customers were impacted or how it is addressing the fallout.
It remains unclear whether Red Hat has engaged outside forensic experts, whether law enforcement is involved, or when clients might receive formal notification. For now, customers connected to Red Hat Consulting remain in the dark about whether their sensitive reports may be part of the stolen cache.




