Red Hat Breach: Crimson Collective Claims Massive Theft of Private Repositories
[Update] October 14, 2025: Crimson Collective Advertises Stolen Red Hat Data for Sale
[Update] October 7, 2025: Crimson Collective Aligns with ShinyHunters and Scattered Lapsus$ Hunters in New Extortion Attempt
[Update] October 3, 2025: Red Hat’s Official Security Update Regarding Crimson Collective’s Cyber Attack Claim
The recent Red Hat breach has quickly become a major talking point in the cybersecurity community. Reports surfaced after a group calling itself the Crimson Collective began sharing claims of access to Red Hat’s private repositories. The stolen data allegedly includes sensitive client documents, infrastructure details, and potentially exploitable secrets.
This blog post will walk through what happened, why it matters, and the potential consequences organizations should prepare for.
What Happened in the Red Hat Breach?
On October 1, 2025, a Telegram channel linked to the Crimson Collective shared evidence of a breach targeting Red Hat’s private repositories.
According to the threat actor, they exfiltrated around 570 GB of compressed data from more than 28,000 Red Hat repositories, including Customer Engagement Reports (CERs) – consulting documents known to contain configuration files, network architecture details, and even authentication tokens.

Crimson Collective’s message on Telegram, claiming a breach of Red Hat.
The proof shared by the group showed structured repository directories containing files such as Ansible playbooks, VPN settings, CI/CD pipeline runner configurations, and server inventories. They also posted links to encrypted Paste[.]to pages listing the full file tree and the allegedly stolen CERs.

The threat actors shared file trees and a list of CERs from the breach.
Based on the document listings published by the attackers, more than 800 customers may be affected. The organizations named include both commercial giants such as IBM, Citi, Siemens, Bosch, and Verizon, and U.S. government agencies including the NSA, the Department of Energy, NIST, and others. These names come from the attacker-supplied file tree and have not been confirmed individually by Red Hat.
Who is Behind the Red Hat Breach?
The Crimson Collective, which claims the Red Hat repositories breach, is an extortion group active on Telegram. Although the channel was only created on September 24, 2025, it already has nearly 350 subscribers.
Previous Breach Claims by Crimson Collective
On the same day the channel was created, they announced a defacement of Nintendo (nintendo.co.jp), likely to promote their operations.
On September 25, the group claimed a breach of Claro Colombia (claro.com.co), a telecommunications operator, alleging the theft of more than 50 million client invoices, as well as financial files, Salesforce records, phone call logs, and internal developer repositories.
Catch Data Leaks Early with SOCRadar
SOCRadar provides organizations with proactive tools to spot risks before they escalate. Its Dark Web Monitoring module keeps watch over underground forums, marketplaces, and Telegram channels to detect exposed credentials, stolen data, or brand mentions in real time. Meanwhile, Attack Surface Management offers a streamlined way to track external-facing assets and catch misconfigurations early.

Crimson Collective Group Claims to Have Breached Red Hat (SOCRadar Dark Web News)
What Type of Data Was Exposed in the Red Hat Breach?
The leaked CERs are particularly alarming. These are internal consulting documents that often include:
- Detailed infrastructure and cloud configurations
- OpenShift deployment blueprints
- Secret-management links
- Database URIs and credentials
- CI/CD integration details
- Authentication tokens with access to downstream systems
Such information gives attackers a clear view into a company’s architecture, drastically reducing the time needed to plan and execute follow-up intrusions. Any token, database URI, or key found in these documents should be treated as compromised and rotated, regardless of whether the attackers have been observed using it.
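The practical first step for anyone who has exchanged such documents with a consultancy is to find out which of them actually carry live credentials. The following scanner is an added example, not code from SOCRadar, Red Hat, or the threat actor: it walks a set of consulting artifacts (an Ansible playbook and a notes file, both constructed here with fake values) and reports AWS access key IDs, database URIs with embedded passwords, private key blocks, credential-style assignments, and secrets passed as CLI flags, while skipping vault references and placeholders so the findings can go straight to a rotation list. The document contents, paths, and the placeholder heuristics are assumptions for the illustration.

```python
"""Scan consulting artifacts for embedded secrets.

Added example, not SOCRadar's, Red Hat's or the attackers' code. The sample
documents below are constructed for this illustration; every key, host and
token in them is fake.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# One regex per secret class the post says CERs commonly carry; the value to
# report is always in the named group "secret".
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})"),
    # scheme://user:password@host, e.g. a database URI with the password inline
    "uri_with_credentials": re.compile(
        r"(?P<secret>[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@\S+)", re.I),
    "private_key_block": re.compile(
        r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    # name: value / NAME=value where the name looks like a credential
    "credential_assignment": re.compile(
        r"[\w-]*(?:token|password|passwd|secret|api[_-]?key)[\w-]*"
        r"\s*[:=]\s*['\"]?(?P<secret>[^\s'\"]{8,})", re.I),
    # secrets pasted as CLI flags into playbooks or shell history: --token <value>
    "cli_secret_flag": re.compile(
        r"--(?:token|password|secret)[=\s]+['\"]?(?P<secret>[^\s'\"]{8,})", re.I),
}

# Values that look like secrets but are references or placeholders (assumed list).
PLACEHOLDER = re.compile(
    r"^(\{\{.*\}\}|\$\{.*\}|<[^>]+>|x{3,}|change[_-]?me|example|redacted)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; a triage hint, not a verdict."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Report only a short prefix so the finding does not re-leak the secret."""
    return value[:4] + "..." if len(value) > 8 else "*" * len(value)


def scan_text(path: str, text: str) -> List[dict]:
    findings: List[dict] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("secret")
                if PLACEHOLDER.match(value) or (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({
                    "path": path, "line": lineno, "type": kind,
                    "redacted": redact(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def scan_documents(docs: Dict[str, str]) -> List[dict]:
    out: List[dict] = []
    for path, text in docs.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample artifacts (fake values, TEST-NET style hosts).
SAMPLE_DOCS: Dict[str, str] = {
    "cer/acme/ansible/deploy.yml": """\
- hosts: openshift_masters
  vars:
    registry_token: "{{ vault_registry_token }}"
    api_key: "${VAULT_API_KEY}"
    db_url: "postgresql://app:Sup3rS3cretPw@db.internal.example:5432/prod"
  tasks:
    - name: register ci runner
      shell: gitlab-runner register --token glrt-Ab12Cd34Ef56Gh78Ij90
""",
    "cer/acme/notes.md": """\
Cloud access for the migration project:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ssh key rotation scheduled; password = changeme until then
""",
}

if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"{f['path']}:{f['line']} {f['type']} {f['redacted']} (H={f['entropy']})")
```

The vault reference and the `${VAULT_API_KEY}` placeholder are deliberately not reported, and the `changeme` value is dropped as a placeholder; the two real Ansible findings (the database URI and the runner registration token) and the two AWS values in the notes file are what a rotation list needs. The redacted prefix is enough to match a finding back to the source line without copying the secret into a ticket.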
How Did Red Hat Respond to the Breach?
Red Hat acknowledged a security incident related to its consulting business, stating that remediation efforts are already underway. The company emphasized that they have “no reason to believe” the breach extends to other Red Hat services or compromises their software supply chain.
However, Crimson Collective paints a different picture. They claim to have contacted Red Hat through official channels but received only a generic vulnerability disclosure reply. Screenshots shared by the group show the ticket being assigned to multiple Red Hat personnel before going unanswered.

The threat actors claim they have also gained access to Red Hat’s client infrastructure.

Red Hat’s initial response to the threat actor (@IntCyberDigest on X)
Who is Affected by the Red Hat Breach?
The file tree from the alleged breach references many companies, including major players across sectors:
- Banking: JPMorgan, HSBC, Citi, Santander
- Telecom: Telefonica, Verizon, Telstra
- Healthcare: Mayo Clinic, Kaiser Permanente
- Government: U.S. Navy, FAA, U.S. Senate, DHS
- Tech: Adobe, Cisco, IBM, Ericsson
This cross-sector exposure suggests widespread implications, especially if the attackers obtained still-valid credentials or details of overlooked backend integrations.
Red Hat’s Official Security Update Regarding Crimson Collective’s Cyber Attack Claim
On October 2, Red Hat released a new security update confirming that the incident was tied to a specific GitLab environment used by its Consulting team. The company stated it had detected unauthorized access, removed the intruder’s access, isolated the environment, and notified the proper authorities.
According to the company, the affected GitLab instance contained consulting engagement data, such as project specifications, example code, and internal communications, but did not typically hold sensitive personal data.
Key points from Red Hat’s update:
- No impact on Red Hat products or supply chain: The company reiterated there is no evidence the issue affects other Red Hat services, products, or software downloads.
- Consulting customers only: The exposure is limited to consulting-related data. Red Hat has not found sensitive personal data within the compromised data so far, but investigations are ongoing.
- Direct outreach: Impacted consulting customers will be contacted directly by Red Hat.
- Additional security measures: The GitLab environment has been hardened to prevent further unauthorized access.
Red Hat also clarified that the incident is unrelated to the recently disclosed OpenShift AI vulnerability (CVE-2025-10725).
Crimson Collective Aligns with ShinyHunters and Scattered Lapsus$ Hunters in New Extortion Attempt
The Red Hat breach has taken another turn as the Crimson Collective, the group behind the original claims, forms new alliances to amplify its extortion efforts. Now, Scattered Lapsus$ Hunters and the notorious ShinyHunters have also joined in, leveraging the latter’s newly launched data leak extortion site to pressure Red Hat into paying a ransom.

Message on Scattered Lapsus$ Hunters site
A new listing for Red Hat has appeared on the ShinyHunters site, warning that the stolen data will be published on October 10 unless a ransom is negotiated. To support their claims, the attackers have released samples of Customer Engagement Reports (CERs) allegedly belonging to high-profile organizations including Walmart, HSBC, Bank of Canada, Atos Group, American Express, the U.S. Department of Defense, and Société Française du Radiotéléphone (SFR).
In a post to their Telegram channel, the Crimson Collective referred to the alliance as a new partnership and hinted at future joint operations, comparing it, ironically, to the creation of NATO. Red Hat has not yet commented on the latest extortion attempts.
Threat Actors Expand Attacks to AWS Environments
Security researchers have linked the Crimson Collective to a broader campaign targeting Amazon Web Services (AWS) accounts.
The group has been exploiting exposed long-term access keys and IAM misconfigurations to infiltrate cloud environments, escalate privileges, and exfiltrate data from S3 buckets and EC2 instances.
Using tools such as TruffleHog, an open-source secret scanner, the attackers identify valid credentials, create new IAM users with administrative access, and send extortion emails directly via AWS Simple Email Service (SES). AWS has since urged customers to rotate credentials, enforce least-privilege IAM policies, and monitor for unusual account activity. Because the campaign hinges on long-lived IAM user keys, replacing them with short-lived role credentials removes the foothold entirely, and the CreateUser / AttachUserPolicy / CreateAccessKey sequence from an unfamiliar source address is a reliable detection point in CloudTrail.
More technical details about this activity, including indicators of compromise (IOCs), are available in Rapid7’s full report.
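As an added example of the monitoring AWS recommends, the following detector is not code from AWS, Rapid7, or SOCRadar. It replays CloudTrail-shaped events and flags the chain described above: a long-term key (AKIA prefix) used from an address outside a known egress list, reconnaissance with GetCallerIdentity, a new IAM user, an administrator policy attached to it, a fresh access key for it, and finally SES SendEmail by the new user. The events, account ID, key IDs, user names, IP addresses, and the KNOWN_EGRESS allow-list are all constructed for the illustration.

```python
"""Detect the IAM-user backdoor chain in CloudTrail events.

Added example, not AWS's, Rapid7's or SOCRadar's code. The events below are
constructed to mimic CloudTrail records; the account ID, key IDs, user names
and IP addresses are fake, and KNOWN_EGRESS stands in for an organisation's
real allow-list of source addresses.
"""
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=60)                      # how long one chain may span
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
KNOWN_EGRESS = {"203.0.113.10"}                     # assumed corporate egress IPs
ACCOUNT = "123456789012"                            # fake account ID


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_iam_backdoor(events: List[dict]) -> List[dict]:
    """Return one alert per newly created IAM user that was granted admin rights.

    Steps recorded per chain: long-term key used from an unknown IP, recon via
    GetCallerIdentity, CreateUser, an admin policy attached or put inline,
    CreateAccessKey for the new user, and SES SendEmail performed by the new user.
    """
    events = sorted(events, key=lambda e: _t(e["eventTime"]))
    recon: Dict[str, datetime] = {}      # actor arn -> last GetCallerIdentity
    chains: Dict[str, dict] = {}         # new user name -> chain record
    for e in events:
        if e.get("errorCode"):           # failed calls are not chain steps
            continue
        ident = e.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        src, name, t = e["eventSource"], e["eventName"], _t(e["eventTime"])
        params = e.get("requestParameters") or {}
        target = params.get("userName")  # user the IAM call acts on, if any

        if src == "sts.amazonaws.com" and name == "GetCallerIdentity":
            recon[actor] = t
        elif src == "iam.amazonaws.com" and name == "CreateUser":
            steps = []
            if ident.get("accessKeyId", "").startswith("AKIA") \
                    and e.get("sourceIPAddress") not in KNOWN_EGRESS:
                steps.append("LongTermKeyFromUnknownIP")
            if actor in recon and t - recon[actor] <= WINDOW:
                steps.append("GetCallerIdentity")
            steps.append("CreateUser")
            chains[target] = {"new_user": target, "creator": actor,
                              "source_ip": e.get("sourceIPAddress"),
                              "start": t, "steps": steps, "admin": False}
        elif target in chains and t - chains[target]["start"] <= WINDOW:
            chain = chains[target]
            if src == "iam.amazonaws.com" and name == "AttachUserPolicy" \
                    and params.get("policyArn") == ADMIN_POLICY:
                chain["steps"].append("AttachUserPolicy:AdministratorAccess")
                chain["admin"] = True
            elif src == "iam.amazonaws.com" and name == "PutUserPolicy":
                chain["steps"].append(f"PutUserPolicy:{params.get('policyName')}")
                chain["admin"] = True    # inline policy on a brand-new user: treat as escalation
            elif src == "iam.amazonaws.com" and name == "CreateAccessKey":
                chain["steps"].append("CreateAccessKey")
        # Activity performed *by* the new user (userIdentity.userName), e.g. SES abuse
        if ident.get("userName") in chains and src == "email.amazonaws.com" \
                and name in ("SendEmail", "SendRawEmail"):
            chains[ident["userName"]]["steps"].append("SES:SendEmail")

    alerts = []
    for chain in chains.values():
        if chain["admin"]:
            sev = "critical" if "SES:SendEmail" in chain["steps"] else "high"
            alerts.append({**chain, "severity": sev})
    return alerts


def _ev(time, source, name, user, key, ip, params=None):
    """Build a minimal CloudTrail-shaped record (constructed for this example)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                             "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"}}


SAMPLE_EVENTS = [
    # leaked long-term key of ci-deploy used from an address outside KNOWN_EGRESS
    _ev("2025-10-01T09:58:10Z", "sts.amazonaws.com", "GetCallerIdentity",
        "ci-deploy", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23"),
    _ev("2025-10-01T10:01:02Z", "iam.amazonaws.com", "CreateUser",
        "ci-deploy", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23", {"userName": "backup-svc"}),
    _ev("2025-10-01T10:01:30Z", "iam.amazonaws.com", "AttachUserPolicy",
        "ci-deploy", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23",
        {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("2025-10-01T10:02:15Z", "iam.amazonaws.com", "CreateAccessKey",
        "ci-deploy", "AKIAIOSFODNN7EXAMPLE", "198.51.100.23", {"userName": "backup-svc"}),
    # the new user sends the extortion mail through SES
    _ev("2025-10-01T10:35:12Z", "email.amazonaws.com", "SendEmail",
        "backup-svc", "AKIA2NEWBACKDOORKEY0", "198.51.100.23",
        {"destination": {"toAddresses": ["security@victim.example"]}}),
    # benign: an admin at the corporate egress IP onboards a read-only user
    _ev("2025-10-01T11:30:00Z", "iam.amazonaws.com", "CreateUser",
        "admin-console", "AKIAADMINCONSOLEKEY0", "203.0.113.10", {"userName": "jdoe"}),
    _ev("2025-10-01T11:30:40Z", "iam.amazonaws.com", "AttachUserPolicy",
        "admin-console", "AKIAADMINCONSOLEKEY0", "203.0.113.10",
        {"userName": "jdoe", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]

if __name__ == "__main__":
    for a in detect_iam_backdoor(SAMPLE_EVENTS):
        print(a["severity"], a["new_user"], "created by", a["creator"], "->", a["steps"])
```

The rule keys on the new user rather than on the attacker's key, so it still fires when the attacker rotates to the freshly created credential before sending mail. A legitimate administrator granting AdministratorAccess to a new user will also be flagged; that is intended, since such grants should be rare enough to review by hand, and the source address and recon step in the alert make the benign case quick to close.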
Crimson Collective Advertises Stolen Red Hat Data for Sale
On October 13, the Crimson Collective announced that it is offering the Red Hat Consulting Backup dataset, reportedly 570GB of compressed material, for sale on its Telegram channel. The group listed the dataset’s “valuation” between $400,000 and $500,000 USD, claiming it had not been previously sold or distributed.
In an October 13 post on their Telegram channel, the Crimson Collective advertised two datasets for sale: ‘RedHat Consulting Backup’ & ‘Claro Colombia Internal Backup’
The same post also promoted alleged access to a 3TB dataset from Claro Colombia, priced between $50,000 and $100,000 USD, which the group said includes over 50 million client invoices and internal data. Both datasets are being marketed as “exclusive” and available only to “serious inquiries.”
The move comes amid ongoing extortion attempts involving ShinyHunters and Scattered Lapsus$ Hunters, which previously threatened to leak Red Hat’s stolen data by October 10 if no ransom was paid.
Conclusion
This event is a reminder that security extends beyond code: it also covers consulting documents, scripts, and configurations. Organizations that have engaged Red Hat Consulting should review those past engagements, check for configurations and tokens that may have been shared in CERs, and rotate any credentials they find as a precaution.
If the claimed scope is confirmed, the incident highlights the risks of storing sensitive consulting data without strong safeguards and raises questions about Red Hat’s handling of the group’s initial contact.