Hackers Claim Massive Haul From Red Hat’s Consulting GitLab, Exposing Hundreds of Major Companies

Red Hat has confirmed a breach of a self-hosted GitLab instance used by its consulting division, while a new group calling itself Crimson Collective claims it exfiltrated 570 GB of compressed data. The cache reportedly contains source code, credentials, configurations, and hundreds of Customer Engagement Reports that map client infrastructure. Red Hat says its core products and software supply chain are not affected, but the potential downstream risk to customers is significant.

The company says it detected unauthorized access, removed the intruder, isolated the system, and engaged authorities. The incident underscores how a single weak link in a service partner can ripple across a large client base.

What the attackers say they took and why it matters

Crimson Collective claims it pulled 570 GB from some 28,000 private repositories tied to Red Hat Consulting projects. The most sensitive material appears to be Customer Engagement Reports, or CERs. These reports often include environment diagrams, security assessments, configuration notes, and sometimes the secrets that make those environments run. For an attacker, that is a shortcut to understanding where to probe, how to authenticate, and which defenses to sidestep.

Early file listings circulating in security circles suggest references to organizations across finance, telecom, technology, and government. Names such as Bank of America, IBM, Verizon, T-Mobile, and U.S. agencies including the Navy and the FAA have been cited in discussions about the leaked folder names. If even a slice of those reports are genuine, the resulting exposure could enable highly targeted follow-on attacks. This aligns with how AI-assisted intrusion campaigns profile and automate exploitation once they get detailed environment data.

Early confusion gave way to a clearer picture

Initial chatter pointed to Red Hat’s private GitHub. Red Hat later clarified the affected system was a self-managed GitLab instance used by its consulting team, separate from its core engineering and product delivery infrastructure. GitLab has said there was no compromise of its hosted platform and reminded customers that self-hosted security is a customer responsibility.

What we know about timing and tradecraft

Crimson Collective surfaced publicly in late September and started posting breach claims in early October. Red Hat has not shared the exact intrusion vector. Based on what has been claimed, the attackers likely harvested repositories at scale, sifted for embedded credentials in reports and configuration files, and tried to pivot into client environments. This playbook echoes other recent supply chain and vendor-adjacent incidents, where attackers convert one foothold into many.

Why downstream exposure is the main concern

The immediate Red Hat system has been isolated. The bigger worry is what adversaries can do with detailed environment maps and secrets from customer-facing work. Security teams are treating the leak as a potential blueprint for lateral movement. Incidents like the Okta support case compromise and the MOVEit exploitation showed how quickly vendor-originated data can fuel widespread targeting. The same principle applies here. Knowing what works in defense often starts with inventorying where your data and credentials live outside your walls.

The group has hinted at access to some customer systems. Those claims have not been verified, yet they are enough to prompt precautionary credential rotation and closer monitoring. It is a reminder that perimeter security is only part of the story. Partner and supplier controls matter just as much when consultants touch production-like data or live environments, especially when data security concerns already run high.

What Red Hat says and what happens next

Red Hat says it removed unauthorized access, isolated the consulting GitLab, and notified law enforcement. The company is contacting customers with potential exposure tied to that instance. It emphasized that product development, software downloads, and its software supply chain remain secure. The investigation continues.

Steps organizations are taking now

Companies that have worked with Red Hat Consulting are moving fast. Teams are rotating credentials, API keys, and tokens that may have been shared during engagements. They are reviewing identity provider and VPN logs, checking for unusual access patterns, and tightening network controls around admin interfaces and jump hosts. Detecting leaked secrets in internal code and CI pipelines is another priority, along with revoking and reissuing long-lived tokens.

Recommended Tech

In the wake of breaches like this, where personal and corporate data can be exposed, it’s more important than ever to safeguard your digital identity. The TechBull recommends considering a comprehensive service like Aura, which offers all-in-one protection against identity theft, financial fraud, and online threats. It can monitor your credentials, alert you if they appear in data breaches, and help you secure your accounts before attackers can exploit them.

If in-house coverage is thin, bringing in outside help for rapid triage can speed up containment. Platforms like Fiverr offer access to freelance incident responders and cloud security assessors who can perform targeted reviews and harden the most exposed paths.

What this breach teaches the wider market

This event shows how much trust we place in consulting workflows and how often sensitive material drifts into documentation and repos. Secrets should be ephemeral and vaulted, not parked in reports or code. Least privilege and time-bound access should be the default when third parties touch core systems. The practical lesson is simple. Audit what partners can see, minimize what they store, and expire everything else quickly. Understanding why IT security is a shared responsibility helps reduce the blast radius when something goes wrong.

FAQ