Red Hat has confirmed a security incident after hackers broke into one of its GitLab instances used for consulting work. The breach was first reported by an extortion group called the Crimson Collective, which claimed to have stolen 570GB of data from 28,000 internal repositories.
The stolen data may include around 800 Customer Engagement Reports (CERs). These reports contain technical details about customer networks, configuration information, and authentication tokens. While the data is sensitive, Red Hat says it has no reason to believe personal information was exposed.
Red Hat clarified that the breach only affected its GitLab instance, not GitHub or any other Red Hat services. The company said, “The security and integrity of our systems and the data entrusted to us are our highest priority. We are confident that no other Red Hat services or products were affected.”
The hackers said the attack happened about two weeks ago. They claimed to have found authentication tokens, database URIs, and other internal information in Red Hat’s code and CERs. The group tried to contact Red Hat with an extortion demand, but only received a standard reply asking them to submit a vulnerability report.
The hackers later published a directory listing of the stolen repositories and CERs on Telegram. The CERs are said to include information from 2020 to 2025 and to cover organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Walmart, Costco, Mayo Clinic, Kaiser, the U.S. Navy, the FAA, and the U.S. House of Representatives.
Red Hat said it detected the unauthorized access and immediately started an investigation. The company removed the hackers’ access, isolated the GitLab instance, and contacted authorities. Red Hat has also added extra security measures to prevent future attacks.
The company confirmed that the GitLab instance only supports its Consulting division, and the breach does not affect other products or software downloads. Red Hat is now reaching out to customers who may be impacted.
GitLab confirmed that its platform was not compromised. The issue only affected Red Hat’s self-managed GitLab instance, which the company is responsible for securing.