Red Hat Consulting GitLab breach raises concerns over customer data exposure
Red Hat has confirmed a security incident affecting a Red Hat Consulting GitLab instance. A group calling itself Crimson Collective claims to have stolen 570GB of data from 28,000 repositories, allegedly including sensitive Customer Engagement Reports. Over 800 major organizations may be affected.
What you need to know
- Red Hat has confirmed a mid-September security incident affecting a Red Hat Consulting GitLab instance.
- A group calling itself Crimson Collective claims to have stolen 570GB of data, including around 28,000 internal repositories.
- The attackers allege that the data includes Customer Engagement Reports (CERs) with sensitive details such as architecture diagrams, access tokens, and configuration information.
- Red Hat is investigating and has not confirmed the attackers’ claims or the scope of data exposure.
- Customers working with Red Hat Consulting should review engagements for potential exposure and monitor for unusual activity.
Red Hat confirms GitLab breach
Red Hat has confirmed a security incident involving one of its Red Hat Consulting GitLab instances (initially incorrectly reported as GitHub) after cybercriminals claimed to have stolen a large trove of internal data. The breach was first disclosed in a Red Hat blog post, which stated that unauthorized access was detected in mid-September 2025. According to Red Hat, the affected instance has been isolated while investigations continue.
Claims of large-scale data theft
A group identifying itself as the Crimson Collective has claimed responsibility, asserting that it exfiltrated 570GB of data spanning approximately 28,000 repositories. The group has also released directory listings and claims to be in possession of Customer Engagement Reports (CERs) created during Red Hat Consulting projects. Such reports may contain technical details such as network and system diagrams, authentication credentials, and configuration data.
Based on publicly released directory listings, over 800 organizations may be affected to some degree, including major commercial companies in banking, telecom, healthcare, and tech, as well as several US government agencies.
Red Hat’s response
Red Hat has acknowledged the incident but has not verified the extent of the attackers’ claims. The company emphasized that its product source code repositories remain unaffected, clarifying that the breach was limited to the consulting GitLab environment.
Read the full statement on the Red Hat blog.
Risks for Red Hat Consulting clients
If the attackers’ claims are accurate, the breach could pose significant risks to Red Hat Consulting clients. CERs are designed to provide customers with tailored guidance and often include sensitive information about enterprise systems and deployments. Unauthorized access to these documents could enable attackers to target client environments directly, using the insights from Red Hat’s consulting work to exploit weaknesses.
“If it’s true that CERs were exposed, then the consequences could be very serious,” notes Bogdan Calin, Principal Security Researcher at Invicti Security. “Attackers might be able to map out network topologies to aid lateral movement, including the locations of any security appliances like WAFs or IDS/IPS. Some CERs could include credentials or other auth and identity information, such as the use and configuration of SSO and MFO. Even just information about specific products and vendors used internally can help with supply-chain attacks.”
Next steps and recommendations
While Red Hat has downplayed the immediate impact of the incident, it has urged customers to remain vigilant and is working with affected clients directly. The company has also reported the incident to relevant authorities and stated that it continues to investigate the full impact.
For all organizations that have engaged Red Hat Consulting, recommended immediate actions include:
- Reviewing recent consulting deliverables for sensitive data exposure
- Rotating credentials and tokens that may have been shared during consulting engagements
- Monitoring systems for suspicious access attempts that could indicate targeted follow-up attacks
As more details emerge, Red Hat customers and the broader community will be watching closely to assess the true scale of the breach and its potential downstream impacts. We will update this post as new information becomes available.