Red Hat confirmed a breach of its internal GitLab server

Red Hat announced a breach of the company's internal GitLab server. The ransomware group Crimson Collective claims to have stolen nearly 570 GB of data from 28,000 internal development repositories.


This data allegedly includes about 800 customer engagement reports (CERs), which may contain sensitive information, including infrastructure details, configuration data, authentication tokens, etc., that could be used to breach customer networks.

Initially, Red Hat stated it had encountered a security incident related to its consulting business. The company noted that there was no reason to believe that this security issue affected any other services or products.

The company has now confirmed that the security incident was related to a data leak from a GitLab instance used exclusively for Red Hat Consulting projects.

The hackers themselves told BleepingComputer that they carried out the attack about two weeks ago. They allegedly found authentication tokens, full database URIs, and other sensitive information in Red Hat's code and CERs to gain access to customer infrastructure. The hacker group also published a full list of allegedly stolen GitLab repositories and a list of CERs from 2020 to 2025 on Telegram. The lists include organizations and agencies such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Naval Surface Warfare Center, the Federal Aviation Administration, the House of Representatives, and many others.

The hackers stated that they tried to contact Red Hat but received no response other than a request to submit a vulnerability report to the security team. According to them, the created ticket was repeatedly forwarded to other individuals, including employees from the legal and security departments of the company.

The company told BleepingComputer: 'Upon discovering the leak, we immediately launched a thorough investigation, revoked the unauthorized party's access, isolated the instance, and contacted the relevant authorities. Our ongoing investigation has shown that an unauthorized third party accessed and copied some data from this instance. We have implemented additional security measures designed to prevent further access and contain the issue.'

Red Hat confirmed that the incident involved CER reports but noted that the documents generally do not contain personal information. The company is currently contacting the affected customers.

GitLab reported that neither its platform nor its user accounts were compromised, emphasizing that the incident only affected a self-managed Community Edition instance, and that customers are responsible for the security of these installations.

Previously, Red Hat introduced the Red Hat Enterprise Linux for Business Developers initiative, which allows enterprises to use the Red Hat Enterprise Linux 10 distribution for free to develop and test applications. Each participant in the Red Hat Developer program can run up to 25 instances of the distribution in test environments for free.
