Red Hat GitLab Breach: 570GB of Consulting Data Stolen – Official Statement & What You Need to Know

Breaking News: Red Hat Confirms Major GitLab Security Breach

Update – October 3, 2025: Red Hat has officially confirmed a significant security incident involving unauthorized access to its GitLab instance used by Red Hat Consulting. The breach, claimed by the threat actor group “Crimson Collective,” allegedly exposed approximately 570GB of sensitive consulting data from 28,000 internal repositories, potentially affecting major organizations including government agencies and Fortune 500 companies.

IMPORTANT: This breach affected Red Hat’s GitLab instance, NOT GitHub as some initial reports incorrectly stated. Red Hat has clarified this was specifically their consulting team’s GitLab environment.

Official Red Hat Statement

Red Hat published an official security update on their blog, stating:

“We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities.”

Official Red Hat Security Advisory: Security update: Incident related to Red Hat Consulting GitLab instance

Red Hat Customer Portal: Security Update Article (Customer Portal)

What Was Breached: GitLab, Not GitHub

To clarify the confusion in early reports:

  • BREACHED: Red Hat’s private GitLab instance used by Red Hat Consulting
  • NOT AFFECTED: GitHub repositories, Red Hat’s main product infrastructure, or software supply chain
  • SCOPE: Limited to consulting engagement data only

Red Hat explicitly stated: “The attack is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub.”

Breach Details and Timeline

When It Happened

  • September 24, 2025: Crimson Collective created their Telegram channel and shared initial proof of breach
  • Mid-September 2025: Estimated time of unauthorized access (approximately 2 weeks before public disclosure)
  • October 2, 2025: Red Hat published official security update
  • October 3, 2025: Ongoing investigation and customer notifications

What Was Stolen

According to the threat actors’ claims and Red Hat’s confirmation:

  • Data Volume: Approximately 570GB of compressed data
  • Repositories: Claims of 28,000+ internal development repositories accessed
  • Customer Engagement Reports (CERs): Approximately 800 consulting documents
  • Sensitive Information: Configuration files, network architecture diagrams, authentication tokens, and internal communications

What CERs Contain

Customer Engagement Reports are detailed consulting documents that may include:

  • Infrastructure specifications and network topology
  • Configuration files and system settings
  • Authentication tokens and API credentials
  • Database connection strings and URIs
  • Project code examples and snippets
  • Internal communications about consulting services

Potentially Affected Organizations

Based on the leaked directory listings, the following organizations may have had consulting data exposed:

Government Agencies

  • U.S. Navy (Naval Surface Warfare Center)
  • Federal Aviation Administration (FAA)
  • Department of Homeland Security (DHS)
  • U.S. Senate and House of Representatives
  • National Security Agency (NSA) – alleged

Financial Institutions

  • Bank of America
  • Fidelity Investments
  • Capital One
  • Various other banking institutions

Major Corporations

  • T-Mobile
  • AT&T
  • Walmart
  • Costco
  • Kaiser Permanente
  • Mayo Clinic
  • Amazon
  • Microsoft

Note: Presence in the directory listing indicates Red Hat provided consulting services to these organizations, but does not necessarily confirm data exposure for all listed entities.

The Threat Actor: Crimson Collective

Who They Are

Crimson Collective is a relatively new threat actor group that emerged in September 2025. They operate an extortion model, stealing data and threatening public release unless demands are met.

Their Claims

  • Exfiltrated 570GB of compressed data from Red Hat’s GitLab
  • Accessed over 28,000 private repositories
  • Discovered authentication tokens and credentials in code and CERs
  • Claimed to use stolen credentials to access downstream customer infrastructure

Other Activities

On the same day they announced the Red Hat breach (September 24, 2025), Crimson Collective also claimed responsibility for defacing Nintendo systems as part of their initial operations.

What Red Hat Says Is NOT Affected

Red Hat has been clear about the scope limitations:

✅ NOT Compromised

  • Product Infrastructure: RHEL, Fedora, CentOS Stream, and other Red Hat products remain secure
  • Software Supply Chain: No impact to software downloaded from official Red Hat channels
  • Package Repositories: RPM packages and container images are unaffected
  • Customer Portal: access.redhat.com and subscription services remain secure
  • GitHub Repositories: Red Hat’s GitHub presence is NOT affected
  • Non-Consulting Customers: If you don’t use Red Hat Consulting, you’re likely not impacted

❌ What IS Affected

  • Red Hat Consulting GitLab: The specific instance used for consulting engagements
  • Customer Engagement Reports: Consulting documents for select customers
  • Consulting Project Data: Internal collaboration data for consulting work

Red Hat’s Response and Remediation

Immediate Actions Taken

  1. Access Removed: Unauthorized party’s access was immediately revoked
  2. Instance Isolated: The affected GitLab instance was isolated from other systems
  3. Investigation Launched: Comprehensive forensic investigation initiated
  4. Authorities Notified: Law enforcement and appropriate authorities contacted
  5. Customer Notifications: Affected consulting customers being contacted directly

Ongoing Measures

  • Continuous monitoring for unauthorized access attempts
  • Review of security controls on consulting infrastructure
  • Assessment of data exposure for each affected customer
  • Regular updates through official channels

Security Implications and Risks

For Affected Organizations

Organizations whose CERs were exposed face several potential risks:

  • Credential Compromise: Authentication tokens and API keys in CERs could be used for unauthorized access
  • Infrastructure Exposure: Network diagrams and configurations reveal attack surface
  • Lateral Movement: Threat actors could use exposed information to pivot into customer networks
  • Supply Chain Risks: Database URIs and connection strings could expose backend systems

Recommended Actions

  1. Rotate Credentials: Immediately rotate all authentication tokens, API keys, and credentials that may have been in consulting documents
  2. Review Access Logs: Check for unauthorized access attempts using potentially compromised credentials
  3. Update Configurations: Change database connection strings and other sensitive configurations
  4. Monitor Network Traffic: Watch for unusual activity patterns that could indicate breach attempts
  5. Implement Additional Controls: Add extra authentication layers where possible
  6. Contact Red Hat: Reach out to your Red Hat account team for specific guidance

Industry Expert Analysis

Consulting Data Sensitivity

Security experts note that consulting engagement reports are particularly valuable to threat actors because they often contain:

  • Real-world infrastructure configurations from major organizations
  • Working examples of enterprise security implementations
  • Credentials and access tokens used in actual production environments
  • Detailed network maps showing security architecture

Supply Chain Concerns

While Red Hat maintains the software supply chain is unaffected, security researchers emphasize the importance of:

  • Verifying package signatures and checksums
  • Monitoring for any unusual updates or changes
  • Reviewing Red Hat security advisories regularly
  • Maintaining defense-in-depth strategies

How to Verify If You’re Affected

For Red Hat Consulting Customers

  1. Check Communications: Red Hat is directly contacting affected consulting customers
  2. Review Your Engagement: If you’ve worked with Red Hat Consulting in the past year, contact your account team
  3. Monitor Official Channels: Watch for updates on Red Hat’s security blog and customer portal
  4. Proactive Measures: Even if not notified, consider rotating credentials as a precaution

For Other Red Hat Customers

According to Red Hat: “If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident.”

However, best practices include:

  • Stay informed through official Red Hat security advisories
  • Ensure systems are fully patched and updated
  • Monitor for any unusual activity
  • Review access controls and authentication mechanisms

Lessons for Enterprise Security

Key Takeaways

  1. Segmentation Matters: Red Hat’s isolation of consulting infrastructure limited the breach scope
  2. Sensitive Data in Code: Hardcoded credentials and tokens in repositories create risk
  3. Consulting Documents: CERs and similar documents should be treated as highly sensitive
  4. Rapid Detection: Early detection and response minimized potential damage
  5. Transparency: Clear communication helps affected parties take protective action

Best Practices

  • Secrets Management: Use dedicated secrets management solutions (HashiCorp Vault, AWS Secrets Manager)
  • Code Scanning: Implement automated scanning for credentials in code repositories
  • Access Controls: Apply principle of least privilege to all repositories
  • Audit Logging: Maintain comprehensive logs for GitLab/GitHub access
  • Regular Reviews: Periodically audit repositories for sensitive information
  • Incident Response: Have plans ready for git repository compromises
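The "Code Scanning" and "Sensitive Data in Code" points above describe exactly the material the article says ended up in the consulting repositories and CERs: API tokens and database connection strings. The following is an added example (not Red Hat's tooling or anything from the page) of a minimal scanner that flags such strings in a set of files and reports them redacted; the file paths and sample contents are constructed, and the GitLab token prefix is assumed from the current GitLab documentation rather than taken from the article.

```python
import re
from dataclasses import dataclass

# Most specific patterns first; the first pattern that matches a line wins.
# Assumed prefix for GitLab personal access tokens: "glpat-".
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "db_uri": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:[^\s@/]+@\S+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the full secret is never written to a report or log

def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"

def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
                break  # one finding per line, most specific pattern first
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its content (read from a checkout in practice)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample input shaped like the artifacts the article describes.
SAMPLE_FILES = {
    "cer/acme-openshift.md": (
        "## Cluster access\n"
        "token: glpat-ABCDEFGHIJKLMNOPQRSTUV\n"
        "DATABASE_URL=postgresql://app:Sup3rS3cret@db.internal:5432/prod\n"
    ),
    "ansible/group_vars/all.yml": "ntp_server: time.example.internal\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run as a pre-commit hook or CI job over a checkout, any non-empty result should block the push; the patterns here are a starting point, not a substitute for a maintained secret-scanning tool.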

GitLab vs GitHub: Understanding the Difference

Since there was initial confusion about which platform was breached:

Platform | Red Hat Usage                                | Breach Status
GitLab   | Self-hosted instance for Red Hat Consulting  | ✗ BREACHED
GitHub   | Public and some internal development         | ✓ NOT AFFECTED

Why the confusion? Early reports misidentified the platform. Red Hat quickly clarified it was their private GitLab instance, not GitHub.

Ongoing Developments

This is a developing story. Key areas to watch:

  • Investigation Findings: Red Hat’s forensic analysis may reveal additional details
  • Customer Impact: More information about which organizations were specifically affected
  • Threat Actor Actions: Whether Crimson Collective publishes or sells the stolen data
  • Legal Actions: Potential law enforcement investigations and prosecutions
  • Security Improvements: Changes Red Hat implements to prevent future incidents

Official Resources and References

Red Hat Official Communications

For Red Hat Customers

  • Contact your Red Hat account team directly
  • Monitor the Customer Portal for updates
  • Review security best practices documentation
  • Subscribe to Red Hat security mailing lists

Frequently Asked Questions

Was this GitHub or GitLab that was breached?

This was GitLab, specifically a private GitLab instance used by Red Hat Consulting. Initial reports incorrectly stated it was GitHub, but Red Hat clarified that it was their self-hosted GitLab environment. Their GitHub repositories were NOT affected.

Are Red Hat Enterprise Linux and other products compromised?

No. Red Hat explicitly states they have “no reason to believe the security issue impacts any of our other Red Hat services or products” and are “highly confident in the integrity of our software supply chain.” The breach was limited to the consulting team’s GitLab instance.

How do I know if my organization’s data was exposed?

Red Hat is directly contacting affected consulting customers. If you’re a Red Hat Consulting customer and haven’t been contacted, you should still reach out to your account team proactively. If you’re not a consulting customer, Red Hat states there’s currently no evidence you’ve been affected.

What should I do if I’m an affected organization?

Immediately rotate all credentials, authentication tokens, and API keys that may have been in consulting documents. Review access logs for unauthorized activity, update sensitive configurations, and contact your Red Hat account team for specific guidance on your engagement.

Can I still trust Red Hat software and packages?

Yes. The breach affected only the consulting GitLab instance, not the software development or distribution infrastructure. Continue to download software from official Red Hat channels, verify package signatures, and follow normal security practices.

Who is Crimson Collective and what do they want?

Crimson Collective is a relatively new threat actor group that emerged in September 2025. They operate an extortion model, stealing data and threatening to publish it unless demands are met. They’ve also claimed other breaches and defacements.

Will the stolen data be published online?

This remains uncertain. Extortion groups typically demand payment before publishing data. Organizations should assume the data could become public and take appropriate protective measures regardless of whether it’s published.

How did the attackers gain access to the GitLab instance?

Red Hat has not yet publicly disclosed the attack vector. The investigation is ongoing, and details about how unauthorized access was obtained may be shared once the forensic analysis is complete.

What are Customer Engagement Reports (CERs) and why are they sensitive?

CERs are detailed consulting documents that Red Hat creates for clients. They often contain infrastructure specifications, network architecture, configuration files, authentication tokens, database connection strings, and other sensitive technical information about customer environments.

Should I change my Red Hat Customer Portal password?

While the Customer Portal was not affected, changing passwords as a general security practice is always recommended. Use strong, unique passwords and enable two-factor authentication where available.

Conclusion

The Red Hat GitLab breach serves as a critical reminder that even leading enterprise software companies can fall victim to sophisticated cyber attacks. What’s particularly concerning is the sensitivity of consulting engagement reports, which contain real-world infrastructure details and credentials that could be weaponized against affected organizations.

Red Hat’s response has been relatively swift and transparent, with clear communication about what was and wasn’t affected. The company’s architectural decision to segregate consulting infrastructure from product development and software supply chain infrastructure appears to have limited the blast radius of this incident.

For Red Hat Consulting customers: Take immediate action to rotate credentials, review access logs, and implement additional security controls. Don’t wait for official notification; be proactive in protecting your infrastructure.

For all Red Hat users: Continue following security best practices, keep systems updated, and monitor official Red Hat channels for updates. The integrity of Red Hat’s software supply chain remains intact.

For the broader IT community: This incident highlights the critical importance of secrets management, repository security, and the risks associated with storing sensitive customer information in development environments.

Stay tuned to The Linux Club for ongoing updates as this story develops. We’ll continue monitoring official statements, investigation findings, and any new developments in this significant security incident.

Last Updated: October 3, 2025

Official Red Hat Statement: https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance

About the Author: Ramesh Sundararamaiah

Red Hat Certified Architect

Ramesh is a Red Hat Certified Architect with extensive experience in enterprise Linux environments. He specializes in system administration, DevOps automation, and cloud infrastructure. Ramesh has helped organizations implement robust Linux solutions and optimize their IT operations for performance and reliability.

Expertise: Red Hat Enterprise Linux, CentOS, Ubuntu, Docker, Ansible, System Administration, DevOps