
Red Hat confirmed unauthorized access to its GitLab instance containing project data, and while no personal details were found, analysts warn that leaked credentials, VPN profiles, and customer engagement reports (CERs) may pose phishing and security risks.
Red Hat has disclosed a security incident involving unauthorized access to its consulting division’s self-managed GitLab instance, resulting in the exposure of customer engagement data. The company emphasized that the breach did not impact its core products, supply chain, or services.
In a recent security advisory, Red Hat said the compromised GitLab environment was used internally for consulting projects. The breach was linked to a group calling itself Crimson Collective, which claimed responsibility via Telegram and alleged it had exfiltrated around 570GB of data from over 28,000 projects, including approximately 800 customer engagement reports.
Scope of exposure and customer impact
Red Hat said its investigation, still ongoing, confirmed that a third party accessed and copied data from the GitLab instance, which typically contains project materials such as code samples, internal communications, and specifications. The company has since blocked the unauthorized access and implemented further security measures.
While Red Hat has not found sensitive personal data in the compromised materials so far, cybersecurity analysts warn the breach could be more serious. Leaked data reportedly includes credentials, VPN profiles, CI/CD secrets, and infrastructure blueprints. Analysts from ZeroFox noted that customer engagement reports (CERs) may contain names, emails, and phone numbers—valuable information for potential phishing or social engineering attacks.
A leaked file tree suggests the incident could affect major organizations including Adobe, Citi, Boeing, HSBC, and several U.S. federal agencies. British cybersecurity expert Kevin Beaumont estimated the full dataset could amount to nearly a terabyte once uncompressed.
Crimson Collective and broader activity
Crimson Collective first appeared online in late September and has since claimed multiple breaches, including of Nintendo and Claro Colombia. Cyber intelligence firm SOCRadar reports the group focuses on exploiting misconfigured cloud environments and exposed credentials, using Telegram to leak stolen data and pressure victims.
Red Hat confirmed that this breach is unrelated to a separate vulnerability (CVE-2025-10725) disclosed the day prior, which affects Red Hat OpenShift AI. That flaw allows privilege escalation and could potentially lead to full platform compromise if exploited.
Red Hat says it is continuing to notify affected customers and is committed to transparency as its investigation progresses.