Red Hat confirms breach claimed by Crimson Collective, which allegedly stole almost 570 GB and 28,000 private projects from GitHub
Red Hat confirmed a security incident in its consulting business following statements by the extortion group "Crimson Collective", which claims to have stolen almost 570 GB of data and 28,000 private GitHub repositories, including around 800 customer engagement reports (CERs).
***
- Crimson Collective claims to have stolen 570 GB of compressed data and 28,000 internal GitHub projects.
- The attackers claim to have found tokens, database URIs and about 800 CERs that could expose customer infrastructure.
- Red Hat confirmed the incident in its consulting business but did not verify the allegations about the magnitude of the theft.
Red Hat confirmed that it suffered a security incident related to its consulting business, after the self-styled extortion group Crimson Collective claimed to have accessed private repositories on GitHub and stolen a large amount of data. The news was originally reported by Lawrence Abrams at BleepingComputer on October 2, 2025, 02:15 am, and since then it has generated concern in the financial and health sectors.
What the attackers report
The group that identifies itself as Crimson Collective told BleepingComputer that it gained access to Red Hat's private GitHub repositories and extracted almost 570 GB of compressed data. According to the publication, the archives correspond to 28,000 internal projects.
The attackers also said that the stolen materials include approximately 800 customer engagement reports, known as CERs. BleepingComputer reported that these CERs cover customers and contracts from 2020 to 2025.
A CER is a consulting document prepared for customers that often contains infrastructure details, configuration data, authentication tokens and other sensitive information. The attackers claimed to have found authentication tokens, complete database URIs and other private information within the code and the CERs.
Crimson Collective said it used that information to access downstream customer infrastructure. The source cited by BleepingComputer also indicated that the hackers published a list of supposedly stolen repositories and a list of CERs on Telegram.
The published list, according to the report, includes well-known organizations across multiple sectors: Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the Naval Surface Warfare Center of the United States Navy, the Federal Aviation Administration and the House of Representatives, among others.
Red Hat response and investigation status
Red Hat issued a statement acknowledging that “it has knowledge of reports on a security incident related to our consulting business and we have initiated the necessary remediation measures.” The company added that “the security and integrity of our systems and the data entrusted to us are our top priority.”
In the same communication, Red Hat said: “At this time, we have no reason to believe that the security problem affects any of our other Red Hat services or products and firmly trust the integrity of our software supply chain.” The company, however, did not publicly verify the figures or the list of CERs that the attackers mentioned.
According to BleepingComputer's coverage, the hackers said the intrusion occurred approximately two weeks before the report. In addition, the attackers stated that they tried to contact Red Hat with an extortion demand, but received only a generic response instructing them to submit a vulnerability report to the security team.
Crimson Collective claimed that the vulnerability ticket was repeatedly reassigned to different teams, including legal and security personnel, without a substantive response. BleepingComputer reported that it sent additional questions to Red Hat and will update the story if it gets new information.
Risks for customers and operational recommendations
CERs can contain credentials and sensitive configurations that facilitate lateral movement and unauthorized access within business networks. For that reason, the alleged exposure of about 800 CERs represents a direct risk for the organizations mentioned in the published list.
If the attackers' claims are true, leaked tokens and URIs could allow direct connections to databases, servers or CI/CD pipelines. That increases the probability of data theft, service interruptions or malicious deployments in production environments.
Organizations that work with software consultants and suppliers must review the access and credentials associated with their Red Hat integrations. Practical recommendations include immediate rotation of exposed tokens, review of access policies and logs, and activation of incident response teams.
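To build the rotation list these recommendations call for, a customer can inventory which credentials appear in text shared with a consultant. The following Python example is added here for illustration and is not from the original report or from any Red Hat tooling; the patterns, function names and sample text are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Connection URIs that may embed credentials as scheme://user:password@host/...
DB_URI = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|amqps?)://[^\s\"'<>]+",
    re.IGNORECASE)
# key = value / key: value pairs whose key name suggests a secret
ASSIGNMENT = re.compile(
    r"\b([\w.-]*(?:token|secret|passw(?:or)?d|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\s\"']{8,})", re.IGNORECASE)
# Template variables and masked values are references, not leaked secrets
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|\{\{.*|\*+|x+)$", re.IGNORECASE)

def redact(value):
    """Report length (and a prefix for long tokens) but never the secret itself."""
    prefix = value[:4] if len(value) >= 16 else ""
    return f"{prefix}...({len(value)} chars)"

def scan(text):
    """Return (line, kind, identity, redacted_secret) for each credential to rotate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in DB_URI.finditer(line):
            try:
                parts = urlsplit(m.group(0))
            except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
                continue
            if parts.password and not PLACEHOLDER.match(parts.password):
                findings.append((line_no, "db-uri",
                                 f"{parts.username}@{parts.hostname}",
                                 redact(parts.password)))
        for m in ASSIGNMENT.finditer(line):
            key, value = m.groups()
            if not PLACEHOLDER.match(value):
                findings.append((line_no, "assignment", key, redact(value)))
    return findings

# Constructed sample resembling notes in a consulting report; not real data
SAMPLE = """\
Engagement notes (constructed sample)
db_uri: postgresql://app:n0t-a-real-pw@db.example.internal:5432/orders
metrics: postgresql://readonly@db.example.internal:5432/metrics
registry_token = "tok_EXAMPLE_0123456789abcdef"
ci_api_key: ${CI_API_KEY}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The URI without a password and the `${CI_API_KEY}` template reference are skipped, so the output lists only credentials that were written out in full and therefore need rotation.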
BleepingComputer offered confidential channels for those who have information about the incident: Signal at 646-961-3731 or email to tips@bleepingcomputer.com, according to the original Lawrence Abrams report.
Implications for the supply chain and lessons
This incident underlines the vulnerability inherent in technical consulting and in the management of sensitive documents within private repositories. When consultants keep copies of configurations and credentials, a failure in their security cascades to multiple customers.
Red Hat is a central piece of the enterprise open source ecosystem, so any problem in its consulting chain can lead to systemic risks. The attackers' claim that they used tokens and URIs to access third-party infrastructure illustrates the importance of segmentation and the principle of least privilege.
Also relevant is how the company itself reacts to vulnerability reports and how internal escalations are communicated. As the attackers told BleepingComputer, the repeated reassignment of tickets without effective resolution can aggravate the exposure and erode confidence.
While the investigation progresses, the institutions named in the list and other consulting clients should validate the integrity of their environments, force rotation of critical credentials and coordinate with suppliers on a joint mitigation plan.
This article was written by an AI content editor and reviewed by a human editor to guarantee quality and precision.
