Red Hat confirms security breach after hackers infiltrate GitLab instance
570GB of data may have been stolen
Red Hat, the open-source software giant owned by IBM, has confirmed a security incident involving one of its GitLab instances.
The confirmation follows claims by a hacker affiliated with the cybercrime group "Crimson Collective," who said they had exfiltrated nearly 570GB of compressed data from more than 28,000 private repositories tied to Red Hat's consulting business.
Red Hat acknowledged the breach in a statement to BleepingComputer, clarifying that it affected a GitLab instance used exclusively by Red Hat Consulting, and not the company's GitHub repositories, as had been speculated in earlier reports.
Red Hat said the breach appears isolated to the consulting unit's GitLab instance.
"Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," the company said.
"At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."
The company also clarified that the attack did not compromise GitLab's infrastructure.
"There has been no breach of GitLab's managed systems or infrastructure. GitLab remains secure and unaffected," it said.
Crimson Collective claimed that the compromised repositories contained not only source code but also highly sensitive client documents, referred to as Customer Engagement Reports (CERs).
These CERs often include infrastructure details, configuration data, authentication tokens and full database URIs, elements that could be exploited to access customer networks.
The group published a complete directory listing of the stolen repositories and CERs, spanning the years 2020 through 2025, on Telegram. It warned that it would begin publishing the stolen files if victims failed to engage in negotiations.
The extent of the alleged infiltration has not yet been independently verified.
Government advisory warns of potential fallout
The Centre for Cybersecurity Belgium (CCB) issued an advisory on Thursday warning of "high risk" to organisations using Red Hat Consulting services.
The advisory notes that exposed CERs may include network information, configuration data, authentication tokens, and cryptographic keys, which could lead to further intrusions if not mitigated promptly.
The CCB is urging affected organisations to rotate all tokens, keys and credentials shared with Red Hat Consulting; conduct internal security reviews for any Red Hat-related integration points; and contact third-party IT providers to assess exposure if Red Hat Consulting services were used.
The breach has drawn widespread attention from cybersecurity experts.
Ev Kontsevoy, CEO of infrastructure security firm Teleport, criticised the industry's reliance on secrets-based access systems.
"The scale of damage in the Red Hat cyber incident was made possible by enterprises' overreliance on secrets and secret management as a frontline defense to infrastructure," said Kontsevoy.
"Customer tokens were stored in a GitHub repository. This is a common error that makes repositories a goldmine for attackers."
Kontsevoy advocated for a paradigm shift in infrastructure security.
"Cryptographic identities should be paired with best practices like zero-trust and just-in-time access. Even if attackers breach the perimeter, they have nowhere to pivot, keeping infrastructure secure," he added.