{
	"id": "72bd8577-7c84-433e-b1d7-c71a0acbb442",
	"created_at": "2026-04-06T00:06:52.830706Z",
	"updated_at": "2026-04-10T03:34:54.552804Z",
	"deleted_at": null,
	"sha1_hash": "ba083fa0d04e1a3f7c8600b3be8047b752819510",
	"title": "What we know so far about Red Hat's GitLab instance breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37316,
	"plain_text": "What we know so far about Red Hat's GitLab instance breach\r\nBy Berry Zwets\r\nPublished: 2025-10-03 · Archived: 2026-04-05 16:12:12 UTC\r\nRed Hat is investigating a security incident involving a self-managed GitLab Community Edition instance\r\nused solely for Red Hat Consulting. On October 3, the company published a short blog post on the incident.\r\nRed Hat says it acted immediately after detecting the compromise, the attacker lost access, the instance was\r\nisolated, and the incident was reported to the authorities. The investigation is ongoing.\r\nHackers calling themselves Crimson Collective claim to have stolen data from 28,000 internal Red Hat projects,\r\ntotaling nearly 570 GB. BleepingComputer reports that data from about 800 Customer Engagement Reports was\r\nalso taken. These reports can contain infrastructure details, configuration data, authentication keys, and other\r\nsensitive customer information. The hackers say the breach occurred about two weeks ago. On Telegram, they\r\npublished a directory listing of stolen repositories and a list of customer reports from 2020 to 2025. The CER list\r\nincludes organizations from various sectors, with names such as Bank of America, T-Mobile, AT\u0026T, Fidelity, and\r\nWalmart.\r\nAt 5:30 PM CEST on October 2, Red Hat issued a correction to reporting we covered. We erroneously stated a\r\nGitHub environment was exposed, while instead the compromise revolved around a self-managed GitLab\r\ninstance: “The security incident we are investigating and is related to a GitLab instance used solely for Red Hat\r\nConsulting on consulting engagements, not GitHub,” a spokesperson said. Red Hat has confirmed the incident\r\nrelating to its GitLab instance, but declined to comment on specific claims about the repositories and customer\r\nreports. 
The company says there is no reason to believe the issue affects other Red Hat services or products and\r\nadds that it is very confident in the integrity of its software supply chain.\r\nGitLab, which is not directly involved in the breach, also commented: “There has been no breach of GitLab’s\r\nmanaged systems or infrastructure. GitLab remains secure and unaffected.” GitLab added: “The incident refers to\r\nRed Hat’s self-managed instance of GitLab Community Edition, our free open-core offering. Customers who\r\ndeploy free, self-managed instances on their own infrastructure are responsible for securing their instances,\r\nincluding applying security patches, configuring access controls, and maintenance.” GitLab encourages all self-managed customers to update to the latest version and follow security guidance available in its Handbook:\r\nhttps://about.gitlab.com/security/hardening/\r\nWhat the attackers claim\r\nCrimson Collective says it found authentication keys, full database URIs, and other private information inside Red\r\nHat code and CERs, and used these to access downstream customer infrastructure. The group says it attempted to\r\ncontact Red Hat with extortion demands but received only a standard response to submit a vulnerability report to\r\nthe security team. According to the hackers, the ticket they created was repeatedly forwarded to various people,\r\nincluding employees in Red Hat’s legal and security departments.\r\nThe same group also claimed responsibility for briefly vandalizing Nintendo’s topic page last week. 
Red Hat has\r\nnot responded to further questions and continues to state that the security and integrity of systems and entrusted\r\ndata are its highest priority.\r\nSource: https://www.techzine.eu/news/security/135120/red-hat-hit-by-github-breach-570gb-stolen-including-client-info/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.techzine.eu/news/security/135120/red-hat-hit-by-github-breach-570gb-stolen-including-client-info/"
	],
	"report_names": [
		"red-hat-hit-by-github-breach-570gb-stolen-including-client-info"
	],
	"threat_actors": [
		{
			"id": "93d94f09-e09e-4597-b926-3417f8dc77c8",
			"created_at": "2025-10-05T02:00:04.681998Z",
			"updated_at": "2026-04-10T02:00:03.891223Z",
			"deleted_at": null,
			"main_name": "Crimson Collective",
			"aliases": [],
			"source_name": "MISPGALAXY:Crimson Collective",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba083fa0d04e1a3f7c8600b3be8047b752819510.pdf",
		"text": "https://archive.orkl.eu/ba083fa0d04e1a3f7c8600b3be8047b752819510.txt",
		"img": "https://archive.orkl.eu/ba083fa0d04e1a3f7c8600b3be8047b752819510.jpg"
	}
}