Red Hat has acknowledged a cybersecurity incident involving one of its GitLab instances after a hacker group calling itself Crimson Collective claimed to have stolen a significant amount of company data.
The enterprise software provider clarified that the breach did not affect its GitHub repositories, as initially reported, but rather a GitLab instance used internally by its Consulting division.
According to the attackers, they obtained around 570 GB of compressed data from roughly 28,000 private repositories, which allegedly contained source code, credentials, configuration files, and customer engagement reports (CERs).
The group also asserted that the stolen information gave them access to customer systems.
Reports indicate that the hackers attempted to extort Red Hat, but the company did not comply.
Sources told International Cyber Digest that Red Hat had minimal contact with the threat actors and refused to meet their demands.
A separate analysis by SOCRadar suggested that data from as many as 800 Red Hat customers could have been exposed.
The list of potentially affected entities reportedly includes large corporations such as IBM, Siemens, Verizon, and Bosch, as well as several U.S. government bodies, including the Department of Energy, NIST, and the NSA.
In a blog post addressing the incident, Red Hat explained that the compromised GitLab system was used mainly for collaborative consulting work and contained materials such as sample code, project details, and internal communications.
The company emphasised that the instance does not usually store personal or highly confidential information and that no evidence of sensitive data exposure has been found so far.
“At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” Red Hat said in a statement shared with SecurityWeek.
While Red Hat has not directly addressed claims that customer infrastructure was accessed, cybersecurity experts note that ransomware and extortion groups often exaggerate such assertions to increase pressure on victims.
The company has confirmed that an internal investigation is ongoing to assess the full extent of the breach and strengthen its systems against future threats.
