Red Hat Hit by Data Breach, Hackers Exploit GitLab Instance

An extortion gang by the name of Crimson Collective claimed to have stolen approximately 570GB of compressed data from internal development repositories belonging to Red Hat. Red Hat confirmed the breach impacted one of its GitLab instances.

The stolen data contains around 800 Customer Engagement Reports (CERs), which contain sensitive data about a customer’s platform and network. A CER is a consulting document made for clients that includes infrastructure data, configuration details, authentication tokens, and other data that could be exploited to attack customer networks. 

Red Hat confirmed that it was hit by a security breach impacting its consulting business, but it has not confirmed any of the threat actor’s claims about the stolen GitLab repositories and customer CERs. 

According to Bleeping Computer’s conversation with the hacker, the breach happened two weeks ago. Threat actors allegedly accessed the full database URIs, authentication tokens, and private data in Red Hat CERs and code. They claim that the data was used to get access to the downstream customer infrastructure.

The hacking gang also released a full directory containing the list of the allegedly extracted GitLab repositories and a list of CERs between 2020 and 2025 on Telegram. 

The directory list of CERs spans various sectors and includes well-known organizations such as AT&T, Fidelity, Kaiser, Bank of America, Mayo Clinic, T-Mobile, Costco, the Federal Aviation Administration, the US Navy’s Naval Surface Warfare Center, and the House of Representatives.

The hackers claim they contacted Red Hat with an extortion demand but received no reply other than a message asking them to submit a vulnerability report to Red Hat’s security team.

"We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our ongoing investigation found that an unauthorized third party had accessed and copied some data from this instance," said Red Hat.