Red Hat confirms Consulting GitLab breach amid “Crimson Collective” 570GB claims
Internal consulting instance isolated; claims focus on 28,000+ repositories and Customer Engagement Reports (CERs)
Red Hat confirmed unauthorized access to a GitLab system used by its Consulting team after an extortion outfit calling itself “Crimson Collective” claimed it copied roughly 570GB from more than 28,000 internal repositories, a cache that allegedly includes Customer Engagement Reports with architecture details and access tokens. The company states that its product infrastructure remains unaffected while customer notifications and remediation continue.
What Red Hat confirmed
Red Hat said an unauthorized party accessed a GitLab instance used for internal collaboration on consulting engagements and copied data from that environment. The company isolated the instance, cut access, and began notifying authorities and potentially affected customers while the investigation proceeds, with no indication of impact to broader product or software infrastructure. See Red Hat’s security update on the Red Hat blog.
What the attackers claim
A group using the label “Crimson Collective” publicized claims that it exfiltrated about 570GB of compressed data spanning more than 28,000 repositories tied to the consulting environment, describing contents such as consulting artifacts and project materials. A consolidated report at SecurityWeek summarizes the figures and alleged file types referenced in the claim set.
Why CERs matter
Customer Engagement Reports can include network diagrams, configuration files, authentication tokens, and database connection strings. If valid, such details can shorten intrusion timelines by mapping systems and credentials from documentation to operational access. Belgium’s national cybersecurity center said leaked authentication tokens were already being used against named organizations and flagged elevated risk; see the CCB Belgium notice.
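As an added illustration (not code from Red Hat or any cited report), this is the triage a defender would run over exported consulting artifacts: find credential-shaped strings of the kinds named above (connection strings with embedded passwords, assigned tokens, bearer headers) and build a redacted rotation inventory keyed by fingerprint rather than by the secret itself. The sample report text, hostnames and token values are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample standing in for excerpts of a consulting report; no real customer data.
SAMPLE_CER = """\
Customer: Example Corp (constructed)
App DB: postgresql://svc_app:Hunter2pass@db01.internal.example:5432/orders
Cache:   redis://:cacheSecret99@cache.internal.example:6379/0
Deploy:  export GITLAB_TOKEN=glpat-EXAMPLEEXAMPLEEXAMPLE
Auth:    Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.PAYLOADSIG
Note:    monitoring endpoint https://grafana.internal.example/ (no creds)
"""

# URL with a userinfo block (user:password@host), e.g. database connection strings.
URL_WITH_CREDS = re.compile(r'\b[a-z][a-z0-9+.-]*://[^\s"\']*@[^\s"\']+', re.I)
# KEY=value assignments whose key name suggests a secret.
ASSIGNED_SECRET = re.compile(
    r'\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY))\s*=\s*["\']?([^\s"\']+)', re.I)
# Bearer tokens pasted into documentation as example headers.
BEARER = re.compile(r"\bBearer\s+([A-Za-z0-9._~+/-]+=*)")

def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so the inventory can track a secret without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_embedded_secrets(text: str) -> list[dict]:
    """Return one redacted inventory row per credential-shaped string found."""
    rows = []
    for m in URL_WITH_CREDS.finditer(text):
        parts = urlsplit(m.group(0))
        if not parts.password:          # user@host without a password is not a leak
            continue
        rows.append({"kind": f"{parts.scheme}-url", "where": parts.hostname,
                     "user": parts.username or "", "fp": fingerprint(parts.password)})
    for m in ASSIGNED_SECRET.finditer(text):
        rows.append({"kind": "assigned", "where": m.group(1), "user": "",
                     "fp": fingerprint(m.group(2))})
    for m in BEARER.finditer(text):
        rows.append({"kind": "bearer", "where": "Authorization header", "user": "",
                     "fp": fingerprint(m.group(1))})
    return rows

if __name__ == "__main__":
    # Each row names what to rotate and where, without reproducing the secret.
    for row in find_embedded_secrets(SAMPLE_CER):
        print(f"{row['kind']:<16} {row['where']:<28} {row['user']:<10} fp={row['fp']}")
```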
Timeline at a glance
| Date (2025) | Event |
|---|---|
| Oct 1 | Public claims of data theft tied to Red Hat’s consulting GitLab environment appear on the group’s Telegram; a concise round-up is captured by SOCRadar. |
| Oct 2–3 | Red Hat confirms access and copying from the consulting GitLab instance and outlines containment steps on the Red Hat blog. |
| Oct 2 | Belgium’s national cybersecurity center warns that leaked tokens are being used to access customer systems; see CCB Belgium. |
Early scope indicators
The currently stated figures center on the attacker’s claim set and what Red Hat has confirmed about the affected environment. The group asserts a take of ~570GB from more than 28,000 repositories, with consulting artifacts such as CERs cited as part of the trove. Red Hat’s update confirms data copying from the Consulting GitLab instance without validating specific counts or document inventories. For scope summary and claim details, see SecurityWeek and the Red Hat blog.
Named organizations and verification status
Trade coverage lists recognizable organizations appearing in samples or repository references while noting that verification is ongoing and that the extent of customer impact will be clarified as investigations conclude. Public guidance from a national authority highlights active attempts to use leaked tokens and frames near-term risk for entities named in consulting materials; see CCB Belgium. See also ITPro.
Quantifying the risk surface
Crimson Collective framed the repository count at more than 28,000 and the data size at roughly 570GB compressed. Independent write-ups repeat these figures and describe CERs as a focal risk because they can embed credentials and infrastructure details that reduce attacker effort. While Red Hat’s statement narrows the affected scope to a consulting GitLab instance, the presence of any live tokens within consulting artifacts elevates downstream exposure for entities that appear in those materials. See the overview at SecurityWeek and the advisory from CCB Belgium.
Signals from government and industry
A public notice from Belgium’s national cybersecurity center states that attackers have used leaked authentication tokens to access customer systems and characterizes the risk as high for impacted organizations. Industry coverage consolidates Red Hat’s confirmation with the attacker’s claims and outlines the remediation the company has initiated. See CCB Belgium and corroborating context at The Register.
Context in current intrusion patterns
Targeting of developer and collaboration platforms has increased as intruders look for artifacts that compress reconnaissance time. Earlier incidents documented how access to virtualization and admin tooling can accelerate operational impact once secrets and orchestration paths are in scope. For related context on this site, see the coverage of BERT ransomware and the analysis of TA415 activity using VS Code tunnels.
What remains under review
Red Hat’s public updates focus on the Consulting GitLab environment, containment, and coordination with customers. Media tallies of repository counts and document inventories reflect the attacker’s claims and third-party analysis rather than company-validated numbers. Early chatter sometimes conflated GitHub with GitLab; subsequent coverage clarifies that the affected system is a consulting-scoped GitLab instance. See the Red Hat blog and a concise recap at The Register.
Key numbers referenced so far
- 570GB: approximate compressed data volume claimed by the attacker; see SecurityWeek.
- More than 28,000: repositories the group says are tied to the consulting GitLab environment; see The Register.
- High risk noted: a national advisory cites active token misuse; see CCB Belgium.
Indicators summarized
- The affected system is a consulting-scoped GitLab instance, not core product infrastructure, per the Red Hat blog.
- The attacker’s claim set centers on repository count and data size, with CERs highlighted in reporting; see SecurityWeek.
- A government notice reports active token misuse impacting organizations named in consulting materials; see CCB Belgium.