What Happened?
On October 1, 2025, the cybercrime group "Crimson Collective" publicly disclosed a significant breach of Red Hat's consulting GitLab instance. The attackers claimed to have exfiltrated 570GB of compressed data from over 28,000 repositories, including sensitive Customer Engagement Reports (CERs) affecting approximately 800 organizations worldwide.
Red Hat confirmed the security incident, clarifying that it specifically involved "a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub" as initially reported by some sources.
💡 Disclaimer: This analysis is based on publicly available information from multiple cybersecurity sources and Red Hat's official statements. GitGuardian has not independently verified the attackers' claims or accessed any compromised data.
Timeline of Events
- September 24, 2025: Crimson Collective Telegram channel created
- September 24, 2025: Group claims Nintendo website defacement
- September 25, 2025: Claims breach of Claro Colombia telecommunications
- October 1, 2025: Public disclosure of Red Hat breach on Telegram
- October 2, 2025: Red Hat confirms security incident and begins remediation
- October 2, 2025: Belgium's Centre for Cybersecurity issues advisory warning
What Was Exposed?
According to the threat actors and cybersecurity researchers analyzing the disclosed information, the stolen data includes:
Customer Engagement Reports (CERs)
- Infrastructure configurations and network topologies
- Security assessments and vulnerability details
- Authentication tokens and API keys
- Database connection strings and credentials
- CI/CD pipeline configurations
- VPN settings and network access details

Affected Organizations
The leaked file structures reportedly reference major organizations across multiple sectors:
- Financial Services: Bank of America, Citi, JPMorgan Chase, HSBC, Santander, BBVA
- Technology: IBM, Cisco, Adobe, Siemens, Bosch
- Telecommunications: Verizon, Telefonica, T-Mobile, AT&T
- Government: U.S. Navy, NSA, Department of Energy, NIST, U.S. Senate
- Healthcare: Mayo Clinic, Kaiser Permanente
- Other: Boeing, 3M, Walmart, Fidelity
The Attack Pattern
This incident follows a concerning pattern we've observed in consulting firm breaches:
- Initial Access: While the exact attack vector remains unknown, the attackers gained access to Red Hat's internal GitLab instance
- Data Harvesting: Systematic extraction of consulting repositories containing client infrastructure details
- Credential Mining: Discovery of hardcoded secrets within Customer Engagement Reports
- Lateral Movement: Claims of pivoting to customer infrastructure using harvested credentials
- Extortion Attempt: Initial contact with Red Hat followed by public disclosure when ignored
The Secrets Sprawl Problem
Based on GitGuardian's analysis of similar consulting firm breaches, these repositories likely contained thousands of embedded secrets. Our research consistently shows:
- Internal repositories contain 8-10x more secrets than public GitHub repositories
- Consulting engagements frequently embed customer credentials in proof-of-concept code
- Infrastructure-as-code configurations commonly contain cloud access keys
- Long-lived, overprivileged credentials are standard practice in enterprise environments
- Proactive detection systems, such as honeytokens, are rarely in place
The Crimson Collective specifically mentioned finding "authentication keys, full database URIs, and other private information" that enabled access to downstream customer infrastructure.
Industry Response and Impact
Belgium's Cybersecurity Warning
The Centre for Cybersecurity Belgium issued a high-risk advisory, specifically warning:
"There is high risk to Belgian organizations that use Red Hat Consulting services. There is also potential supply chain impact if your service providers or IT partners worked with Red Hat Consulting."
Red Hat's Response
Red Hat's official statement emphasized:
"The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."
Critical Actions for Red Hat Customers
If your organization has engaged Red Hat Consulting services, take immediate action:
Immediate Credential Rotation
- All authentication tokens shared with or used in Red Hat engagements
- Database credentials and connection strings from consulting projects
- API keys and service account credentials
- SSL/TLS and SSH keys used in Red Hat configurations
- Cloud access keys (AWS, Azure, GCP) from infrastructure-as-code projects
Security Audit Requirements
- Review all access logs for suspicious activity since September 2025
- Scan internal repositories for hardcoded secrets from Red Hat engagements
- Audit network configurations and VPN access mentioned in consulting reports
- Verify integrity of systems referenced in Customer Engagement Reports
Enhanced Monitoring
- Deploy honeytokens in systems mentioned in Red Hat consulting documents
- Implement continuous secrets scanning across all code repositories
- Monitor for unusual API usage patterns on rotated credentials
- Review third-party access permissions and service integrations
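The repository scan recommended in the audit list above, as an added example written for this post (not GitGuardian's product or Red Hat's tooling): heuristic patterns for the credential types the post names, run over a constructed sample; the patterns, the sample values and the function names are all assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind redacted")

# Heuristic patterns for the secret categories the post lists: database URIs
# with embedded credentials, cloud access keys, API tokens and private keys.
# AKIA/ASIA is the real AWS access-key-ID prefix; the other patterns are
# generic assumptions, not GitGuardian's or any vendor's detection rules.
PATTERNS = {
    "database_uri": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:@/]+:[^\s@]+@\S+"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?(?:key|token)|access[_-]?token|secret[_-]?key)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(secret):
    """Keep only a short prefix so a finding can be triaged without re-exposing it."""
    return f"{secret[:4]}...({len(secret)} chars)"

def scan_text(text):
    """Return one Finding per secret-looking match: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(lineno, kind, redact(secret)))
    return findings

def count_by_kind(findings):
    """Aggregate findings so rotation can be prioritised per credential type."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

# Constructed sample resembling a consulting config snippet; every value is fake.
SAMPLE_CER = """\
DB_URL=postgresql://svc_app:S3cretPassw0rd@db.internal.example:5432/orders
aws_access_key_id = AKIAEXAMPLEKEY000001
api_token: tok_constructedexamplevalue0001
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CER):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Each hit should be treated as a credential to rotate, not just a file to clean up, since the post's point is that the value has already left the repository.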
Lessons for the Industry
The Consulting Firm Vulnerability
This breach highlights a critical blind spot in enterprise security: consulting firms act as credential aggregation points. When external consultants work across multiple customer environments, their repositories become high-value targets containing secrets from dozens of organizations. Enterprises should avoid granting access to production environments during proofs of concept whenever possible.
Supply Chain Cascade Effects
A single compromised consulting firm can trigger a cascade of breaches across its entire customer base. This incident demonstrates why supply chain security governance must extend beyond software dependencies to include service providers with infrastructure access.
Strengthening Your Defenses
For Organizations Using Consulting Services
- Implement strict credential hygiene policies for external engagements
- Use short-lived, least-privilege credentials for consulting projects
- Deploy continuous secrets monitoring across all repositories
- Implement comprehensive non-human identity (NHI) governance for service accounts and API keys
- Require consultants to use your secrets management solutions rather than hardcoding credentials
- Establish clear incident response procedures with consulting partners
For Consulting Firms
- Segregate customer environments with dedicated instances
- Implement automated secrets scanning on all repositories
- Use customer-provided secrets management systems when possible
- Establish robust incident response teams beyond bug bounty platforms
- Encrypt sensitive customer data at rest in all storage systems
The Broader Implications
This incident represents more than just another data breach—it's a wake-up call about the interconnected nature of modern cybersecurity risks. As organizations increasingly rely on consulting partners for digital transformation projects, the attack surface expands exponentially.
The Crimson Collective's ability to potentially pivot from Red Hat's repositories to customer infrastructure demonstrates the cascading impact of secrets sprawl. One compromised consulting firm can become the gateway to hundreds of customer environments.
As we continue monitoring this evolving situation, one thing remains clear: the age of secrets sprawl demands immediate, comprehensive action. The question isn't whether your credentials have been exposed—it's whether you have the visibility and controls in place to detect and respond when they are.
