Red Hat Confirms Security Incident After Hackers Claim Massive Data Breach
Hackers claim to have stolen 570GB of data from Red Hat’s consulting repositories, including sensitive client documents. Red Hat has confirmed a security incident but says its wider services remain unaffected.
Hackers allege theft of 570GB from Red Hat’s consulting repositories, raising concerns over customer exposure.
Red Hat, the open-source software giant owned by IBM, has confirmed a security incident after hackers claimed to have stolen massive amounts of data from its consulting division’s private GitLab repositories. The group behind the attack, calling itself the “Crimson Collective,” alleges that it exfiltrated 570GB of compressed data from over 28,000 internal projects, including sensitive customer documents.
The hackers say they obtained around 800 Customer Engagement Reports (CERs) — detailed consulting documents that may contain network diagrams, architecture plans, credentials, and configuration data from Red Hat’s enterprise clients. Such reports, if authentic, could act as blueprints for attackers to target Red Hat’s customers directly.
Evidence of the breach was shared on Telegram, where the group published file trees, project lists, and snippets from the stolen repositories. They also claimed to have discovered authentication tokens, database URIs, and sensitive secrets embedded within code, which they allegedly used to access downstream customer infrastructure.
Red Hat acknowledged the security incident, confirming that its consulting arm’s GitLab instance was compromised. The company said it has already initiated remediation measures but emphasized that it has found no evidence of a wider compromise affecting Red Hat products, services, or its software supply chain.
In a statement, Red Hat noted:
“We take security incidents very seriously and are actively investigating. At this stage, we cannot verify the attackers’ specific claims, but we are engaging with customers as needed and implementing precautionary steps.”
The Belgian Centre for Cybersecurity has issued an advisory urging organizations that have worked with Red Hat Consulting to rotate credentials, revoke exposed tokens, and review shared configurations. Security experts warn that the leaked CERs could give malicious actors a direct roadmap into client environments.
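For teams acting on that advisory, the following added example (not code from Red Hat, the advisory, or this article's author) sketches one way to inventory what needs rotating: it scans documents and configuration files shared during an engagement for embedded tokens and database URIs that carry an inline password. The patterns, function names, and sample text are assumptions constructed for illustration; `glpat-` is GitLab's default personal access token prefix.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Illustrative patterns (assumptions, not an exhaustive rule set).
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}"),  # GitLab default PAT prefix
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
DB_URI = re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqps?)://[^\s'\"<>]+")

# Constructed sample input; none of these values are real.
SAMPLE = """\
# notes from a constructed engagement document
gitlab_token: glpat-EXAMPLEexampleEXAMPLE123
db: postgresql://app_user:S3cretPass@db.internal.example:5432/orders
cache: redis://cache.internal.example:6379/0
"""

def redact(secret, keep=10):
    # Keep a short prefix so a finding can be matched without storing the secret.
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def scan_text(text, source="<sample>"):
    """Return (source, line, kind, redacted evidence) for each exposed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((source, lineno, kind, redact(m.group(0))))
        for m in DB_URI.finditer(line):
            parts = urlsplit(m.group(0))
            if parts.password:  # URIs without an inline password are not reported
                safe = f"{parts.scheme}://{parts.username}:***@{parts.hostname}"
                findings.append((source, lineno, "db_uri_password", safe))
    return findings

def scan_tree(root):
    """Scan every regular file under root, skipping .git internals."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for source, lineno, kind, evidence in hits:
        print(f"{source}:{lineno}: {kind}: {evidence}")
```

Each finding is a credential to rotate or revoke at its issuer; deleting it from the file does not invalidate a copy that has already left the organization.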
Industry observers are also raising concerns about Red Hat’s incident response. The attackers allege that their initial disclosures were dismissed or mishandled through routine vulnerability ticketing processes, which may have delayed mitigation.
Adding to the urgency, Red Hat also disclosed a separate critical vulnerability (CVE-2025-10725) in its OpenShift AI platform. With a CVSS score of 9.9, the flaw could allow low-privileged users to escalate to full administrator rights. The company has published mitigation guidance and is working on patches.
The dual challenges — a consulting breach and a critical product vulnerability — highlight the ongoing cybersecurity pressures facing major enterprise vendors. While Red Hat insists its core offerings remain secure, customers are being urged to adopt a cautious approach, particularly those with consulting engagements between 2020 and 2025.
For now, the true scale of the breach remains uncertain. If Crimson Collective’s claims are verified, it could become one of the most serious security incidents to hit the open-source ecosystem in recent years.