
Enterprise Linux giant Red Hat has confirmed a major security incident after hackers infiltrated a GitLab instance used by its consulting division, potentially exposing sensitive infrastructure details of hundreds of corporate and government clients.
The Crimson Collective hacking group claims to have exfiltrated 570GB of compressed data spanning 28,000 internal repositories, including approximately 800 Customer Engagement Reports (CERs)—detailed consulting documents that often contain network architectures, authentication tokens, database connection strings, and system credentials.
The breach, which allegedly occurred two weeks ago, affects a who's-who of major organizations. Exposed CERs reportedly include documentation for Bank of America, AT&T, T-Mobile, Walmart, Mayo Clinic, the U.S. Navy's Naval Surface Warfare Center, and the Federal Aviation Administration, among others.
"Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," the company told BleepingComputer, emphasizing that core products and the software supply chain remain unaffected.
The hackers claim they discovered authentication tokens and database URIs within Red Hat's code and consulting documents, which they allegedly used to access downstream customer infrastructure. The group says it attempted to extort Red Hat but received only templated vulnerability disclosure responses.
What makes this breach particularly dangerous: CERs aren't generic documents—they're blueprints of client environments that can accelerate attacks by revealing firewall rules, cloud configurations, and access pathways.
Immediate actions for affected organizations:
- Rotate all API keys, tokens, and credentials shared with Red Hat consultants
- Audit access logs for unauthorized activity
- Review configuration changes against known baselines
- Implement secrets management solutions (like HashiCorp Vault) to prevent credential exposure in documentation
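As an added illustration of that last point (example code, not Red Hat's or BleepingComputer's tooling), the scanner below flags the two secret shapes the article says turn up in CERs, database connection strings with inline passwords and long opaque tokens, and reports them redacted so a review can be shared without re-exposing the values. The regexes, the `find_secrets`/`redact_uri` names and the sample report excerpt are constructed assumptions for the demonstration.

```python
"""Scan consulting documents for embedded credentials (added example)."""
import re
from urllib.parse import urlsplit

# scheme://user:password@host[:port]/... with a non-empty password (assumed pattern)
DB_URI_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@[^\s/]+[^\s]*", re.I)
# key = value assignments where the value looks like an opaque secret (assumed pattern)
ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*[\"']?([A-Za-z0-9_\-./+=]{16,})"
)

def redact_uri(uri: str) -> str:
    """Replace the userinfo password in a connection URI with a fixed marker."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"

def find_secrets(text: str) -> list[dict]:
    """Return one finding per embedded credential, with line number and redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in DB_URI_RE.finditer(line):
            findings.append({"line": lineno, "kind": "db_uri",
                             "redacted": redact_uri(m.group(0))})
        for m in ASSIGN_RE.finditer(line):
            findings.append({"line": lineno, "kind": m.group(1).lower(),
                             "redacted": m.group(2)[:4] + "***"})
    return findings

# Constructed excerpt shaped like a consulting report; every value is made up.
SAMPLE_CER = """\
Environment summary for ACME (constructed sample)
Primary database: postgres://svc_report:Sup3rS3cret!@db01.internal:5432/billing
Monitoring API_KEY = 4f9a1c2e7b8d3a6f9e0c1b2d3e4f5a6b
Contact: ops@example.invalid
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CER):
        print(f"line {f['line']}: {f['kind']} -> {f['redacted']}")
```

Run over a tree of report sources before they are checked into a repository, a hit is the cue to move the value into a vault and reference it indirectly; a plain e-mail address (no `://`) is deliberately not flagged.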
Red Hat has not disclosed the breach vector, timeline, or which customers have been directly notified. The company previously managed supply chain risks effectively, including the 2024 XZ Utils incident, but this consulting-side compromise highlights vulnerabilities in professional services operations that often receive less security scrutiny than core product development.