Hackers claim Red Hat GitHub breach, allegedly steal 570GB of internal data

A hacking group calling itself the Crimson Collective claimed to have infiltrated Red Hat’s private GitHub repositories, stealing nearly 570 gigabytes of compressed data across 28,000 internal projects. The attackers say the stolen files include hundreds of sensitive consulting documents known as Customer Engagement Reports, or CERs, that could expose client infrastructure to further attacks.

CERs are prepared by Red Hat consultants for enterprise clients and often contain detailed technical information, such as network architecture, configuration data, authentication tokens, and other credentials. If authentic, the exposure of these documents could present significant security risks to affected organizations.

Red Hat, a North Carolina–based open source software provider owned by IBM, confirmed that it recently suffered a security incident tied to its consulting business but did not verify the hackers’ claims about GitHub repositories or CERs. “The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” the company said in a statement to BleepingComputer.

The Crimson Collective told BleepingComputer the breach occurred about two weeks ago. They claim to have discovered authentication tokens, database URIs, and other sensitive information in Red Hat code and CERs, which they allege was used to access downstream customer environments.

As evidence, the group published what it said was a complete directory listing of the stolen GitHub repositories and more than five years of CERs, spanning 2020 through 2025. The listings name organizations across industries and government, including Bank of America, T-Mobile, AT&T, Fidelity, Kaiser Permanente, Mayo Clinic, Walmart, Costco, the U.S. Navy’s Naval Surface Warfare Center, the Federal Aviation Administration, and the U.S. House of Representatives.

The hackers also claimed they attempted to extort Red Hat, but their messages were routed through the company’s vulnerability disclosure process, eventually involving legal and security staff. They said no substantive response was provided.

The Crimson Collective previously drew attention for briefly defacing Nintendo’s topic page last week, redirecting visitors to its Telegram channel.

Red Hat has not commented further on the hackers’ claims. BleepingComputer said it has asked the company additional questions and will update its reporting if more information becomes available.