Cybersecurity is once again at the center of attention after an attack targeting one of the software industry’s giants. Red Hat, the U.S. company globally known for its open-source solutions, confirmed a security breach in its private GitHub repositories. The cybercriminal group Crimson Collective claims to have stolen a staggering 570GB of sensitive information, including more than 28,000 internal projects and around 800 Customer Engagement Reports (CERs).
These CERs are particularly sensitive, as they often contain critical customer network information: configurations, infrastructure details, access tokens, and other data that could, in the wrong hands, open the door to targeted attacks on major organizations.
At TecnetOne, we’ll explain what happened, why this incident matters, and what you can do to protect your company against similar scenarios.
What Happened at Red Hat?
On September 24, 2025, Crimson Collective posted proof of the attack on a Telegram channel: a full directory tree, CER lists, and screenshots allegedly confirming the breach. The attackers also claimed to have accessed infrastructure belonging to some Red Hat customers, stating that they had “already warned” the company but were ignored.
In their message, the cybercriminals not only boasted about the theft but also revealed names of major companies and organizations mentioned in the compromised repositories. These included Citi, Verizon, Siemens, Bosch, JPMorgan Chase, HSBC, Telstra, Telefónica, and even the U.S. Senate.
The scale of the list makes it clear this is not just any attack, but one with potentially global implications.
Data Compromised
According to the group’s public claims, the stolen data includes:
- Private repositories (28,000 projects): with sensitive source code.
- CER reports (about 800): containing network, configuration, and access details.
- CI/CD credentials and secrets: usable to access development environments.
- VPN profiles and infrastructure diagrams: extremely valuable for orchestrating further attacks.
While Red Hat confirmed the breach, it avoided attributing it directly to the group and stressed that its other products and services were not affected. It also stated that its supply chain remains secure.
Red Hat’s Official Response
In a statement to BleepingComputer, the company said:
“Red Hat is aware of reports regarding a security incident related to our consulting business and has initiated the necessary remediation steps. The security and integrity of our systems and the data entrusted to us are our highest priority.”
They emphasized that there’s no evidence other services or products were compromised but acknowledged they are working with authorities to clarify the incident.
The Risk to Customers
The most alarming aspect is the theft of Customer Engagement Reports, which attackers could use as a blueprint to infiltrate Red Hat clients’ networks.
Imagine being a large financial institution or a global logistics company. If someone gains access to details of your infrastructure, network configurations, or internal tokens, that malicious actor is no longer starting from scratch — they know where to look, which ports to scan, and how to move inside your system.
So, while Red Hat may downplay the scope of the leak in its services, the potential damage falls mainly on its customers.
Who is Crimson Collective?
Crimson Collective isn’t one of the most well-known groups, but this attack has placed it firmly in the spotlight. Its modus operandi combines:
- Large-scale data exfiltration.
- Publicly exposing evidence to gain notoriety.
- Subtle extortion: publishing part of the data and contacting the victim directly.
On its Telegram channel, the group even implied it had issued prior warnings that Red Hat allegedly ignored. These messages are meant to justify the attack and project an image of “responsibility,” though in reality, they stole sensitive data.
Lessons for Your Company
The Red Hat case is a stark reminder of what’s at stake in cybersecurity. At TecnetOne, we want you to draw practical lessons:
Don’t blindly trust third parties
Attacks through vendors or partners have become one of the most common vectors. If you work with third parties managing part of your infrastructure or data, ensure they meet robust security standards.
Minimize access to sensitive data
The Red Hat reports show how a single internal document can contain everything an attacker needs. Apply the principle of least privilege: only those who truly need certain data should have access.
Monitor constantly
Early detection can mean the difference between a controlled incident and a catastrophe. Monitor access, traffic patterns, and unusual behavior to stay ahead of attackers.
Strengthen authentication
The leaked tokens and credentials in this case highlight the importance of mechanisms like MFA (multi-factor authentication) and frequent key rotation.
Have an incident response plan
Red Hat acted quickly, but its case proves any company can be targeted. A clear, tested, and well-communicated plan is essential to respond without improvisation.
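As an added illustration of the "minimize access" and "strengthen authentication" lessons (example code written for this article, not Red Hat's or TecnetOne's own tooling), the scanner below flags credential-like values embedded in an engagement-report-style document before it is stored or shared, and returns a redacted copy. The sample report text and the keyword rule are constructed assumptions; the GitHub token and AWS access key formats are public.

```python
import math
import re

# Detection rules, checked in order; the first rule that matches a line wins.
RULES = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("keyword_assignment", re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*[\"']?([^\s\"']{8,})")),
]
MIN_ENTROPY = 3.0  # bits/char; placeholders such as <redacted> fall below this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_report(text: str):
    """Return (findings, redacted_text); findings is a list of (line_no, rule_name)."""
    findings, redacted_lines = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if name == "keyword_assignment" and shannon_entropy(secret) < MIN_ENTROPY:
                continue  # low-entropy value: likely a placeholder, not a live credential
            findings.append((line_no, name))
            line = line.replace(secret, f"[REDACTED:{name}]")
            break
        redacted_lines.append(line)
    return findings, "\n".join(redacted_lines)


# Constructed excerpt in the style of an engagement report (not real data).
CER_SAMPLE = """\
Customer: Example Corp (constructed sample)
vpn_profile: corp-east-01
vpn_password = Sup3r$ecretVPN!2024
github_token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = <redacted>
Bastion host: 10.0.0.5 (documented for support access)
"""

if __name__ == "__main__":
    found, clean = scan_report(CER_SAMPLE)
    print(found)
    print(clean)
```

Running the scanner as a pre-commit or document-upload check keeps live tokens out of reports that later leave the organization; already-sanitized placeholders pass through untouched.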
The Pressure of Extortion
Another important detail: the attackers tried to contact Red Hat directly. This increasingly common practice aims to force a company to negotiate or pay a ransom under threat of exposing more data.
At TecnetOne we always recommend:
- Don’t respond directly to attackers.
- Immediately activate your legal and cybersecurity teams.
- Contact the relevant authorities.
Conclusion: A Wake-Up Call
The Red Hat attack shows that even software giants are not immune. With 570GB of stolen data — including private projects and details of high-profile client networks — this is one of the most serious breaches of the year.
For you and your organization, this is a reminder that cybersecurity is a strategic investment, not an expense. It’s about protecting your systems, your customers’ trust, your reputation, and your business continuity.
At TecnetOne, we believe the best defense is preparation. Now more than ever, reducing your attack surface, safeguarding credentials, and auditing your vendors must be at the heart of your digital strategy.