Red Hat confirms hackers have breached GitLab instances and stolen data

A group of hackers calling itself the Crimson Collective says that it has compromised GitLab instances belonging to Red Hat and stolen hundreds of gigabytes of data.

Red Hat has confirmed that it has suffered a data breach, but is yet to provide much in the way of details. The hacking group says that it managed to access 28,000 internal development repositories, and has stolen almost 570GB of compressed data.

While Red Hat has not confirmed the nature of the data involved in the security incident, it is thought to include hundreds of CERs (Customer Engagement Reports). These files could contain highly sensitive data relating to Red Hat customers including authentication tokens and details of infrastructure.

In a statement provided to Bleeping Computer, Red Hat said: “Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps.”

The company continues:

The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."

The Crimson Collective has been posting on its Telegram channel making various claims about the attack, including the suggestion that the breach took place two weeks ago.

Red Hat says that the security incident relates to the consulting branch of its business -- Red Hat Consulting. The company has also posted an alert on its website:

Security update: Incident related to Red Hat Consulting GitLab instance

Updated Yesterday at 7:52 PM - 

We are writing to provide an update regarding a security incident related to a specific GitLab environment used by our Red Hat Consulting team. Red Hat takes the security and integrity of our systems and the data entrusted to us extremely seriously, and we are addressing this issue with the highest priority.

What happened

We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.

We have now implemented additional hardening measures designed to help prevent further access and contain the issue.

Scope and impact on customers

We understand you may have questions about whether this incident affects you. Based on our investigation to date, we can share:

• Impact on Red Hat products and supply chain: At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.
• Consulting customers: If you are a Red Hat Consulting customer, our analysis is ongoing. The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, and internal communications about consulting services. This GitLab instance typically does not house sensitive personal data. While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time. We will notify you directly if we believe you have been impacted.
• Other customers: If you are not a Red Hat Consulting customer, there is currently no evidence that you have been affected by this incident.

For clarity, this incident is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725) that was announced yesterday.

Our next steps

We are engaging directly with any customers who may be impacted.

Thank you for your continued trust in Red Hat. We appreciate your patience as we continue our investigation.

Update

GitLab has since provided the following statement:

"There has been no breach of GitLab’s managed systems or infrastructure. GitLab remains secure and unaffected.

The incident refers to Red Hat’s self-managed instance of GitLab Community Edition, our free open-core offering. Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance.

GitLab encourages all self-managed customers to update to the latest version of GitLab and follow all security recommendations and best practices to secure their instances. Users can find security resources and guidance in our Handbook: https://about.gitlab.com/security/hardening/"

Image credit: mrsiraphol / depositphotos.com