Red Hat GitLab Data Breach and Extortion by Crimson Collective and ShinyHunters
Red Hat, a leading enterprise software provider, confirmed a significant cyberattack resulting in unauthorized access to one of its GitLab instances. The breach was initially claimed by a hacking group known as Crimson Collective, who stated they had exfiltrated approximately 570GB of compressed data from Red Hat's internal development repositories. Among the stolen data were around 800 Customer Engagement Reports (CERs), which contain sensitive infrastructure and authentication details for numerous organizations across various sectors. Red Hat clarified that the compromised GitLab instance was used exclusively for Red Hat Consulting engagements, but the exposure of CERs poses a substantial risk to affected customers. Following the breach, Crimson Collective attempted to extort Red Hat, demanding a ransom to prevent the public disclosure of the stolen data. When Red Hat did not respond to these demands, Crimson Collective escalated their efforts by partnering with the ShinyHunters extortion group. ShinyHunters subsequently listed Red Hat on their newly launched data leak site, threatening to release the stolen data publicly if their ransom demands were not met by October 10th. The extortion campaign was further publicized through posts on Telegram, where the threat actors boasted about their alliance and intentions to target corporations. The incident highlights the growing trend of collaboration among cybercriminal groups to maximize pressure on victims and increase the likelihood of ransom payments. The breach also underscores the risks associated with third-party and internal development platforms, as attackers increasingly target these environments for valuable data. Red Hat's confirmation of the breach and the nature of the compromised data has raised concerns among its customers, particularly those whose sensitive information may now be at risk of exposure. The attack is part of a broader pattern of ransomware and extortion operations targeting high-profile technology companies. Security researchers have noted that the professionalization and convergence of cybercrime groups, as seen in this incident, are making such attacks more sophisticated and damaging. The Red Hat breach serves as a warning to organizations to strengthen their security posture around development environments and to prepare for the possibility of multi-stage extortion campaigns. The incident also demonstrates the importance of timely communication and transparency with affected stakeholders in the aftermath of a breach. As the deadline for the public release of the stolen data approaches, Red Hat and its customers face heightened risks of data exposure, reputational damage, and potential regulatory scrutiny. The evolving tactics of groups like Crimson Collective and ShinyHunters signal a challenging threat landscape for enterprises worldwide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Red Hat extortion deadline set for public data leak
The extortion campaign against Red Hat set a public deadline of October 10 for payment before further stolen data would be leaked. The reporting also noted that Red Hat had not issued a substantive public response at the time.
ShinyHunters lists SP Global on its new leak site
In a related extortion development, ShinyHunters also listed SP Global as a victim on its new data leak site using similar tactics and a public deadline. No substantive public response from SP Global was reported at the time.
ShinyHunters joins Red Hat extortion campaign and publishes samples
ShinyHunters began publicly collaborating with Crimson Collective and Scattered Lapsus$ Hunters to extort Red Hat over the stolen data. The group released sample Customer Engagement Reports tied to organizations including Walmart, HSBC, Bank of Canada, and the U.S. Department of Defense, and threatened a leak unless payment was made.
Crimson Collective breaches Red Hat GitLab and steals customer reports
A data breach attributed to Crimson Collective impacted Red Hat's GitLab instance used for consulting engagements. The attackers claimed to steal about 570GB of data, including roughly 800 Customer Engagement Reports containing sensitive client information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Red Hat GitLab Breach by Crimson Collective Exposes Sensitive Data and Credentials
Red Hat confirmed a significant security incident after hackers from a group calling themselves "Crimson Collective" breached the company's GitLab instance. The attackers reportedly exfiltrated nearly 570GB of data, including approximately 800 Customer Engagement Reports spanning from 2020 to 2025. These reports are believed to contain sensitive information such as infrastructure details, authentication tokens, database URIs, and other credentials that could potentially allow unauthorized access to customer networks. In addition to the reports, the attackers claim to have stolen 28,000 private repositories, which included credentials, CI/CD secrets, pipeline configurations, VPN profiles, and infrastructure blueprints. The breach has raised concerns about the exposure of confidential customer and internal Red Hat data, as well as the potential for downstream attacks leveraging the stolen information. Analysis of the leaked data suggests that the attackers obtained a wide array of sensitive materials that could be used for further exploitation or sold on underground forums. The incident highlights the risks associated with source code management platforms and the importance of securing CI/CD pipelines and repository access. Red Hat has acknowledged the breach and is conducting an internal investigation to assess the full scope and impact. The company is working with affected customers to mitigate risks and has likely initiated incident response protocols, including credential rotation and infrastructure reviews. Security experts warn that the exposure of such a large volume of sensitive data could have long-term repercussions for both Red Hat and its customers, especially if the information is weaponized by other threat actors. The breach underscores the need for robust access controls, regular security audits, and rapid response capabilities in managing source code and customer data. Industry observers are closely monitoring the situation for signs of further exploitation or public release of the stolen data. The incident serves as a stark reminder of the evolving threat landscape and the persistent targeting of technology vendors by sophisticated cybercriminal groups. Organizations are advised to review their own security postures, especially regarding third-party software providers and supply chain dependencies, in light of this breach.
Mar 21, 2026
ShinyHunters Alleged Breach and Honeypot Operation at Resecurity
The hacking group **ShinyHunters** claimed to have breached the internal systems of *Resecurity*, a US-based cybersecurity firm, releasing screenshots purportedly showing access to sensitive dashboards, user management panels, API keys, employee data, and internal communications. ShinyHunters alleged they exfiltrated internal chats, client lists, threat intelligence data, and employee information, framing the attack as retaliation for Resecurity's alleged attempts to infiltrate threat actor groups by posing as buyers on dark web markets. The group also credited Devman Ransomware for assistance in the attack and published evidence to support their claims. However, *Resecurity* responded by stating that the data accessed by ShinyHunters was part of a sophisticated honeypot operation designed to monitor and log threat actor activity. According to Resecurity, the honeypot included simulated data and a planted honeytrap account, and there was no impact on actual customers or internal operations. Resecurity confirmed that all data referenced by ShinyHunters originated from the honeypot, and they had already logged the attackers' IP addresses. The incident highlights the ongoing cat-and-mouse dynamics between cybersecurity firms and threat actors, as well as the use of deception technologies in cyber defense.
Mar 21, 2026
Nissan Customer Data Exposed via Red Hat GitLab Breach
Nissan Motor Co. confirmed that personal data of approximately 21,000 customers was compromised following unauthorized access to a Red Hat-managed server. The breach, detected in September, affected customers who purchased vehicles or received services at the former Nissan Fukuoka Motor Co. (now Nissan Fukuoka Sales Co.), exposing names, addresses, phone numbers, partial or full email addresses, and other sales-related customer information. No credit card or financial data was reported stolen, and Nissan has stated there is no evidence the leaked information has been misused, though customers are advised to remain vigilant for potential phishing or fraud attempts. The incident originated from a breach of a dedicated GitLab instance managed by Red Hat Consulting, with the intrusion detected by Red Hat on September 26 and Nissan notified on October 3. The Crimson Collective threat actor initially claimed responsibility for the theft of hundreds of gigabytes of data from 28,000 private GitLab repositories, with ShinyHunters later hosting samples of the stolen data on their extortion platform. Nissan has apologized for the incident and pledged to strengthen monitoring of subcontractors and enhance information security measures in response to the breach.
Mar 21, 2026