Hackers Breach Red Hat, Steal Data from Major Clients Including Walmart and American Express
A hacker group calling itself the Crimson Collective claims to have stolen hundreds of gigabytes of sensitive data from Red Hat, the leading enterprise open-source software provider, in a major cyberattack that could expose information belonging to large corporate and government clients.
The group, in a post on the dark web, said it had accessed more than 28,000 Red Hat GitLab repositories and exfiltrated 570 gigabytes of data, including access tokens, network audit reports, and internal communications. “It’s a 570 GB ticking time bomb of your failures,” the hackers wrote, threatening to release the data publicly if Red Hat does not pay a ransom.
Red Hat Confirms Unauthorized Access
Red Hat confirmed the breach on October 2, admitting that attackers had gained unauthorized access to one of its self-hosted GitLab servers used for internal consulting work.
“The compromised system housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” the company said in a blog post.
Red Hat emphasized that the incident was limited to its internal GitLab instance and did not affect GitLab’s own infrastructure or customer-facing products. A GitLab spokesperson separately confirmed that its systems remain secure.
Major Corporations Affected
According to cybersecurity researchers, the stolen data includes network assessment reports and customer engagement records from several high-profile clients, including Walmart, American Express, and HSBC. In total, the hackers reportedly accessed nearly 3.5 million files.
Security analysts warn that the exposed data could give attackers valuable insights into the internal infrastructure of major corporations, potentially enabling further breaches or supply chain attacks.
A Dangerous New Alliance
Crimson Collective described itself to Dark Reading as “an extortion ransomware group that works for profit only.” The group is believed to have ties to the infamous Lapsus$ gang, known for high-profile attacks on companies including Microsoft, NVIDIA, and Uber.
Researchers said Crimson Collective recently hinted at a collaboration with Lapsus$, saying they were “teaming up for future stuff to come.”
The hackers have reportedly given Red Hat until October 10 to negotiate payment. However, the group claims that Red Hat has ignored all ransom demands. On Monday, Crimson Collective escalated the threat by publishing an archive allegedly containing a portion of the stolen data.
Industry on Alert
Cybersecurity experts say the incident highlights the growing risks associated with self-hosted code repositories, which have become prime targets for attackers seeking to infiltrate corporate networks through developer infrastructure.
“This breach is a wake-up call,” said one security researcher. “Even highly trusted enterprise vendors can become gateways for data exposure affecting thousands of downstream clients.”
Red Hat said it has taken the affected systems offline, launched a full investigation, and notified impacted customers. The company has not commented on ransom negotiations.
If confirmed, the Red Hat attack could be one of the most significant data breaches involving enterprise development environments this year — one that exposes the vulnerabilities in even the most sophisticated parts of the global software supply chain.
