Correction: After publishing, Pink Hat confirmed that it was a breach of considered one of its GitLab situations, and never GitHub. Title and story up to date.
An extortion group calling itself the Crimson Collective claims to have stolen almost 570GB of compressed information throughout 28,000 inner growth respositories, with the corporate confirming it was a breach of considered one of its GitLab situations.
This information allegedly contains roughly 800 Buyer Engagement Experiences (CERs), which might comprise delicate details about a buyer’s community and platforms.
A CER is a consulting doc ready for shoppers that always accommodates infrastructure particulars, configuration information, authentication tokens, and different info that could possibly be abused to breach buyer networks.
Pink Hat confirmed that it suffered a security incident associated to its consulting enterprise, however wouldn’t confirm any of the attacker’s claims relating to the stolen GitLab repositories and buyer CERs.
“Pink Hat is conscious of reviews relating to a security incident associated to our consulting enterprise and now we have initiated vital remediation steps,” Pink Hat advised BleepingComputer.
“The security and integrity of our methods and the info entrusted to us are our highest precedence. Right now, now we have no motive to imagine the security subject impacts any of our different Pink Hat providers or merchandise and are extremely assured within the integrity of our software program provide chain.”
After publishing our story, Pink Hat confirmed that the security incident was a breach of its GitLab occasion used solely for Pink Hat Consulting on consulting engagements, and never GitHub.
Whereas Pink Hat didn’t reply to any additional questions in regards to the breach, the hackers advised BleepingComputer that the intrusion occurred roughly two weeks in the past.
They allegedly discovered authentication tokens, full database URIs, and different personal info in Pink Hat code and CERs, which they claimed to make use of to achieve entry to downstream buyer infrastructure.
The hacking group additionally printed an entire listing itemizing of the allegedly stolen GitLab repositories and a listing of CERs from 2020 via 2025 on Telegram.
The listing itemizing of CERs embrace a variety of sectors and well-known organizations corresponding to Financial institution of America, T-Cell, AT&T, Constancy, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy’s Naval Floor Warfare Heart, Federal Aviation Administration, the Home of Representatives, and lots of others.
If in case you have any info relating to this incident or another undisclosed assaults, you may contact us confidentially by way of Sign at 646-961-3731 or at ideas@bleepingcomputer.com.
The hackers said that they tried to contact Pink Hat with an extortion demand however obtained no response apart from a templated reply instructing them to submit a vulnerability report back to their security crew.
In accordance with them, the created ticket was repeatedly assigned to extra folks, together with Pink Hat’s authorized and security workers members.
BleepingComputer despatched Pink Hat extra questions, and we are going to replace this story if we obtain extra info.
The identical group additionally claimed accountability for briefly defacing Nintendo’s subject web page final week to incorporate contact info and hyperlinks to their Telegram channel
Replace 10/2/25: Story up to date with correction from Pink Hat that it was a GitLab occasion that was breached and never a GitHub account.
Be part of the Breach and Attack Simulation Summit and expertise the way forward for security validation. Hear from prime consultants and see how AI-powered BAS is remodeling breach and assault simulation.
Do not miss the occasion that may form the way forward for your security technique
