Crimson Collective targets multiple organizations including Red Hat and Brightspeed for data theft and extortion

3 unique sources, 8 articles

Summary

The Crimson Collective has been targeting various organizations, including Red Hat and Brightspeed, for data theft and extortion. The group claims to have breached Red Hat's private GitLab repositories, stealing nearly 570 GB of data across 28,000 internal projects, including 800 Customer Engagement Reports (CERs) containing sensitive information about customer networks and platforms. The breach occurred approximately two weeks prior to the announcement. The hackers claim to have accessed downstream customer infrastructure using authentication tokens and other private information found in the stolen data. The affected organizations span various sectors, including finance, healthcare, government, and telecommunications. Red Hat has initiated remediation steps and stated that the security issue does not impact its other services or products. The hackers published a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025 on Telegram. The Centre for Cybersecurity Belgium (CCB) has issued an advisory stating there is a high risk to Belgian organizations that use Red Hat Consulting services. The CCB also warns of potential supply chain impact if service providers or IT partners worked with Red Hat Consulting. The CCB advises organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations, and to contact third-party IT providers to assess potential exposure. The ShinyHunters gang has now joined the extortion attempts against Red Hat, partnering with the Crimson Collective. ShinyHunters has released samples of stolen CERs on their data leak site and has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. The breach is part of a series of supply chain threats involving compromised code repositories. In May 2024, threat actors exploited a critical vulnerability (CVE-2023-7028) to take over GitLab accounts. GitLab disclosed and patched two similar vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that jeopardized customers' CI/CD pipelines. Nissan Motor Co. Ltd. has confirmed that information of approximately 21,000 customers has been compromised due to the Red Hat breach. The leaked data includes full names, physical addresses, phone numbers, email addresses, and customer data used in sales operations. Financial information such as credit card details was not exposed in the breach. Nissan noted that the compromised Red Hat environment does not store any other data beyond what was confirmed as impacted. Nissan has no evidence that the leaked information has been misused. This is the second cybersecurity incident for Nissan Japan this year, following a Qilin ransomware attack in late August that hit its design subsidiary Creative Box Inc. (CBI). The Crimson Collective has also claimed responsibility for a breach at Brightspeed, an ISP operating across 20 US states. The group claims to have obtained PII on over one million customers and disrupted their connectivity. The PII includes account master records, address coordinates, payment history, payment methods, and appointment/order records. The group posted samples of the data on Telegram and claimed to have disconnected users' home internet. Jacob Krell from Suzu Labs commented on the broader implications of such breaches, noting their societal and national security impact.

Timeline

  1. 07.01.2026 12:30 1 article · 23h ago

    Crimson Collective breaches Brightspeed, disrupts connectivity

    Crimson Collective claims to have breached Brightspeed, obtaining PII on over one million customers and disrupting their connectivity. The PII includes account master records, address coordinates, payment history, payment methods, and appointment/order records. The group posted samples of the data on Telegram and claimed to have disconnected users' home internet. Jacob Krell from Suzu Labs commented on the broader implications of such breaches, noting their societal and national security impact.

  2. 08.10.2025 20:33 1 article · 3mo ago

    Crimson Collective targets AWS cloud environments for data theft

    The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies. The attackers use the open-source tool TruffleHog to discover exposed AWS credentials, then create new IAM users and login profiles via API calls. They attach the 'AdministratorAccess' policy to the newly created users, granting full control of the AWS account. The attackers enumerate users, instances, buckets, locations, database clusters, and applications to plan data collection and exfiltration. They modify RDS master passwords to gain database access, create snapshots, and export them to S3 for exfiltration. Snapshots of EBS volumes were also observed, followed by the launch of new EC2 instances. The attackers send extortion notes via AWS Simple Email Service (SES), both from within the breached cloud environment and to external email accounts. The attackers used multiple IP addresses in their data theft operations and reused some of them across incidents. The Crimson Collective partnered with Scattered Lapsus$ Hunters to increase the extortion pressure on Red Hat. In January 2025, Halcyon reported ransomware attacks targeting AWS environments by a threat actor named 'Codefinger'.

  3. 07.10.2025 00:08 1 article · 3mo ago

    ShinyHunters joins extortion efforts with Crimson Collective

    The ShinyHunters gang has partnered with the Crimson Collective to extort Red Hat, releasing samples of stolen Customer Engagement Reports (CERs) on their data leak site. ShinyHunters has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. ShinyHunters operates as an extortion-as-a-service (EaaS), collaborating with other threat actors to extort companies. The breach is part of a series of supply chain threats involving compromised code repositories. The Centre for Cybersecurity Belgium (CCB) has issued an advisory warning of potential supply chain impact and advising organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations.

  4. 02.10.2025 09:15 7 articles · 3mo ago

    Red Hat confirms security incident affecting consulting business

    Nissan Motor Co. Ltd. has confirmed that information of approximately 21,000 customers has been compromised due to the Red Hat breach. The leaked data includes full names, physical addresses, phone numbers, email addresses, and customer data used in sales operations. Financial information such as credit card details was not exposed in the breach. Nissan noted that the compromised Red Hat environment does not store any other data beyond what was confirmed as impacted. Nissan has no evidence that the leaked information has been misused. This is the second cybersecurity incident for Nissan Japan this year, following a Qilin ransomware attack in late August that hit its design subsidiary Creative Box Inc. (CBI). Nissan received a notification from Red Hat on October 3 and immediately informed the domestic regulator, the Personal Information Protection Commission. Nissan is in the process of contacting individual customers who have been affected by the breach.

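The AWS intrusion chain in the 08.10.2025 entry (new IAM user, AdministratorAccess attached, RDS master password reset, snapshot exported to S3) leaves a recognisable sequence of CloudTrail management events. The detector below correlates those events per calling identity; it is an added example, not code from the article or any vendor, and the stage labels and sample records are constructed assumptions, with the CloudTrail field names being the real ones.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# (eventSource, eventName) -> stage label; the labels are our own (assumption), not AWS terms
STAGES = {
    ("iam.amazonaws.com", "CreateUser"): "persistence",
    ("iam.amazonaws.com", "CreateLoginProfile"): "persistence",
    ("iam.amazonaws.com", "AttachUserPolicy"): "privilege_escalation",
    ("rds.amazonaws.com", "ModifyDBInstance"): "credential_access",
    ("rds.amazonaws.com", "CreateDBSnapshot"): "collection",
    ("ec2.amazonaws.com", "CreateSnapshot"): "collection",
    ("rds.amazonaws.com", "StartExportTask"): "exfiltration",
}

def classify(event):
    """Return the stage label for one CloudTrail record, or None if it does not match."""
    key = (event.get("eventSource"), event.get("eventName"))
    params = event.get("requestParameters") or {}
    if key == ("iam.amazonaws.com", "AttachUserPolicy") and params.get("policyArn") != ADMIN_POLICY:
        return None  # only the AdministratorAccess attachment matches the reported TTP
    if key == ("rds.amazonaws.com", "ModifyDBInstance") and "masterUserPassword" not in params:
        return None  # CloudTrail masks the value but keeps the key when a password was set
    return STAGES.get(key)

def suspicious_principals(events, min_stages=3):
    """Group matches by calling identity; flag identities that hit >= min_stages stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev.get("userIdentity", {}).get("arn", "unknown")].add(stage)
    return {arn: sorted(s) for arn, s in seen.items() if len(s) >= min_stages}

# Constructed sample records: the shape follows CloudTrail, every value is made up.
ATTACKER = "arn:aws:iam::111122223333:user/leaked-ci-key"
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "StartExportTask", "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"s3BucketName": "staging-export"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",  # routine admin work, excluded
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jane"},
     "requestParameters": {"userName": "dev", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]
```

Running `suspicious_principals(SAMPLE_EVENTS)` flags only the identity tied to the leaked key, which spans four stages; a single one-off action such as a ReadOnly policy attachment never crosses the threshold.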

Similar Happenings

Ubisoft Rainbow Six Siege Breach Grants Players Billions in In-Game Currency

Ubisoft's Rainbow Six Siege (R6) suffered a breach allowing hackers to manipulate in-game systems, granting players billions of R6 Credits and unlocking all cosmetic items. The attackers also abused ban and moderation systems. Ubisoft confirmed the incident, shut down the game, and is rolling back transactions. Unverified claims suggest a larger breach involving MongoDB vulnerabilities and potential source code theft.

Sha1-Hulud Supply Chain Attack Results in $8.5 Million Trust Wallet Chrome Extension Hack

On December 24, 2025, users of the Trust Wallet Chrome extension reported significant cryptocurrency losses after a compromised update (version 2.68.0) was released. The update contained malicious code that exfiltrated sensitive wallet data to an external server. Trust Wallet confirmed the security incident and released a patched version (2.69). Losses are estimated to exceed $8.5 million, with ongoing investigations into the incident. The malicious code iterated through all wallets stored in the extension and triggered a mnemonic phrase request for each wallet. The encrypted mnemonic was decrypted using the password or passkey entered during wallet unlock and sent to the attacker's server. The stolen funds include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The incident has claimed hundreds of victims, and Trust Wallet is actively finalizing the process to refund the impacted users. The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. The backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider. Trust Wallet confirmed that approximately 2,596 wallets were drained in the attack and received around 5,000 claims, indicating a significant number of false or duplicate submissions. Trust Wallet has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns.

Cyberattack on French Interior Ministry Email Servers

The French Interior Ministry confirmed a cyberattack on its email servers, detected between December 11 and 12, 2025. The breach allowed unauthorized access to document files, though data exfiltration remains unconfirmed. The ministry has tightened security protocols and launched an investigation to determine the origin and scope of the attack. Possible motives include foreign interference, activism, or cybercrime. On December 17, 2025, a 22-year-old suspect was arrested in connection with the attack. The suspect is accused of unauthorized access to an automated personal data processing system as part of an organized group. Investigations are being conducted by OFAC, France's Office for Combating Cybercrime. A BreachForums admin claimed responsibility for the attack, alleging it was in revenge for the arrests of forum moderators and admins. The forum post claims that data on 16,444,373 people from France's police records was stolen. In April 2025, France attributed a widespread hacking campaign to APT28, a group linked to Russia's GRU, targeting various French entities.

Mixpanel Data Breach Exposes OpenAI API User Information

OpenAI has disclosed that a data breach at Mixpanel, a third-party analytics provider, exposed limited customer identifiable information and analytics data of some OpenAI API users. The breach occurred between November 9 and 25, 2025, and resulted from a smishing (SMS phishing) campaign detected on November 8, 2025. Affected data includes names, email addresses, approximate locations, operating systems, browsers, referring websites, and organization or user IDs associated with API accounts. OpenAI has removed Mixpanel from its services and is conducting additional security reviews across its vendor ecosystem. The company is notifying potentially affected users and advising them to be vigilant against phishing and social engineering attacks. OpenAI emphasized that no chat content, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised. CoinTracker, a cryptocurrency portfolio tracker and tax platform, has also been impacted, with exposed data including device metadata and limited transaction count.

ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage

Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.