Hackers (The Crimson Collective) use leaked authentication tokens to access customer systems

Updated on 02.10.2025

Red Hat confirms a consulting breach that poses a high risk for Belgian organisations.

Assessment

The Centre for Cybersecurity Belgium (CCB) assesses that this breach poses a high risk for Belgian organisations that used Red Hat Consulting services or shared sensitive information (e.g., credentials, tokens, network data) with Red Hat. There is also a potential supply chain impact if your service providers or IT partners worked with Red Hat Consulting.

Red Hat has confirmed a security incident involving its consulting service. Private GitHub repositories containing Customer Engagement Reports (CERs) were accessed by attackers. These reports may include sensitive details such as:

  • Network information
  • Authentication tokens and keys
  • Configuration data

Attackers claim they already used stolen tokens to access customer systems. The full scope of the breach remains unclear.

Who Should Act

This alert is particularly relevant for:

  • Organisations that have used Red Hat Consulting services
  • Companies that shared credentials, tokens, or configuration data with Red Hat
  • Entities whose IT providers, developers, or hosting partners may have engaged Red Hat Consulting (possible supply chain risk)
  • Any entity with integrations involving Red Hat systems

Timeline

  • Mid-September 2025 – Breach reportedly took place (approx. two weeks before disclosure).
  • Late September 2025 – Hackers claimed access to Red Hat’s private GitHub repositories and tokens.
  • 1 October 2025 – Reports surfaced publicly about the alleged breach.
  • 2 October 2025 – Red Hat confirmed the incident and ongoing investigation.

Potential Impact

  • Unauthorised access to internal systems using stolen tokens or credentials
  • Lateral movement within compromised environments
  • Theft of sensitive company or customer data
  • Disruption of IT operations or exposure of configuration details
  • Supply chain impact if a third-party provider was exposed through Red Hat Consulting

Recommended Actions

  • Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations.
  • Engage Third Parties – ask your IT providers or partners whether they used Red Hat Consulting and assess your potential exposure.
  • Contact Red Hat for guidance on your specific exposure.
  • Increase Monitoring of authentication events, API calls, and system access for anomalies.
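
One way to combine the rotation and monitoring actions above into a first triage pass, as an added example that is not part of the original alert or any Red Hat or CCB tooling: it lists which shared credentials still need rotation and which uses of them came from sources not seen before the exposure window. The credential names, log events, addresses and the 15 September 2025 window start are constructed assumptions (the alert only says "mid-September 2025").

```python
from datetime import datetime, timezone

# Assumption: start of the exposure window; the alert only says "mid-September 2025".
WINDOW_START = datetime(2025, 9, 15, tzinfo=timezone.utc)

# Constructed inventory: credential id -> time of its last rotation (ids are hypothetical).
SHARED = {
    "svc-deploy": "2025-10-03T08:00:00+00:00",
    "api-ci": "2025-06-01T00:00:00+00:00",
    "vpn-consult": "2025-01-10T00:00:00+00:00",
}

# Constructed authentication events: (timestamp, credential id, source address).
EVENTS = [
    ("2025-08-20T09:12:00+00:00", "api-ci", "10.0.4.17"),
    ("2025-09-22T02:41:00+00:00", "api-ci", "203.0.113.50"),
    ("2025-09-25T10:05:00+00:00", "api-ci", "10.0.4.17"),
    ("2025-09-01T07:30:00+00:00", "svc-deploy", "10.0.4.20"),
    ("2025-09-28T23:15:00+00:00", "svc-deploy", "198.51.100.7"),
    ("2025-10-04T06:00:00+00:00", "svc-deploy", "10.0.4.20"),
    ("2025-03-02T12:00:00+00:00", "unrelated-key", "10.0.9.9"),
]

def triage(shared, events, window_start=WINDOW_START):
    """Return {credential id: {"needs_rotation": bool, "suspect_events": [...]}}."""
    baseline = {cid: set() for cid in shared}   # sources seen before the window
    in_window = {cid: [] for cid in shared}     # uses on or after the window start
    for ts, cid, src in events:
        if cid not in shared:
            continue                            # never shared with the vendor
        when = datetime.fromisoformat(ts)
        if when < window_start:
            baseline[cid].add(src)
        else:
            in_window[cid].append((when, src))
    report = {}
    for cid, last_rotated in shared.items():
        rotated = datetime.fromisoformat(last_rotated)
        needs_rotation = rotated < window_start  # exposed secret is still valid
        # A use can only involve the exposed secret if it predates any later rotation.
        suspects = [(when.isoformat(), src) for when, src in in_window[cid]
                    if src not in baseline[cid] and (needs_rotation or when < rotated)]
        report[cid] = {"needs_rotation": needs_rotation, "suspect_events": suspects}
    return report

if __name__ == "__main__":
    for cid, result in triage(SHARED, EVENTS).items():
        print(cid, result)
```

A credential with no logged use at all (here `vpn-consult`) is still reported as needing rotation, since absence of events in the available logs does not show the secret was not exposed.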

If you observe related incidents or have additional information, please notify us immediately via our incident reporting form.

Stay alert for further updates as more details emerge.
