It was bound to happen sooner or later . . .
So the bad guys decided they hate systemd as much as the rest of us ;)
Red Hat's breach nightmare just got worse, as the Crimson Collective crew that claims to have ransacked its GitLab repos has joined forces with the ShinyHunters-linked "Scattered Lapsus$ Hunters" gang to turn the screw with a full-blown extortion campaign.
"...including some 28,000 internal repositories and hundreds of Customer Engagement Reports (CERs) that contain detailed infrastructure diagrams, configuration files, and, in places, secrets such as access tokens.
Because it's *always* smart to place secret access token backups on your cloud storage.
Proving that no matter how large you are, your security protocols are often still smol.
Let's be fair, this wasn't some simple cloud dump.
"The incident refers to Red Hat's self-managed instance of GitLab Community Edition... Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance."
So it's merely a case of some small time operator[1] using Community Edition for unimportant work[2] not getting their security right[3]. Nothing to see here.[4]
[1] Red Hat is not a small time operator.
[2] This was not unimportant work.
[3] This should have been a pretty highly secured target.
[4] This was a major failure. How long were they holding customers' active keys and config info after tickets were closed? Friggin morons.
Nice of Emily James @GitLab to explain matters so eloquently.
> "How long were they holding customers' active keys and config info after tickets were closed?"
In today’s security climate, where we are supposed to renew/change security certificates every year, we should perhaps also be asking how many of those keys are still valid a year or more after the ticket was raised and usable from any IP address.
Who said it was cloud?
"The incident refers to Red Hat's self-managed instance of GitLab Community Edition... Customers who deploy free, self-managed instances on their own infrastructure"
I.e. not in the cloud. It's not like Redhat even wrote gitlab.
If you put up an apache with insecure CGI I can't see that Apache org would be paying you ransoms.
Tbh the extortionists are likely to get nothing from this one. Certainly not from ibm who it seems lost nothing.
Some consults look red in the face.
Gitlab/redhat customers who put shit on the Internet probably didn't care too much about the markdown text documents specified. No?
If they did, the bad guys wouldn't be trying to make a media drama out of it. They would be trying to extort the data owners.
GDPR has nothing to do with this. Redhat are neither data owner nor broker. They provided 3rd party os software to someone who used it insecurely.
Having had RedHat, and the odd commenter here, describe people using CentOS, then Alma and others as "freeloaders", I was very interested to see this quote:
"The incident refers to Red Hat's self-managed instance of GitLab Community Edition... Customers who deploy free, self-managed instances on their own infrastructure[...]"