Date of Incident:
April 2024
Overview:
The Red Hat data breach, reported in October 2025, occurred in April 2024 and involved unauthorized access to around 570GB of compressed data from 28,000 internal development repositories. The breach affected the software sector, compromising sensitive Customer Engagement Reports (CERs) that contained critical information about networks and infrastructure of various high-profile clients, such as Walmart and HSBC. The ShinyHunters threat group employed tactics like using stolen credentials and automating repository cloning for exfiltration. The breach led to attempted extortion through ransom demands and the online release of some stolen data. Indicators of compromise included suspicious domains, IP addresses, and login anomalies.
Impact:
Approximately 570GB of compressed data was stolen from 28,000 internal development repositories, including about 800 Customer Engagement Reports (CERs) containing sensitive information about customers’ networks, infrastructure, and platforms. The threat actors attempted extortion with a ransom demand and released samples of stolen data concerning prominent customers such as Walmart, HSBC, Bank of Canada, Atos Group, American Express, Department of Defence, and Société Française du Radiotéléphone.
Details:
The Red Hat data breach involved unauthorized access to approximately 570GB of compressed data from 28,000 internal development repositories. Mapped MITRE ATT&CK techniques include T1078 (Valid Accounts) for initial access, likely through stolen or weak credentials, and T1213 (Data from Information Repositories) and T1537 (Transfer Data to Cloud Account) for the exfiltration of extensive source code and Customer Engagement Reports (CERs). The ShinyHunters threat actor group made use of leaked internal Git repositories, which contained sensitive files relating to the networks and infrastructure of customers such as Walmart and HSBC. Indicators of compromise (IOCs) include domains and IP addresses used during the data exfiltration phases, hashes of stolen code samples published online, and suspicious login events in system logs showing anomalous access patterns. A proof-of-concept demonstrates how the threat actors automated repository cloning through exposed Git server endpoints and packed the stolen data for ransom demands, exfiltrating it via cloud channels. Authentication error traces showed multiple failed login attempts followed by successful entries, a pattern consistent with credential stuffing or phishing.
Remediation:
Red Hat advised immediate password resets and multifactor authentication (MFA) enforcement for all internal accounts. The vendor released patches to address vulnerabilities in their internal Git server configurations that enabled unauthorized repository access. Temporary mitigations include restricting repository access rights, enhancing anomaly detection on internal network activity, and isolating critical infrastructure systems. Known workarounds involve auditing internal repository permissions regularly and monitoring extortion attempt communications.
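The Details section above names two log signals that defenders could act on (bursts of failed logins followed by a success, and automated bulk cloning of repositories), and the Remediation section calls for anomaly detection on internal activity and regular auditing of repository access. The script below is an added example written for this page; it is not Red Hat's tooling, not part of the original summary, and not derived from any real incident logs. It assumes a hypothetical Git server access log format (`<timestamp> <auth_fail|auth_ok|clone> user=<name> src=<ip> [repo=<path>]`) and the thresholds (three failures in five minutes, fifty distinct repositories in one hour) are illustrative choices; the log lines it runs over are constructed inline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format assumed for this example (not a real product's format):
#   2024-04-02T01:00:09Z auth_ok user=dev01 src=203.0.113.7
#   2024-04-02T01:01:00Z clone user=dev01 src=203.0.113.7 repo=internal/app-1
LINE_RE = re.compile(
    r"^(\S+) (auth_fail|auth_ok|clone) user=(\S+) src=(\S+)(?: repo=(\S+))?$"
)


def parse_line(line):
    """Parse one log line into an event dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, src, repo = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user,
        "src": src,
        "repo": repo,
    }


def detect_failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= min_failures failures from the same
    user/source inside the window: the credential-stuffing / phishing pattern."""
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        fails = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if ev["event"] == "auth_fail":
            fails.append(ev["ts"])
        elif ev["event"] == "auth_ok" and len(fails) >= min_failures:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(fails), "success_at": ev["ts"]})
            fails = []  # the success consumes the failure run
        recent_fails[key] = fails
    return alerts


def detect_bulk_clones(events, threshold=50, window=timedelta(hours=1)):
    """Flag a user/source that clones >= threshold distinct repositories within
    any sliding window: the automated mass-cloning pattern."""
    clones = defaultdict(list)
    for ev in events:
        if ev["event"] == "clone":
            clones[(ev["user"], ev["src"])].append(ev)
    alerts = []
    for (user, src), evs in clones.items():
        evs.sort(key=lambda e: e["ts"])
        in_window, repo_counts, peak = [], defaultdict(int), 0
        for ev in evs:
            in_window.append(ev)
            repo_counts[ev["repo"]] += 1
            # Drop clones that fell out of the window, keeping distinct-repo counts exact.
            while ev["ts"] - in_window[0]["ts"] > window:
                old = in_window.pop(0)
                repo_counts[old["repo"]] -= 1
                if repo_counts[old["repo"]] == 0:
                    del repo_counts[old["repo"]]
            peak = max(peak, len(repo_counts))
        if peak >= threshold:
            alerts.append({"user": user, "src": src, "distinct_repos_in_window": peak})
    return alerts


def analyze(lines):
    """Run both detectors over raw log lines and return the alerts."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"credential_stuffing": detect_failed_then_success(events),
            "bulk_clone": detect_bulk_clones(events)}


def build_sample_log():
    """Constructed sample log: dev01 shows both suspicious patterns, dev02 is benign."""
    lines = [
        "2024-04-02T01:00:01Z auth_fail user=dev01 src=203.0.113.7",
        "2024-04-02T01:00:03Z auth_fail user=dev01 src=203.0.113.7",
        "2024-04-02T01:00:05Z auth_fail user=dev01 src=203.0.113.7",
        "2024-04-02T01:00:06Z auth_fail user=dev01 src=203.0.113.7",
        "2024-04-02T01:00:09Z auth_ok user=dev01 src=203.0.113.7",
    ]
    # 60 distinct repositories cloned in 30 minutes, two per minute.
    for i in range(60):
        lines.append(f"2024-04-02T01:{1 + i // 2:02d}:{(i % 2) * 30:02d}Z clone "
                     f"user=dev01 src=203.0.113.7 repo=internal/service-{i:03d}")
    lines += [
        "2024-04-02T09:14:00Z auth_fail user=dev02 src=10.0.0.5",  # one typo, then success
        "2024-04-02T09:15:00Z auth_ok user=dev02 src=10.0.0.5",
        "2024-04-02T09:16:00Z clone user=dev02 src=10.0.0.5 repo=internal/service-001",
        "2024-04-02T09:20:00Z clone user=dev02 src=10.0.0.5 repo=internal/service-002",
        "2024-04-02T09:25:00Z clone user=dev02 src=10.0.0.5 repo=internal/service-003",
        "this line is not in the expected format and is skipped",
    ]
    return lines


if __name__ == "__main__":
    for kind, alerts in analyze(build_sample_log()).items():
        for a in alerts:
            print(kind, a)
```

Both detectors key on the user/source pair rather than the user alone, so a legitimate developer working from their usual host is not lumped together with a stolen credential used from elsewhere; in practice the thresholds would be tuned against a baseline of normal clone volume, and the bulk-clone alert is the one worth routing to an incident-response queue because it fires while exfiltration is still in progress.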
Takeaway for CISO:
This breach highlights the critical risk posed by internal development infrastructure exposure to advanced persistent threats exploiting valid credentials. CISOs must prioritize zero trust models with stringent access controls on internal source code repositories and implement continuous monitoring for anomalous repository access. Incident response plans must integrate extortion scenarios involving stolen intellectual property to mitigate impact and reputational damage.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.