Red Hat Confirms Security Incident After Hackers Breach Gitlab Instance
Source: bleepingcomputer.com (tech story, high profile)
Posted 3 months ago; last active 3 months ago
Key topics: Security, Data Breach, Open Source
Red Hat confirms a security incident after hackers breach their GitLab instance, sparking concerns about data security and handling of extortion demands.
Snapshot generated from the HN discussion
Discussion activity: very active; first comment 2h after posting; peak of 30 comments in the 0-6h window; 7.4 comments per period on average (based on 52 loaded comments).
Key moments
- Story posted: Oct 2, 2025 at 8:28 AM EDT (3 months ago)
- First comment: Oct 2, 2025 at 10:03 AM EDT (2h after posting)
- Peak activity: 30 comments in the 0-6h window, the hottest part of the conversation
- Latest activity: Oct 4, 2025 at 12:22 PM EDT (3 months ago)
HN ID: 45448772 | Type: story | Last synced: 11/20/2025, 6:51:52 PM
And, never forget: what a company preaches and advertises is not the same as what the company is actually doing.
Also, here is some more information about this breach: https://x.com/intcyberdigest/status/1973422846396473765
90% of the time, they are checking boxes. But if they are fishing, you have to be careful because they generally are bad at understanding anything, but good at manipulating the audit rules to frame things in such a way so they can “catch a big fish”.
Your boss is a bad apple, and so are you if you adopt their ways.
Yes, it is highly adversarial and the best compromise I've seen is to have an internal audit team that is separate organizationally from IT, but has to withstand peer review if they claim anything is a real problem.
A person who is used to interviewing people will be able to tell right away.
Is it really OK? Not necessarily, but on the other hand you don't want to spend the rest of your life answering even more questions from other people the auditors might bring in to help them understand your helpful explanations.
I learned this the hard way, assuming auditors are logical and understand technology.
In theory, being ISO27001 means that your environment follows best practices and has a somewhat sane security posture.
To the business people, a new customer demands that you have ISO27001 certification before they'll sign the $$$$ contract. The salesperson does not care HOW you get the certificate, just that you have it, they need this contract signed!
The department wasn't designed with security in mind, so implementing everything required by ISO will take many months. But sales needs $$$$ now! The CEO, CFO, and CTO are aligned: money now!
So, there's high pressure to pass the audit quickly. You implement what you can, you weasel your way around the things that will take too long. Those things are "out of scope" or "testing databases". You implement MFA while the auditor is auditing, but you know it breaks developers' workflows and there isn't a quick fix, so you turn MFA back off once the audit is complete....
TA-DA! We're ISO27001 certified! But we're no more secure than we were before.
Depending on how dysfunctional the org is, there's no super dev anywhere who can fix it. You just shut up, do bad things knowing they're bad, or get fired.
I had a sales guy sell a company a replacement for their terminal server, with OneDrive lol
I almost died laughing when he explained to me the project.
I said.. you want to run cad files off OneDrive in place of a terminal/storage server?
"Yes"
Let's just say we ended up just moving their server to the cloud and VPN access onsite and for external developers.
Nah, it just means you have defined, documented processes and document that you stick to them. The actual processes can be shit and maybe you also have something on the side the auditors don't get shown, but ultimately the certification is a total joke. Source: Worked at a place that got certified despite being a security joke.
Yes and no. Even if it is a joke there is one thing it qualifies: You at least spent time looking at the process. This already is a gain over complete wild west.
Do you mean you'd rather be lied to than not be lied to?
"Aligned" :)) The IT terminology FTW! Very very realistic description. Of not delivering value to customers.
Was this the case in this RH breach? Maybe. But just putting multiple "repos" and other client stuff in the same place is modern IT insanity.
At least they could put that Navy stuff somewhere else. Reasonable idea, right?
> After publishing our story, Red Hat confirmed that the security incident was a breach of its GitLab instance used solely for Red Hat Consulting on consulting engagements, and not GitHub.
> While Red Hat did not respond to any further questions about the breach, the hackers told BleepingComputer that the intrusion occurred approximately two weeks ago.
Just hilarious
"According to them, the created ticket was repeatedly assigned to additional people, including Red Hat's legal and security staff members."
Summarized: Given enough eyeballs, all extortion demands are fallow.
Thanks, hadn't encountered this word before.
“Since RedHat doesn't want to answer to us,” the hackers wrote in a channel on Telegram viewed by 404 Media, suggesting they have attempted to contact Red Hat. [...]
“We have given them too much time already to answer lol instead of just starting a discussion they kept ignoring the emails,” the message added. In another message, the group said it had “gained access to some of their clients' infrastructure as well, already warned them but yeah they preferred ignoring us.”
https://www.404media.co/red-hat-investigating-breach-impacti...
First rule of having someone reply: spell their name correctly.
What you must do immediately is notify the affected customers, bring down or lock the affected services, and contact the authorities.
If an attacker makes an extortion threat, but then still follows through on the release/damage after being paid, then people are not incentivized to engage with you, and will go into attack mode right away, making it riskier for you.
HOWEVER, if the attacker makes the extortion threat, takes payment, and then honors the agreement, and ends the transaction, then parties are more inclined to just pay to make the problem go away. They know that the upfront price is the full cost of the problem.
I've seen that there are 'ethical attackers' out there that move on after an attack, but you never know what kind you're dealing with :-/ "Never negotiate...."
Reputation isn't all that useful for extortion.
Running all your crimes as the "Wet Bandits" makes it much easier for law enforcement if they do catch up with you.
I sincerely hope that the game doesn’t become prophetic in the manner Idiocracy has.
(title fixed now)
Title needs updating