Hackers Claim Massive Red Hat Breach

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Red Hat, an open-source software company, has confirmed a security breach after the hacking group Crimson Collective announced it obtained 570GB of compressed data from the company’s private GitHub repositories.

In a rush? Here are the quick facts:

  • The Crimson Collective says it breached 28,000 internal projects.
  • Data allegedly includes 800 Customer Engagement Reports (CERs).
  • CERs contain sensitive infrastructure, tokens, and client system details.

The group announced they obtained 28,000 internal projects and hundreds of Customer Engagement Reports (CERs), which contain sensitive client information, including network maps, authentication tokens, and configuration details.

“Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps,” the company told BleepingComputer.

Stephanie Wonderlick, Red Hat’s VP of communications, echoed this to 404 Media, adding: “The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain.”

The Crimson Collective, however, claims to have accessed authentication tokens and database connection strings, using them to “gain access to some of their client’s infrastructure as well,” as reported by The Register.

The group also published file listings on Telegram and claimed to hold CERs covering 2020 through 2025, allegedly involving major institutions including the U.S. Navy’s Naval Surface Warfare Center, the Federal Aviation Administration, Bank of America, Walmart, AT&T, T-Mobile, and the U.S. House of Representatives.

The hackers say they tried to contact Red Hat with an extortion demand but received only a generic response instructing them to submit a vulnerability report. “We have given them too much time already to answer lol instead of just starting a discussion they kept ignoring the emails,” they wrote on Telegram, as noted by 404 Media.

Red Hat has not validated any of the claims about stolen data or customer information exposure, according to its official statements. The Register reports that the extent of the breach remains unknown because Red Hat has not publicly confirmed the hackers’ statements about stolen data or customer exposure.

Fake Signal and ToTok Apps Used to Spy on Android Users In UAE

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

ESET researchers have uncovered two spyware campaigns that disguise themselves as secure messaging apps to target Android users in the United Arab Emirates (UAE).

In a rush? Here are the quick facts:

  • Fake Signal and ToTok apps spread spyware on Android devices in the UAE.
  • Malware distributed through phishing sites, not Google Play Store.
  • Stolen data includes SMS, contacts, photos, videos, and app backups.

ESET reports that the malicious apps impersonate Signal and ToTok, two platforms often chosen by people seeking private communications.

The investigation identified two previously unknown spyware families: Android/Spy.ProSpy, which pretends to be upgrades or plugins for Signal and ToTok, and Android/Spy.ToSpy, which exclusively impersonates ToTok.

Neither was available in official app stores. Instead, victims were tricked into downloading them from third-party websites posing as legitimate services.

One of the fake sites even mimicked the Samsung Galaxy Store to spread the ToSpy malware. Once installed, both spyware strains maintain persistence on the device and begin stealing sensitive data in the background. This includes contacts, SMS messages, documents, photos, videos, and even app backups.

ESET noted that ToSpy specifically looks for .ttkmbackup files, which are used to store ToTok chat histories and app data, suggesting a targeted effort to extract conversations. “Our investigation led to the discovery of two previously undocumented spyware families – Android/Spy.ProSpy, impersonating upgrades or plugins for the Signal and ToTok messaging apps; and Android/Spy.ToSpy, impersonating the ToTok app,” the researchers explained.

ProSpy has been active since at least 2024, spread through phishing websites offering fake apps like “Signal Encryption Plugin” and “ToTok Pro.” When launched, these apps often redirect users to the real Signal or ToTok platforms to appear legitimate, while continuing to steal information in the background.

According to ESET, the ToSpy campaign is still ongoing, with active servers receiving stolen data. As an App Defense Alliance partner, ESET shared its findings with Google. Users are protected against known variants by Google Play Protect, which is enabled by default on Android devices.