Brightspeed: US broadband provider Brightspeed investigates breach claims

Brightspeed Investigates Data Breach After Crimson Collective Claims Theft of 1M+ Customer Records

Brightspeed, a major U.S. fiber broadband provider serving rural and suburban communities across 20 states, is probing claims of a security breach after the extortion group Crimson Collective alleged it stole sensitive data from over 1 million customers. The company confirmed it is investigating the incident, stating it takes network security and customer data protection seriously while pledging to update stakeholders as details emerge.

In a Sunday Telegram post, the threat actors claimed the stolen data includes personally identifiable information (PII), such as names, emails, phone numbers, addresses, payment histories, partial payment card details, and order records tied to user accounts. The group warned Brightspeed employees to check their emails, adding that a sample of the data would be released Monday night if no response was received.

Crimson Collective has a history of high-profile attacks, including an October breach of Red Hat’s GitLab instance, where it exfiltrated 570GB of data from 28,000 internal development repositories, impacting the company’s consulting division. The group later partnered with Scattered Lapsus$ Hunters, leveraging the ShinyHunters data leak site to pressure Red Hat into negotiations. The fallout from that breach extended to Nissan, which confirmed in December that 21,000 Japanese customers’ personal data was compromised as a result.

Beyond Red Hat, Crimson Collective has targeted AWS cloud environments, exploiting exposed credentials and creating rogue IAM (Identity and Access Management) accounts to escalate privileges and exfiltrate data. The group’s tactics highlight a growing trend of cloud-focused extortion campaigns against enterprise infrastructure. Brightspeed’s investigation remains ongoing.

Source: https://www.bleepingcomputer.com/news/security/us-broadband-provider-brightspeed-investigates-breach-claims/

Brightspeed cybersecurity rating report: https://www.rankiteo.com/company/brightspeed

"id": "BRI1767647147",
"linkid": "brightspeed",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 1 million',
                        'industry': 'Telecommunications',
                        'location': 'United States',
                        'name': 'Brightspeed',
                        'size': 'Large (serves 20 states)',
                        'type': 'Telecommunications, ISP'}],
 'attack_vector': 'Unknown (potentially exposed AWS credentials or rogue IAM '
                  'accounts)',
 'customer_advisories': 'Public statement issued to customers and employees',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': 'Over 1 million',
                 'personally_identifiable_information': 'Yes (names, emails, '
                                                        'phone numbers, '
                                                        'addresses)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Address information',
                                              'User account information',
                                              'Payment history',
                                              'Payment card information',
                                              'Appointment/order records']},
 'description': 'Brightspeed, a U.S. telecommunications and ISP, is '
                'investigating claims by the Crimson Collective extortion gang '
                'of a security breach and data theft involving over 1 million '
                "customers' sensitive information.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'data_compromised': 'Over 1 million customer records',
            'identity_theft_risk': 'High (PII exposed)',
            'payment_information_risk': 'High (payment card information '
                                        'exposed)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Data Theft',
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Crimson Collective Telegram Channel'}],
 'response': {'communication_strategy': 'Public statement to customers, '
                                        'employees, and authorities',
              'incident_response_plan_activated': 'Yes (under investigation)'},
 'threat_actor': 'Crimson Collective',
 'title': 'Brightspeed Security Breach and Data Theft by Crimson Collective',
 'type': 'Data Breach, Extortion'}