Cyber Incident Victim: Brightspeed
Date:
Jan 2026
Location:
United States of America
Summary
Brightspeed is investigating claims by the hacking group Crimson Collective that it obtained personal information on over one million customers and disrupted their connectivity. The provider said it has not confirmed the allegations and is reviewing the reports, while law firms examine the incident for possible class‑action litigation. The collective previously claimed responsibility for a breach of Red Hat’s private GitLab repositories that stole hundreds of gigabytes of data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early January 2026 the hacking group Crimson Collective posted to Telegram that it had obtained personally identifiable information belonging to over one million Brightspeed customers, a claim first made on January 4 and followed by a data sample shared on January 5. On January 6 the group added a message stating that it had disconnected many of Brightspeed’s home internet users and suggested the company should check for complaints. Brightspeed, a Charlotte‑based provider of high‑speed fiber internet, digital voice and business services operating in twenty US states, said it was investigating reports of a cybersecurity event and emphasized that it takes network security and customer information protection seriously, pledging to keep customers, employees and authorities informed as it learned more. The company’s statement to the Observer noted its rigorous network monitoring and threat response practices. Law firms have begun looking into the incident with a view toward a possible class‑action suit, while Brightspeed has not confirmed the group’s claim of disconnecting customers. The Crimson Collective also claimed responsibility for a September 2025 attack on Red Hat’s private GitLab repositories, asserting the theft of roughly 570 GB of data across 28 000 internal projects, including about 800 Customer Engagement Reports, one of which related to Nissan Fukuoka Sales.
The group alleged that the stolen data included account master records with names, email and service/billing addresses, phone numbers, account status, network type, consent flags, billing system, service instance, network assignment and site IDs, as well as address latitude and longitude coordinates, service type and marketing profile codes. It further asserted possession of payment history details such as payment IDs, dates, amounts, invoice numbers, card types and the last four digits of card numbers, along with payment method information including default payment method IDs, gateways, masked credit card numbers, expiry dates, BINs, cardholder names and addresses, and status flags, plus appointment or order records for billing accounts. Brightspeed has not verified these claims and it remains unclear how the breach occurred. Although some customers have voiced concerns on social media, it is uncertain whether those issues are linked to the group’s actions. The company said it is looking into the reports and will continue to monitor the situation.
Brightspeed’s response includes an ongoing investigation, internal network security reviews, and communication with stakeholders about developments. The firm reiterated its commitment to securing its networks and protecting customer and employee information. As the inquiry proceeds, Brightspeed intends to provide updates to affected parties and relevant authorities. The involvement of law firms suggests that legal proceedings may follow pending the outcome of the investigation. No further details about the breach’s origin or the exact number of impacted customers have been confirmed by the company at this time.