The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services.
The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says.
Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access.
The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.
Crimson Collective’s Brightspeed Claims and Customer Risk
In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider.
A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress.
Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more.
The data doesn’t include password or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people’s infrastructure.”
Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.
Crimson Collective: An Emerging Threat
Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure.
Murata said the Brightspeed attack “aligns with the Crimson Collective’s pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.”
The timing of the attack, coming just after the New Year holiday, is a possible example of “holiday hunting,” where cybercriminals exploit reduced IT staffing over holidays, Murata said.
“Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”
