Crimson Collective, an emerging extortion group, claims to have breached U.S. fiber broadband provider Brightspeed, stealing data on over 1 million residential customers and disconnecting many from home internet service.
The group posted screenshots on Telegram detailing the alleged compromise and urging Brightspeed employees to “read their mails quick.”
On January 4, 2026, Crimson Collective announced possession of extensive customer datasets from Brightspeed, a major ISP serving rural and suburban areas across 20 states.
The post listed compromised data, including customer master files with full PII such as names, emails, phone numbers, billing/service addresses, account status, and network details like fiber/copper/4G types, bandwidth limits, and geolocation coordinates.
Additional data includes payment histories (IDs, amounts, masked card numbers with last 4 digits, expiry dates, BINs, holder information), appointment data with technician dispatch details, marketing profiles, and suspension reasons.
The actors released data samples on January 5 as threatened, and claimed a “sophisticated attack” enabling user disconnections from ISP service, which was later clarified as home internet, not mobile.
They are offering the full dataset for 3 Bitcoin (about $276,370), with plans to leak it online within a week if unsold.
Brightspeed’s Response
Brightspeed confirmed it is “investigating reports of a cybersecurity event” and takes network security seriously, promising updates to customers, employees, and authorities.
Spokesperson Gene Rodriguez Miller emphasized rigorous threat monitoring but declined to provide specifics on the claims. No evidence of service outages has been widely reported, though the group alleges proactive disruptions.
Crimson Collective gained notoriety in 2025 for breaching Red Hat’s GitLab repositories, exfiltrating 570GB of data that later impacted 21,000 Nissan customers’ PII.
They collaborated with Scattered Lapsus$ Hunters (ShinyHunters-linked) for extortion and have targeted AWS environments via credential abuse. The group has not disclosed intrusion methods for Brightspeed but hinted at ignored pre-disclosure emails.
Affected customers face risks of phishing, identity theft, and targeted attacks from exposed PII and partial payment data, though full cards or passwords were not claimed stolen.
Cybersecurity experts urge monitoring accounts and enabling MFA, as the incident highlights vulnerabilities in telecom infrastructure. Federal probes may follow, given Brightspeed’s critical role. As of January 7, no full breach confirmation exists, but samples appear authentic per the researcher’s cross-checks.
