Attackers claim 1M+ customer records stolen from top US internet provider


The Brightspeed data breach involves personal customer data, including full names, home addresses, and limited payment card details, according to claims by the cybercriminals behind the alleged attack.

The Crimson Collective announced the Brightspeed data breach via its Telegram channel. According to the attackers, they managed to syphon over a million records, which include extensive information on Brightspeed’s users.

The attackers’ post suggests that they got their hands on customer records, address qualification responses, user-level account details, customer payment histories, payment method data, and appointment records.

The company's representative said Brightspeed is aware of the attackers' claims and that an investigation is ongoing.

“We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats. We are currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed,” the company's representative explained.

Brightspeed operates in over 20 states, serving over a million customers. The company’s reported revenue exceeded $1 billion last year, while staff size hovers around 4,000.

Meanwhile, the Cybernews research team investigated the data sample attackers attached to the Telegram post. According to our team, the sample includes 50 lines of customer details, a far cry from the one million-plus records that Crimson Collective claims to have stolen.

Crimson Collective's post on its Telegram channel announcing the breach. Image by Cybernews.

However, information in the sample mostly corresponds with attackers' claims in the Brightspeed data breach post. The leaked sample included information such as:

  • Full names
  • Phone numbers
  • Addresses
  • Billing account numbers
  • Session IDs
  • Other personal details

The silver lining is that the data sample did not include any financial information. However, attackers claimed they accessed customer payment histories, which include dates, amounts, invoice numbers, and, most worryingly, masked payment cards with the last four digits visible.

“If attackers’ claims were verified, the data breach would pose numerous security risks, from impersonation and social engineering to fraud and physical security risks. The scope of claims covers all the bases,” our team explained.

Sample of the allegedly leaked Brightspeed data. Image by Cybernews.

Who are the Crimson Collective?

Little is known about the attackers, who call themselves Crimson Collective on Telegram. The group was first spotted in the autumn of 2025, gaining notoriety after the October attack against Red Hat, a leading software company behind the enterprise Linux distribution.

Attackers boasted of gaining access to over 28,000 Red Hat repositories, containing 570.2GB in total. The extracted data allegedly includes around 800 Customer Engagement Reports (CERs), exposing sensitive customer information, such as their network configurations.

The fallout from the attacks impacted the Japanese automaker Nissan Motor Corporation, as over 21,000 of the company’s customers had their data stolen following the Crimson Collective breach.

Previously, the gang also targeted Colombian telecommunications operator Claro, Loteria de Medellin, a state-operated lottery in Colombia, and claimed to have breached Nintendo, the gaming giant.

After the Red Hat attacks, Rapid7 researchers surmised that Crimson Collective appears to be mostly focused on the collection and exfiltration of databases, project repositories, and other valuable data, putting at risk companies’ products and customers’ information.

Meanwhile, Dark Reading believes Crimson Collective has joined the ranks of Scattered LAPSUS$ Hunters, a conglomerate consisting of three cybercrime gangs: Scattered Spider, LAPSUS$, and ShinyHunters.

Updated on January 7th [07:30 a.m. GMT] with a statement from Brightspeed.

