Fiber ISP Brightspeed is investigating claims by the Crimson Collective extortion group that it stole data on more than one million residential customers. The group posted data samples to Telegram on January 4, 2026, and claims it has been inside Brightspeed’s production systems since late December 2025. A class-action lawsuit was filed on January 7, 2026.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Brightspeed |
| Threat actor | Crimson Collective |
| Claimed victims | 1+ million customers |
| Initial access | Late December 2025 (claimed) |
| Public disclosure | January 4, 2026 |
| Asking price | 3 Bitcoin (~$285,000) |
| Class-action filed | January 7, 2026 |
| Verification status | Under investigation |
What Crimson Collective claims to have
| Data category | Specific elements |
|---|---|
| Customer PII | Names, emails, phone numbers |
| Address data | Billing and service addresses |
| Account information | Status, network type, site IDs |
| Payment data | History, methods, last 4 digits of cards |
| Service records | Order records, appointments |
| Session data | User IDs, session identifiers |
| Network details | Service instance, network assignment |
| Consent flags | Marketing and communication preferences |
Timeline
| Date | Event |
|---|---|
| Late December 2025 | Crimson Collective claims initial access |
| January 4, 2026 | Group posts to Telegram claiming breach |
| January 5, 2026 | First data samples published |
| January 6, 2026 | Group claims service disruption capability |
| January 7, 2026 | Class-action lawsuit filed |
| Mid-January 2026 | Data listed for sale at 3 BTC |
| Ongoing | Brightspeed investigation continues |
Service disruption claims
On January 6, Crimson Collective posted: “Hey Brightspeed, we disconnected a lot of your users’ home internet … they might be complaining you should check.”
| Claim | Status |
|---|---|
| Customer disconnections | Unverified—no public reports of outages |
| Production system access | Under investigation |
| Data exfiltration | Samples published, authenticity unconfirmed |
| Ongoing access | Claimed but not verified |
This allegation appears only in the group’s own messaging and has not been corroborated by any public reporting or customer complaints.
Brightspeed’s response
“We are currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”
— Brightspeed spokesperson
Current status (mid-January 2026)
| Item | Status |
|---|---|
| Data exfiltration confirmed | No |
| Production system compromise | Under investigation |
| Customer notifications | Not issued |
| Credit monitoring offered | Not announced |
| Law enforcement notification | Presumed (not confirmed) |
| Regulatory disclosure | Not confirmed |
Class-action lawsuit
| Attribute | Details |
|---|---|
| Filing date | January 7, 2026 |
| Allegations | Failures in safeguarding customer data |
| Jurisdiction | US federal court |
| Status | Early stage |
| Regulatory confirmation | None yet |
No U.S. regulator or law enforcement agency has publicly confirmed an investigation or enforcement action tied to the Brightspeed claims.
Who is Crimson Collective?
Crimson Collective is an extortion-focused group that emerged publicly in September 2025.
Group profile
| Attribute | Details |
|---|---|
| First observed | September 2025 |
| Model | Data-theft extortion (no ransomware) |
| Targets | Cloud-hosted enterprise environments |
| Leverage | Public data leak threats |
| Partnerships | Scattered Lapsus$ Hunters collective |
| Leak infrastructure | Uses ShinyHunters leak site |
| Communication | Telegram |
Known operations
| Date | Target | Impact |
|---|---|---|
| October 2025 | Red Hat GitLab | 570 GB data, ~28,000 repositories |
| December 2025 | Nissan (via Red Hat) | 21,000 customers affected |
| January 2026 | Brightspeed | 1M+ customer records (claimed) |
Red Hat incident details
| Attribute | Details |
|---|---|
| Target system | GitLab instance |
| Data volume | ~570 GB |
| Repositories affected | ~28,000 |
| Primary impact | Red Hat consulting division |
| Date | October 2025 |
| Downstream impact | Nissan disclosed 21,000 affected customers |
The Nissan disclosure in late December 2025 confirmed that the Red Hat breach had cascading effects on Red Hat’s customers.
Tactics, techniques, and procedures
| Characteristic | Description |
|---|---|
| Initial access | Cloud environment compromise |
| Persistence | Extended access before detection |
| Data theft | Large-scale exfiltration |
| Extortion model | Publish samples, demand payment |
| No ransomware | Pure extortion, no encryption |
| Partnership leverage | Uses established leak sites |
The group follows an increasingly common approach: steal data, post samples to prove access, and demand payment to prevent full publication. This model has grown as ransomware defenses improve and organizations maintain better backup capabilities.
Brightspeed background
| Attribute | Details |
|---|---|
| Formation | 2022 (acquired Lumen consumer assets) |
| Service area | 20 states (Southeast and Central US) |
| Services | Residential fiber and DSL |
| Customer base | Millions (largely rural and suburban) |
| Parent transaction | Lumen Technologies divestiture |
| Infrastructure | Former CenturyLink consumer network |
Brightspeed acquired Lumen Technologies’ consumer fiber assets in 2022 and operates across 20 states, primarily serving rural and suburban markets in the southeastern and central United States.
| Region | Coverage |
|---|---|
| Southeast US | Primary market |
| Central US | Secondary market |
| Rural areas | Significant presence |
| Suburban areas | Growing fiber deployments |
Extortion economics
| Element | Details |
|---|---|
| Asking price | 3 Bitcoin (~$285,000 at current rates) |
| Deadline | Not publicly specified |
| Negotiation | Presumed via Telegram |
| Publication threat | Full data release |
| Typical outcome | Variable—some pay, some don’t |
Impact assessment
For affected customers
| Risk | Concern level | Mitigation |
|---|---|---|
| Identity theft | High (if SSNs included) | Credit monitoring, fraud alerts |
| Financial fraud | Moderate (limited card data) | Monitor statements |
| Phishing attacks | High (detailed contact info) | Verify all communications |
| Account takeover | Moderate (service account data) | Change passwords |
| SIM swapping | Moderate (phone numbers exposed) | Carrier PIN protection |
For Brightspeed
| Impact | Assessment |
|---|---|
| Regulatory exposure | State breach notification laws in 20+ states |
| Reputation damage | Trust erosion in competitive market |
| Operational disruption | Claimed but unverified |
| Financial costs | Investigation, notification, monitoring, legal |
| Litigation exposure | Class-action already filed |
| Customer churn risk | Dependent on breach confirmation |
Recommendations for Brightspeed customers
| Action | Rationale |
|---|---|
| Monitor financial accounts | Watch for unauthorized charges |
| Place fraud alerts | Contact credit bureaus (Equifax, Experian, TransUnion) |
| Enable account alerts | Set up notifications on all financial accounts |
| Document current state | Screenshot account balances and recent transactions |
| Change Brightspeed password | Precautionary measure |
| Enable 2FA where available | Additional account protection |
Ongoing vigilance
| Risk | Protection |
|---|---|
| Phishing attempts | Be skeptical of calls/emails claiming to be Brightspeed |
| Social engineering | Verify any requests for account information |
| Service changes | Log in directly to verify any account modifications |
| Official communications | Watch for legitimate breach notifications |
| Carrier security | Enable PIN/passcode with mobile carrier |
Credit protection options
| Option | Benefit |
|---|---|
| Fraud alert | Free, lasts 1 year, requires verification |
| Credit freeze | Stronger protection, blocks new credit |
| Credit monitoring | Ongoing alerts for changes |
| Identity theft protection | Comprehensive monitoring |
Investigation context
As of mid-January 2026, Brightspeed had not confirmed:
| Question | Status |
|---|---|
| Data exfiltration occurrence | Unconfirmed |
| Scope of compromised systems | Under investigation |
| Service disruption claims | Unverified |
| Timeline for notifications | Not announced |
| Affected customer count | Unknown |
The company’s investigation is ongoing. Customers should monitor for official communications regarding the incident and any credit monitoring offers that may be extended.
Broader implications
The Brightspeed incident reflects the ongoing challenge telecommunications providers face from data extortion groups. ISPs hold particularly sensitive customer data:
| Data type | Sensitivity |
|---|---|
| Home addresses | Physical security concern |
| Service locations | Privacy exposure |
| Payment information | Financial risk |
| Account details | Social engineering enabler |
| Usage patterns | Behavioral intelligence |

| Factor | Attacker interest |
|---|---|
| Large customer bases | High victim count |
| Sensitive data | Multiple data types |
| Essential service | Pressure to resolve quickly |
| Regulatory exposure | Compliance concerns add leverage |
| Competition | Reputation matters |
Crimson Collective’s partnership with other criminal groups and use of established leak infrastructure demonstrates the increasingly collaborative nature of the cybercrime ecosystem. The group’s focus on cloud-hosted environments and data theft over ransomware deployment represents an evolution in threat actor tactics as defensive capabilities improve against encryption-based attacks.