TL;DR: Crimson Collective, an extortion gang, claims to have breached Brightspeed, a major fiber broadband provider serving over 1 million customers across 20 states. They're claiming to have stolen names, emails, phone numbers, addresses, payment history, and some payment card data. The hackers also claim they can remotely disconnect customers from service. Brightspeed is "investigating." The attackers are demanding 3 Bitcoin (~$276,000) or they'll dump everything online.
The Breach
On January 4, 2026, the Crimson Collective posted on their Telegram channel claiming they had "in our hands over 1m+ residential user PII's" from Brightspeed [1].
According to the attackers, the stolen data includes:
- Customer names, emails, and phone numbers
- Billing and service addresses
- Account status and network type
- Payment history
- Some payment card information
- Appointment and order records
Brightspeed serves more than 1 million business and home users across 20 states. If the breach claims are accurate, essentially their entire customer base is affected [2].
The "We Can Cut Your Internet" Claim
Here's the alarming part: Crimson Collective claims their access went deeper than just data theft [3].
A spokesperson for the group told The Register it was a "sophisticated attack" that also gave them the ability to "disconnect every user from service."
If true, this means the attackers didn't just steal customer data; they gained access to Brightspeed's operational systems. They could theoretically disrupt internet service for a million households and businesses.
Brightspeed hasn't confirmed or denied this capability.
Who Is Crimson Collective?
Crimson Collective is a relatively new extortion gang with an aggressive track record [4]:
- October 2024: Breached Red Hat's GitLab instances, stealing ~570GB across 28,000 internal repositories
- December 2024: Data from their Red Hat breach affected ~21,000 Nissan customers in Japan
- Ongoing: Targeting AWS cloud environments for data theft and extortion
They've partnered with Scattered Spider/Lapsus$ Hunters on some operations. These aren't amateurs.
The Ransom
Crimson Collective is demanding 3 Bitcoin, approximately $276,370 at current prices [1].
Their message to Brightspeed was blunt: pay up, or the data goes public.
"If no one is interested in buying the dataset, we plan to dump all of the information online in a week," they announced.
The attackers posted a sample on January 6 to prove they have the data. The clock is ticking.
Brightspeed's Response
Brightspeed's public statement is the standard corporate boilerplate [2]:
"We are currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers' and employees' information seriously and are rigorous in securing our networks and monitoring threats."
Translation: We're figuring out how bad this is.
The company hasn't confirmed what data was stolen, how the breach happened, or whether the attackers actually have operational access to their systems.
What Brightspeed Customers Should Do
Assume Your Data Is Compromised
If you're a Brightspeed customer, treat this as a confirmed breach until proven otherwise. Your name, address, email, phone, and possibly payment info are in criminal hands.
Monitor Your Accounts
Check bank and credit card statements for unauthorized charges. Set up transaction alerts if you haven't already.
Watch for Phishing
Attackers with your personal info will send convincing phishing emails. Be suspicious of any email claiming to be from Brightspeed, your bank, or other services.
Change Passwords
Update your Brightspeed account password immediately. If you reused that password elsewhere (you shouldn't have), change it there too.
Consider a Credit Freeze
With names, addresses, and potentially SSNs exposed, identity theft is a real risk. A credit freeze is free and prevents new accounts from being opened in your name.
Document Everything
If you experience fraud, document it. You may need this for disputes, insurance claims, or potential class action lawsuits.
The Bigger Picture
This is the third major telecom-adjacent breach in recent months. Salt Typhoon compromised major carriers. TalkTalk got hit through a third-party supplier. Now Brightspeed.
Your internet provider knows everything about you:
- Where you live
- How to contact you
- How you pay
- Every website you visit (unless you use a VPN)
When ISPs get breached, the damage goes deep. This isn't like a retail breach where they got your email and maybe a password. ISPs hold the keys to your digital life.
References
- [1] BleepingComputer - US broadband provider Brightspeed investigates breach claims (January 2026)
- [2] SecurityWeek - Brightspeed Investigating Cyberattack (January 2026)
- [3] The Register - Brightspeed investigates breach as crims post data for sale (January 2026)
- [4] Malwarebytes - One million customers on alert as extortion group claims massive Brightspeed data haul (January 2026)
- [5] Cybernews - Brightspeed attackers claim 1M+ stolen customer records (January 2026)