
Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt


Grafana has revealed that an unauthorized individual obtained a token granting access to the company's GitHub environment and used it to download its source code. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," the company stated in a series of posts on X.

Grafana said it promptly initiated a forensic investigation after detecting the activity, identified the source of the breach, invalidated the compromised credentials, and implemented additional security measures to prevent future unauthorized access.

The company also disclosed that the attacker attempted to extort it, demanding payment in exchange for not publishing the stolen data. Following the advice of the U.S. Federal Bureau of Investigation (FBI), Grafana chose not to pay. The agency has long cautioned against paying ransoms, noting that there is no assurance payment will result in the recovery of stolen data. "It also motivates perpetrators to victimize more organizations and creates an incentive for others to enter this kind of criminal enterprise," the FBI explains on its website.

Grafana did not disclose when the breach occurred or how long the threat actor had access to its systems, stating only that it became aware of the attack "recently." Grafana itself has not attributed the breach to any known threat actor or group. However, reports from Hackmanac and Ransomware. indicate that the cybercrime group known as CoinbaseCartel has claimed responsibility for the incident.

According to information shared by Halcyon and Fortinet FortiGuard Labs, CoinbaseCartel is a data extortion operation that first appeared in September 2025. It is believed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.

Unlike conventional ransomware operations, the group specializes exclusively in data theft and extortion; it has compromised around 170 victims spanning healthcare, technology, transportation, manufacturing, and business services.

Grafana did not say which codebase the attacker exfiltrated. The company provides multiple offerings, including Grafana Cloud, a fully managed, cloud-hosted observability platform for applications and infrastructure. The Hacker News contacted Grafana for comment and will update this story if it responds.

This development follows shortly after U.S. edtech firm Instructure sparked controversy by choosing to settle with the ShinyHunters extortion gang, which had threatened to release terabytes of data from thousands of American schools and universities.
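The incident described above, a single token used to pull a codebase out of GitHub, is the kind of activity that surfaces in a GitHub audit log as a burst of token-authenticated git.clone events from one actor across many repositories. The following is an added example, not Grafana's code and not part of The Hacker News article, of a detector that flags such a burst. The event field names (@timestamp, action, actor, repo, programmatic_access_type), the sample log lines, and the window and threshold values are assumptions made here for illustration, not details reported about the Grafana breach.

```python
"""Flag one actor cloning many distinct repos with a token in a short window.

Added example; field names follow the GitHub audit-log export as assumed
here, and every event below is constructed sample data, not real logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

_BASE = 1_700_000_000_000  # constructed epoch-millisecond base timestamp


def _ev(offset_s, action, actor, repo, token_type=None):
    """Build one constructed audit event `offset_s` seconds after _BASE."""
    e = {"@timestamp": _BASE + offset_s * 1000, "action": action,
         "actor": actor, "repo": repo}
    if token_type:  # assumed field name for token-authenticated events
        e["programmatic_access_type"] = token_type
    return e


# Constructed newline-delimited JSON audit log (not real data).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # ci-bot: one classic PAT clones six distinct repos in five minutes,
    # then re-clones the first one (a repeat must not inflate the count).
    *[_ev(60 * i, "git.clone", "ci-bot", f"acme/service-{i}",
          "Personal access token") for i in range(6)],
    _ev(360, "git.clone", "ci-bot", "acme/service-0", "Personal access token"),
    # alice: two interactive (non-token) clones, out of scope for this check.
    _ev(0, "git.clone", "alice", "acme/service-1"),
    _ev(300, "git.clone", "alice", "acme/service-2"),
    # deploy-svc: a fine-grained token touching two repos hours apart.
    _ev(0, "git.clone", "deploy-svc", "acme/infra",
        "Fine-grained personal access token"),
    _ev(7200, "git.clone", "deploy-svc", "acme/web",
        "Fine-grained personal access token"),
    # A non-clone action from the same token, ignored by the detector.
    _ev(10, "repo.push", "ci-bot", "acme/service-0", "Personal access token"),
])


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _iso(ts_s):
    return datetime.fromtimestamp(ts_s, tz=timezone.utc).isoformat()


def find_bulk_token_clones(events, window_seconds=600, min_repos=5):
    """Return one finding per actor whose token-authenticated git.clone
    events cover at least `min_repos` distinct repositories inside some
    `window_seconds`-long sliding window. The finding reports the widest
    such window seen for that actor."""
    per_actor = defaultdict(list)
    for e in events:
        if e.get("action") != "git.clone" or not e.get("programmatic_access_type"):
            continue
        per_actor[e["actor"]].append(
            (e["@timestamp"] / 1000.0, e["repo"], e["programmatic_access_type"]))

    findings = []
    for actor, rows in per_actor.items():
        rows.sort()  # chronological; sliding window over a sorted list
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_seconds:
                start += 1
            repos = {repo for _, repo, _ in rows[start:end + 1]}
            if len(repos) >= min_repos and (best is None or len(repos) > best[0]):
                best = (len(repos), rows[start][0], rows[end][0], repos)
        if best:
            count, first, last, repos = best
            findings.append({
                "actor": actor,
                "token_type": rows[0][2],
                "repo_count": count,
                "repos": sorted(repos),
                "first_seen": _iso(first),
                "last_seen": _iso(last),
            })
    return findings


if __name__ == "__main__":
    for f in find_bulk_token_clones(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(f, indent=2))
```

The window and threshold should be tuned against a baseline of legitimate automation (CI runners and mirroring jobs clone in bursts too), and the first response to a hit is the one the article describes: revoke the token, then reconstruct from the same log which repositories it touched. Clone events only reach the GitHub audit log when git event logging is enabled for the enterprise, so confirm that before relying on a check like this.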

  The Hacker News