Grafana Suffers GitHub Token Breach, Refuses Extortion Demand

Grafana has reported a security incident in which an unauthorized party used a compromised token to access its GitHub environment and download its codebase. The company confirmed that no customer data or personal information was accessed, and there is no evidence of impact on customer systems or operations, according to The Hacker News.

Upon discovering the breach, Grafana initiated a forensic analysis, identified the source of the leak, invalidated the compromised credentials, and implemented additional security measures to prevent further unauthorized access.

The attacker attempted to extort Grafana by demanding payment to prevent the publication of the stolen codebase. Citing guidance from the U.S. Federal Bureau of Investigation (FBI), which advises against paying ransoms due to the lack of guarantees and the potential to encourage further criminal activity, Grafana chose not to comply with the demand.

While the exact timing of the incident remains undisclosed, reports from Hackmanac and Ransomware.live suggest that a cybercrime group named CoinbaseCartel has claimed responsibility. The group, which emerged in September 2025, is believed to be associated with the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems and focuses on data theft and extortion across various sectors.

Grafana has not specified which parts of its codebase were accessed. The company offers solutions like Grafana Cloud, a fully managed, cloud-hosted observability platform for applications and infrastructure.

This incident underscores the critical importance of securing access tokens and implementing robust security measures to protect code repositories. Organizations should regularly audit their security protocols and educate employees on best practices to mitigate the risk of similar breaches.

Source: The Hacker News