To the point: Grafana confirmed a security incident in which attackers abused a GitHub token and stole source code. Cybercriminals demanded extortion payments, which Grafana rejected on FBI advice. The group CoinbaseCartel is believed to be responsible.
Grafana has fallen victim to a security incident: an unknown party gained access to a GitHub token and was thus able to download the company’s source code. The cybercriminals subsequently attempted to extort Grafana into making a payment. According to Grafana, no customer data was compromised.
Infrastructure and monitoring company Grafana announced that attackers used a stolen GitHub token to gain access to the corporate environment and to its source code. In posts on the platform X, Grafana stated: “Our investigation found that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations.”
After discovering suspicious activity, Grafana immediately conducted a forensic investigation, identified the breach source, revoked compromised credentials, and implemented additional security measures to prevent future attacks.
The attackers subsequently demanded payment from Grafana to prevent publication of the stolen data. Grafana followed FBI advice and refused to pay. The U.S. agency regularly warns against ransom payments, as these neither guarantee data recovery nor curtail criminal activity.
The timing of the breach remains unclear; Grafana stated only that it recently learned of the attack. According to media reports, the cybercriminal group CoinbaseCartel has claimed responsibility. This data breach group is an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$, and has already compromised approximately 170 victims in sectors such as healthcare, technology, and manufacturing.