Skip to content

Cyberattack on Grafana: Attackers Copy Codebase and Threaten Leak

(Image: heise online / dmk). Grafana Labs has experienced an IT security incident. During the attack, threat actors were able to copy internal data. Now they are demanding ransom.. Grafana Labs has become the victim of a cyberattack. The attackers gained access to Grafana’s codebase. This includes all source code and configuration files belonging to a project. Apparently, more than the open-source application already publicly discloses on GitHub. The developers, however, do not intend to comply with the demanded ransom payment.. Grafana is an application for analyzing, monitoring, and visualizing real-time data from various sources in IT environments. The tool is used worldwide by large enterprises, including those in the Fortune 50 rankings.. The attackers are threatening to publish the stolen data. However, according to Grafana’s own statements, they will not pay any ransom.. The Attack. Grafana Labs reported the incident on X [1]. According to their statement, the attackers from CoinbaseCartel were able to gain access to the tool’s GitHub environment using stolen credentials and accessed data there. Grafana Labs is not disclosing how the attackers obtained the GitHub token. They state that they know the source internally and have since revoked the credentials. Additionally, they have implemented further security measures.. The developers assure that, based on current knowledge, no customer data or personal data of employees has been affected by the incident. Grafana Labs states that it will not pay any ransom. In doing so, they follow the official recommendation of the FBI. After all, paying does not guarantee that criminals will “return” the data. Furthermore, it sets an example for other companies that are victims of such cyberattacks if one does not pay the ransom and thus does not put money in the criminals’ pockets.. Once the investigation of the IT systems is completed, Grafana developers intend to publish further details about the incident. When that will be is currently unclear.. Update. Wording adjusted regarding what the attackers had access to.. (des [3]). URL of this article:. https://www.heise.de/-11298389. Links in this article:. https://x.com/grafana/status/2055827123236171827. https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp. mailto:des@heise.de. Copyright © 2026 Heise Medien

heise security News

Share on: