
Grafana revealed that an “unauthorized party” obtained a token that gave them permission to access the company’s GitHub environment and download its codebase.
“Our investigation has determined that no customer data or personal information was accessed in this incident, and we found no evidence of any impact on customer systems or operations,” Grafana said in a series of posts on X.
The company also said that upon discovering this activity, it immediately began a forensic analysis and determined the source of the leak, adding that the compromised credentials have since been disabled and additional security measures have been put in place to prevent unauthorized access.
Additionally, Grafana revealed that the attackers attempted to blackmail and extort the company, demanding payment to prevent the publication of the stolen database.
Grafana, citing the US Federal Bureau of Investigation (FBI), said it chose not to pay the ransom. The agency has previously warned against negotiating ransoms with perpetrators, as there is no guarantee that it will help victim companies recover their data.
“It also encourages perpetrators to target more victims and provides an incentive for others to engage in this type of illegal activity,” the FBI says on its website.
Grafana did not say when the incident occurred or when the threat actor gained access to its environment, only that it learned of the attack “recently.” The breach has not been attributed to any known attacker or group.
However, a cybercrime group named CoinbaseCartel claimed responsibility for the incident, according to reports from Hackmanac and Ransomware.live.
According to a report by Halcyon and Fortinet FortiGuard Labs, CoinbaseCartel is a data extortion group that emerged in September 2025. It is considered an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.
The group differs from traditional ransomware groups by focusing solely on data theft and extortion, and has amassed 170 victims across healthcare, technology, transportation, manufacturing, and business services.
The company did not say what codebase the attackers downloaded, but Grafana offers a variety of solutions, including Grafana Cloud, a fully managed, cloud-hosted observability platform for applications and infrastructure. Hacker News has reached out to Grafana for comment and will update the article if we hear back.
The development comes days after American education technology company Instructure made a controversial decision to settle with the extortion group ShinyHunters after the group threatened to leak terabytes of data belonging to thousands of schools and universities across the country.
