Token Leak at Grafana Sparks Code Theft and Ransom Demand

Nashville, Tennessee, USA, Sunday, May 17, 2026

Grafana Breach: Code Theft & Extortion

Grafana recently revealed that an attacker gained access to a special GitHub token, enabling them to pull the company’s code.

  • No user data or customer systems were impacted – per Grafana's statements.
  • Upon discovery, the company launched a forensic investigation:
      • Traced the source of the leak.
      • Revoked the compromised token.
      • Tightened security controls to prevent future intrusions.

Extortion Attempt

The attacker not only stole code but also demanded a ransom to keep it confidential.
Grafana refused, following FBI guidance that paying ransoms can encourage further attacks and offers no guarantee of data recovery.

Timing & Attribution

  • The exact timing remains unclear; Grafana only noted awareness of the attack “recently.”
  • No official threat group was named, but independent reports link the breach to CoinbaseCartel, a cybercrime crew that surfaced in late 2025.
  • CoinbaseCartel is associated with several ransomware factions and focuses on data theft and extortion rather than file encryption, having targeted over 170 victims across various sectors.

Scope of the Breach

Grafana did not disclose which part of its codebase was downloaded. The company offers services such as Grafana Cloud for monitoring and observability.


This incident mirrors a similar case where an education technology firm settled with another extortion group after threats to leak large amounts of school data.
