Grafana Discloses GitHub Breach After Extortion Attempt by CoinbaseCartel
Grafana recently revealed that an unauthorized party gained access to its GitHub environment using a compromised token, allowing the attacker to download the company’s codebase. The incident, discovered "recently," did not expose customer data or disrupt operations, according to Grafana’s statement on X. The company swiftly invalidated the compromised credentials, conducted a forensic investigation, and implemented additional security measures to prevent further unauthorized access.
The attacker attempted to extort Grafana, demanding payment to prevent the stolen data from being published. Grafana refused, citing FBI guidance against ransom payments, which warns that such transactions fail to guarantee data recovery and embolden cybercriminals. The breach has not been linked to a specific threat actor, though reports from Hackmanac and Ransomware.live attribute the attack to CoinbaseCartel, a data extortion group that emerged in September 2025.
CoinbaseCartel, assessed as an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$, specializes in data theft and extortion rather than traditional ransomware. The group has targeted 170 victims across sectors including healthcare, technology, and manufacturing. While Grafana has not disclosed which codebase was accessed, its portfolio includes solutions like Grafana Cloud, a managed observability platform.
The incident follows a recent controversial decision by Instructure, an edtech firm, to pay ShinyHunters after the group threatened to leak terabytes of data from U.S. schools and universities. Grafana has not provided further details on the timeline of the breach or the attacker’s access duration.
Source: https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
Grafana TPRM report: https://www.rankiteo.com/company/grafana-labs
{
  "id": "gra1779006227",
  "linkid": "grafana-labs",
  "type": "Breach",
  "date": "5/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'No customer data exposed',
                        'industry': 'Technology (Observability Platforms)',
                        'name': 'Grafana',
                        'type': 'Company'}],
 'attack_vector': 'Compromised GitHub token',
 'data_breach': {'data_exfiltration': 'Codebase downloaded',
                 'personally_identifiable_information': 'None',
                 'type_of_data_compromised': 'Source code'},
 'date_detected': 'recently',
 'description': 'Grafana disclosed that an unauthorized party gained access to '
                'its GitHub environment using a compromised token, allowing '
                'the attacker to download the company’s codebase. The attacker '
                'attempted to extort Grafana, demanding payment to prevent the '
                'stolen data from being published. Grafana refused to pay the '
                'ransom and implemented additional security measures.',
 'impact': {'data_compromised': 'Company codebase',
            'operational_impact': 'No disruption to operations',
            'systems_affected': 'GitHub environment'},
 'initial_access_broker': {'entry_point': 'Compromised GitHub token'},
 'investigation_status': 'Forensic investigation conducted',
 'motivation': 'Extortion',
 'post_incident_analysis': {'corrective_actions': 'Additional security '
                                                  'measures implemented',
                            'root_causes': 'Compromised credentials'},
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
 'references': [{'source': 'Grafana Statement on X'},
                {'source': 'Hackmanac'},
                {'source': 'Ransomware.live'}],
 'response': {'communication_strategy': 'Public statement on X',
              'containment_measures': 'Invalidated compromised credentials',
              'law_enforcement_notified': 'FBI guidance cited',
              'remediation_measures': 'Implemented additional security '
                                      'measures'},
 'threat_actor': 'CoinbaseCartel',
 'title': 'Grafana GitHub Breach After Extortion Attempt by CoinbaseCartel',
 'type': 'Data Breach and Extortion'}