Grafana Labs Source Code Stolen in GitHub Breach by CoinbaseCartel Extortion Gang
Grafana Labs, the company behind the widely used open-source analytics and monitoring platform Grafana, confirmed that hackers breached its GitHub environment and downloaded its source code. The attack was carried out using a stolen access token, with no evidence that customer data or personal information was exposed. The company also stated that customer systems remained unaffected.
The breach was claimed by CoinbaseCartel, a relatively new extortion gang that added Grafana to its data leak site (DLS) as leverage for ransom demands. However, no stolen data has been published yet. Grafana, which serves over 7,000 organizations, including 70% of Fortune 50 companies, refused to pay the ransom, citing FBI guidance that discourages payments to prevent further criminal activity.
Grafana’s forensic investigation traced the breach to compromised credentials, which were subsequently invalidated. The company has implemented additional security measures and plans to release further details after completing its post-incident review.
CoinbaseCartel, active since September 2023, has listed over 100 victims on its extortion portal this year. The gang, believed to include affiliates of ShinyHunters and Lapsus$, gains access through phishing, social engineering, and stolen credentials. Researchers also link the group to the deployment of "shinysp1d3r", an in-memory tool used to encrypt VMware ESXi systems and disable snapshots.
The incident highlights the growing threat of extortion-focused cybercrime groups targeting high-profile tech companies.
Grafana Labs cybersecurity rating report: https://www.rankiteo.com/company/grafana-labs
{
  "id": "GRA1779114321",
  "linkid": "grafana-labs",
  "type": "Breach",
  "date": "9/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'None (customer data and systems '
                                              'unaffected)',
                        'industry': 'Technology, Analytics & Monitoring',
                        'name': 'Grafana Labs',
                        'size': '7,000+ organizations (including 70% of '
                                'Fortune 50 companies)',
                        'type': 'Company'}],
 'attack_vector': 'Stolen access token',
 'customer_advisories': 'Customer data and systems unaffected',
 'data_breach': {'data_exfiltration': 'Yes (downloaded by threat actor)',
                 'personally_identifiable_information': 'No',
                 'type_of_data_compromised': 'Source code'},
 'description': 'Grafana Labs confirmed that hackers breached its GitHub '
                'environment and downloaded its source code using a stolen '
                'access token. The attack was claimed by CoinbaseCartel, an '
                'extortion gang, but no customer data or personal information '
                'was exposed, and customer systems remained unaffected. '
                'Grafana refused to pay the ransom and implemented additional '
                'security measures.',
 'impact': {'data_compromised': 'Source code',
            'systems_affected': 'GitHub environment'},
 'initial_access_broker': {'entry_point': 'Stolen access token (compromised '
                                          'credentials)'},
 'investigation_status': 'Ongoing (post-incident review in progress)',
 'motivation': 'Extortion, Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Invalidated credentials, '
                                                  'additional security '
                                                  'measures',
                            'root_causes': 'Compromised credentials'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': 'Yes (extortion demand)',
                'ransom_paid': 'No'},
 'references': [{'source': 'Grafana Labs Statement'}],
 'response': {'containment_measures': 'Invalidated compromised credentials',
              'remediation_measures': 'Implemented additional security '
                                      'measures'},
 'threat_actor': 'CoinbaseCartel',
 'title': 'Grafana Labs Source Code Stolen in GitHub Breach by CoinbaseCartel '
          'Extortion Gang',
 'type': 'Extortion, Source Code Theft',
 'vulnerability_exploited': 'Compromised credentials'}