Grafana Confirms Source Code Theft in Cyberattack Linked to Coinbase Cartel
Grafana, the open-source analytics and visualization platform, confirmed a security breach after attackers accessed its GitHub environment using a compromised token. The incident, detected in early 2026, resulted in the theft of source code, though the company stated that no customer or personal data was exposed, and operations remained unaffected.
The attack has been attributed to Coinbase Cartel, a cybercrime group with ties to ShinyHunters, Scattered Spider, and Lapsus$. The threat actors demanded a ransom to prevent the leaked code from being published, but Grafana refused to comply. Coinbase Cartel has been active since 2025, orchestrating a series of high-profile data theft campaigns targeting organizations across multiple sectors.
While the breach did not disrupt Grafana’s services, the incident underscores the persistent threat posed by financially motivated cybercriminal groups leveraging stolen credentials to infiltrate development environments.
Source: https://oodaloop.com/briefs/cyber/grafana-confirms-breach-after-hackers-claim-they-stole-data/
Grafana Labs cybersecurity rating report: https://www.rankiteo.com/company/grafana-labs
"id": "GRA1779201402",
"linkid": "grafana-labs",
"type": "Breach",
"date": "1/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': 'None',
'industry': 'Technology (Analytics & Visualization)',
'name': 'Grafana',
'type': 'Company'}],
'attack_vector': 'Compromised Token',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'No',
'sensitivity_of_data': 'Low (no customer or personal data)',
'type_of_data_compromised': 'Source code'},
'date_detected': '2026-01-01',
'description': 'Grafana confirmed a security breach after attackers accessed '
'its GitHub environment using a compromised token. The '
'incident resulted in the theft of source code, though no '
'customer or personal data was exposed, and operations '
'remained unaffected. The attack was attributed to Coinbase '
'Cartel, a cybercrime group with ties to ShinyHunters, '
'Scattered Spider, and Lapsus$. The threat actors demanded a '
'ransom to prevent the leaked code from being published, but '
'Grafana refused to comply.',
'impact': {'data_compromised': 'Source code',
'operational_impact': 'None',
'systems_affected': 'GitHub environment'},
'initial_access_broker': {'entry_point': 'Compromised GitHub token'},
'motivation': 'Financial Gain',
'post_incident_analysis': {'root_causes': 'Stolen credentials'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes',
'ransom_paid': 'No'},
'references': [{'source': 'Grafana Incident Disclosure'}],
'threat_actor': ['Coinbase Cartel',
'ShinyHunters',
'Scattered Spider',
'Lapsus$'],
'title': 'Grafana Source Code Theft in Cyberattack Linked to Coinbase Cartel',
'type': 'Source Code Theft',
'vulnerability_exploited': 'Stolen GitHub credentials'}