Grafana has confirmed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token, allowing the attacker to download parts of its codebase.
In a public statement shared on X, the company said its investigation found no evidence that customer data or personal information was accessed, and no evidence that customer systems or operations were affected.
The breach was discovered after unusual activity triggered a forensic investigation. Grafana said it has since identified the likely source of the credential leak and revoked the compromised access token. Following the discovery, Grafana moved quickly to contain the incident. The company confirmed that the stolen credentials had been invalidated and that additional security controls had been deployed to prevent similar access in the future.
Grafana also emphasized that its customer-facing systems remained unaffected throughout the incident and that no operational disruption was observed. A full post-incident review is still ongoing, with the company promising to release more details once the investigation concludes.
Extortion attempt and ransom decision
After gaining access and downloading the codebase, the attacker reportedly attempted to extort Grafana, demanding payment in exchange for not leaking the stolen data.
Grafana declined to pay the ransom. In its statement, the company referenced guidance from the FBI, noting that paying extortion demands does not guarantee data recovery and may encourage further attacks. The company said its decision aligns with established security practices and law enforcement recommendations.
Threat actor and attribution
While Grafana has not officially attributed the attack to any group, cybersecurity reporting indicates that a relatively new extortion group known as CoinbaseCartel has claimed responsibility.
Security researchers say CoinbaseCartel is a data-theft-focused operation that emerged in September 2025 and has been linked to a broader ecosystem of threat actors associated with ShinyHunters, Scattered Spider, and LAPSUS$.
The group reportedly relies on stolen credentials, phishing, and social engineering rather than traditional ransomware encryption tactics. It has also claimed dozens of victims across industries, including technology, healthcare, and infrastructure. At the time of reporting, no stolen data from Grafana had been publicly leaked.
The incident adds to a growing wave of credential-based attacks targeting software supply chains and developer environments. Grafana’s disclosure comes amid increasing activity from data extortion groups that rely on theft and blackmail rather than system disruption.
Grafana, the company behind the widely used open-source observability platform, says it will continue to strengthen its defenses while the investigation proceeds.