Grafana Labs Refuses Ransom After Hackers Steal Entire Codebase
Grafana Labs, the company behind the widely-used open-source observability and monitoring platform, has disclosed a significant security breach. An unauthorized party obtained a token granting access to the company's GitHub environment and downloaded its entire codebase.
The company confirmed that no customer data or personal information was accessed during the incident and found no evidence of impact to customer systems or operations. Upon discovering the breach, Grafana launched a forensic analysis, identified the source of the leaked token, and invalidated the compromised credentials.
The attacker subsequently attempted to extort Grafana, demanding a payment to prevent publication of the stolen code. Grafana publicly refused to pay the ransom, citing FBI guidance that paying ransoms provides no guarantee of data recovery and encourages further criminal activity.
The cybercrime group CoinbaseCartel, an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems that emerged in September 2025, has claimed responsibility. The group focuses exclusively on data theft and extortion rather than traditional ransomware, and has amassed 170 victims across healthcare, technology, transportation, and manufacturing sectors.
The breach highlights the ongoing risk of token-based supply chain attacks against developer infrastructure and reinforces the importance of secrets management and continuous monitoring of code repository access.
The Grafana breach is a textbook example of the growing threat from data-theft extortion groups like CoinbaseCartel. Their focus on stealing source code rather than encrypting systems makes them harder to detect and highlights the need for robust secrets management across all developer tools.
Was customer data compromised in the Grafana breach?
No. Grafana confirmed that no customer data or personal information was accessed, and there is no evidence of impact to customer systems or operations.
Who is responsible for the Grafana attack?
The cybercrime group CoinbaseCartel has claimed responsibility. The group emerged in September 2025 and is linked to the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.