Grafana Discloses Unauthorized Access to Codebase
Grafana recently announced that an unauthorized party managed to obtain a token that allowed access to the company’s GitHub environment, enabling them to download the codebase.
The investigation conducted by Grafana confirmed that no customer data or personal information was compromised in the incident. There was no impact on customer systems or operations as a result of the breach.
Upon discovering the unauthorized activity, Grafana immediately initiated a forensic analysis to identify the source of the breach. The compromised credentials were promptly invalidated, and additional security measures were implemented to prevent further unauthorized access.
It was revealed that the attacker attempted to extort the company by demanding payment to prevent the publication of the stolen database.
Refusing to pay the ransom, Grafana cited the advice of the U.S. Federal Bureau of Investigation (FBI), which warns against negotiating with perpetrators because doing so may not guarantee the safe return of data and could encourage further criminal activity.
The timeline of the incident and the duration of the threat actor’s access to Grafana’s environment were not disclosed, with the company only stating that the attack was discovered recently. The breach has not been linked to any specific threat actor or group.
However, reports from cybersecurity sources such as Hackmanac and Ransomware.live suggest that a group known as CoinbaseCartel has claimed responsibility for the breach.
According to information provided by Halcyon and Fortinet FortiGuard Labs, CoinbaseCartel is a data extortion group that emerged in September 2025. The group focuses on data theft and extortion, targeting various industries including healthcare, technology, transportation, manufacturing, and business services.
Grafana did not disclose which codebase the attacker downloaded. The company offers solutions like Grafana Cloud, a fully managed observability platform for applications and infrastructure.
In a related development, educational technology company Instructure recently settled with the ShinyHunters extortion group after a threat to leak data belonging to thousands of schools and universities in the U.S.
The incident serves as a reminder of the growing threat of data breaches and the importance of robust cybersecurity measures to protect sensitive information.

