Grafana has disclosed that an “unauthorized party” obtained a token that granted them the ability to access the company’s GitHub environment and download its codebase.
“Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations,” Grafana
said
in a series of posts on X.
The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding the compromised credentials have since been invalidated, and extra security measures have been implemented to secure against unauthorized access.
Furthermore, Grafana revealed the attacker tried to blackmail and extort the company, demanding they make a payment to prevent the stolen database from being published.
Grafana said it has opted not to pay the ransom, citing the U.S. Federal Bureau of Investigation (FBI). The agency has previously warned against negotiating ransoms with perpetrators, as there is no guarantee that doing so will help affected companies get their data back.
“It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” the FBI
states
on its website.
Grafana did not reveal when the incident took place or since when the threat actor had access to its environment, only revealing that it learned of the attack “recently.” The breach has not been attributed to any known threat actor or group.
However, reports from
Hackmanac
and
Ransomware.live
indicate that a cybercrime group named CoinbaseCartel has claimed responsibility for the incident.
Per reports from
Halcyon
and
Fortinet FortiGuard Labs
, CoinbaseCartel is a data extortion crew that emerged in September 2025. It’s assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.
The group, which only focuses on data theft and extortion, unlike traditional ransomware groups, has amassed 170 victims across healthcare, technology, transportation, manufacturing, and business services.
The company also did not reveal what codebase the attacker downloaded, but Grafana offers various solutions like
Grafana Cloud
, a fully-managed, cloud-hosted observability platform for applications and infrastructure. The Hacker News has reached out to Grafana for comment, and we will update the story if we hear back.
The development comes days after American educational technology company Instructure
made the controversial decision
to settle with the ShinyHunters extortion group after the latter threatened to leak terabytes of data belonging to thousands of schools and universities across the U.S.
