Grafana said an unauthorized party obtained a token that let it access the company’s GitHub environment and download a codebase, while the company said no customer data or personal information was accessed and no customer systems were affected.
KEY FACTS
- Access A token enabled entry into Grafana’s GitHub environment.
- Impact The company said no customer data, personal information or operations were affected.
- Response The credentials were invalidated and extra security measures were added.
- Extortion The attacker tried to blackmail the company with a ransom demand.
- Attribution The breach has not been officially tied to any known group.
Grafana said it began a forensic analysis immediately after discovering the activity and identified the source of the leak. The company did not say when the incident occurred or how long the intruder had access.
The company also said it chose not to pay the ransom, citing FBI guidance against negotiating with extortionists. The disclosure did not identify what codebase was taken or whether any other internal systems were reached.
Reports from Hackmanac and Ransomware.live said a group calling itself CoinbaseCartel claimed responsibility. Separate research from Halcyon and Fortinet FortiGuard Labs describes the group as a data extortion crew that emerged in September 2025 and has targeted multiple sectors.
WHY IT MATTERS
The case highlights how a stolen token can expose source code and trigger extortion even when customer data is not taken. It also shows why companies are tightening access controls and why some refuse ransom demands despite pressure to pay.