
Grafana GitHub Token Breach Exposes Codebase in Extortion Attempt, Company Says No Customer Data Affected


Grafana has confirmed a security incident in which an unauthorized actor gained access to its GitHub environment using a compromised authentication token, enabling the download of parts of its source code and triggering an attempted extortion scheme.

Grafana Labs, the company behind the open-source observability platform, said the incident was contained shortly after suspicious activity was detected. According to the company, its investigation found no evidence that customer data, personal information, or production systems were affected.

Unauthorized Access Through Stolen GitHub Token

Grafana reported that the attacker authenticated to its internal GitHub environment with a valid, compromised token. Because the token was genuine, the access looked like an ordinary authenticated session and allowed the threat actor to download portions of the company's codebase.

Following discovery of the breach, the company launched a forensic investigation, identified the source of the leaked credentials, and revoked all compromised access. Additional security controls have since been put in place to reduce the risk of a similar incident; Grafana has not described those controls in detail.
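The article does not say how the suspicious activity was spotted. As an added example (not Grafana's tooling and not code from the original page), the check below is the kind of query a detection engineer would run over a GitHub organization audit-log export after a token compromise: group Git read events by actor and token, then flag tokens used from outside known egress ranges or used to read an unusual number of distinct repositories. The sample events are constructed; the field names follow GitHub's audit-log export schema, while the "known egress" ranges, the repository threshold, and the token labels (tok_ci, tok_alice, tok_bob) are assumptions for illustration.

```python
"""
Flag anomalous token-authenticated Git reads in a GitHub audit-log export.

Added example, not Grafana's code. Field names (action, actor, actor_ip, repo,
programmatic_access_type, hashed_token, @timestamp) follow GitHub's audit-log
export schema; the events, the KNOWN_EGRESS ranges and the heuristic thresholds
are constructed for illustration.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: newline-delimited JSON, as exported from the org audit log.
# 203.0.113.0/24 (RFC 5737 documentation range) stands in for corporate/CI egress;
# 198.51.100.7 stands in for an address never seen before.
SAMPLE_EVENTS = [
    {"@timestamp": 1700000000000, "action": "git.clone", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "example-org/app-api",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_ci"},
    {"@timestamp": 1700000060000, "action": "git.fetch", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "example-org/app-api",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_ci"},
    {"@timestamp": 1700000120000, "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/app-api",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_alice"},
    {"@timestamp": 1700000130000, "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/app-web",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_alice"},
    {"@timestamp": 1700000140000, "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/infra",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_alice"},
    {"@timestamp": 1700000150000, "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/internal-tools",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_alice"},
    {"@timestamp": 1700000200000, "action": "git.clone", "actor": "dev-bob",
     "actor_ip": "203.0.113.22", "repo": "example-org/app-web",
     "programmatic_access_type": "Personal access token", "hashed_token": "tok_bob"},
    # A non-Git event; the detector must ignore it.
    {"@timestamp": 1700000260000, "action": "user.login", "actor": "dev-bob",
     "actor_ip": "203.0.113.22"},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

KNOWN_EGRESS = [ip_network("203.0.113.0/24")]      # assumed corporate/CI ranges
GIT_READ_ACTIONS = {"git.clone", "git.fetch"}       # actions that can exfiltrate source


def parse_events(jsonl: str) -> list:
    """Parse a newline-delimited JSON export, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_known_source(ip: str, known=KNOWN_EGRESS) -> bool:
    """True if the address falls inside one of the known egress ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in known)


def find_suspicious_tokens(events, known=KNOWN_EGRESS, repo_threshold: int = 3) -> list:
    """Group Git reads by (actor, token); report tokens used from unknown
    sources or across at least repo_threshold distinct repositories."""
    by_token = defaultdict(lambda: {"repos": set(), "ips": set()})
    for ev in events:
        if ev.get("action") not in GIT_READ_ACTIONS:
            continue
        key = (ev.get("actor", "?"), ev.get("hashed_token") or "<no-token>")
        by_token[key]["repos"].add(ev.get("repo", "?"))
        by_token[key]["ips"].add(ev.get("actor_ip", "?"))

    findings = []
    for (actor, token), entry in sorted(by_token.items()):
        reasons = []
        unknown = sorted(ip for ip in entry["ips"] if not is_known_source(ip, known))
        if unknown:
            reasons.append("git access from unknown source(s): " + ", ".join(unknown))
        if len(entry["repos"]) >= repo_threshold:
            reasons.append(f"{len(entry['repos'])} distinct repositories read "
                           f"(threshold {repo_threshold})")
        if reasons:
            findings.append({"actor": actor, "hashed_token": token,
                             "repos": sorted(entry["repos"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tokens(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['actor']} / {f['hashed_token']}: " + "; ".join(f["reasons"]))
```

On the constructed sample only dev-alice's token is reported, on both grounds: it was used from an address outside the known ranges and it cloned four repositories in quick succession. In practice the hashed_token value from the finding is what you revoke and search for across the rest of the export, since a leaked token keeps working wherever it is replayed until it is invalidated.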

Extortion Attempt and Refusal to Pay Ransom

After exfiltrating the code, the attacker reportedly attempted to extort Grafana, demanding payment in exchange for not publicly releasing the stolen material.

The company declined to pay, citing guidance from the Federal Bureau of Investigation, which advises against ransom payments because payment offers no guarantee that stolen data will be deleted and rewards further criminal activity.

No Impact on Customers, Systems, or Operations

Grafana emphasized that the incident was limited to its internal development environment. The company stated that there is no evidence of intrusion into customer-facing systems, cloud services, or operational infrastructure, including offerings such as Grafana Cloud.

However, the company has not disclosed when the unauthorized access began or how long it remained active before it was detected.

Possible Threat Actor and Ongoing Investigation

While Grafana has not publicly attributed the attack to any known group, threat-intelligence reporting suggests that a cybercriminal group calling itself CoinbaseCartel may be responsible.

Security researchers describe CoinbaseCartel as a data-extortion operation that emerged in 2025 and whose tactics overlap with those of established cybercrime ecosystems such as ShinyHunters, Scattered Spider, and LAPSUS$-style groups. The group has reportedly claimed a growing number of victims across multiple industries worldwide.

Rising Trend of Data-Only Extortion Attacks

Unlike traditional ransomware groups that encrypt systems, extortion-focused actors increasingly rely on stealing sensitive data and threatening to leak it in order to pressure organizations into paying. This model requires no malware deployment at all once a valid credential is in hand, which is why stolen tokens and session cookies feature so often in these campaigns.

The Grafana incident follows a recent pattern of high-profile extortion cases, including reports involving education technology firms and other software providers that faced similar pressure campaigns.

Investigation Ongoing

Grafana says its investigation remains active as it continues working with cybersecurity partners to assess the full scope of the incident. The company has not confirmed exactly which repositories were accessed or how long the attacker maintained access before detection.

Conclusion

While Grafana has reassured customers that no user data was compromised, the breach underscores the risk that access tokens pose in developer environments: a compromised token authenticates exactly like its legitimate owner, so a single leaked credential is enough to read source code without any failed login to raise an alarm. The incident also reflects the increasing focus of data extortion groups on software supply chains and code repositories.
