Grafana confirms GitHub breach after token theft

 


Grafana has disclosed that an unauthorized party gained access to its GitHub environment after obtaining a compromised token, which allowed the attacker to download the company’s codebase.

The company said its investigation found no evidence that customer data, personal information, or customer systems were affected by the incident. Grafana added that it immediately launched a forensic investigation after discovering the unauthorized activity.

According to the company, the compromised credentials have since been revoked and additional security measures have been implemented to prevent further unauthorized access. Grafana also revealed that the attacker attempted to extort the company by demanding payment in exchange for withholding publication of the stolen data.

The company said it refused to pay the ransom demand, citing guidance from the Federal Bureau of Investigation advising organizations against negotiating with cybercriminals. The FBI has repeatedly warned that ransom payments do not guarantee stolen data will be recovered or deleted.

Grafana did not disclose when the breach occurred or how long the threat actor may have had access to its systems, admitting only that it learned of the compromise “recently.” The company has also not officially attributed the attack to a known cybercrime group.

According to reports, a data extortion group known as CoinbaseCartel has taken responsibility for the breach. The group emerged in September 2025 and is believed to have ties to cybercriminal ecosystems associated with ShinyHunters, Scattered Spider, and LAPSUS$.

CoinbaseCartel primarily focuses on data theft and extortion. Researchers estimate the group has targeted at least 170 organizations across industries including healthcare, technology, transportation, manufacturing, and business services.
