
Codebase Under Extortion: How a Compromised GitHub Token Exposed Grafana’s Private Repositories

Cyber RT · May 17, 2026 · 3 min read

Grafana disclosed a security breach where an unauthorized party accessed its GitHub environment and downloaded its codebase. No customer data was compromised, and the company has invalidated the leaked credentials and enhanced security measures. The attacker attempted extortion, but Grafana refused to pay, aligning with FBI advice. The breach is linked to the cybercrime group CoinbaseCartel, known for data theft and extortion.

Grafana recently disclosed a security breach in which an unauthorized party accessed its GitHub environment by obtaining a token, allowing them to download the company's codebase. Despite this breach, Grafana assured that no customer data or personal information was compromised, and that there was no impact on customer systems or operations. The company communicated these findings through a series of posts on X.

Upon discovering the unauthorized access, Grafana promptly initiated a forensic analysis to investigate the breach. It identified the source of the leak and took immediate action by invalidating the compromised credentials. To prevent future unauthorized access, Grafana implemented additional security measures, reinforcing its commitment to safeguarding its systems and data.

The attacker attempted to extort Grafana by demanding a ransom to prevent the publication of the stolen database. Grafana decided against paying the ransom, in line with the U.S. Federal Bureau of Investigation's (FBI) guidance. The FBI advises against negotiating with perpetrators, as paying ransoms does not guarantee data recovery and may encourage further criminal activity.

Grafana did not disclose specific details about the timing of the breach or how long the threat actor had access to its environment; the company said only that it became aware of the attack recently. Grafana has also not attributed the breach to any known threat actor or group, leaving the identity of the perpetrators uncertain. Reports from Hackmanac and Ransomware.live suggest that a cybercrime group named CoinbaseCartel has claimed responsibility for the incident. According to Halcyon and Fortinet FortiGuard Labs, CoinbaseCartel is a data extortion crew that emerged in September 2025 and is believed to be associated with the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. The group specializes in data theft and extortion, having targeted 170 victims across various industries.

Grafana did not specify which part of its codebase was accessed by the attacker. The company offers several solutions, including Grafana Cloud, a cloud-hosted observability platform for applications and infrastructure. The Hacker News has reached out to Grafana for further comment, and updates may follow as more information becomes available.

This incident follows a similar situation involving Instructure, an American educational technology company, which recently chose to settle with the ShinyHunters extortion group. The group had threatened to leak vast amounts of data from numerous schools and universities across the U.S., highlighting the ongoing challenges organizations face in dealing with cyber extortion threats.