Breaches | May 17, 2026

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

Grafana's GitHub token compromised, codebase downloaded; CoinbaseCartel claims extortion attempt.

Summary

Grafana disclosed that an unauthorized party obtained a GitHub token granting access to its codebase, which was downloaded. The attacker attempted extortion, but Grafana refused to pay ransom following FBI guidance. Although not officially attributed, CoinbaseCartel, a data extortion group emerging in September 2025 and linked to ShinyHunters and Scattered Spider, has claimed responsibility.

Full text

Ravie Lakshmanan | May 17, 2026 | Data Breach / Cybercrime

Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase.

"Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of posts on X.

The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding that the compromised credentials have since been invalidated and extra security measures have been implemented to secure against unauthorized access.

Furthermore, Grafana revealed the attacker tried to blackmail and extort the company, demanding they make a payment to prevent the stolen database from being published.

Grafana said it has opted not to pay the ransom, citing guidance issued by the U.S. Federal Bureau of Investigation (FBI). The agency has previously warned against negotiating ransoms with perpetrators, as there is no guarantee that doing so will help affected companies get their data back.

"It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity," the FBI states on its website.

Grafana did not reveal when the incident took place or how long the threat actor had access to its environment, only revealing that it learned of the attack "recently."

The breach has not been attributed to any known threat actor or group. However, reports from Hackmanac and Ransomware.live indicate that a cybercrime group named CoinbaseCartel has claimed responsibility for the incident.

Per details shared by Halcyon and Fortinet FortiGuard Labs, CoinbaseCartel is a data extortion crew that emerged in September 2025. It's assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. The group, which focuses only on data theft and extortion, unlike traditional ransomware groups, has amassed 170 victims across healthcare, technology, transportation, manufacturing, and business services.

The company also did not reveal what codebase the attacker downloaded, but Grafana offers various solutions like Grafana Cloud, a fully-managed, cloud-hosted observability platform for applications and infrastructure.

The Hacker News has reached out to Grafana for comment, and we will update the story if we hear back.

The development comes days after American educational technology company Instructure made the controversial decision to settle with the ShinyHunters extortion group after the latter threatened to leak terabytes of data belonging to thousands of schools and universities across the U.S.
SHARE     Tweet Share Share Share SHARE  CoinbaseCartel, cybersecurity, Data Extortion, FBI, GitHub, Grafana, LAPSUS$, ransomware, Scattered Spider, ShinyHunters ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage

Entities

Grafana (vendor), Grafana Cloud (product), CoinbaseCartel (threat_actor), ShinyHunters (threat_actor), Scattered Spider (threat_actor), GitHub (technology)