
Grafana Labs Data Breach: Hackers Steal Codebase, Demand Ransom

Published on May 20, 2026

Grafana Labs confirmed a data breach this weekend after attackers used a stolen access token to download the company's entire codebase from its GitHub environment. The company, which serves more than 25 million users and counts 70% of Fortune 50 companies among its customers, refused a ransom demand to keep the code private.

What Happened

The breach began when an attacker obtained a privileged access token that granted entry to the Grafana Labs GitHub environment. Once inside, they downloaded the full codebase, including proprietary portions of the software, before the company detected anything.

Grafana only discovered the intrusion when one of its canary tokens fired an alert. Canary tokens are decoy credentials embedded throughout a network specifically to catch unauthorized access; when someone touches one, it immediately notifies the security team. By the time the alert triggered, the download was already complete.
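The detection mechanism described above, as an added example that is not part of the original article or of Grafana's tooling: a small monitor that holds a set of planted decoy credentials and raises an alert whenever one of them shows up in an access log. The log format, the decoy token values, the IP addresses and the repository names are all constructed for this example. The second function makes the timing point explicit: it counts how much activity the log already contains before the first decoy is touched, which is exactly the gap between "download complete" and "alert fired".

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed decoy credentials. They are valid for nothing; their only job is
# to be noticed. Each maps to where it was planted so an alert says what was read.
CANARY_TOKENS = {
    "ghp_CANARY000000000000000000000000000001": "ops/deploy-notes.md (planted 2026-01)",
    "AKIACANARY0000000000": ".env.example in archived repo (planted 2025-11)",
}

# Hypothetical log format: "<iso-ts> <src-ip> token=<id> action=<verb> target=<resource>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+token=(?P<tok>\S+)\s+action=(?P<action>\S+)\s+target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    timestamp: str
    source_ip: str
    token_hint: str      # never echo the full decoy into alerting; a prefix identifies it
    action: str
    target: str
    planted_at: str


def token_hint(token: str) -> str:
    """Short hint for reports: first 8 characters followed by an ellipsis."""
    return token[:8] + "..."


def detect_canary_use(lines: Iterable[str]) -> List[CanaryAlert]:
    """Return one alert per log line in which a decoy token was presented."""
    alerts: List[CanaryAlert] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unknown format: skip rather than guess at fields
        tok = m["tok"]
        if tok in CANARY_TOKENS:
            alerts.append(CanaryAlert(
                timestamp=m["ts"],
                source_ip=m["src"],
                token_hint=token_hint(tok),
                action=m["action"],
                target=m["target"],
                planted_at=CANARY_TOKENS[tok],
            ))
    return alerts


def events_before_first_alert(lines: Iterable[str]) -> int:
    """How many parsed events happened before the first decoy was touched.

    A canary is detective, not preventive: this number is the activity the
    attacker already completed when the alert fired.
    """
    seen = 0
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        if m["tok"] in CANARY_TOKENS:
            return seen
        seen += 1
    return seen


# Constructed sample log: a real-looking token clones repositories, then reads a
# planted file and tries the decoys it found there; later, unrelated benign use.
SAMPLE_LOG = """\
2026-05-16T02:11:04Z 203.0.113.7 token=ghp_live0001 action=clone target=acme/app-core
2026-05-16T02:11:09Z 203.0.113.7 token=ghp_live0001 action=clone target=acme/app-enterprise
2026-05-16T02:11:15Z 203.0.113.7 token=ghp_live0001 action=read target=acme/ops/deploy-notes.md
2026-05-16T02:11:16Z 203.0.113.7 token=ghp_CANARY000000000000000000000000000001 action=auth target=api.example.com
2026-05-16T02:12:40Z 203.0.113.7 token=AKIACANARY0000000000 action=auth target=cloud-api.example.com
not a log line at all
2026-05-16T08:00:00Z 198.51.100.2 token=ghp_live0042 action=clone target=acme/app-core
"""

if __name__ == "__main__":
    for a in detect_canary_use(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.timestamp} {a.source_ip} used {a.token_hint} for {a.action} on {a.target}; planted at {a.planted_at}")
    print("events completed before first alert:", events_before_first_alert(SAMPLE_LOG.splitlines()))
```

On the sample log the monitor produces two alerts, both from the same source address, and reports that three events (two full clones and the read of the planted file) had already completed before the first alert. That is the trade-off the article describes: the canary reliably tells you that someone is inside, but only after they have acted.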

The company confirmed that no customer data or personal information was accessed during the incident, and found no evidence that customer systems or operations were affected. The breach was limited to source code.

After gaining access, the attackers contacted Grafana Labs with an extortion demand: pay up, or the stolen codebase goes public.

Grafana Refused to Pay

Grafana Labs declined the demand, citing longstanding FBI guidance that paying ransoms does not guarantee data will be withheld and only encourages further attacks against other victims. The company disclosed the incident publicly on the same day the ransom demand arrived.

Compromised credentials have been invalidated, the vulnerable workflow has been removed, and all automated workflows across public repositories have been disabled while the investigation continues. A forensic review is underway, and the company has said it will share further details once complete.

At the time of writing, the stolen code had not been published.

Who Is Behind It

The extortion group CoinbaseCartel claimed responsibility for the attack, listing Grafana on its dark web leak site. The group emerged in September 2025 as a data theft offshoot of the broader criminal collective linked to ShinyHunters, Scattered Spider, and Lapsus$.

Unlike traditional ransomware gangs, CoinbaseCartel focuses on stealing data and extorting companies rather than encrypting systems. This approach allows victims to remain operational while still facing serious risks tied to stolen files, credentials, and intellectual property. Paying the ransom buys silence, not deletion of the stolen data, and there is no guarantee the silence will hold.

The group has claimed more than 100 victims and has previously targeted high-profile companies including Instructure, Vimeo, WynnResorts, Vercel, and Medtronic. Researchers have linked the group's attacks to a consistent pattern: stolen credentials, social engineering, and abuse of developer environments, with no malware dropped and no files encrypted.

A Wider Attack Pattern

The Grafana Labs data breach is part of a broader campaign against software development infrastructure. Attackers have increasingly targeted the automated systems developers use to build and ship software, because a single misconfigured workflow can expose privileged access tokens that unlock far more than a single repository.

A campaign tracked between March and April 2026 used AI-generated pull requests to submit more than 500 malicious contributions across hundreds of repositories, targeting the same type of misconfiguration and extracting secrets from at least 50 of them before detection. Security scanner Trivy suffered a related compromise in early 2026 through the same class of vulnerability.

The pattern across these incidents is consistent. Attackers are not looking for exotic, unknown vulnerabilities. They are looking for misconfigurations in commonly used tools, places where a small oversight in a developer workflow creates a door into sensitive infrastructure.

What It Means

For Grafana Labs specifically, the immediate risk is competitive exposure. While customer data was not taken, source code, including proprietary elements, represents years of engineering investment. Whether that code is eventually published or used privately by the attackers remains to be seen.

More broadly, the incident points to where attacks on technology companies are heading. Credentials and access tokens have become the primary entry point for a growing class of threat actors. Analysis of CoinbaseCartel's victims found that the majority traced back to employee credentials previously captured by infostealer malware, in some cases years before the breach occurred. Aged, unrotated credentials are routinely indexed long before anyone notices they have been stolen.
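The aged-credential problem in the paragraph above, as an added example that is not from the article or from any of the companies it names: an audit over a credential inventory that flags tokens past their rotation window, with a shorter window for privileged scopes, and flags tokens that have gone unused long enough that revoking them is safer than keeping them. The inventory, the scope names, the policy windows and the fixed audit date are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical scope names; anything in this set makes a token "privileged".
PRIVILEGED_SCOPES = {"repo:write", "workflow", "admin:org"}

# Constructed policy: privileged tokens rotate monthly, others quarterly,
# and anything idle for two months gets revoked rather than rotated.
MAX_AGE = {"privileged": timedelta(days=30), "standard": timedelta(days=90)}
MAX_IDLE = timedelta(days=60)


@dataclass(frozen=True)
class Credential:
    name: str
    owner: str
    scopes: Tuple[str, ...]
    issued: datetime
    last_used: Optional[datetime]   # None means never presented since issue


def tier(cred: Credential) -> str:
    return "privileged" if set(cred.scopes) & PRIVILEGED_SCOPES else "standard"


def audit(creds: Iterable[Credential], now: datetime) -> Dict[str, List[str]]:
    """Return {credential name: [actions]} for every credential needing attention.

    'rotate' means the token is older than its tier's policy window.
    'revoke' means the token has been idle longer than MAX_IDLE; an idle token
    that leaks (for example via an infostealer) is pure downside.
    """
    findings: Dict[str, List[str]] = {}
    for c in creds:
        actions: List[str] = []
        age = now - c.issued
        if age > MAX_AGE[tier(c)]:
            actions.append("rotate")
        last_activity = c.last_used or c.issued
        if now - last_activity > MAX_IDLE:
            actions.append("revoke")
        if actions:
            findings[c.name] = actions
    return findings


# Fixed audit date so results are reproducible.
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)

# Constructed inventory.
INVENTORY = [
    Credential("ci-deploy", "platform-team", ("repo:write", "workflow"),
               NOW - timedelta(days=400), NOW - timedelta(days=1)),
    Credential("docs-bot", "docs-team", ("repo:read",),
               NOW - timedelta(days=20), NOW - timedelta(days=2)),
    Credential("old-laptop", "former-employee", ("repo:read",),
               NOW - timedelta(days=700), NOW - timedelta(days=400)),
    Credential("svc-metrics", "observability", ("repo:write",),
               NOW - timedelta(days=10), None),
]

if __name__ == "__main__":
    for name, actions in audit(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(actions)}")
```

Run against the constructed inventory, the audit flags the year-old but still-active deployment token for rotation (privileged scope, 30-day window) and the long-idle laptop token for both rotation and revocation; the recently issued tokens pass. The point the article makes is that the second kind of token, forgotten but still valid, is the one that turns up in an infostealer dump years later.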

Grafana's decision to go public quickly and refuse payment stands in contrast to other recent responses. Instructure, whose Canvas platform was breached by the ShinyHunters group in May, reportedly paid a ransom of around $10 million, only to see attackers return and deface login pages at hundreds of schools days later. The FBI's position on ransom payment, which Grafana cited directly, reflects a clear pattern: payment does not end an attack, it funds the next one.
