
Grafana Confirms Breach After Hackers Claim They Stole Data

May 22, 2026 | Twila Rosenbaum

The Breach

Grafana, the widely used open-source visualization and analytics platform, confirmed on Sunday that it had suffered a data breach two days after the cybercrime group Coinbase Cartel listed the company on its leak website. The intrusion, which occurred due to a compromised token granting access to the Grafana Labs GitHub environment, allowed the attackers to download the company’s codebase. However, Grafana officials stated that no personal or customer information was stolen and that the incident did not impact customer systems or operations.

The breach came to light on May 15, when Coinbase Cartel added Grafana to its extortion portal. In a statement, Grafana said the attackers demanded a ransom to prevent the source code from being leaked, but the company decided not to pay. “We have reset the compromised credentials and are conducting a forensic analysis. We will share additional details when the investigation is completed,” the company added.

Background on Grafana

Grafana is a leading open-source platform for metric monitoring and observability, used by thousands of organizations worldwide to visualize data from various sources, including Prometheus, InfluxDB, and Graphite. Its development is managed by Grafana Labs, a company founded in 2014 by Torkel Ödegaard and headquartered in New York. Grafana’s widespread adoption in IT operations, DevOps, and enterprise environments makes it a high-value target for attackers. The platform processes sensitive operational data, but its source code repositories are separate from customer data, which likely limited the impact of this breach.

Despite the seriousness of the incident, Grafana emphasized that its production systems and customer-facing services remain secure. The compromised token was linked to a service account used for internal development workflows, not for customer access. The company also noted that its codebase is already publicly available under the AGPL license, although the accessed repository may have included proprietary modifications or unannounced features.

Coinbase Cartel and the ShinyHunters Connection

Coinbase Cartel is a relatively new cybercrime gang that has been active since September 2025. Unlike traditional ransomware groups, it does not deploy file-encrypting malware. Instead, it focuses on stealing sensitive data and then demanding a ransom payment in exchange for not leaking the information. The group’s leak website currently lists 105 victims, indicating a high-volume operation. Cybersecurity researchers have linked Coinbase Cartel to other notorious hacker groups, including ShinyHunters, Scattered Spider, and Lapsus$. These groups have been collaborating since at least mid-2025, with some evidence pointing to a possible partnership dating back to 2024.

ShinyHunters, in particular, gained notoriety in 2024 for large-scale data breaches against companies such as Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic. The alliance between these groups appears to be driven by a shared focus on extortion rather than encryption. In the case of Grafana, the hackers left a message on the breach listing: “We can cause you more damage than you would ever imagine.” Despite the threat, no data from Grafana has been publicly leaked as of the latest updates.

Attack Vector and Response

The breach was traced to a stolen token that provided access to Grafana’s GitHub environment. Token-based authentication is common in software development pipelines because it allows automated processes to interact with code repositories without requiring manual password entry. However, if a token is exposed—through a misconfiguration, phishing, or a compromised third-party service—it can grant unauthorized access. In this case, the attackers used the token to clone the entire codebase, which included internal projects and documentation.

Grafana’s response was swift: the compromised token was revoked, and all related credentials were rotated. An external forensic team has been engaged to analyze the incident and identify any potential lateral movement within the network. The company also notified relevant data protection authorities, as required by regulations such as GDPR. Notably, Grafana did not disclose whether the token was obtained through a prior vulnerability in its supply chain or through a direct compromise, but it promised to publish a full post-mortem once the investigation concludes.

The incident echoes a growing trend in cybercrime, where attackers target development infrastructure to steal source code as leverage for ransom. In 2025, similar attacks have been launched against other tech companies, including Trellix and TanStack, where source code repositories were breached. The difference, however, is that Grafana’s codebase is largely open-source, so the actual impact may be limited to proprietary extensions or unreleased features.

Industry Implications

The Grafana breach highlights the risks associated with managing development tokens and the importance of robust access controls. Security experts recommend implementing short-lived tokens, using multi-factor authentication for all service accounts, and monitoring GitHub access logs for unusual activity. Additionally, companies should have a clear incident response plan for credential compromise, including immediate revocation and communication protocols.
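The two controls named above, short-lived tokens and monitoring repository access logs for unusual activity, are concrete enough to show as code. The following is an added example written for this article, not code from Grafana Labs or from the SecurityWeek report. It works over a constructed set of audit events whose field names (`action`, `actor`, `repo`, `@timestamp`, `programmatic_access_type`, `hashed_token`) are modelled on GitHub audit-log exports but are an assumption here, not a claim about the exact schema; the repository names, actors and token records are likewise made up. It flags any single credential that clones an unusually large number of distinct repositories in a short window (the "clone the entire codebase" pattern described in the Attack Vector section) and, separately, reports tokens whose lifetime violates a short-lived-token policy.

```python
"""Detect bulk repository cloning by one credential and check token lifetimes.

Added example, not Grafana's or GitHub's code. Event shape is modelled on
GitHub audit-log exports (an assumption); all sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2026-05-13T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _clone(actor: str, repo: str, ts: str, token: str) -> dict:
    # Helper to build a constructed git.clone audit event.
    return {"action": "git.clone", "actor": actor, "repo": repo, "@timestamp": ts,
            "programmatic_access_type": "Personal access token", "hashed_token": token}


# Constructed sample: one service-account token clones 12 repositories in
# under six minutes, interleaved with ordinary human activity.
SAMPLE_EVENTS = [
    _clone("ci-bot", f"example-org/repo-{i:02d}",
           (parse_ts("2026-05-13T02:00:00Z") + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
           "tok_hash_ci")
    for i in range(12)
] + [
    _clone("alice", "example-org/repo-00", "2026-05-13T09:15:00Z", "tok_hash_alice"),
    _clone("alice", "example-org/repo-03", "2026-05-13T09:40:00Z", "tok_hash_alice"),
    {"action": "git.push", "actor": "alice", "repo": "example-org/repo-03",
     "@timestamp": "2026-05-13T09:50:00Z", "programmatic_access_type": "Personal access token",
     "hashed_token": "tok_hash_alice"},
]

# Constructed token inventory (name, creation, expiry) for the lifetime check.
SAMPLE_TOKENS = [
    {"name": "ci-short-lived", "created_at": "2026-05-10T00:00:00Z", "expires_at": "2026-05-11T00:00:00Z"},
    {"name": "legacy-deploy-token", "created_at": "2025-01-01T00:00:00Z", "expires_at": None},
    {"name": "release-bot", "created_at": "2026-01-01T00:00:00Z", "expires_at": "2026-12-31T00:00:00Z"},
]


def flag_bulk_clones(events, window=timedelta(minutes=10), threshold=10):
    """Return one finding per (actor, token) that cloned >= threshold distinct
    repositories inside any sliding window of the given length."""
    by_credential = defaultdict(list)
    for event in events:
        if event.get("action") != "git.clone":
            continue
        key = (event["actor"], event.get("hashed_token", "-"))
        by_credential[key].append((parse_ts(event["@timestamp"]), event["repo"]))

    findings = []
    for (actor, token), items in by_credential.items():
        items.sort()
        lo, best = 0, None
        for hi in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = {repo for _, repo in items[lo:hi + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_repos"]):
                best = {"actor": actor, "hashed_token": token, "distinct_repos": len(distinct),
                        "window_start": items[lo][0].isoformat(), "window_end": items[hi][0].isoformat()}
        if best is not None:
            findings.append(best)
    return findings


def token_policy_violations(tokens, max_lifetime=timedelta(days=30)):
    """Return names of tokens with no expiry or a lifetime longer than max_lifetime."""
    violations = []
    for token in tokens:
        expires = token.get("expires_at")
        if expires is None or parse_ts(expires) - parse_ts(token["created_at"]) > max_lifetime:
            violations.append(token["name"])
    return violations


if __name__ == "__main__":
    for finding in flag_bulk_clones(SAMPLE_EVENTS):
        print("bulk clone:", finding)
    print("token policy violations:", token_policy_violations(SAMPLE_TOKENS))
```

Run against the constructed sample, the clone detector reports only `ci-bot` (12 distinct repositories in one window) and ignores `alice`, whose two clones are ordinary; the lifetime check reports `legacy-deploy-token` (no expiry) and `release-bot` (roughly a year of validity). The window and threshold are tuning knobs: a mirror job that legitimately clones the whole organisation should be allow-listed by actor rather than by raising the threshold for everyone.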

For Grafana users, the breach serves as a reminder to audit their own use of the platform. While Grafana’s core code is open-source, users who run self-managed instances should ensure that they are using the latest version, as any vulnerabilities discovered in the leaked code could be weaponized. Grafana’s cloud customers, however, are protected by the company’s security measures and were not affected by the incident.

In the broader cybersecurity landscape, the emergence of groups like Coinbase Cartel—which combine data theft with extortion—represents a shift away from ransomware toward more targeted and less noisy attacks. These groups often operate in a hybrid model, selling stolen data on darknet markets or using it to pressure victims into paying ransoms. The increasing collaboration between formerly distinct threat actors further complicates defensive efforts, as they can share tools, tactics, and victim lists.

As of now, Grafana has not revealed the exact ransom amount demanded by Coinbase Cartel, nor has it disclosed whether any of the stolen data has been used maliciously. The company’s decision to refuse payment aligns with best practices recommended by law enforcement and cybersecurity agencies, which warn that paying ransoms encourages further attacks and does not guarantee that stolen data will be deleted.

The investigation into the Grafana breach is ongoing, and the company has promised to provide a detailed technical report once it is complete. In the meantime, security researchers are monitoring Coinbase Cartel’s leak site for any evidence of data publication. The incident serves as a cautionary tale for organizations of all sizes: even a single compromised token can lead to a significant data breach, underscoring the need for constant vigilance and comprehensive security hygiene.


Source: SecurityWeek News

