Grafana Labs Says Hackers Stole Source Code After Abusing Stolen GitHub Token

Grafana Labs, the maker of the open-source observability platform Grafana, said hackers breached its systems and stole source code after abusing a stolen token credential that allowed access to the company’s GitHub environment.

“Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token”

BleepingComputer

TechCrunch reported that Grafana Labs said it refused to pay the hackers who threatened to release the company’s codebase, and that the token did not allow access to customer records or financial data.

BleepingComputer

BleepingComputer said the attackers attempted to extort Grafana Labs by demanding payment in exchange for not publishing the stolen source code, while Grafana said it chose to follow public guidance from the Federal Bureau of Investigation (FBI) and not pay the ransom.

In its own statement, Grafana said, “Based on our operational experience and the published stance of the FBI, which notes that paying a ransom doesn’t guarantee you or your organization will get any data back and only offers an incentive for others to get involved in this type of illegal activity, we’ve determined the appropriate path forward is not to pay the ransom,” as the company worked to invalidate the compromised credentials and implement additional security measures.

BleepingComputer said Grafana disclosed that hackers downloaded its source code after breaching its GitHub environment using a stolen access token, and it reported that the extortion gang CoinbaseCartel claimed the attack by adding Grafana to their data leak site (DLS).

SecurityWeek reported that Grafana confirmed the intrusion was possible due to a compromised token that granted access to the Grafana Labs GitHub environment, and that Grafana admitted the hackers managed to download its codebase.

CyberSecurityNews

Hackread said Grafana’s investigation found no evidence of customer data exposure or impact to customer systems, and it described the company as having invalidated the compromised credentials and added new safeguards around the affected environment.

In a separate account, SecurityWeek quoted the hackers’ threat on the leak website: “We can cause you more damage than you would ever imagine,” as the Coinbase Cartel website listed 105 victims.

Grafana Labs said it found no evidence that customer data or personal information was exposed and that customer systems remained unaffected, while it promised to release more details after completing its post-incident investigation.

“Grafana Labs says an attacker gained access to part of itsGitHubenvironment after obtaining a compromised token, allowing the threat actor to download the company’s codebase”

Hackread

The Tech Buzz said the company “confirmed Monday that cybercriminals breached its systems and made off with source code,” and it framed the incident as a twist on extortion where attackers threatened to dump stolen code rather than encrypt files.

SecurityWeek reported that Grafana reset compromised credentials and said a forensic analysis was being conducted, while it also noted that the incident had not impacted customer systems or operations.

Looking ahead, The Tech Buzz said the outcome would shape how open-source companies handle extortion, because if hackers publish the stolen code “security researchers will scrutinize it for vulnerabilities while competitors analyze it for competitive insights.”