“Based on our operational experience and the published stance of the FBI ... we’ve determined the appropriate path forward is not to pay the ransom,” Grafana stated.
What Grafana Labs says happened: stolen GitHub token and code exfiltration
Grafana Labs disclosed that attackers breached its GitHub environment using a stolen access token and downloaded the company’s source code. The company’s forensic analysis identified the origin of the compromised credentials, after which Grafana invalidated the token and "implemented additional security measures" to prevent further unauthorized access. Grafana also said it will publish more details after completing its post-incident investigation.
Extent of impact: customers, data, and systems
According to Grafana, the investigation found no evidence that customer data or personal information was exposed and customer systems remained unaffected by the incident. Grafana noted its user base includes more than 7,000 organizations — among them large enterprises, cloud providers, telecos, banks, governments, e-commerce platforms, and infrastructure operators — and that the product is used by 70% of the Fortune 50. BleepingComputer contacted Grafana for additional details but had not received a response by publishing time.
Extortion attempt and the decision not to pay
The intruders attempted to extort Grafana, demanding payment in exchange for not publishing the stolen source code. The attackers are associated with a relatively new extortion gang that calls itself CoinbaseCartel; the group added Grafana to its data leak site, although at the time of Grafana’s disclosure no data had been publicly leaked. Grafana said it chose to follow public guidance from the Federal Bureau of Investigation and not to pay the ransom, stating that paying would not guarantee recovery and would "only offer an incentive for others to get involved in this type of illegal activity."
CoinbaseCartel: provenance, tactics, and tools named by researchers
CoinbaseCartel launched in September and has been active this year, listing more than 100 victims on its data leak portal. The group focuses on data theft and uses that portal to pressure victims into paying ransoms. Multiple researchers describe CoinbaseCartel as consisting of affiliates of ShinyHunters and Lapsus$ who gain access through social engineering, various forms of phishing, and compromised credentials. Threat intelligence specialist Joe Shenouda has claimed the gang deploys an in-memory tool called "shinysp1d3r" to encrypt VMware ESXi targets and disable snapshots. BleepingComputer previously analyzed a ShinySp1d3r Windows encryptor developed by the ShinyHunters group, which at the time said it was working on Linux and ESXi encryptor versions.
What this means for technologists, enterprise customers, and the FBI’s guidance
- Technologists and security teams: The incident highlights that a single stolen GitHub access token can allow adversaries to download source code repositories. Grafana’s immediate steps — invalidating the compromised credentials and adding security controls — illustrate response actions teams cite after discovering credential misuse.
- Enterprise customers and large users of Grafana: Grafana’s statement that customer data and systems were not affected will be central to customer risk assessments; customers will watch for the company’s promised post-incident details about how the token was obtained and what, if any, intellectual property or build artifacts were accessed.
- Policymakers and the FBI’s public stance: Grafana explicitly cited FBI guidance in its decision not to pay the ransom, framing that guidance as a factor in choosing a non-payment posture — a choice the company said was driven by operational experience and the published FBI position that paying does not guarantee data recovery and fuels further criminal activity.
The case leaves a narrow, practical set of near-term questions: what specific repository access the stolen token granted, which security controls were added, and what additional forensic detail Grafana will publish once its post-incident work is complete. For now, Grafana’s public account ties the breach to a stolen GitHub token, confirms that source code was downloaded, records a refused extortion demand, and places the incident within a wider wave of activity by the extortion group calling itself CoinbaseCartel.




