"We immediately initiated forensic analysis and we believe we’ve identified the source of the credential leak," Grafana Labs wrote on X, describing a breach that allowed an unauthorized party to download the company's source code and then try to extort payment to prevent its release.
Unauthorized GitHub token access
Grafana Labs said an "unauthorized party" obtained a token that granted access to its GitHub environment, allowing the attacker to download the firm's source code. The company framed the incident in public posts on X (formerly Twitter), characterizing the access as tied to a compromised credential; it said the compromised token has since been invalidated.
What Grafana Labs says it found and did
Grafana Labs reported that its investigation has so far found no indication customer data or personal information was accessed, and no evidence of impact to customer systems or operations. The company said it immediately initiated forensic analysis, identified the suspected source of the credential leak, invalidated the compromised credentials and implemented additional security measures to further secure its environment against unauthorized access.
The extortion demand and Grafana's decision not to pay
After downloading the codebase, the threat actors demanded payment to prevent its release, Grafana said. Citing the published stance of the FBI — that "paying a ransom doesn't guarantee you or your organization will get any data back" and only "offers an incentive for others to get involved in this type of illegal activity" — Grafana Labs explained it had determined the appropriate path forward was to not pay the ransom.
Reports pointing to "CoinbaseCartel" as the suspected group
The company promised to share more about how the breach occurred as its investigation continues. Independent reports have suggested a relatively new extortion gang known as "CoinbaseCartel" was the culprit; Grafana's public posts did not name the group directly but noted external reporting tying the incident to that actor.
Comparitech's Brian Higgins on vendor access and supply chain risk
Security specialist Brian Higgins at Comparitech assessed Grafana's response as consistent with established incident-playbook protocols. "It looks like Grafana were well prepared for a breach and are following all of the playbook protocols you would expect," Higgins said. He added that "it’s too early to speculate on how much of a compromise these attackers have achieved but at least Grafana acknowledge that more information may need to be disclosed as their investigations progress."
Higgins highlighted a broader tactical concern: "The main takeaway for business peers is that vendor access and supply chain structures remain high value targets for attackers. They have been proven time after time to enable successful infil and exfil pathways and should be high on everybody’s list of priority network sectors for target-hardening."
How Grafana’s customers — Anthropic, NVIDIA, Salesforce and Microsoft — are positioned
Grafana Labs says it serves more than 7,000 customers worldwide, naming technology firms Anthropic, NVIDIA, Salesforce and Microsoft among them. Grafana's public statements and its pledge to share more investigative findings give those named customers and the broader user base a concrete point of contact for confirmation: Grafana reported no customer-data access or operational impact at this stage and has promised further disclosure as its forensic work continues.
The immediate, verifiable facts are narrow: a token was used to access a GitHub environment; source code was downloaded; an extortion demand followed; Grafana invalidated the credential, undertook forensic analysis and declined to pay the ransom. What remains to be seen — and what Grafana has said it will update the public on — is the final scope of compromise and whether the stolen codebase will be released by the attackers.




