Hacking

Grafana GitHub Token Breach Leads to Extortion Attempt

Published  ·  10 min read

Grafana has disclosed that an unauthorized party obtained a token granting access to the company's GitHub environment, and the attacker used this access to download Grafana's codebase before attempting to blackmail and extort the company.

The Grafana GitHub token breach extortion incident was disclosed by Grafana in a series of posts on X, and the company said it immediately launched a forensic analysis upon discovering the activity.

Grafana confirmed that no customer data or personal information was accessed during the incident, and the company has found no evidence of impact to customer systems or operations.

What Happened

The Grafana GitHub token breach extortion involved a stolen token that granted access to Grafana's GitHub environment, and the attacker used that access to download the company's codebase.

Grafana did not reveal when the incident took place or how long the threat actor had access to its environment, the company only revealed that it learned of the attack recently.

The compromised credentials have since been invalidated, and Grafana has implemented extra security measures to secure against unauthorized access.

The Grafana GitHub token breach extortion incident did not affect customer data or customer systems according to Grafana's investigation, and the company identified the source of the leak.

The Extortion Attempt

After downloading Grafana's codebase, the attacker tried to blackmail and extort the company, and they demanded that Grafana make a payment to prevent the stolen database from being published.

The Grafana GitHub token breach extortion demand was a classic data extortion scheme, the attacker threatens to release stolen data unless the victim pays a ransom, and the victim must decide whether to pay or refuse.

Grafana said it has opted not to pay the ransom, and the company cited the U.S. Federal Bureau of Investigation (FBI) which has previously warned against negotiating ransoms with perpetrators.

The FBI states on its website that paying ransoms does not guarantee that affected companies will get their data back, and it also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.

Who Is Behind the Attack

Grafana did not attribute the Grafana GitHub token breach extortion to any known threat actor or group, but reports from Hackmanac and Ransomware.live indicate that a cybercrime group named CoinbaseCartel has claimed responsibility for the incident.

According to Halcyon and Fortinet's FortiGuard Labs, the CoinbaseCartel data extortion gang was identified for the first time in September 2025. They have evaluated the CoinbaseCartel as a subgroup of the ShinyHunters, Scattered Spider and LAPSUS$ gangs, which are all identified as similar in nature.

The Grafana GitHub token breach extortion fits CoinbaseCartel's known modus operandi, the group focuses only on data theft and extortion unlike traditional ransomware groups that also encrypt systems.

CoinbaseCartel has amassed 170 victims across healthcare, technology, transportation, manufacturing, and business services, and Grafana appears to be their latest claimed victim.

What Was Stolen

Grafana confirmed that the attacker downloaded the company's codebase, but the company did not specify which codebase or repositories were accessed.

Grafana offers various solutions including Grafana Cloud which is a fully-managed cloud-hosted observability platform for applications and infrastructure, and the company also offers open-source Grafana which is freely available.

The Grafana GitHub token breach extortion incident may have involved the open-source codebase which is already publicly available, or it may have involved proprietary code related to Grafana Cloud, Grafana did not specify.

The company emphasized that no customer data or personal information was accessed, and this is the most critical distinction for Grafana's customers.

The No Ransom Decision

Grafana's decision to refuse the ransom demand is consistent with FBI guidance and industry best practices, and the company cited the FBI directly in its public statements.

Following the compromise of GitHub tokens, Grafana has chosen to take a hard stance on not negotiating with hackers by refusing to pay any ransom. This action may also reduce the likelihood of extortion from hackers. However, with any refusal to pay ransom there is a level of risk associated, such as: The hacker still releases the data they have stolen from Grafana, causing Grafana to be negatively impacted.

Grafana accepted the risk of published data since none of their customers' information was accessed by the hacker(s) and the value of the source code to competing companies or to the public at large is likely minimal.

The CoinbaseCartel Group

CoinbaseCartel is a relatively new extortion group, and they emerged in September 2025 according to security researchers.

The group is part of or in association with the ShinyHunters, Scattered Spider, and LAPSUS$ cybercriminal groups. These three have perpetrated large data breaches and extortion schemes.

ShinyHunters is best known for data breaches against dozens of organizations by hacking and selling their database files. Scattered Spider uses social engineering and SIM swapping to facilitate their attacks. LAPSUS$ became known for high-profile breaches against Microsoft, Okta, and NVIDIA.

CoinbaseCartel appears to have inherited some or all of the tactics used by ShinyHunters, Scattered Spider, and LAPSUS$. They also extorted multiple organizations by exploiting the Grafana GitHub token breach to steal data without encrypting it.

CoinbaseCartel has claimed 170 victims in the past, with Grafana recently becoming one of them within the healthcare, technology, transportation, manufacturing, and business services industries.

The Instructure Connection

On the heels of Instructure's decision to settle with the ShinyHunters extortion group, comes the extortion attempt by ShinyHunters that threatened to release billions (TB) of compromised records from thousands of educational institutions across the United States if Instructure did not comply with their demands for a ransom payment. Luckily for Instructure, they made a choice to settle with ShinyHunners. Unfortunately for Grafana, they were unable to secure a similar resolution.

Although the outcomes from these two separate incident may lead other organizations to stop paying such demands, the existence of Instructure's actions demonstrates there will still be some who recognize value in complying with extortion threats.

What Led to the Compromise

There was no technical detail shared by Grafana as to how the token was compromised, however, there are different ways for token theft to take place.

The GitHub token belonging to an employee could have been posted publicly, phishing could have been used to capture the token or the GitHub token could have been taken from a compromised development machine.

The incident where Grafana's GitHub tokens were compromised shows the risks associated with long-lived access tokens, and as a result companies should ensure that they are rotating their tokens regularly and using short-lived credentials whenever possible.

Grafana determined what the source of the leak was and voided the credentials that had been compromised; however, they did not disclose the root cause of the vulnerability.

What You Should Do as a Grafana User

Grafana has verified that customer data has not been accessed through the GitHub access token breach and therefore no action needs to be taken by customers with respect to this breach.

Customers may continue to utilize Grafana services as they normally would. Grafana has also taken additional security precautions to ensure that something similar does not happen again in the future.

The Grafana GitHub token breach extortion incident affected Grafana's internal GitHub environment, not customer instances of Grafana Cloud or open-source Grafana.

Preventing Token Breaches

The Grafana GitHub token breach extortion incident offers lessons for all organizations.
1. Utilize tokens that are only available for a short amount of time. Long-term tokens pose a risk since they can remain "alive" or functional for long periods, and the token used by the attacker in the Grafana GitHub token breach could have been expired sooner than it was.

2. Regularly rotate credentials. Even without any indication of compromise, rotating credentials at regular intervals limits the potential time frame for a hacker to use your credentials to exploit your system.

3. Monitor unusual access activity. The attacker in the Grafana GitHub token abuse case downloaded the entire codebase. If there had been monitoring in place for large amounts of data being downloaded or for "unusual" repository access, then someone would have been able to stop the attack earlier.

4. Limit permissions for your tokens. The permission level for a token should be the minimum required for the intended use of that token. In the instance of the token used for the Grafana GitHub token exploitation attack, it provided access to download the entire codebase.

5. Utilize GitHub's security features. GitHub has the capability to scan for secrets in your code repository, to maintain an audit log for all activity, and to set branch protection rules that help to prevent and deter against any tokens being compromised.

Final Thoughts

The Grafana compromise of GitHub tokens for the sake of extortion serves as evidence that regardless of how well designed and implemented a security program is, companies who operate securely face the risk of having their authentication credentials compromised.  It's clear that the motivation behind the attack was not to disrupt Grafana's services, but rather to initiate some type of threat to extort Grafana for financial gain.

In refusing to pay the ransom demand to the actors, Grafana has cited the FBI's position not to negotiate with individuals who extort others, and the possibility that the actor's threat to release stolen data may be empty, given the limited value of its code repository.

This incident did not result in any effect to any customer data, and any customer of Grafana should feel safe and continue using their Grafana platform; however, this incident should cause all organizations to review their own practices for securing their tokens.

The CoinbaseCartel has claimed approximately 170 victims to date, and Grafana is one of those victims, however Grafana's refusal to pay should serve as an example to other organizations that not only is it unwise to pay ransom but also that it may not be profitable for others.  Therefore, we anticipate others will follow the example of Grafana.

FAQ Section

What occurred in the extortion incident that involved the Grafana GitHub token breach? 

An unauthorized party gained access to a Github token for access to the Grafana Github environment; the attacker downloaded the Grafana codebase and attempted to blackmail or extort the company by demanding payment not to publish the stolen data.

Did anyone access customer data during the Grafana GitHub Token breach? 

Grafana confirmed that no customer data or personally identifiable information (PII) was accessed and no evidence of affecting customer system(s) or operation(s) was found, only the GRAFANA codebase was downloaded.

Did Grafana pay the ransom demand? 

No, Grafana chose not to pay the ransom, citing FBI guidance warning that payment does not guarantee the return of the data, therefore encourages more attacks.

Who is behind the Grafana GitHub token breach extortion attack?

Grafana did not attribute the attack, but reports indicate that a cybercrime group named CoinbaseCartel has claimed responsibility, the group is an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$.

Should Grafana customers take any action after this breach?

No, Grafana confirmed that customer data was not accessed, customers can continue using Grafana products normally, and the company has invalidated the compromised token and added extra security measures.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067