CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 17, 2026

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

The Hacker News Archived May 17, 2026 ✓ Full text saved

Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of

Full text archived locally
✦ AI Summary · Claude Sonnet


    Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt Ravie LakshmananMay 17, 2026Data Breach / Cybercrime Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of posts on X. The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding the compromised credentials have since been invalidated, and extra security measures have been implemented to secure against unauthorized access. Furthermore, Grafana revealed the attacker tried to blackmail and extort the company, demanding they make a payment to prevent the stolen database from being published. Grafana said it has opted not to pay the ransom, citing the U.S. Federal Bureau of Investigation (FBI). The agency has previously warned against negotiating ransoms with perpetrators, as there is no guarantee that doing so will help affected companies get their data back. "It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity," the FBI states on its website. Grafana did not reveal when the incident took place or since when the threat actor had access to its environment, only revealing that it learned of the attack "recently." The breach has not been attributed to any known threat actor or group.  However, reports from Hackmanac and Ransomware.live indicate that a cybercrime group named CoinbaseCartel has claimed responsibility for the incident.  Per reports from Halcyon and Fortinet FortiGuard Labs , CoinbaseCartel is a data extortion crew that emerged in September 2025. It's assessed to be an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems.  The group, which only focuses on data theft and extortion, unlike traditional ransomware groups, has amassed 170 victims across healthcare, technology, transportation, manufacturing, and business services.  The company also did not reveal what codebase the attacker downloaded, but Grafana offers various solutions like Grafana Cloud , a fully-managed, cloud-hosted observability platform for applications and infrastructure. The Hacker News has reached out to Grafana for comment, and we will update the story if we hear back. The development comes days after American educational technology company Instructure made the controversial decision to settle with the ShinyHunters extortion group after the latter threatened to leak terabytes of data belonging to thousands of schools and universities across the U.S. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CoinbaseCartel, cybersecurity, Data Extortion, FBI, GitHub, Grafana, LAPSUS$, ransomware, Scattered Spider, ShinyHunters ⚡ Top Stories This Week ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials 2026: The Year of AI-Assisted Attacks Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Trellix Confirms Source Code Breach With Unauthorized Repository Access Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise Day Zero Readiness: The Operational Gaps That Break Incident Response The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions Load More ▼ ⭐ Featured Resources [Demo] Discover How to Control Autonomous Identity Risks Effectively [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    May 17, 2026
    Archived
    May 17, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗