269/69 Tuesday, May 19, 2026
Grafana Labs disclosed a security incident after attackers gained access to the company’s GitHub environment using a leaked access token, allowing them to download portions of the company’s source code. Grafana stated that its preliminary investigation found no evidence that customer data, personal information, or customer systems were affected. The company also confirmed that its production systems and business operations were not impacted by the incident.
According to Grafana, the company immediately launched a forensic investigation after detecting the breach and was able to identify the source of the compromised credentials. The affected token has since been revoked, and additional security measures have been implemented to prevent unauthorized access in the future. Grafana further revealed that the attackers attempted to extort the company by threatening to release allegedly stolen databases and internal information unless a ransom was paid. However, the company refused to comply, citing guidance from the Federal Bureau of Investigation (FBI), which warns that paying ransom demands does not guarantee data recovery and may encourage further criminal activity.
Although Grafana has not disclosed which portions of the source code were accessed or how long the attackers maintained access, reports from Hackmanac and Ransomware.live indicate that a cybercriminal group known as CoinbaseCartel claimed responsibility for the attack. The group is believed to have ties to networks associated with ShinyHunters, Scattered Spider, and LAPSUS$, and is primarily focused on data theft and extortion operations. The incident occurred shortly after Instructure reportedly agreed to pay a ransom to ShinyHunters to prevent the publication of data belonging to numerous schools and universities in the United States, highlighting the growing trend of data extortion attacks across multiple industries.
Source https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html