On Sunday, Grafana, known for its open source visualization and analytics offerings, confirmed it had experienced a data breach. This announcement came shortly after a cybercrime group publicized the breach on its leak website.
Compromised Token Leads to Codebase Theft
The breach was traced back to a compromised token, which allowed unauthorized access to Grafana Labs’ GitHub environment. The attackers successfully downloaded the company’s entire codebase. However, Grafana assured stakeholders that no personal or customer data was compromised, and there was no disruption to customer systems or operations.
Despite the attackers’ demand for a ransom to prevent the release of the source code, Grafana opted against paying. The company has since reset the compromised credentials and is conducting a detailed forensic analysis. Further updates are expected once the investigation concludes.
Cybercrime Group’s Threats and Techniques
The cybercrime group, known as Coinbase Cartel, listed Grafana on its website on May 15. Although no data had been leaked at the time of reporting, the group issued a threat, claiming it could cause substantial damage. Active since September 2025, this group differs from typical ransomware actors by demanding ransoms following data theft without encrypting files.
Their website currently features 105 victims. Notably, Coinbase Cartel is believed to have connections with other notorious groups like ShinyHunters, Scattered Spider, and Lapsus$, who have collaborated since mid-2025, with some evidence suggesting ties as far back as 2024.
Wider Implications of the Data Theft Campaign
This alliance has orchestrated an extensive data theft campaign, using the ShinyHunters moniker to attribute and announce breaches of prominent companies. Among the targeted organizations are Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic.
The Grafana incident underscores the ongoing threats posed by sophisticated cybercriminal groups and highlights the necessity for rigorous cybersecurity measures and vigilance in protecting sensitive digital environments.
As Grafana continues its investigation, the incident serves as a stark reminder of the importance of securing access credentials and maintaining robust security protocols to mitigate potential breaches.
