Token Leak at Grafana Sparks Code Theft and Ransom Demand

Grafana recently revealed that someone gained access to a special GitHub token, letting them pull the company’s code. The breach did not touch any user data or affect customers’ systems, according to the company’s statements. When Grafana discovered the unauthorized activity, it immediately started a forensic investigation. They traced the leak’s source, revoked the compromised token, and tightened security controls to stop future intrusions. The attacker didn’t just steal the code; they also tried to extort money from Grafana. They demanded a payment in exchange for keeping the stolen code private. Grafana chose not to comply, following FBI advice that paying ransoms can encourage more attacks and offers no guarantee of data recovery.The incident’s exact timing remains unclear, as Grafana only said it became aware of the attack “recently. ” No official threat group was named by Grafana, but independent reports linked the breach to a cybercrime crew called CoinbaseCartel. This group surfaced in late 2025 and is thought to be linked to several other ransomware factions. CoinbaseCartel focuses on data theft and extortion rather than encrypting files, and it has already targeted over 170 victims in various sectors. Grafana did not specify which part of its codebase was downloaded, though the company provides services like Grafana Cloud for monitoring and observability. The story follows a similar case where an education technology firm settled with another extortion group after threats to leak large amounts of school data.