
Grafana discovers stolen GitHub token enabled source code theft

Grafana Labs says attackers breached its GitHub environment with a stolen access token and downloaded its source code. A newer extortion group, CoinbaseCartel, claimed the incident and added Grafana to its data leak site, but Grafana says no customer data was

When Grafana Labs realized its GitHub environment had been breached, the company traced the incident back to a single, high-risk detail: a stolen access token used to gain entry.

Grafana disclosed that hackers downloaded its source code after the breach. The company said a relatively new extortion gang called CoinbaseCartel claimed the attack by adding Grafana to its data leak site (DLS), even though Grafana says no data has been leaked yet.

Grafana Labs is the company behind Grafana, the popular open-source platform for analytics, monitoring, and real-time data visualization. Its paying customers skew toward large enterprises, cloud providers, telcos, banks, governments, e-commerce platforms, and infrastructure operators. Grafana also said more than 7,000 organizations use the product, including 70% of the Fortune 50.


On the impact front, Grafana Labs said its investigation found no evidence that customer data or personal information was exposed. It also said customer systems remained unaffected. The forensic work established how the credentials were compromised; Grafana then invalidated the compromised credentials and implemented additional security measures to prevent further unauthorized access.
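The paragraph above describes the defender's side of this kind of incident: a stolen token is used to pull source code, and the response is to find the anomalous credential use, revoke it, and add controls. As an added illustration (not code from the article, Grafana Labs, or GitHub), the following Python check flags tokens whose clone activity looks like bulk source-code collection: many distinct repositories cloned within a short window, or clones from an IP the actor has never used before. The event records and the per-actor IP baseline are constructed inline, and the field names (ts, action, actor, actor_ip, repo, token_id) are assumptions for this example rather than GitHub's exact audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of audit-log-style events (field names are assumptions,
# not GitHub's exact schema).
SAMPLE_EVENTS = [
    # Normal CI activity: one token, one known IP, one repo, cloned twice.
    {"ts": "2025-04-01T09:00:00Z", "action": "git.clone", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "example-org/app", "token_id": "tok-ci"},
    {"ts": "2025-04-01T09:30:00Z", "action": "git.clone", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "example-org/app", "token_id": "tok-ci"},
    # Anomalous: a developer's token cloning many repos from an IP never seen before.
    {"ts": "2025-04-01T02:10:00Z", "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/app", "token_id": "tok-dev"},
    {"ts": "2025-04-01T02:11:00Z", "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/infra", "token_id": "tok-dev"},
    {"ts": "2025-04-01T02:12:00Z", "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/billing", "token_id": "tok-dev"},
    {"ts": "2025-04-01T02:13:00Z", "action": "git.clone", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/docs", "token_id": "tok-dev"},
    # A non-clone event, which the check ignores.
    {"ts": "2025-04-01T02:14:00Z", "action": "git.push", "actor": "dev-alice",
     "actor_ip": "198.51.100.7", "repo": "example-org/app", "token_id": "tok-dev"},
]

# Constructed baseline: IPs each actor has historically used (assumed to be
# built from past logs).
BASELINE_IPS = {"ci-bot": {"203.0.113.10"}, "dev-alice": {"192.0.2.44"}}


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_suspicious_clones(events, baseline_ips,
                           window=timedelta(minutes=15), repo_threshold=3):
    """Return {token_id: {"actor": ..., "reasons": set()}} for tokens whose
    clone activity is anomalous: more than `repo_threshold` distinct repos
    cloned within `window`, or any clone from an IP outside the actor's baseline."""
    clones_by_token = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone":
            clones_by_token[ev["token_id"]].append(ev)

    findings = {}
    for token_id, evs in clones_by_token.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        actor = evs[0]["actor"]
        reasons = set()

        # Reason 1: token used from an IP the actor has never used before.
        known_ips = baseline_ips.get(actor, set())
        if any(e["actor_ip"] not in known_ips for e in evs):
            reasons.add("new_ip")

        # Reason 2: sliding window over the sorted clones counting distinct repos.
        for i, start in enumerate(evs):
            t0 = _parse_ts(start["ts"])
            repos = {e["repo"] for e in evs[i:] if _parse_ts(e["ts"]) - t0 <= window}
            if len(repos) > repo_threshold:
                reasons.add("mass_clone")
                break

        if reasons:
            findings[token_id] = {"actor": actor, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for token, info in flag_suspicious_clones(SAMPLE_EVENTS, BASELINE_IPS).items():
        print(f"{token} ({info['actor']}): {', '.join(sorted(info['reasons']))}")
```

Running the block prints one line for the constructed developer token, flagged for both a new IP and mass cloning, and nothing for the CI token. The output of a check like this is a list of token IDs to revoke, which is exactly the "invalidate the compromised credentials" step the article describes; the thresholds are deliberately simple and should be tuned against an organization's real clone volume.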

The extortion attempt followed a familiar script: the attacker demanded payment in exchange for not publishing the stolen source code. Grafana says it refused, citing public guidance from the Federal Bureau of Investigation (FBI) and its own operational experience that paying a ransom doesn’t guarantee data will be returned and instead incentivizes other threat actors.


“Based on our operational experience and the published stance of the FBI, which notes that paying a ransom doesn’t guarantee you or your organization will get any data back and only offers an incentive for others to get involved in this type of illegal activity, we’ve determined the appropriate path forward is not to pay the ransom,” Grafana stated. The company said it would release more details about the attack after completing its post-incident investigation.

CoinbaseCartel’s move to list Grafana comes as the group has been escalating its profile. The extortion operation launched last September and, this year, announced more than 100 victims on its data leak portal. The gang focuses on data theft and uses the DLS to pressure victims into paying a ransom.

CoinbaseCartel also told visitors on its site that it is “behind on many leaks,” a claim that suggests additional breaches may not yet be public. Researchers have described the group as made up of ShinyHunters and Lapsus$ affiliates, with access obtained through social engineering, phishing, and compromised credentials.

Threat intelligence specialist Joe Shenouda said CoinbaseCartel deploys an in-memory tool called “shinysp1d3r” to encrypt VMware ESXi targets and disable snapshots. Last year, BleepingComputer analyzed a ShinySp1d3r Windows encryptor developed by the ShinyHunters extortion group, and at the time the threat actor said it was working on finishing encryptor versions for Linux and ESXi.

The sequence of events in Grafana’s account lines up with the extortion mechanics CoinbaseCartel is known for: stolen access through a compromised credential leads to a source code download, Grafana faces a ransom demand tied to non-publication, and the group adds Grafana to its DLS even while Grafana says no customer data or personal information was exposed and nothing has been leaked yet.

