Grafana confirms GitHub token breach, cybercrime group claims the attack

Grafana confirmed a GitHub token breach that exposed source code, but said no customer data or systems were affected.
Grafana Labs confirmed a security incident after the extortion group Coinbase Cartel listed it on a leak site and claimed data theft on May 15. The breach was triggered by a compromised token that gave attackers access to the company’s GitHub environment.
Grafana Labs is a software company best known for building open-source tools used to monitor and visualize data from IT systems, applications, and infrastructure. Its main product, Grafana, lets organizations create dashboards to track performance metrics, logs, and alerts in real time. It is widely used in cloud computing, DevOps, and cybersecurity environments to help teams understand system health and troubleshoot issues quickly.
The group Coinbase Cartel later added Grafana to its victim portal. Grafana said attackers accessed parts of its source code, but found no evidence of customer data theft, personal data exposure, or impact on customer systems or operations.
The company revoked and reset the compromised credentials and launched a forensic investigation to determine how the token was exposed, which repositories were accessed, and whether any additional systems may have been affected. Grafana promised to release more details once the investigation is complete.
Grafana Labs said it will not pay the ransom demanded by attackers to prevent publication of the stolen source code. At the time of writing, the group Coinbase Cartel had not published Grafana’s data, but reportedly issued threats warning of potential consequences if its demands were ignored.
Coinbase Cartel has been active since at least September 2025 and has claimed more than 100 victims. Unlike traditional ransomware gangs, the group focuses on stealing data and extorting companies instead of encrypting systems. This approach allows victims to remain operational while still facing serious risks tied to stolen files, credentials, and intellectual property.
Researchers have linked Coinbase Cartel to the broader ecosystem around ShinyHunters, Scattered Spider, and Lapsus$, groups known for attacks based on stolen credentials, social engineering, cloud abuse, and compromise of developer environments.
A compromised or exposed GitHub token can give attackers direct access to sensitive source code repositories, making platforms like GitHub critical targets in modern attacks. In the case of Grafana Labs, the company said no customer systems were impacted, but stolen source code can still be risky because private repositories may contain internal logic, secrets, build processes, or unreleased features that attackers can analyze for vulnerabilities or use in phishing and supply chain attacks.
The incident underscores the importance of strong token security. Access tokens should be short-lived, tightly scoped, regularly rotated, monitored, and quickly revoked if suspicious activity is detected, while repository access should be protected with phishing-resistant MFA and strict least-privilege controls.
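As an added example (not code from the article, Grafana, or GitHub), a small Python scanner that flags GitHub token formats that have leaked into CI logs or configuration and redacts them, the kind of check that feeds the monitoring and quick revocation described above. The token prefixes follow GitHub's documented formats; the sample lines and the tokens in them are constructed and fake.

```python
import re
from dataclasses import dataclass

# Token prefixes GitHub documents: ghp_ (classic PAT), gho_ (OAuth access),
# ghu_ (App user-to-server), ghs_ (App server-to-server), ghr_ (App refresh),
# and github_pat_ (fine-grained PAT, 93 characters in total).
_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])"
    r"(github_pat_[A-Za-z0-9_]{82}|gh[pousr]_[A-Za-z0-9]{36,255})"
    r"(?![A-Za-z0-9_])"
)
_KINDS = {
    "ghp_": "classic PAT", "gho_": "OAuth token", "ghu_": "App user token",
    "ghs_": "App installation token", "ghr_": "App refresh token",
    "github_pat_": "fine-grained PAT",
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # prefix plus last 4 chars: enough to correlate, never the secret

def _prefix(token: str) -> str:
    return "github_pat_" if token.startswith("github_pat_") else token[:4]

def classify(token: str) -> str:
    return _KINDS[_prefix(token)]

def redact(token: str) -> str:
    return f"{_prefix(token)}...{token[-4:]}"

def scan(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, without the token itself."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in _TOKEN_RE.finditer(line):
            findings.append(Finding(no, classify(m.group(1)), redact(m.group(1))))
    return findings

def scrub(text: str) -> str:
    """Replace every token-shaped string so the text is safe to store or share."""
    return _TOKEN_RE.sub(lambda m: redact(m.group(1)), text)

# Constructed sample (a CI log and a config fragment); both tokens are fake.
SAMPLE = "\n".join([
    "10:02:11 runner: git clone https://x-access-token:ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/acme/app",
    "10:02:12 runner: fetched 412 objects",
    "GITHUB_TOKEN=github_pat_" + "A" * 22 + "_" + "B" * 59,
    "10:02:13 runner: npm cache hit for sha-9f3a1c",  # short hex, must not match
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    print(scrub(SAMPLE))
```

Run it over exported CI logs or committed config files; any hit is a token to revoke and rotate, and the redacted form can be logged for the incident record without re-exposing the secret.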
The incident highlights how source code platforms have become prime targets for extortion groups because they sit at the heart of software development.
Pierluigi Paganini
(SecurityAffairs – hacking, security breach)

