Grafana Confirms GitHub Codebase Breach and Extortion Attempt by CoinbaseCartel
**Grafana** has confirmed a security incident involving unauthorized access to its **GitHub** environment, resulting in the theft of its codebase. The company stated that no customer data was compromised and that it refused to pay the ransom demanded by the attackers, identified as the **CoinbaseCartel**.

**Grafana** recently disclosed that an "unauthorized party" gained access to its **GitHub** environment using a compromised token, allowing them to download the company's codebase. The incident is under investigation, with **Grafana** emphasizing that customer data and personal information were not accessed.
### Incident Response and Containment
Upon discovering the unauthorized activity, **Grafana** initiated a forensic analysis. The company says it has identified and invalidated the compromised credentials and implemented additional security measures to prevent future unauthorized access.
### Extortion Attempt and FBI Guidance
Following the data theft, the attacker attempted to blackmail **Grafana**, demanding a ransom payment in exchange for preventing the publication of the stolen database. Citing guidance from the **U.S. Federal Bureau of Investigation (FBI)**, **Grafana** opted not to pay the ransom.
The **FBI** has consistently advised against paying ransoms, stating that payment does not guarantee data recovery and encourages further attacks. "It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity," the **FBI** states on its website.
### CoinbaseCartel Claims Responsibility
While **Grafana** did not initially attribute the breach to any specific group, reports from **Ransomware.live** indicate that the cybercrime group **CoinbaseCartel** has claimed responsibility for the incident.
According to details shared by **Halcyon** and **Fortinet FortiGuard Labs**, **CoinbaseCartel** is a data extortion group that emerged in September 2025. It is believed to be an offshoot of the **ShinyHunters**, **Scattered Spider**, and **LAPSUS$** ecosystems.
The group focuses exclusively on data theft and extortion, targeting victims across various sectors, including healthcare, technology, transportation, manufacturing, and business services. It has reportedly amassed approximately 170 victims.
### Impact and Affected Codebase
**Grafana** has not disclosed the specific codebase that was downloaded. **Grafana** offers solutions such as **Grafana Cloud**, a cloud-hosted observability platform.
### Parallels with Instructure Breach
This incident follows **Instructure**'s controversial decision to settle with the **ShinyHunters** extortion group after they threatened to leak terabytes of data belonging to thousands of schools and universities across the U.S.