The popular data visualization tool 'Grafana' was subjected to unauthorized access, and tokens that allowed access to the GitHub codebase were stolen.

Grafana Labs, the developer of the open-source application Grafana which enables analysis and interactive visualization, has revealed that its GitHub environment was compromised. The attackers demanded a ransom in exchange for not making the stolen data public, but Grafana Labs has stated that it will not pay the ransom.

🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)

— Grafana (@grafana) May 17, 2026

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html

Grafana is software that visualizes data collected from servers, cloud services, network devices, and other sources as graphs and dashboards. It is widely used for system monitoring, fault detection, and performance analysis, and is adopted by many companies and cloud service providers.

Grafana Labs, the company that provides Grafana, revealed in a post on X on May 17, 2026, that 'We recently discovered that an unauthorized third party obtained a token to access Grafana Labs' GitHub environment, which allows attackers to download our codebase.'

GitHub tokens can be used not only to view source code, but also, depending on the settings, to modify code, access pipelines, and obtain confidential information, making them a target in attacks aimed at development infrastructure. Grafana Labs has stated that 'our investigation has revealed no evidence that customer data or personal information was accessed during this incident, and we have not found any evidence of impact on customer systems or operations.' They also claim that they promptly initiated a forensic analysis to identify the cause of the credential breach after the attack was discovered, invalidated the compromised credentials, and implemented additional security measures, and that there are no issues with using the software.

Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations. (2/6)

— Grafana (@grafana) May 17, 2026

According to Grafana Labs, the attackers demanded a ransom to prevent the release of the stolen codebase. However, Grafana Labs stated that they decided not to pay the ransom, as the FBI's page on ransomware points out that 'the FBI does not recommend paying ransoms in response to ransomware attacks. There is no guarantee that your data will be returned even if you pay the ransom. Rather, paying only encourages this type of illegal activity and provides an incentive for more people to participate in criminal activity.'

… we've determined the appropriate path forward is to not pay the ransom.

As part of Grafana Labs' standard security practices, we will share additional information from our post-incident review when our investigations are complete. (6/6)

— Grafana (@grafana) May 17, 2026

Grafana only described the incident as 'recently' on May 17, 2026, without specifying when the attack occurred or how long the attackers had access to the system. Grafana Labs also did not provide any specific information about the attackers. Hackmanac, a platform that tracks cyberattacks, stated that the cybercrime group 'Coinbase Cartel' claimed responsibility for the incident, and cited May 15, 2026, as the observation date.

🚨Cyber Alert‼

🇺USA - 𝗚𝗿𝗮𝗳𝗮𝗻𝗮

Coinbase Cartel hacking group claims to have breached Grafana.

Threat actor: Coinbase Cartel
Sector: ICT
Data exposure (claimed): Not specified
Data type: Not specified
Observed: May 15, 2026
Status: Pending verification
ESIX©: 5.58… pic.twitter.com/SJ99iK2E3A

— Hackmanac (@H4ckmanac) May 15, 2026