Grafana Labs says attacker accessed GitHub and downloaded codebase, declines ransom
In a thread on X, the company said no customer data was accessed, it invalidated the leaked credentials, and it will publish a post-incident review.
By Ryan Merket ·
Why it matters
Source code exfiltration is a high-signal event even without customer impact. It can expose vulnerabilities and fuel downstream supply chain attempts. For operators, this is a reminder to audit GitHub tokens, rotate credentials, and monitor for unauthorized repo access.
Grafana (@grafana) disclosed that an unauthorized party used a leaked token to access the Grafana Labs GitHub environment and download its codebase, the company said in a thread on X.
Grafana Labs said its investigation has found no evidence that customer data or personal information was accessed, and no impact to customer systems or operations. The company initiated forensic analysis, believes it identified the source of the credential leak, invalidated the compromised credentials, and implemented additional security measures to prevent further unauthorized access.
The attacker attempted to blackmail the company by threatening to release the codebase. Citing the FBI's published stance that paying ransoms does not guarantee data return and can incentivize more attacks, Grafana Labs said it would not pay. The company added that it will share more details after completing its post-incident review.
The disclosure is ongoing and limited to the details provided publicly so far. Grafana Labs did not provide a timeline of the intrusion or specifics on the compromised token beyond stating it was tied to GitHub access.