Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token.

A relatively new extortion gang known as CoinbaseCartel has claimed the attack by adding Grafana to their data leak site (DLS), although no data has been leaked yet.

Grafana Labs is the company behind Grafana, the popular open-source platform for analytics, monitoring, and real-time data visualization.

Paying customers are primarily large enterprises, cloud providers, telecos, banks, governments, e-commerce platforms, and infrastructure operators. According to Grafana, more than 7,000 organizations use the product, including 70% of the Fortune 50 companies.

No payment for hackers

In an announcement over the weekend, Grafana Labs said that its investigation found no evidence that customer data or personal information was exposed during the incident. Furthermore, the company notes that customer systems remained unaffected.

The forensic analysis revealed the source of the leaked credentials. The company "invalidated the compromised credentials and implemented additional security measures" to prevent future unauthorized access.

The attacker attempted to extort the company, demanding payment in exchange for not publishing the stolen source code. However, Grafana said it chose to follow public guidance from the Federal Bureau of Investigation (FBI) and not pay the ransom, noting that doing so would only encourage other threat actors to pursue similar attacks.

“Based on our operational experience and the published stance of the FBI, which notes that paying a ransom doesn’t guarantee you or your organization will get any data back and only offers an incentive for others to get involved in this type of illegal activity, we’ve determined the appropriate path forward is not to pay the ransom,” Grafana stated.

The company said it would release more details about the attack after completing its post-incident investigation.

BleepingComputer has contacted Grafana with a request for additional details about the breach, but we have not received a response by publishing time.

CoinbaseCartel escalates activity

The CoinbaseCartel launched last September and has been quite active this year, announcing more than 100 victims on its data leak portal. The gang focuses on data theft and uses the DLS to pressure victims into paying a ransom.

The gang announced on its site that they "are behind on many leaks," indicating increased breaches that may have yet to reach the public space.

According to multiple researchers, CoinbaseCartel consists of ShinyHunters and Lapsus$ affiliates that gain access to target networks via social engineering, various forms of phishing, and compromised credentials.

Threat intelligence specialist Joe Shenouda claims that the gang also deploys an in-memory tool called “shinysp1d3r” to encrypt VMware ESXi targets and disable snapshots.

Last year, BleepingComputer analyzed a ShinySp1d3r Windows encryptor developed by the ShinyHunters extortion group. At the time, the threat actor said that they were working on finishing encryptor versions for Linux and ESXi.

After publishing this article, the ShinyHunters extortion gang told BleepingComputer that the CoinbaseCartel is not linked to their group or ransomware operation.