Grafana refuses ransom after attacker steals codebase

Grafana Labs disclosed a breach this weekend. An attacker stole their codebase and demanded a ransom — and Grafana publicly refused to pay. On May 16, 2026, Grafana announced via a 6-tweet thread that an unauthorized party obtained a token with access to its GitHub environment and used it to download the company's codebase. Per Grafana, the investigation found no customer data, no personal information, and no evidence of impact to customer systems or operations — and the investigation is still ongoing. After the attacker attempted to blackmail them, Grafana quoted the FBI's published stance on ransom payments and announced they would not pay. A post-incident review is promised when the investigation concludes. The group claiming the attack is Coinbase Cartel, a data-extortion group that emerged in September 2025 and has hit roughly 168 organizations since. They steal data and demand payment without encrypting systems. Per Bitdefender, multiple security firms have hypothesized Coinbase Cartel may be an offshoot of ShinyHunters — that connection hasn't been validated. Sources: https://www.hookphish.com/blog/ransomware-group-coinbasecartel-hits-grafana/ https://www.ransomware.live/group/coinbasecartel https://www.bitdefender.com/en-us/blog/businessinsights/coinbase-cartel-ransomware-group-extortion-tactics More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #grafana #ransomware