Grafana Labs refuses ransom after hackers steal already-open-source code
Briefly

"Grafana Labs disclosed that hackers broke into its development environment, exfiltrated a copy of its codebase, and demanded a ransom to prevent the code from being released. The company said no, and the codebase is already open source."
"The mechanics are the part that matters. Grafana’s own statement on X confirmed that the attackers obtained a stolen token credential, which gave them access to the company’s GitHub environment, which Grafana uses for code development. The token did not, on the company’s account, provide access to customer records, customer systems, or financial data. The token has since been invalidated, and additional security controls have been layered on top."
"The Hacker News reports that the root cause was a recently enabled GitHub Action containing a 'Pwn Request' misconfiguration, in which a pull_request_target workflow granted external contributors access to production CI secrets, and that the intrusion was caught by one of Grafana’s deployed canary tokens, triggering an internal alert. The attackers, identified across Register and HelpNet coverage as a data-extortion group calling itself CoinbaseCartel, framed the leverage as a release-or-pay choice."
"Grafana cited the FBI’s long-standing advice that paying ransoms doesn’t guarantee you or your organization will get any data back, and 'offers an incentive for others to get involved in this type of illegal activity'. The company’s response, in its own words: 'The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase.'"
Hackers broke into Grafana’s development environment, exfiltrated a copy of its codebase, and demanded payment to prevent release. The codebase was already open source. The attackers used a stolen token credential to access Grafana’s GitHub environment used for code development. The token did not provide access to customer records, customer systems, or financial data. The token was invalidated and additional security controls were added. Reports attribute the intrusion to a misconfigured GitHub Action, where a pull_request_target workflow granted external contributors access to production CI secrets. The intrusion was detected by canary tokens that triggered an internal alert. The attackers, identified as CoinbaseCartel, framed the demand as release-or-pay blackmail, and Grafana refused payment citing FBI advice that ransom payments do not guarantee data recovery and incentivize further crime.
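The 'Pwn Request' shape described above is concrete enough to check for. The following is an added example, not Grafana's workflow (which the coverage does not publish) and not a GitHub tool: a heuristic, regex-based Python scanner that flags a workflow when it triggers on pull_request_target (which runs with the base repository's secrets and a write-capable GITHUB_TOKEN), checks out the pull request's own head revision (so a fork's modified files land in the job), and then references secrets or runs a step that executes the checked-out code. Both workflow texts are constructed for the example; the hardened one switches to the plain pull_request trigger, which gives fork PRs no secrets and a read-only token, and declares least-privilege permissions explicitly. The regexes are the assumption here: they cover the common spellings of the pattern, not every way YAML can express it.

```python
"""Heuristic scanner for the GitHub Actions "Pwn Request" misconfiguration.

Added example, not Grafana's or GitHub's code. A workflow is flagged when it
(1) triggers on pull_request_target, (2) checks out the pull request's head
revision, and (3) references secrets or runs a step that executes the
checked-out code. The regexes are a heuristic over the workflow text.
"""
import re

# Constructed sample of the vulnerable shape: fork-controlled files are checked
# out and executed (npm lifecycle scripts, test code) with a production secret
# and the base repo's GITHUB_TOKEN in the environment.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened form: plain pull_request trigger (fork PRs get no
# secrets and a read-only token) and an explicit least-privilege permissions
# block; the checkout defaults to the merge ref without any secret in scope.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# pull_request_target as a block key, a list item, or inline on the "on:" line.
PR_TARGET_RE = re.compile(r"(?m)^\s*-?\s*pull_request_target\b|^on:.*\bpull_request_target\b")
# actions/checkout pointed at the PR head instead of the base/merge ref.
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\b"
)
# Repository secrets referenced anywhere in the workflow.
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)")
# Any shell step: it executes whatever was checked out.
RUN_STEP_RE = re.compile(r"(?m)^\s*-?\s*run:")


def scan_workflow(text):
    """Return a list of finding strings; an empty list means not flagged."""
    findings = []
    # Both preconditions must hold: the privileged trigger and the untrusted checkout.
    if not PR_TARGET_RE.search(text) or not PR_HEAD_REF_RE.search(text):
        return findings
    findings.append(
        "pull_request_target checks out the PR head: fork-controlled files run "
        "in the base repository's context"
    )
    secrets = sorted({m.group(1) for m in SECRET_REF_RE.finditer(text)})
    if secrets:
        findings.append("secrets exposed to untrusted code: " + ", ".join(secrets))
    if RUN_STEP_RE.search(text):
        findings.append("run: step executes checked-out code with the job's GITHUB_TOKEN")
    return findings


def is_pwn_request(text):
    """True when the workflow matches the Pwn Request pattern."""
    return bool(scan_workflow(text))


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "->", scan_workflow(wf) or "no findings")
```

Run it against a checkout of `.github/workflows/*.yml` to triage before a deeper review; a hit is not proof of exploitability, but pull_request_target plus a PR-head checkout is the pattern to eliminate either by moving to pull_request or by keeping pull_request_target and never checking out or executing the PR's code in that job.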
Read at TNW | Data-Security