Grafana Labs Refuses Ransom After Hackers Steal Already Open-Source Code
May 18, 2026 – 4:49 pm
The hackers exfiltrated a codebase that was already open source, then demanded payment to keep it from being released. Grafana said no, and cited the FBI’s standing advice. It is the second high-profile extortion case in seven days.
The Incident
Grafana Labs, the open-source monitoring and visualization company, disclosed on Monday that hackers had broken into its development environment, exfiltrated a copy of its codebase, and demanded a ransom to prevent the code from being released.
The company said no, and the codebase, ironically, is already open source.
Mechanics of the Attack
According to Grafana’s own statement on X, the attackers obtained a stolen token credential, which gave them access to the company’s GitHub environment used for code development. The token did not provide access to customer records, customer systems, or financial data. The token has since been invalidated, and additional security controls have been implemented.
Root Cause
The Hacker News reports that the root cause was a recently enabled GitHub Action with a ‘Pwn Request’ misconfiguration, allowing external contributors access to production CI secrets. The intrusion was caught by one of Grafana’s deployed canary tokens, triggering an internal alert.
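The article does not reproduce Grafana's workflow, so the following is an added example, not Grafana's code: a small audit for the general 'Pwn Request' pattern, in which a workflow triggered by pull_request_target checks out the pull request's head and runs it with repository secrets in reach. The sample workflows, the DEPLOY_TOKEN secret name and the audit_workflow function are constructed for illustration.

```python
import re

# Constructed sample workflows (not Grafana's): one risky, one safe.
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""
SAFE = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# The trigger as a mapping key, a list item, or inline after "on:".
TRIGGER = re.compile(r"^\s*(on:.*|-\s*)?\bpull_request_target\b", re.M)
# Expressions that resolve to the contributor's (untrusted) commit or branch.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def audit_workflow(text):
    """Return findings for the Pwn Request pattern in one workflow file."""
    if not TRIGGER.search(text):
        return []
    findings = ["trigger: pull_request_target runs with base-repo secrets"]
    if HEAD_REF.search(text):
        findings.append("checkout: PR head ref is checked out (untrusted code)")
        for name in sorted(set(SECRET.findall(text))):
            findings.append(f"secret exposed to untrusted code: {name}")
    return findings

if __name__ == "__main__":
    for label, wf in (("RISKY", RISKY), ("SAFE", SAFE)):
        print(label, audit_workflow(wf) or "no findings")
```

A text match like this is a first-pass review aid; a flagged workflow still needs a human to confirm whether untrusted code actually executes in a job that holds secrets.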
The Hackers’ Demands
The attackers, identified across Register and HelpNet coverage as a data-extortion group calling itself CoinbaseCartel (active since September 2025), framed the leverage as a release-or-pay choice.
Grafana’s response:
‘The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase.’
Grafana cited the FBI’s long-standing advice that paying ransoms doesn’t guarantee data recovery and offers an incentive for further attacks.
A Seven-Day Comparison
In a parallel incident, education-technology giant Instructure, whose Canvas learning-management platform serves 275 million users across more than 8,800 institutions, reached an agreement with hackers last week after being breached twice in successive weeks by the ShinyHunters group. While Grafana refused to pay, Instructure paid an unconfirmed amount estimated at around $10 million. Instructure received ‘digital confirmation of data destruction (shred logs)’ and assurances that customers would not be subsequently extorted, although security professionals remained skeptical.
The two cases represent contrasting approaches: Instructure paid because the stolen data was student and staff personal information, whose exposure could not be undone once published, while Grafana refused because the stolen material was code that anyone could already download for free.