Grafana says stolen credential led to code theft attempt
Grafana Labs, the company behind the widely used open source observability platform, says it was hacked after attackers used a stolen access token that granted access to its GitLab development environment. According to the company’s public statements, the compromised token did not provide access to customer records or financial information, but it did allow the attackers to obtain the company’s source code repositories.
The company says it has already invalidated the token and added additional security measures while its investigation continues. It also says it will publish more findings once that probe is complete.
Extortion attempt met with refusal
Grafana says the attacker demanded payment in exchange for not releasing the codebase. The company refused. In explaining that decision, Grafana pointed to long-standing FBI guidance that discourages victims from paying extortionists because payment does not guarantee the safe return of data or prevent later publication.
The case is unusual because Grafana’s flagship software is open source and already publicly available. That complicates the extortion claim: while attackers may have accessed repositories, the company says its main code is public by design, leaving open the question of whether any proprietary internal material was also taken.
Why this still matters for an open source company
Even when a core product is open source, a compromise of development systems is still a serious security event. Source repositories can contain far more than the code that users download. They may also include internal tooling, unreleased features, operational scripts, issue histories, and architectural details that can help attackers understand how a company builds and ships software.
That is why Grafana’s statement that customer and financial data were not accessed is important, but not sufficient to make the incident trivial. Access to engineering systems creates its own risks, especially if attackers can map internal processes or search the commit history for secrets that were committed by mistake: a secret that was later deleted from a file remains recoverable from earlier commits until the credential itself is rotated.
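The search-for-committed-secrets risk mentioned above is concrete enough to show in code. The following is an added example, not code from the original article or from Grafana; it is a small scanner over the text that git log -p produces, run here on a constructed, fake history embedded in the script (the token and key values are the documented placeholder formats, not real credentials). It flags GitLab-style glpat- tokens and AWS access key IDs by pattern, falls back to an entropy check for anything assigned to a secret-looking variable name, and then reports per secret whether a later commit removed it, which is exactly the case where the value is gone from HEAD but still sitting in history.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample in the shape of `git log -p` output. Three fake commits:
# a token is committed, then replaced with a CI variable, then AWS keys land
# in Terraform. None of these values is a live credential.
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

+++ b/ci/deploy.sh
+export GITLAB_TOKEN="glpat-AbCdEfGhIjKlMnOpQrSt"
+curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" https://gitlab.example.invalid/api/v4/projects

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

+++ b/ci/deploy.sh
-export GITLAB_TOKEN="glpat-AbCdEfGhIjKlMnOpQrSt"
+export GITLAB_TOKEN="${CI_DEPLOY_TOKEN}"

commit 3333333333333333333333333333333333333333
Author: ops <ops@example.invalid>

+++ b/terraform/main.tf
+access_key = "AKIAIOSFODNN7EXAMPLE"
+secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+region     = "us-east-1"
"""

SPECIFIC_PATTERNS = [
    # GitLab personal/project access tokens: "glpat-" prefix plus 20 token characters.
    ("gitlab-pat", re.compile(r"glpat-[A-Za-z0-9_-]{20}")),
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
]

# Fallback: a secret-looking variable name assigned a long quoted literal.
# The value (group 2) is only reported if it is high-entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(secret|token|password|passwd|api_?key|access_?key)\w*\s*[=:]\s*["']([^"']{20,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and variable names sit well below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    kind: str
    value: str
    added: bool  # True for a "+" diff line, False for a "-" line


def classify_line(content: str):
    """Return (kind, value) if a diff line carries a secret, else None."""
    for kind, pat in SPECIFIC_PATTERNS:
        m = pat.search(content)
        if m:
            return kind, m.group(0)
    m = GENERIC_ASSIGNMENT.search(content)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return "high-entropy-assignment", m.group(2)
    return None


def scan_history(log_text: str) -> list[Finding]:
    """Walk `git log -p` text, tracking the current commit and file, and report secrets on +/- lines."""
    findings: list[Finding] = []
    commit = path = "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            hit = classify_line(line[1:])
            if hit:
                kind, value = hit
                findings.append(Finding(commit, path, kind, value, line[0] == "+"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Per distinct secret: where it first appeared and whether a later commit removed it.

    "removed" only means the value is gone from the current tree. It is still in
    history (and in every clone) until the history is rewritten, and the credential
    must be rotated either way.
    """
    summary: dict = {}
    for f in findings:
        entry = summary.setdefault(
            f.value, {"kind": f.kind, "first_commit": f.commit, "path": f.path, "removed": False}
        )
        if not f.added:
            entry["removed"] = True
    return summary


if __name__ == "__main__":
    for value, info in summarize(scan_history(SAMPLE_HISTORY)).items():
        state = "removed later (still in history, rotate it)" if info["removed"] else "still present"
        print(f"{info['kind']:24} {info['path']:20} {info['first_commit'][:8]}  {state}")
```

To run it against a real repository, pipe `git log -p --all` into scan_history instead of the embedded sample; the `--all` matters because secrets often survive only on deleted branches and tags. The pattern list is deliberately short, so treat it as a starting point rather than a substitute for a maintained secret-scanning tool.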
A growing pattern in software security
The breach also reflects a broader reality in software security: stolen credentials remain one of the fastest routes into critical systems. Rather than discovering a novel flaw in a target’s product, attackers often go after the weaker point around it, such as a token, password, or access workflow that unlocks development infrastructure.
Development platforms like GitLab sit close to the center of a modern software company. They can expose code, collaboration records, release pipelines, the CI variables and deploy keys those pipelines use, and in some cases direct deployment paths. That makes them attractive targets even when the end product is itself open source.
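The control that limits damage from a stolen token is the token's own scope and lifetime, so a practitioner's first check after reading about this incident is an inventory of the tokens that can reach the development platform. The script below is an added example, not Grafana's code or anything from the article: it audits a list of GitLab personal access tokens for the properties that made this kind of theft costly. The records are a constructed sample whose field names follow GitLab's GET /api/v4/personal_access_tokens response as I recall it (verify against your GitLab version; the API never returns token values, so nothing here is secret), the broad-scope list and the 365-day and 90-day thresholds are policy choices assumed for the example, and the clock is pinned so the output is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like GitLab's personal access token listing.
# Field names are an assumption based on the REST API docs; check your version.
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-deploy", "user_id": 7, "active": True, "revoked": False,
     "scopes": ["api"], "created_at": "2023-01-10T09:00:00Z",
     "expires_at": None, "last_used_at": "2024-01-15T00:00:00Z"},
    {"id": 2, "name": "release-bot", "user_id": 9, "active": True, "revoked": False,
     "scopes": ["read_repository"], "created_at": "2024-04-01T00:00:00Z",
     "expires_at": "2024-06-30", "last_used_at": "2024-05-20T10:00:00Z"},
    {"id": 3, "name": "old-laptop", "user_id": 7, "active": True, "revoked": False,
     "scopes": ["api", "sudo"], "created_at": "2022-03-03T00:00:00Z",
     "expires_at": "2025-03-03", "last_used_at": None},
    {"id": 4, "name": "retired", "user_id": 11, "active": False, "revoked": True,
     "scopes": ["api"], "created_at": "2021-01-01T00:00:00Z",
     "expires_at": "2022-01-01", "last_used_at": "2021-12-01T00:00:00Z"},
]

# Pinned "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Policy assumptions for this example. "api" alone is full read/write to everything
# the user can see, so a stolen api-scoped token is as bad as the user's password.
BROAD_SCOPES = {"api", "sudo", "write_repository", "admin_mode"}
MAX_LIFETIME = timedelta(days=365)
STALE_AFTER = timedelta(days=90)


def parse_ts(value):
    """Parse the ISO timestamps (and bare dates) GitLab returns; None stays None."""
    if value is None:
        return None
    if "T" in value:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def audit_token(tok: dict, now: datetime = NOW) -> list[str]:
    """Return the list of hygiene problems with one token; empty list means clean."""
    issues: list[str] = []
    if tok["revoked"] or not tok["active"]:
        return issues  # already dead; nothing left to rotate
    broad = BROAD_SCOPES & set(tok["scopes"])
    if broad:
        issues.append(f"broad scopes {sorted(broad)}")
    created = parse_ts(tok["created_at"])
    expires = parse_ts(tok["expires_at"])
    if expires is None:
        issues.append("no expiry")
    elif expires - created > MAX_LIFETIME:
        issues.append(f"lifetime {(expires - created).days}d exceeds {MAX_LIFETIME.days}d")
    last_used = parse_ts(tok["last_used_at"])
    if last_used is None:
        if now - created > STALE_AFTER:
            issues.append("never used")
    elif now - last_used > STALE_AFTER:
        issues.append(f"unused for {(now - last_used).days}d")
    return issues


def audit_tokens(tokens: list[dict], now: datetime = NOW) -> dict[int, list[str]]:
    """Map token id -> issues, omitting tokens with nothing to report."""
    return {t["id"]: issues for t in tokens if (issues := audit_token(t, now))}


if __name__ == "__main__":
    for tok in SAMPLE_TOKENS:
        problems = audit_token(tok)
        if problems:
            print(f"[{tok['id']}] {tok['name']} (user {tok['user_id']}): " + "; ".join(problems))
```

To feed it real data, fetch the listing with `curl --header "PRIVATE-TOKEN: ..." https://gitlab.example/api/v4/personal_access_tokens` (listing every user's tokens requires an administrator token; a normal user sees only their own) and pass the parsed JSON to audit_tokens with the current time. The thresholds are where local policy goes: the point of the check is that an api-scoped, non-expiring token that nobody has used in months is precisely the kind of credential whose theft turns into a breach.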
Contrast with recent ransom decisions elsewhere
TechCrunch notes a contrast with the recent case involving education technology company Instructure, which reportedly reached an agreement to pay attackers after a separate compromise involving stolen data and a later website defacement. Grafana has taken the opposite position, arguing that refusal is the more defensible response.
That stance is likely to be welcomed by many security professionals, who have long argued that routine ransom payments help sustain the criminal business model behind extortion attacks. At the same time, companies that refuse to pay accept the possibility that stolen material could still be released.
What to watch next
The most important unanswered question is whether the attackers obtained anything beyond repositories tied to Grafana’s public code. The company has not yet said whether proprietary internal code, credentials, or operational documentation were exposed. Its final incident report will determine whether this was primarily an embarrassing extortion attempt or a more consequential engineering breach.
For now, the clearest facts are narrow but significant: a stolen token opened the door, source repositories were accessed, customer and financial data were not exposed according to the company, and Grafana chose not to pay.
This article is based on reporting by TechCrunch. Read the original article.
Originally published on techcrunch.com