Grafana GitHub token breach led to extortion
- Grafana Labs said on May 16 an unauthorized party obtained a GitHub token, downloaded its codebase and then tried to extort the company.
- Grafana said no customer data or personal information was accessed, and said it invalidated the compromised credentials after discovering the breach.
- Grafana said its investigation is ongoing; company updates are being posted through Grafana statements and follow-on security coverage. (thehackernews.com)
Grafana Labs said on May 16 that an unauthorized party obtained a token with access to its GitHub environment, used it to download the company's codebase and then attempted to extort the company. Grafana said it had found no evidence that customer data or personal information was accessed, and no evidence of impact to customer systems or operations. The company said it invalidated the compromised credentials and launched a forensic review after discovering the activity. (thehackernews.com)

### How did the breach start?

Grafana said the intrusion began with a stolen token tied to its GitHub environment. Security coverage citing the company said the attacker used that token to access Grafana's repositories and download code. Cybersecurity News reported Grafana traced the root cause to a recently enabled GitHub Action containing a "Pwn Request" vulnerability tied to `pull_request_target`, a workflow trigger that runs pull-request-driven jobs with the base repository's secrets and can therefore expose those secrets to code from a fork if the workflow is misconfigured. (thehackernews.com)

The attacker, according to that report, forked a Grafana repository, injected code through a curl command, dumped environment variables to an encrypted file and then deleted the fork. The same report said the attacker repeated the technique against additional private repositories after extracting privileged tokens. Grafana itself has publicly framed the core fact more narrowly: an unauthorized party obtained a token that enabled access to its GitHub environment and a download of its codebase. (cybersecuritynews.com)

### What did the attacker get, and what did Grafana say was not touched?

Grafana said the attacker downloaded its codebase. The company did not identify in its public statements which parts of the codebase were taken or whether any internal tooling beyond repository access was reached. The Hacker News reported Grafana had not said when the attacker first gained access or how long that access lasted.
Grafana said its investigation found no customer data or personal information was accessed during the incident. (cybersecuritynews.com) The company also said it had found no evidence of impact to customer systems or operations. Those points matter because the breach centered on developer infrastructure and source code access rather than a disclosed compromise of customer environments.

### Where does the extortion part come in?

Grafana said the attacker tried to blackmail the company after downloading the codebase. (thehackernews.com) Security reports said the demand was framed as payment in exchange for not publishing the stolen material. Grafana said it did not pay. The Hacker News said Grafana cited FBI guidance against paying ransoms, saying payment does not guarantee recovery and can encourage further attacks. SecurityWeek separately reported Grafana confirmed the breach after a cybercrime group claimed it had stolen data, though the public attribution remained unsettled in initial reporting. (thehackernews.com)

### Why are GitHub tokens and CI workflows such sensitive targets?

GitHub tokens can carry access to repositories, automation and release processes, depending on how broadly they are scoped. (thehackernews.com) In this case, the reporting indicates the token was valuable because it opened a path into Grafana's development environment and enabled code download. That is why CI/CD credentials are treated as high-risk secrets: they sit close to source code, build systems and release infrastructure.

Grafana has dealt with GitHub workflow security issues before. In an earlier incident review published by the company, Grafana described how a vulnerable GitHub workflow had allowed unauthorized access to tokens and said it later added controls including action scanning and credential scanning across repositories. That earlier write-up provides context for why workflow configuration has become a recurring focus in Grafana's security disclosures. (cybersecuritynews.com)

### What has Grafana done since disclosing the incident?

Grafana said it invalidated the compromised credentials immediately after identifying the breach and put additional security measures in place to block unauthorized access. Cybersecurity News reported the company also removed the vulnerable GitHub Action and disabled workflows across public repositories as part of containment.

The next concrete step is Grafana's ongoing investigation. As of the public statements and follow-up reports published May 17 through May 19, the company had not reported customer impact, had not named a threat actor in its own disclosure and had continued to say the review was focused on the scope of repository and code access. (grafana.com) (thehackernews.com)
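The `pull_request_target` pattern described above is something a repository owner can scan for, in the spirit of the action scanning Grafana said it added. The following is an added example, not code from Grafana or from any of the cited reports: two constructed workflow files (a risky shape and a hardened shape, neither of them Grafana's real configuration) and a small checker that flags the combination of that trigger, a checkout of the pull request head, and secrets in the same run.

```python
import re

# Constructed sample workflows for illustration; not Grafana's actual configuration.
# Risky shape: pull_request_target runs with the base repository's secrets, and the
# PR head is checked out, so code from a fork executes in that privileged context.
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Hardened shape: plain pull_request trigger (fork PRs run without repository
# secrets), explicit read-only permissions, default checkout of the merge ref.
SAFER_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Block-style YAML only; a flow-style trigger such as "on: [pull_request_target]" is not matched.
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_RE = re.compile(r"secrets\.\w+")


def find_pwn_request_pattern(workflow_text: str) -> list[str]:
    """Return a list of findings; an empty list means the risky combination is absent."""
    if not TRIGGER_RE.search(workflow_text):
        return []
    findings = ["trigger: pull_request_target grants base-repo secrets to PR-triggered runs"]
    if HEAD_REF_RE.search(workflow_text):
        findings.append("checkout: PR head ref is checked out, so fork code runs in that context")
    if SECRET_RE.search(workflow_text):
        findings.append("secrets: secrets.* values are passed to steps in that run")
    return findings
```

Run it over every file under `.github/workflows/` as a pre-merge check; any non-empty result is worth a manual review of whether the workflow really needs `pull_request_target`.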