Grafana Labs says hackers stole source code from GitLab
Attackers used a stolen token and demanded a ransom; even an open-source codebase can become leverage
Zack Whittaker
techcrunch.com
Grafana Labs says hackers accessed its GitLab development environment using a stolen token credential and copied repositories containing the company’s source code, according to TechCrunch. The open-source software maker said the token did not provide access to customer records or financial data, and that it has since invalidated the credential and added additional security measures. The attackers then tried to extort the company by threatening to release the codebase unless a ransom was paid, but Grafana Labs said it refused.
The incident lands in an awkward corner of modern software security: the code that runs much of the internet is often developed in public, but the systems that build and ship it are not. Grafana’s flagship product is open source and already available for anyone to download and modify, which makes the blackmail threat less straightforward than a typical “we will leak your secrets” ransomware play. But a company’s development repositories can still contain material that is not meant to be public—internal tooling, unreleased features, security notes, or credentials that were mistakenly committed—so “open source” does not automatically mean “nothing to steal.” TechCrunch notes it remains unclear whether any proprietary code or other non-public information was taken.
The breach also illustrates why token-based access has become a preferred target. A single credential can bypass many of the controls that protect a corporate network, especially when it is tied directly to the place where code is written, reviewed, and packaged. Even when customer databases are untouched, source-code access creates downstream risks: attackers can study implementation details for weaknesses, or attempt follow-on attacks against developers and build pipelines. The FBI’s standard advice not to pay ransoms, which Grafana cited, is partly about this asymmetry—payment does not buy proof of deletion, and it signals that extortion is a workable business model.
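The two risks raised above, a long-lived access token in the build environment and credentials mistakenly committed to a repository, are the kind of thing a repository secret scan catches before a token leaks. The following is an added example, not code from Grafana Labs or GitLab: it scans a constructed set of files for token-shaped values. The `glpat-` prefix is the real format of GitLab personal access tokens; the generic assignment rule, the 3.0-bit entropy threshold and the sample file contents are assumptions made for illustration.

```python
import re
from collections import Counter
from math import log2

# Detection rules. "glpat-" is the real GitLab personal-access-token prefix;
# the assignment rule is a generic shape check and is an assumption of this example.
RULES = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
    "assignment": re.compile(
        r"(?i)(token|secret|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: 0.0 for a constant string, log2(n) for n distinct equiprobable chars."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * log2(c / n) for c in Counter(value).values())

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per line that carries a token-shaped value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULES["gitlab_pat"].search(line)
        if m:
            findings.append({"path": path, "line": lineno, "rule": "gitlab_pat", "match": m.group(0)})
            continue
        m = RULES["assignment"].search(line)
        # The entropy filter drops placeholders like 'xxxxxxxx' that match the shape but carry no secret.
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append({"path": path, "line": lineno, "rule": "high_entropy_assignment", "match": m.group(2)})
    return findings

def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a {path: contents} mapping, e.g. built from `git ls-files` or from a commit diff."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]

# Constructed sample repository contents; the token is a fake with a made-up suffix.
SAMPLE_FILES = {
    ".gitlab-ci.yml": "deploy:\n  script:\n    - curl -H 'PRIVATE-TOKEN: glpat-EXAMPLE0000000000000000' https://example.invalid\n",
    "config.py": "DB_PASSWORD = 'xxxxxxxxxxxxxxxxxxxx'\nAPI_KEY = 'q7Rz2vX9kLmN4pW8sT1yB6cD3fG5hJ0a'\n",
    "README.md": "Set GITLAB_TOKEN in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        # Print only a redacted prefix so the scanner's own output does not leak the secret.
        print(f"{f['path']}:{f['line']} {f['rule']} {f['match'][:6]}...")
```

Running it flags the CI token and the high-entropy API key, and ignores both the placeholder password and the README sentence that merely mentions a token.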
TechCrunch contrasts Grafana’s stance with the recent case of education technology company Instructure, which reportedly agreed to pay hackers after its network was compromised twice in recent weeks and attackers threatened to release data about staff and students. Grafana’s case is smaller on the data-privacy axis, but it is a reminder that software supply chains can be pressured even when the immediate blast radius looks contained.
Grafana Labs says its investigation is ongoing and that it will share findings once it concludes. For now, the breach appears to have hinged on one stolen token that opened the door to the company’s code repositories.