Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom
At a glance:
- Grafana Labs confirmed hackers accessed its GitLab environment and stole source code via a stolen token
- The company refused to pay ransom to prevent release of its code, following FBI recommendations
- Unlike Instructure, which recently agreed to pay its attackers, Grafana says no customer or financial data was accessed
The Incident
Grafana Labs, the creator of the popular open source data visualization software of the same name, has confirmed a security breach in which attackers gained access to its code repositories. According to the company's social media announcements, the attackers used a stolen access token that granted entry to the company's GitLab environment, where its code is developed. The token did not grant access to customer records or financial data, but it did let the attackers download the company's source code repositories. Grafana has since revoked the compromised token and says it has added further security measures to prevent a repeat.
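The practical lesson from a stolen-token breach is that an access token in the wrong place (a shell history, a CI log, a file committed to a repository) is as good as a password. The following Python scanner is an added example, not Grafana's code or anything the company has published. It looks for the prefixes GitLab assigns to its own credential types (`glpat-` for personal access tokens, `glptt-` for pipeline trigger tokens, `glrt-` for runner tokens, `gldt-` for deploy tokens; the prefixes and the minimum 20-character body are assumptions drawn from GitLab's documentation and should be checked against your instance), reports each hit with a redacted preview, and can be wired into a pre-commit hook or log scrubber. The sample input is constructed and contains no real credentials.

```python
import re
from dataclasses import dataclass

# Assumption: GitLab prefixes its credential types so they are recognisable.
# The body length is assumed to be at least 20 URL-safe characters; tune for
# your GitLab version (newer releases may issue longer tokens).
GITLAB_TOKEN_PATTERNS = {
    "personal_access_token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "pipeline_trigger_token": re.compile(r"\bglptt-[A-Za-z0-9_-]{20,}"),
    "runner_token": re.compile(r"\bglrt-[A-Za-z0-9_-]{20,}"),
    "deploy_token": re.compile(r"\bgldt-[A-Za-z0-9_-]{20,}"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never carry the full token into a report or ticket


def redact(token: str) -> str:
    """Keep the prefix, the first four body characters and the last two."""
    prefix, _, body = token.partition("-")
    return f"{prefix}-{body[:4]}...{body[-2:]}"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITLAB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def has_gitlab_token(text: str) -> bool:
    """Boolean form suitable for a pre-commit or log-pipeline gate."""
    return bool(scan_text(text))


# Constructed sample input: fake tokens shaped like GitLab's, not real ones.
SAMPLE = """\
# constructed sample, not real credentials
export CI_TOKEN=glpat-AbCdEfGhIjKlMnOpQrStUv
curl -H "PRIVATE-TOKEN: glpat-0123456789abcdefghijkl" https://gitlab.example.com/api/v4/projects
trigger=glptt-zzzzzzzzzzzzzzzzzzzzzzzz
echo no secret here
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding.line_no}: {finding.kind} {finding.redacted}")
    if has_gitlab_token(SAMPLE):
        raise SystemExit("refusing: token-shaped strings found")
```

Run against a diff (`git diff --cached | python scan.py` with a small stdin wrapper) it blocks commits that would put a token into history; run against CI logs it flags tokens that leaked through echo or verbose curl. A hit is a reason to revoke the token, not merely to delete the line, since anything that reached a log or a commit should be treated as stolen.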
The Ransom Demand
"The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase," Grafana stated in its public communications. The company made clear that it would not comply, citing the FBI's long-standing advice that victims should not pay cybercriminals. That guidance rests on two points: paying neither guarantees the return of stolen data nor prevents the attackers from publishing it later, and ransom payments fund further attacks, perpetuating the cycle of extortion.
Open Source Implications
Grafana's software is open source and publicly available, meaning anyone can download and modify its code. That limits the leverage of a threat to publish it, since the bulk of the codebase is already public. The open question is whether the attackers obtained anything that was not public: unreleased or proprietary code, internal tooling, or secrets and configuration stored in the repositories. Grafana has not yet said whether any non-public code or other sensitive material was taken.
Contrast with Instructure
This incident contrasts sharply with the recent hack at education technology giant Instructure, which last week "reached an agreement" to pay the attackers who had compromised its network twice in recent weeks. Those attackers had demanded an unspecified ransom, threatening to release stolen data about staff and students who use Instructure's software, following a large data breach and website defacement. Instructure's situation involved customer data at risk of exposure; Grafana's, on the information released so far, concerns only the company's code and development environment.
Industry Response
The cybersecurity community has generally supported Grafana's decision not to pay the ransom. Security experts have long advocated for organizations to resist ransom demands, as doing so can help break the economic model that incentivizes cybercriminals. The FBI and other law enforcement agencies consistently advise against paying ransoms, noting that it does not guarantee the safe return of data and may encourage further attacks. Grafana's public stance aligns with these recommendations and sends a message to other organizations about the importance of maintaining this principle.
Ongoing Investigation
Grafana Labs has said its investigation into the breach is ongoing and that it will share findings once the probe concludes. It has not given a timeline, and beyond revoking the token and adding further security controls it has not described what those measures are. Organizations running Grafana will want to know how the token was stolen, exactly what was accessed, and what the company is changing to prevent a repeat.
Prepared by the editorial stack from public data and external sources.