Grafana Labs admits all its codebase are belong to someone who popped its GitHub account

from www.theregister.com - Articles on (#75PG9)
Observability outfit Grafana Labs has revealed that an attacker accessed its GitHub repository and stole its codebase. In social media posts the company blamed the situation on "an unauthorized party" who was somehow able to obtain a token that offered access to its GitHub environment. The company thinks it has identified the source of the credential leak, and therefore "invalidated the compromised credentials and implemented additional security measures to further secure our environment against unauthorized access."

But that didn't stop the attacker from threatening to release the company's code unless Grafana paid a ransom. Grafana says it won't pay. "Based on our operational experience and the published stance of the Federal Bureau of Investigation, which notes that 'paying a ransom doesn't guarantee you or your organization will get any data back' and only 'offers an incentive for others to get involved in this type of illegal activity,' we have determined the appropriate path forward is to not pay the ransom," the company wrote.

It's not clear if that stance is entirely principled, because plenty of Grafana's products are already open source. The company's posts suggest that the attacker accessed code that is not freely available. The Register has sought clarification about just what the attacker accessed, because if they lifted code that's mostly already open source there's little reason for Grafana to pay a ransom!

Grafana's decision not to pay may also be easier than it is for other victims of cybercrime because the company says it "determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations." The company therefore appears confident that whatever code the attackers downloaded won't make a material difference to its business, or harm customers.

The same couldn't be said for educationware giant Canvas, which last week paid extortionists after they claimed to have stolen data describing over 275 million students and faculty. The Register will update this story if we receive additional information from Grafana Labs. ®