Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom | TechCrunch
SearchSubmit
Site Search Toggle
Mega Menu Toggle
Topics
Latest
AI
Amazon
Apps
Biotech & Health
Climate
Cloud Computing
Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Government & Policy
Hardware
Layoffs
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
Security
Social
Space
Startups
TikTok
Transportation
Venture
More from TechCrunch
Staff
Events
Startup Battlefield
StrictlyVC
Newsletters
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
Image Credits: Zf L / Getty Images
Security
Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom
Zack Whittaker
6:42 AM PDT · May 18, 2026
Grafana Labs, the maker of its eponymous popular open source web visualization software, confirmed it had been hacked but that it refused to pay the hackers who had threatened to release the company’s codebase.
In a series of posts on social media, the lab said its investigation found that the hackers had abused a stolen token credential that allowed access to the company’s GitHub environment, which it uses for storing its source code, but the token did not allow access to customer records or financial data. The company has since invalidated the token and added additional security measures to prevent a repeat incident.
"The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase," the company said.
Grafana’s code is open source and public, meaning anyone can download the software and edit its code before running it on their own machines. It’s unclear if the hackers stole any proprietary code or information. A spokesperson for the company did not immediately return a request for comment.
The incident contrasts with the recent hack at education tech giant Instructure, which last week "reached an agreement" to pay the hackers who had compromised its network twice in recent weeks. The hackers had demanded an unspecified ransom, threatening to release stolen data about staff and students who use its software following a massive data breach and a subsequent website defacement.
While in Grafana’s case, no customer data was taken, the company cited the FBI’s long-standing advice urging victims not to pay hackers, as cooperating with them does not guarantee they will return stolen data or refrain from publishing it later. Critics also say paying cybercriminals helps to fund future cyberattacks.
Grafana said its investigation was ongoing and will share its findings once its probe concludes.
This story was updated to correct that the hackers compromised access to Grafana’s GitHub environment.
Topics
cyberattack, cybersecurity, data breach, extortion, grafana, open source, Security
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
Zack Whittaker
Security Editor
Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.
He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
View Bio
May 27
Athens, Greece
StrictlyVC Athens is up next. Hear unfiltered insights straight from Europe’s tech leaders and connect with the people shaping what’s ahead. Lock in your spot before it’s gone.
REGISTER NOW
Most Popular
Elon Musk has lost his lawsuit against Sam Altman and OpenAI
Tim Fernholz
Users turn to jailbreaking their older Kindles as Amazon ends support
Lauren Forristal
OpenAI launches ChatGPT for personal finance, will let you connect bank accounts
Ivan Mehta
US orders travelers on Air Force One to throw away gifts, pins, and burner phones after China trip
Lorenzo Franceschi-Bicchierai
OpenAI is reportedly preparing legal action against Apple; it wouldn’t be the first partner to feel burned
Connie Loizos
How to turn off Instagram’s new Instants feature and retract photos you accidentally shared
Aisha Malik
Musk’s xAI is running nearly 50 gas turbines unchecked at its Mississippi data center
Tim De Chant
Loading the next article
Error loading the next article
© 2026 TechCrunch Media LLC.