Grafana Labs confirms code theft in GitHub breach, refuses to pay ransom

Grafana Labs, the company behind the widely used open source visualization platform, has confirmed that hackers broke into its GitHub environment and stole source code. However, the firm has decided not to give in to ransom demands.

The breach came to light through a series of social media posts by the company. According to its initial investigation, attackers used a stolen access token that granted access to the GitHub repositories where Grafana’s source code is stored. Importantly, the compromised token did not provide access to customer records or financial data. The company has since revoked the token and implemented additional security measures to prevent future incidents.

Details of the Grafana Labs hack

The attackers attempted to extort Grafana Labs by demanding payment in exchange for not releasing the stolen codebase. “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase,” the company stated.

Given that Grafana’s core software is open source, much of its code is already publicly available on platforms like GitHub. It remains unclear whether the hackers managed to steal any proprietary or confidential code that is not part of the public repository. A spokesperson for Grafana Labs did not immediately respond to requests for comment.

Why the company refused to pay

This incident stands in stark contrast to a recent hack at education technology giant Instructure, which chose to negotiate with attackers. Instructure reportedly reached an agreement to pay a ransom after hackers compromised its network twice in recent weeks, threatening to release sensitive data about staff and students.

In Grafana’s case, no customer data was compromised. The company cited long-standing advice from the FBI urging victims not to pay hackers. Law enforcement agencies argue that cooperating with cybercriminals does not guarantee the return of stolen data or prevent its future publication. Critics also point out that paying ransoms effectively funds further cyberattacks.

Ongoing investigation and security lessons

Grafana Labs has stated that its investigation is ongoing and that it will share detailed findings once the probe concludes. The company has not yet disclosed how the token credential was stolen or whether any proprietary code was accessed.

This breach serves as a reminder for organizations using GitHub to safeguard their access tokens. Security experts recommend rotating tokens regularly, using minimal necessary permissions, and monitoring for unusual activity. For more on securing GitHub environments, check out our guide on GitHub security best practices.
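One way to turn the “monitor for unusual activity” advice into a concrete check, as an added example that is neither Grafana Labs’ code nor a GitHub feature: the script below reads constructed audit-log lines whose field names follow GitHub’s audit log stream (action, actor, actor_ip, @timestamp, repo, hashed_token) and flags any single token that fetches more than a few distinct repositories within ten minutes, noting fetches from outside an assumed corporate IP range. The log entries, the threshold and the IP range are all assumptions.

```python
"""Flag a GitHub access token that suddenly fetches many repositories.

Added example with constructed data: the lines below imitate the field
names of GitHub's audit log stream (action, actor, actor_ip, @timestamp,
repo, hashed_token) but are not real entries. Thresholds and the
corporate IP range are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-log lines, one JSON object per line. The CI token
# normally clones one repo from the office range; then the same token
# clones five repos in minutes from an unknown address.
SAMPLE_LOG = """
{"action":"git.clone","actor":"ci-bot","actor_ip":"203.0.113.10","@timestamp":1714000000000,"repo":"acme/web","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"203.0.113.10","@timestamp":1714000030000,"repo":"acme/web","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"198.51.100.7","@timestamp":1714003600000,"repo":"acme/web","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"198.51.100.7","@timestamp":1714003620000,"repo":"acme/billing","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"198.51.100.7","@timestamp":1714003640000,"repo":"acme/internal-tools","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"198.51.100.7","@timestamp":1714003660000,"repo":"acme/infra","hashed_token":"tok_A"}
{"action":"git.clone","actor":"ci-bot","actor_ip":"198.51.100.7","@timestamp":1714003680000,"repo":"acme/secrets-rotation","hashed_token":"tok_A"}
{"action":"git.clone","actor":"dev-alice","actor_ip":"203.0.113.22","@timestamp":1714003700000,"repo":"acme/web","hashed_token":"tok_B"}
{"action":"repo.download_zip","actor":"dev-alice","actor_ip":"203.0.113.22","@timestamp":1714003800000,"repo":"acme/docs","hashed_token":"tok_B"}
"""

KNOWN_RANGES = ("203.0.113.",)   # assumed corporate egress prefix
WINDOW = timedelta(minutes=10)    # assumed sliding window
MAX_DISTINCT_REPOS = 3            # assumed per-token threshold per window
FETCH_ACTIONS = {"git.clone", "repo.download_zip"}


def parse_events(text):
    """Parse JSON lines and attach a UTC datetime; return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_token_abuse(events):
    """Return one finding per token that fetched more than MAX_DISTINCT_REPOS
    distinct repositories inside WINDOW, listing any source IPs outside
    KNOWN_RANGES seen in that window."""
    per_token = defaultdict(list)
    for event in events:
        if event["action"] in FETCH_ACTIONS:
            per_token[event["hashed_token"]].append(event)

    findings = []
    for token, evs in per_token.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            repos = {e["repo"] for e in window}
            if len(repos) > MAX_DISTINCT_REPOS:
                unknown_ips = sorted({e["actor_ip"] for e in window
                                      if not e["actor_ip"].startswith(KNOWN_RANGES)})
                findings.append({"token": token, "actor": start["actor"],
                                 "repos": sorted(repos), "unknown_ips": unknown_ips,
                                 "first_seen": start["ts"].isoformat()})
                break  # one finding per token is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for finding in detect_token_abuse(parse_events(SAMPLE_LOG)):
        print(finding)
```

Keying on the hashed token rather than the actor is deliberate: a stolen token keeps the legitimate actor’s name, so a per-user baseline alone would not separate the attacker’s clones from the CI job’s. The finding for tok_A is the cue to revoke that one token immediately, which is the step Grafana Labs describes taking.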

As cyberattacks targeting software supply chains become more common, incident response plans should include clear policies on ransom payment. The Grafana Labs hack reinforces the principle that refusing to pay can be a viable strategy, especially when customer data is not at risk. For further reading, see our analysis of ransomware response strategies for tech companies.

Medtronic Confirms Data Breach After ShinyHunters Allegations: What We Know

The medical technology giant Medtronic has confirmed a data breach affecting its corporate IT systems. The announcement follows claims by the cybercrime group ShinyHunters that it stole millions of records from the company.

According to Medtronic, an unauthorized party gained access to certain internal systems. However, the company stressed that there has been no disruption to its products, patient safety, or overall operations. This distinction is critical for a firm that provides life-saving medical devices to hospitals worldwide.

The ShinyHunters Allegations: A Closer Look

ShinyHunters, a group known for targeting major corporations, listed Medtronic on its leak site in mid-April. The group alleged that it exfiltrated over nine million records containing personal information, alongside massive volumes of internal corporate data. They also set a deadline for ransom negotiations, threatening to publish the data if their demands were not met.

Interestingly, Medtronic was later removed from the leak site. This move often signals ongoing negotiations or other developments, though no official confirmation has been provided. Medtronic has not verified the group’s figures, stating that the investigation is still in its early stages.

Corporate Systems Breach Under Investigation

The intrusion was limited to specific corporate IT environments, according to Medtronic. Importantly, the company emphasized that hospital networks used by its customers are managed independently and were not exposed through this incident. This means that patient care and device functionality remain unaffected.

An investigation is now underway to determine whether sensitive data was accessed. If confirmed, affected individuals will be notified and offered support services. The company acted quickly after detecting the breach, activating incident response measures and bringing in external cybersecurity specialists.

What This Means for Healthcare Data Security

This incident adds to a growing number of cyber-attacks targeting large healthcare and medical technology organizations. Healthcare data security is a pressing concern, as these organizations hold vast amounts of sensitive patient information. The Medtronic data breach serves as a reminder that even industry leaders are not immune to sophisticated cyber threats.

The healthcare sector therefore needs more robust controls. Multi-factor authentication, regular security audits, and employee training all reduce the risk of similar incidents, and ransomware prevention strategies remain essential for protecting critical infrastructure.

Impact on Medtronic and Its Customers

Medtronic stated that it does not expect a material impact on its business or financial performance. However, the full implications will depend on the outcome of the ongoing investigation and any confirmed data exposure. For customers, the key takeaway is that patient safety has not been compromised.

Nevertheless, this incident could erode trust if personal data is confirmed stolen. Medtronic has a history of prioritizing security, but this breach highlights the challenges of protecting corporate systems in an increasingly hostile digital landscape. Incident response planning is crucial for minimizing damage and maintaining stakeholder confidence.

Lessons from the Medtronic Incident

This breach underscores the importance of separating corporate IT systems from operational technology. Because the intrusion stayed within corporate environments, it did not reach medical devices or the hospital networks Medtronic’s customers run, which would have been a far more serious outcome.

As a result, other healthcare organizations should review their network segmentation strategies. Additionally, they must prepare for the possibility of data leaks by having clear communication plans for affected individuals. The Medtronic data breach is a case study in how rapid response and transparency can mitigate reputational damage.

In conclusion, while the full extent of the breach remains unclear, Medtronic’s handling of the situation sets a benchmark for other companies facing similar threats. The healthcare industry must continue to invest in cybersecurity to protect both patient data and operational integrity.

NYC Health + Hospitals data breach: Hackers stole medical records and fingerprints of 1.8 million patients

A massive NYC Health + Hospitals data breach has exposed the personal and medical information of at least 1.8 million individuals, including sensitive biometric data like fingerprints. The attack, which went undetected for months, ranks among the largest healthcare-related cyber incidents this year.

NYC Health + Hospitals (NYCHHC) is the largest public health system in the United States, serving over one million New Yorkers, many of whom are uninsured or rely on state benefits like Medicaid. The breach was disclosed in a notice filed with the U.S. Department of Health and Human Services, confirming the scale of the incident.

How the NYC Health + Hospitals data breach unfolded

The healthcare system detected the cyberattack on February 2, 2026, after hackers had already infiltrated its network. According to the breach notice, unauthorized access began in November 2025 and persisted until February 2026. During this window, cybercriminals copied files from NYCHHC’s systems before the organization managed to secure its network.

The breach originated from a compromise at a third-party vendor, though NYCHHC has not named the vendor involved. This incident highlights a growing trend: attackers targeting healthcare providers through their supply chain, exploiting weaker security links.

What data was stolen in the healthcare data breach?

The exposed data varies by individual but includes a wide array of sensitive information. Stolen records contain health insurance plan details, policy numbers, medical information such as diagnoses, medications, test results, and imaging scans. Additionally, billing, claims, and payment information were compromised.

Beyond medical data, hackers also accessed government-issued identity documents, including Social Security numbers, passports, and driver’s licenses. The breach notice mentions the theft of “precise geolocation data,” suggesting that user-uploaded photos of identity documents may have revealed exact locations where they were captured.

Most alarming is the theft of biometric data, specifically fingerprints and palm prints. Unlike passwords or credit card numbers, biometric identifiers are permanent and cannot be replaced. NYCHHC did not explain why it stored this data, though prospective employees typically provide fingerprints for criminal background checks. It remains unclear if patient biometrics were also taken.

Why healthcare remains a prime target for cybercriminals

This healthcare data breach is part of a broader pattern. Healthcare organizations have become frequent targets for financially motivated hackers due to the wealth of sensitive patient information they hold. Ransomware attacks, where criminals encrypt data and demand payment, are particularly common.

The FBI’s latest annual cybercrime report covering 2025 confirms that healthcare remains a top target for ransomware attackers. These criminals often steal data before encrypting it, threatening to publish the information if ransoms are not paid.

A notable example is the ransomware attack on UnitedHealth-owned Change Healthcare, which allowed Russian-linked hackers to steal medical and billing information from over 190 million Americans. That incident is considered the largest theft of U.S. medical data in history.

Impact on patients and response efforts

For affected individuals, the consequences are severe. Stolen medical records can be used for identity theft, fraudulent insurance claims, or even blackmail. Biometric data theft is particularly concerning because fingerprints cannot be changed, leaving victims vulnerable for life.

NYCHHC’s website was briefly offline as of Monday morning, complicating communication efforts. A spokesperson did not respond to inquiries about why the breach took months to detect or whether hackers demanded a ransom. The incident appears unrelated to a separate data breach at the National Association on Drug Abuse Problems (NADAP), which affected over 5,000 NYCHHC patients earlier this year.

Patients are advised to monitor their accounts for suspicious activity and consider placing fraud alerts on their credit reports. For more guidance, read our article on protecting your identity after a data breach. Additionally, learn about healthcare data security best practices for organizations.

What NYCHHC patients should do now

If you are a NYCHHC patient, take immediate steps to safeguard your information. Check your health insurance statements for unauthorized claims. Review your credit reports from the three major bureaus: Equifax, Experian, and TransUnion. Consider freezing your credit to prevent new accounts from being opened in your name.

Be cautious of phishing attempts as well. Hackers may use stolen data to craft convincing emails or phone calls. Never share personal information unless you are certain of the recipient’s identity.

The NYC Health + Hospitals data breach serves as a stark reminder of the vulnerabilities in healthcare systems. As cyber threats evolve, both providers and patients must remain vigilant to protect sensitive data.

BlackFile Extortion Group Strikes Retail and Hospitality with Vishing Attacks

A newly identified extortion group, known as BlackFile, has been systematically targeting retail and hospitality businesses since February 2026. Security researchers from Palo Alto Networks Unit 42, in collaboration with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), published a detailed report on April 23. The report, titled Extortion in the Enterprise: Defending Against BlackFile Attacks, sheds light on the group’s financially motivated tactics.

This activity cluster, designated CL-CRI-1116, overlaps with publicly known threats like UNC6671 and Cordial Spider. Experts believe it is linked to the notorious collective “The Com.” Unlike many cybercriminal groups, BlackFile avoids custom malware. Instead, it relies on living off the land by misusing APIs and legitimate internal resources.

How BlackFile Uses Vishing to Breach Defenses

BlackFile’s primary entry point is through vishing attacks—voice phishing that impersonates an IT helpdesk. Attackers use spoofed VoIP numbers or fraudulent Caller ID names to hide their identity. Their goal is credential theft, often targeting one-time passwords.

To achieve this, they deploy phishing pages that mimic legitimate corporate single sign-on portals. Additionally, they employ antidetect browsers and residential proxies to mask their geographic location. This helps them bypass basic IP-based reputation filters, making detection harder.

Credential Theft and MFA Bypass

Once they steal a user’s credentials, BlackFile registers a new device to bypass multi-factor authentication (MFA). This step ensures persistent access. From there, they move laterally from standard employee accounts to high-privileged accounts. They scrape internal employee directories to build contact lists for executives.

By compromising senior accounts through further social engineering, they gain broad-spectrum access. This access mirrors legitimate executive session activity, making it difficult to flag as malicious.

Data Exfiltration and Extortion Tactics

Inside the victim’s network, BlackFile focuses on SaaS data discovery and API abuse. They scrape SharePoint sites, searching for keywords like “confidential” and “SSN.” They also target Salesforce for high-value files and reports.

Data exfiltration happens directly through the browser or via API exports. By leveraging Salesforce API access and standard SharePoint download functions, they move large volumes of data—including CSV datasets of employee phone numbers and confidential business reports—to attacker-controlled infrastructure. This activity often occurs under legitimate SSO-authenticated sessions to avoid triggering simple user-agent alerts.
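The two steps above, a freshly registered MFA device followed by bulk downloads and report exports under an otherwise valid SSO session, are exactly what a user-agent or IP filter misses and a correlation rule catches. The script below is an added example, not code from Unit 42, RH-ISAC or the report: it runs over constructed, simplified records whose operation names borrow from Microsoft 365 (Add registered device, FileDownloaded) and Salesforce event monitoring (ReportExport), and flags any user who, within a day of enrolling a device, exceeds a download threshold or touches an object whose name matches the keywords the group is described as searching for. The records, thresholds and keyword list are all assumptions.

```python
"""Correlate a newly registered MFA device with a burst of SaaS downloads.

Added example with constructed, simplified records: operation names borrow
from Microsoft 365 (Add registered device, FileDownloaded) and Salesforce
event monitoring (ReportExport), but no record here is real. Thresholds and
the keyword list are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SENSITIVE = re.compile(r"confidential|ssn|social.?security|payroll", re.I)
LOOKBACK = timedelta(hours=24)   # window after device registration (assumed)
MAX_DOWNLOADS = 20               # assumed per-user burst threshold
DOWNLOAD_OPS = {"FileDownloaded", "ReportExport"}

# Constructed records: (timestamp, user, operation, object, client_ip).
# j.doe enrolls a new device, then pulls HR and finance files and an
# employee phone-number report; k.lee is ordinary activity.
SAMPLE_EVENTS = [
    ("2026-03-02T09:00:00Z", "j.doe", "Add registered device", "iPhone-new", "198.51.100.9"),
    ("2026-03-02T09:05:00Z", "j.doe", "FileDownloaded", "HR/Confidential_Payroll_2025.xlsx", "198.51.100.9"),
    ("2026-03-02T09:06:00Z", "j.doe", "FileDownloaded", "Finance/Q4_board_report.pdf", "198.51.100.9"),
    ("2026-03-02T09:40:00Z", "j.doe", "ReportExport", "All_Employees_Phone_Numbers", "198.51.100.9"),
    ("2026-03-02T10:00:00Z", "k.lee", "FileDownloaded", "Marketing/brand_guide.pdf", "203.0.113.5"),
]
# Pad j.doe with a burst of ordinary-looking downloads from the same session.
SAMPLE_EVENTS += [
    (f"2026-03-02T09:{10 + i:02d}:00Z", "j.doe", "FileDownloaded", f"Shared/doc_{i}.docx", "198.51.100.9")
    for i in range(25)
]


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_post_enrollment_exfil(events):
    """Return one finding per device registration after which the same user,
    within LOOKBACK, either exceeded MAX_DOWNLOADS downloads/exports or
    touched an object whose name matches SENSITIVE."""
    by_user = defaultdict(list)
    for stamp, user, op, obj, ip in events:
        by_user[user].append((_ts(stamp), op, obj, ip))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        registrations = [t for t, op, _, _ in evs if op == "Add registered device"]
        for reg_t in registrations:
            after = [(t, op, obj, ip) for t, op, obj, ip in evs
                     if op in DOWNLOAD_OPS and reg_t <= t <= reg_t + LOOKBACK]
            sensitive = [obj for _, _, obj, _ in after if SENSITIVE.search(obj)]
            if len(after) > MAX_DOWNLOADS or sensitive:
                findings.append({
                    "user": user,
                    "device_registered": reg_t.isoformat(),
                    "downloads": len(after),
                    "sensitive_objects": sensitive,
                    "ips": sorted({ip for *_, ip in after}),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_post_enrollment_exfil(SAMPLE_EVENTS):
        print(finding)
```

The registration event is the anchor because it is the one step in the chain the attacker cannot skip once they hold only a password and a phished one-time code; everything after it looks like the real user. A real deployment would feed this from the tenant’s audit export and tune MAX_DOWNLOADS against each role’s normal volume rather than a single constant.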

After exfiltration, the group extorts victims via throwaway Gmail addresses or compromised employee email accounts. They typically demand a seven-figure sum. In some cases, they resort to swatting C-suite executives to pressure payment.

Defending Against BlackFile Attacks

To mitigate these threats, organizations should focus on security policies and multi-factor identity verification for callers. Protocols around what information can be shared during calls are crucial. IT support actions should require escalation to management for sensitive requests.

Furthermore, security awareness training for frontline phone staff can be effective. Simulation-based scenarios help staff identify signs of social engineering, such as vague answers and high-pressure requests for immediate action. For more insights, check out our guide on cybersecurity best practices or learn about anti-phishing tools.

As a result, retail and hospitality businesses must stay vigilant. The BlackFile extortion group demonstrates how simple social engineering can lead to massive data breaches and financial loss. Proactive defense is the best countermeasure.
