Quote: “ The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”
>We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.
I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase" ?
you can't just drop in buzzwords willy nilly, they buzz better in the right places.
I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If latter, wonder what they missed since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.
I was recently considering an engineering job offer at Grafana. At the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools; even though everyone can imagine how it looks like).
Looks like they could have invested more energy in the processes and security rather than catching up "innovation" craze that much
11 comments
[ 2.0 ms ] story [ 28.4 ms ] threadhttps://github.com/grafana/grafana
/s
I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase" ?
you can't just drop in buzzwords willy nilly, they buzz better in the right places.
[1] https://youtu.be/4D068lS85NY
So many companies internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.
Critical vulnerability in that source code could enable further access to other production systems or databases.
Edit: typo
Looks like they could have invested more energy in the processes and security rather than catching up "innovation" craze that much
"We recently discovered.." then later "..The attacker attempted to blackmail us"
So, I'd wager they had no idea of the breach until the attacker tried to blackmail them.