- I was recently considering an engineering job offer at Grafana. In the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools, even though everyone can imagine what it looks like.)
Looks like they could have invested more energy in the processes and security rather than catching up with the "innovation" craze that much.
by londons_explore
4 subcomments
- Is there anything of value in the internal codebase?
So many companies' internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.
- Quite funny how they phrase this.
"We recently discovered.." then later "..The attacker attempted to blackmail us"
So, I'd wager they had no idea of the breach until the attacker tried to blackmail them.
by dijksterhuis
0 subcomment
- non-twitter link https://xcancel.com/grafana/status/2055827123236171827#m
- Quote: “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”
- "Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)
by sangeeth96
0 subcomment
- I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If latter, wonder what they missed since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.
[1] https://youtu.be/4D068lS85NY
by iririririr
0 subcomment
- aren't they just psql tho? well, i guess we will find out soon.
by anotherhue
2 subcomments
- Their whole repo had been made public !!!!
https://github.com/grafana/grafana
/s
- >We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.
I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase"?
You can't just drop in buzzwords willy-nilly; they buzz better in the right places.