Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom


Grafana Labs, the maker of the eponymous popular open source web visualization software, confirmed it had been hacked but said it refused to pay the hackers who had threatened to release the company’s codebase.

In a series of posts on social media, the lab said its investigation found that the hackers had abused a stolen token credential that allowed access to the company’s GitHub environment, which it uses for storing its source code, but the token did not allow access to customer records or financial data.

The company has since invalidated the token and added additional security measures to prevent a repeat incident. “The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase,” the company said.

Grafana’s code is open source and public, meaning anyone can download the software and edit its code before running it on their own machines. It’s unclear if the hackers stole any proprietary code or information. A spokesperson for the company did not immediately return a request for comment.

The incident contrasts with the recent hack at education tech giant Instructure, which last week “reached an agreement” to pay the hackers who had compromised its network twice in recent weeks. The hackers had demanded an unspecified ransom, threatening to release stolen data about staff and students who use its software following a massive data breach and a subsequent website defacement.

While no customer data was taken in Grafana’s case, the company cited the FBI’s long-standing advice urging victims not to pay hackers, as cooperating with them does not guarantee they will return stolen data or refrain from publishing it later. Critics also say paying cybercriminals helps to fund future cyberattacks.

Grafana said its investigation was ongoing and that it will share its findings once the probe concludes. This story was updated to correct that the hackers compromised access to Grafana’s GitHub environment.