The situation: What's reported and confirmed
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. The majority of those attacks targeted Snowflake environments.
Snowflake confirmed "unusual activity" in a small number of customer accounts linked to a specific third-party integration. Following the discovery, Snowflake launched an investigation, locked down potentially impacted accounts, and notified customers. Snowflake's stated position is that the incident was not the result of a vulnerability or compromise within its own systems.
Snowflake subsequently confirmed to BleepingComputer that the attacks stem from a security incident at Anodot, an AI-based analytics company acquired by Glassbox in November 2025. Anodot's status page has shown all connectors down across all geographic regions since the incident, affecting Snowflake, S3, and Amazon Kinesis integrations. Anodot and Glassbox have not responded publicly.
ShinyHunters confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from dozens of companies using authentication tokens from Anodot. The group also hinted they may have had access to Anodot for some time before acting.
Rockstar Games confirmed as first named victim
On April 13, ShinyHunters published what they claim is Rockstar Games data on their extortion site, stating: "Your Snowflake instances metrics data was compromised thanks to Anodot.com."
Rockstar confirmed the breach to Kotaku, stating that "a limited amount of non-material company information was accessed in connection with a third-party data breach," adding that the incident has no impact on their organization or players.
According to ShinyHunters, the leaked dataset contains more than 78.6 million records. The threat actors told BleepingComputer the data primarily consists of internal analytics used to monitor Rockstar's online services, including in-game revenue and purchase metrics, player behavior tracking, and game economy data for Grand Theft Auto Online and Red Dead Online. The dataset also appears to contain customer support analytics from Rockstar's Zendesk instance, along with references to fraud detection systems and anti-cheat model testing.
Rockstar's characterization of the data as "non-material" is notable. The exposed records are operational and behavioral analytics, not credentials or player PII. Whether that framing holds under scrutiny will depend on how regulators and affected parties assess the sensitivity of that data in aggregate.
Of the other alleged victims, only Payoneer has confirmed awareness of the Anodot incident, stating it was not impacted. Google's Threat Intelligence Group is tracking the situation but has not shared further detail.
Why this attack path matters to defenders
If the access path relies on stolen tokens, this is an integration-layer incident, not a product exploit. That distinction matters for how you scope your response.
Authentication tokens and non-human identities (NHIs) are designed to be persistent and automated. Once compromised, they are difficult to distinguish from legitimate activity, which makes them an efficient, repeatable attack path.
Vorlon's Agentic Ecosystem Security Gap: 2026 CISO Report found that 87% of surveyed CISOs cannot see sensitive data flows across their applications, and 27.4% reported experiencing breaches via compromised OAuth tokens or API keys. The gap isn't theoretical: it shows up in incidents like this one.
The plausible attack chain
Based on reported and confirmed information, the simplest evidence-aligned model of the attack is:
- Initial access: Compromise of Anodot, a third-party SaaS integration provider.
- Credential harvesting: Theft of legitimate downstream authentication tokens.
- Lateral movement: Attempts to access customer environments using those tokens, confirmed mostly against Snowflake, with blocked attempts against Salesforce.
- Impact: Downstream data theft across dozens of companies, followed by extortion pressure and, in Rockstar's case, public data publication after ransom refusal or non-response.
The blocked attempts against Salesforce, which ShinyHunters attributed to AI detection, illustrate how a single integration foothold can expand into multi-system exposure quickly. The Rockstar publication shows the escalation path when victims don't pay: data goes public.
Immediate steps
Treat this as a prompt for a blast-radius exercise on your integrations and non-human identities.
Audit your ecosystem. Inventory all third-party integrations connected to Snowflake and other sensitive data stores. Document the specific identities they run as and their effective permissions.
Enforce least privilege. Rotate or revoke secrets for any high-privilege, uncertain, or dormant connectors. Reduce overly broad roles to strict least-privilege access.
Hunt for anomalies. Look for abnormal data access behavior tied to integration identities: new IP addresses, off-hours activity, sudden query spikes, access to unusual warehouses or objects, large data exports.
Preserve your logs. Retention gaps can erase the forensic evidence needed to validate scope and timeline. Lock down your logs early.
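The audit and hunt steps above, carried through as a worked example. This script is added here and is not part of the original post, Vorlon's product, or Snowflake's tooling. Record field names are modeled on columns of Snowflake's ACCOUNT_USAGE views (USERS, GRANTS_TO_USERS, QUERY_HISTORY, with CLIENT_IP assumed joined in from LOGIN_HISTORY); the user names, IPs, warehouses and every row are constructed sample data, and the HIGH_PRIVILEGE_ROLES set, the 90-day dormancy cutoff and the 3x/10x anomaly factors are assumptions to tune for your own account.

```python
"""Blast-radius triage for Snowflake integration identities.
Added example, not Vorlon's or Snowflake's code. Field names are modeled on
Snowflake ACCOUNT_USAGE view columns (assumption); all rows are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: roles treated as high-privilege for a connector (tune per account).
HIGH_PRIVILEGE_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN"}

# --- Step 1 (audit, least privilege): which connectors exist, what can they do, are they alive? ---
USERS = [  # constructed; modeled on ACCOUNT_USAGE.USERS
    {"NAME": "ANODOT_SVC", "TYPE": "SERVICE", "LAST_SUCCESS_LOGIN": datetime(2026, 4, 6, 3, 0)},
    {"NAME": "ETL_SVC", "TYPE": "SERVICE", "LAST_SUCCESS_LOGIN": datetime(2026, 4, 6, 2, 0)},
    {"NAME": "OLD_BI_SVC", "TYPE": "LEGACY_SERVICE", "LAST_SUCCESS_LOGIN": datetime(2025, 11, 2, 8, 0)},
]
GRANTS_TO_USERS = [  # constructed; modeled on ACCOUNT_USAGE.GRANTS_TO_USERS
    {"ROLE": "METRICS_READER", "GRANTEE_NAME": "ANODOT_SVC"},
    {"ROLE": "SYSADMIN", "GRANTEE_NAME": "ANODOT_SVC"},
    {"ROLE": "LOADER", "GRANTEE_NAME": "ETL_SVC"},
    {"ROLE": "ACCOUNTADMIN", "GRANTEE_NAME": "OLD_BI_SVC"},
]

def triage_identities(users, grants, now, dormant_days=90):
    """Per service identity: its roles, whether any is high-privilege, whether it is dormant."""
    roles = defaultdict(set)
    for g in grants:
        roles[g["GRANTEE_NAME"]].add(g["ROLE"])
    out = {}
    for u in users:
        if u["TYPE"] not in {"SERVICE", "LEGACY_SERVICE"}:  # non-human identities only
            continue
        r = roles[u["NAME"]]
        out[u["NAME"]] = {"roles": sorted(r),
                          "high_privilege": bool(r & HIGH_PRIVILEGE_ROLES),
                          "dormant": (now - u["LAST_SUCCESS_LOGIN"]).days > dormant_days}
    return out

# --- Step 2 (hunt): baseline each identity's normal behaviour, then flag deviations ---
def _q(user, ts, ip, warehouse, qtype="SELECT", result_bytes=1_500_000):
    return {"USER_NAME": user, "START_TIME": ts, "CLIENT_IP": ip, "WAREHOUSE_NAME": warehouse,
            "QUERY_TYPE": qtype, "BYTES_WRITTEN_TO_RESULT": result_bytes}

def constructed_query_history():
    """Five quiet days, then a sixth day on which the integration's token is misused."""
    d0, rows = datetime(2026, 4, 1), []
    for d in range(6):  # routine: hourly polling 09:00-17:00 from one IP on one warehouse
        for h in range(9, 18):
            rows.append(_q("ANODOT_SVC", d0 + timedelta(days=d, hours=h), "203.0.113.10", "METRICS_WH"))
        rows.append(_q("ETL_SVC", d0 + timedelta(days=d, hours=2), "203.0.113.20", "LOAD_WH"))
    abuse = d0 + timedelta(days=5)  # day six: new IP, 03:00, different warehouse, bulk unload
    for m in range(30):
        rows.append(_q("ANODOT_SVC", abuse + timedelta(hours=3, minutes=m), "198.51.100.77", "ANALYTICS_WH"))
    rows.append(_q("ANODOT_SVC", abuse + timedelta(hours=4), "198.51.100.77", "ANALYTICS_WH",
                   "UNLOAD", 6_000_000_000))
    return rows

def build_baseline(rows, window_start):
    """Summarise each identity's behaviour before window_start."""
    stats = defaultdict(lambda: {"ips": set(), "hours": set(), "warehouses": set(),
                                 "query_types": set(), "max_bytes": 0, "days": set(), "count": 0})
    for r in rows:
        if r["START_TIME"] >= window_start:
            continue
        s = stats[r["USER_NAME"]]
        s["ips"].add(r["CLIENT_IP"]); s["hours"].add(r["START_TIME"].hour)
        s["warehouses"].add(r["WAREHOUSE_NAME"]); s["query_types"].add(r["QUERY_TYPE"])
        s["max_bytes"] = max(s["max_bytes"], r["BYTES_WRITTEN_TO_RESULT"])
        s["days"].add(r["START_TIME"].date()); s["count"] += 1
    for s in stats.values():
        s["daily_avg"] = s["count"] / len(s["days"])
    return dict(stats)

def hunt(rows, baseline, window_start, spike_factor=3.0, export_factor=10.0):
    """Flag per identity: new IPs, off-hours use, unusual warehouses, large exports, query spikes."""
    findings, per_day = defaultdict(lambda: defaultdict(set)), Counter()
    for r in rows:
        if r["START_TIME"] < window_start:
            continue
        user, b = r["USER_NAME"], baseline.get(r["USER_NAME"])
        if b is None:  # identity with no history at all: triage it by hand
            findings[user]["no_baseline"].add(r["CLIENT_IP"]); continue
        if r["CLIENT_IP"] not in b["ips"]:
            findings[user]["new_ip"].add(r["CLIENT_IP"])
        if r["START_TIME"].hour not in b["hours"]:
            findings[user]["off_hours"].add(f"{r['START_TIME'].hour:02d}:00")
        if r["WAREHOUSE_NAME"] not in b["warehouses"]:
            findings[user]["unusual_warehouse"].add(r["WAREHOUSE_NAME"])
        if r["QUERY_TYPE"] not in b["query_types"] or r["BYTES_WRITTEN_TO_RESULT"] > export_factor * b["max_bytes"]:
            findings[user]["large_export"].add(f"{r['QUERY_TYPE']} {r['BYTES_WRITTEN_TO_RESULT']} bytes")
        per_day[(user, r["START_TIME"].date())] += 1
    for (user, day), n in per_day.items():
        avg = baseline[user]["daily_avg"]
        if n > spike_factor * avg:
            findings[user]["query_spike"].add(f"{day}: {n} queries vs baseline avg {avg:.1f}")
    return {u: {k: sorted(v) for k, v in f.items()} for u, f in findings.items()}

if __name__ == "__main__":
    window = datetime(2026, 4, 6)
    print(triage_identities(USERS, GRANTS_TO_USERS, now=datetime(2026, 4, 7)))
    history = constructed_query_history()
    print(hunt(history, build_baseline(history, window), window))
```

On the sample data the triage flags ANODOT_SVC as high-privilege (it holds SYSADMIN alongside the reader role it actually needs) and OLD_BI_SVC as both dormant and ACCOUNTADMIN, which is exactly the "rotate or revoke" shortlist; the hunt then attributes five separate deviations to ANODOT_SVC on the sixth day while ETL_SVC, whose 02:00 runs are part of its own baseline, produces nothing. The per-identity baseline is the point: integration accounts are supposed to be boringly regular, so a single new IP or warehouse is a far stronger signal for them than for a human user. In a real account the rows come from the ACCOUNT_USAGE views, which are not real time and whose retention is finite, so copy the relevant history out before it ages off.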
How Vorlon helps
Vorlon ingests API telemetry out-of-band and maps which third-party integrations and non-human identities have access to your sensitive data. It establishes behavioral baselines to surface abnormal integration activity consistent with token misuse, enabling targeted containment. Security teams can revoke or block a specific access path without broad disruption to operations.