Apr 12, 2026
One Breached SaaS Tool Gave Hackers Access to Dozens of Snowflake Accounts—Including Rockstar Games
ShinyHunters compromised Anodot, an AI analytics platform, and extracted authentication tokens that unlocked customer Snowflake environments across multiple organizations.
What Happened
Over a dozen companies suffered data theft attacks in early April 2026 after the ShinyHunters extortion group breached Anodot, a SaaS analytics platform that integrates with cloud data warehouses. The attackers extracted authentication tokens from Anodot's systems, then used those tokens to access Snowflake environments belonging to Anodot's customers.
Snowflake confirmed on April 9 that Anodot was the third-party integration platform behind the incident. The company said a "small number of Snowflake customer accounts" were impacted and that it had immediately locked potentially affected accounts.
How the Attack Worked
Anodot is an AI-powered anomaly detection platform that connects to cloud data warehouses like Snowflake to monitor business metrics in real time. To do that, it needs persistent access tokens that authenticate its connections to customer environments.
The attackers compromised Anodot and extracted these tokens. Because the tokens functioned as trusted credentials between services, they granted direct access to connected Snowflake accounts without exploiting any vulnerability in Snowflake itself. Once inside a customer's Snowflake environment, the attackers performed standard database operations to query and exfiltrate data. These operations looked like normal Anodot activity, which delayed detection.
By Saturday morning after the breach, Anodot's status page showed all connectors down across every geographic region, with the company warning of issues "collecting data, and detecting and dispatching anomaly type alerts." Glassbox, which acquired Anodot in November 2025, has not publicly detailed how the initial compromise occurred.
Who Was Affected
ShinyHunters claimed to have stolen data from "dozens of companies" through the Anodot breach. On April 11, the group specifically named Rockstar Games, posting: "Rockstar Games! Your Snowflake instances were compromised thanks to Anodot.com. Pay or leak." They set an April 14 deadline for ransom payment.
ShinyHunters also claimed to have attempted access to Salesforce connected entities, reportedly affecting over 400 companies, though they said Salesforce's AI detection systems blocked the attempt. That claim proved premature: the group later breached McGraw-Hill through a Salesforce misconfiguration, threatening to leak 45 million records. The group has confirmed data releases from 26 organizations to date as part of this campaign.
Snowflake emphasized that its own systems were not compromised. The weakness lay entirely in the third-party integration layer, not in Snowflake's infrastructure.
Why Third Party SaaS Breaches Keep Happening
This attack follows a pattern that has become disturbingly common. Rather than targeting well-defended primary systems directly, attackers go after the smaller SaaS tools that connect to them. These integration platforms often hold authentication tokens with broad access, making them high-value, lower-resistance targets.
ShinyHunters has refined this approach. The group was behind the recent TELUS Digital breach, where they stole 1 petabyte of data using credentials from a completely separate compromise. They also hit the Infinite Campus student platform and the European Commission's cloud environment.
The core problem is that every SaaS integration creates a trust chain. When one link in that chain is compromised, every system connected to it becomes accessible. And because these integrations use persistent tokens rather than session-based authentication, a single breach can provide access that lasts until the tokens are manually rotated.
What Organizations Should Do
- Audit third-party integrations. Inventory every SaaS tool that holds credentials or tokens to your cloud data warehouse. Know what each integration can access and whether those permissions are scoped to the minimum necessary.
- Rotate tokens immediately. If your organization uses Anodot or any analytics platform that connects to Snowflake, rotate all associated credentials now, even if you have not been notified of impact.
- Monitor for unusual query patterns. Legitimate analytics integrations generate predictable query patterns. Sudden bulk exports or queries against tables the integration does not normally access should trigger alerts.
- Require multi-factor authentication on data warehouses. Token-based access should be supplemented with additional authentication factors, especially for integrations that have broad read access.
- Review vendor acquisition history. Glassbox acquired Anodot in November 2025. Acquisitions often introduce security gaps during integration. If a critical vendor has recently changed ownership, reassess their security posture.
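The "monitor for unusual query patterns" recommendation above is the one that would have shortened the window in this incident, since the stolen tokens made the attackers' queries indistinguishable from Anodot's by identity alone. The script below is an added example written for this article; it is not code from Anodot, Snowflake or the original post. It builds a baseline for a hypothetical integration service user (the user name, table names and thresholds are all assumptions) and flags query-history rows that deviate from it: queries touching tables the integration never reads, result sets far larger than its normal pulls, and stage export or download statements. The record layout is modelled loosely on Snowflake's query history, but the rows are constructed here and the column set is an assumption.

```python
"""
Baseline-deviation detection for an analytics integration's service user.

Added example for this article. Records are constructed and loosely modelled
on a warehouse query-history view; the user name, table names and thresholds
below are assumptions, not values from the incident.
"""
import re
from dataclasses import dataclass

# Hypothetical service user the integration authenticates as.
SERVICE_USER = "ANODOT_SVC"

# Tables the integration touched during a quiet baseline period (assumed:
# learned from 30 days of query history, fully qualified as DB.SCHEMA.TABLE).
BASELINE_TABLES = {"METRICS.PUBLIC.DAILY_KPIS", "METRICS.PUBLIC.EVENT_COUNTS"}

# Largest result the integration normally pulls, and the bulk-export cutoff
# derived from it (an order of magnitude above the baseline maximum).
BASELINE_MAX_ROWS = 50_000
BULK_ROW_THRESHOLD = 10 * BASELINE_MAX_ROWS

# Fully qualified table references after FROM/JOIN.
TABLE_RE = re.compile(
    r"\b(?:FROM|JOIN)\s+([A-Z0-9_]+\.[A-Z0-9_]+\.[A-Z0-9_]+)", re.I)
# Statements that move data to, or fetch it from, a stage rather than returning
# a normal result set (COPY INTO @stage / GET @stage).
EXPORT_RE = re.compile(r"^\s*(?:COPY\s+INTO\s+@|GET\s+@)", re.I)


@dataclass
class QueryRecord:
    query_id: str
    user_name: str
    query_text: str
    rows_produced: int
    start_time: str


@dataclass
class Finding:
    query_id: str
    reasons: list


def referenced_tables(sql: str) -> set:
    """Return the upper-cased fully qualified tables a statement reads from."""
    return {m.upper() for m in TABLE_RE.findall(sql)}


def analyze(records, service_user, baseline_tables, bulk_threshold):
    """Return one Finding per service-user query that departs from baseline."""
    findings = []
    for rec in records:
        if rec.user_name != service_user:
            continue  # only the integration's own identity is in scope here
        reasons = []
        unknown = referenced_tables(rec.query_text) - baseline_tables
        if unknown:
            reasons.append("tables outside baseline: " + ", ".join(sorted(unknown)))
        if rec.rows_produced > bulk_threshold:
            reasons.append(f"bulk result: {rec.rows_produced} rows")
        if EXPORT_RE.search(rec.query_text):
            reasons.append("stage export/download statement")
        if reasons:
            findings.append(Finding(rec.query_id, reasons))
    return findings


# Constructed sample rows: two routine metric pulls, two deviations, and one
# unrelated human user whose activity this check ignores.
SAMPLE_RECORDS = [
    QueryRecord("q1", SERVICE_USER,
                "SELECT day, SUM(value) FROM METRICS.PUBLIC.DAILY_KPIS "
                "WHERE day >= CURRENT_DATE - 1 GROUP BY day", 1_440, "2026-04-04T02:00Z"),
    QueryRecord("q2", SERVICE_USER,
                "SELECT event, cnt FROM METRICS.PUBLIC.EVENT_COUNTS", 20_000, "2026-04-04T02:05Z"),
    QueryRecord("q3", SERVICE_USER,
                "SELECT * FROM CRM.PUBLIC.CUSTOMERS", 3_200_000, "2026-04-04T03:17Z"),
    QueryRecord("q4", SERVICE_USER,
                "COPY INTO @~/export FROM HR.PUBLIC.EMPLOYEES", 85_000, "2026-04-04T03:21Z"),
    QueryRecord("q5", "ANALYST_JANE",
                "SELECT * FROM CRM.PUBLIC.CUSTOMERS LIMIT 10", 10, "2026-04-04T09:00Z"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS, SERVICE_USER, BASELINE_TABLES, BULK_ROW_THRESHOLD):
        print(f.query_id, "->", "; ".join(f.reasons))
```

The baseline is the point: a token-holding integration's identity tells you nothing once the token is stolen, so the alert has to key on behaviour the legitimate integration never exhibits (new tables, result sizes an order of magnitude above normal, data leaving through a stage). In production the baseline set and thresholds would be recomputed periodically from real history rather than hard-coded.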
The Bigger Picture
The Anodot breach is the latest demonstration that your security posture is only as strong as your weakest integration. Companies invest heavily in securing their primary infrastructure, then hand persistent access tokens to dozens of third-party tools with varying security maturity. Attackers have figured this out, and groups like ShinyHunters are systematically exploiting it.
For compliance teams, this breach raises urgent questions about vendor risk management. If a single analytics tool can become the entry point to your entire data warehouse, then every vendor with integration access needs to be evaluated as a critical dependency, not a convenience feature. The question is no longer whether your SaaS vendors will be targeted, but whether your organization will notice when they are.