> anodot_token_stolen —— snowflake_connected —— exfil_in_progress —— records: 78,600,000 —— detection: none_
On 14 April 2026, the ShinyHunters extortion group released 78.6 million records stolen from Rockstar Games — the studio behind Grand Theft Auto and Red Dead Redemption. The data includes detailed financial analytics, revenue breakdowns, and operational metrics for GTA Online and Red Dead Online. Rockstar declined to pay the ransom, consistent with law enforcement guidance.
But the technical story is not about Rockstar's security posture. Rockstar's own systems were not compromised. No vulnerability in Snowflake was exploited. ShinyHunters walked through a door that a third-party SaaS vendor — Anodot — had left open. The attack chain exploited the trust relationships that underpin modern cloud integration architectures, and it is part of a broader campaign that has already affected dozens of organisations.
Subscribe to our weekly threat briefing — the CVEs that matter, with context your team can act on.
Anodot is an AI-powered cloud analytics platform, owned by Glassbox, that provides real-time anomaly detection for business metrics — cost spikes, revenue drops, operational glitches. To function, it requires authenticated access to its customers' cloud data environments. For Rockstar, that meant access to their Snowflake data warehouse.
The attack is technically elegant precisely because it is not technically complex. There is no zero-day, no exploit chain, no custom malware. The attacker compromised a trusted vendor, stole credentials that were already authorised, and used them for their intended purpose: querying a data warehouse. At the authentication layer the traffic was indistinguishable from normal operations; only the volume and shape of the queries could have given it away, and only to someone baselining them. This is the defining characteristic of supply chain attacks: the initial compromise happens outside the target's visibility, and the subsequent access uses legitimate trust paths.
The Rockstar breach is not an isolated incident. It is part of an ongoing, systematic campaign by ShinyHunters targeting organisations through shared SaaS integration infrastructure.
| Date | Campaign | Vector | Scale |
|---|---|---|---|
| 2024 | Snowflake credential campaign | Stolen usernames/passwords → Snowflake accounts without MFA | AT&T, Ticketmaster, Santander, Neiman Marcus, and others |
| March 2026 | Salesforce integration campaign | Compromised Salesforce-linked SaaS integrations → customer data | 400+ companies claimed; 26 published |
| April 2026 | Anodot/Snowflake campaign | Stolen Anodot auth tokens → customer Snowflake environments | 12+ companies confirmed; Rockstar is highest-profile |
| April 2026 | Salesforce pivot attempt | Attempted lateral movement from Snowflake → Salesforce | Detected and blocked by AI detection |
The evolution is notable. In 2024, ShinyHunters targeted end-user credentials — usernames and passwords for accounts that lacked MFA. In 2026, the group has shifted to targeting service-to-service authentication tokens held by SaaS integration platforms. These tokens are typically long-lived, broadly scoped, and subject to far less monitoring than user credentials. The shift represents a maturation of the attack methodology that makes detection significantly harder.
Snowflake confirmed detecting 'unusual activity' affecting a small number of customer accounts linked to a third-party integration. The company locked down affected accounts and notified customers. Snowflake stressed that its own platform was not breached and no vulnerabilities were exploited. The incident was entirely credential-based, exploiting tokens held by the third-party integrator.
The leaked archive is not what many in the gaming community expected. There is no GTA VI source code, no game assets, no player credentials, and no personally identifiable player data. The data is a multi-domain internal analytics dataset covering GTA Online and Red Dead Online.
Rockstar's public position — that the data is 'non-material' and has 'no impact on our organisation or our players' — is technically defensible but strategically incomplete. The leaked data provides a level of business intelligence visibility that competitors, financial analysts, and threat actors will find highly valuable. For any organisation, the lesson is clear: even data you consider 'non-sensitive' can be weaponised once it is outside your control.
For penetration testers, the Rockstar breach is a textbook example of the attack class we assess in supply chain security engagements, and the remediation priorities below follow directly from it.
| Priority | Action | Detail |
|---|---|---|
| Critical | Audit SaaS integration tokens | Identify every third-party service holding authentication tokens or credentials for your cloud data environment (Snowflake, BigQuery, Redshift, S3). Pay particular attention to analytics, monitoring, and cost management platforms, including Anodot/Glassbox. |
| Critical | Enforce least-privilege scoping | A cost monitoring integration does not need read access to your entire data warehouse. Give each integration its own role scoped to the specific views or tables it consumes, and withhold database-wide, future, and stage privileges; an attacker holding the integration's credential inherits exactly the grants that role has, nothing more. |
| Critical | Implement token rotation | Long-lived, static tokens are the primary attack vector. Rotate integration credentials automatically, enforce a maximum token lifetime, and prefer short-lived tokens issued just-in-time where the vendor supports them. Rotation also bounds the window in which a token stolen from the vendor remains usable. |
| High | Enable MFA on all cloud accounts | ShinyHunters' 2024 Snowflake campaign specifically targeted accounts without MFA, and it remains a baseline control for human users. Service accounts cannot answer an interactive MFA prompt, so the equivalent for them is key-pair or OAuth authentication with no password set, plus a network policy that restricts logins to the vendor's egress addresses. |
| High | Monitor data warehouse access patterns | Implement anomaly detection on Snowflake (or equivalent) access logs. Alert on unusual result-set sizes and export volumes, query patterns outside each integration's own baseline, access from unfamiliar IP ranges or geographies, and failed logins against service accounts, which once a network policy is enforced are the signature of a stolen credential being tried from elsewhere. |
| High | Assess Salesforce exposure | ShinyHunters attempted to pivot from Snowflake to Salesforce. Review Salesforce access controls, connected apps, and token hygiene. |
| Medium | Strengthen vendor contracts | Require SaaS vendors to demonstrate security controls, maintain incident response plans, provide breach notification within defined SLAs, and permit security assessments of their integration architecture. |
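The Snowflake side of the audit, scoping, credential and monitoring rows above, as an added example that is not Rockstar's, Anodot's or Snowflake's own configuration. Every object name in it is assumed for illustration: the ANODOT_SVC user and ANODOT_READER role, the ANALYTICS_DB.COST.DAILY_SPEND view as the only object the integration needs, the INTEGRATIONS_WH warehouse, the 203.0.113.0/24 range standing in for the vendor's published egress addresses, and the RSA key strings, which are placeholders.

```sql
-- Added example: Snowflake SQL for the remediation rows above.
-- All object names, the IP range and the key strings are assumed placeholders.

-- 1. Audit: every privilege the integration's role holds directly.
--    (Roles granted to it are not expanded here; check those separately.)
SELECT grantee_name, privilege, granted_on, name AS object_name, created_on
FROM snowflake.account_usage.grants_to_roles
WHERE deleted_on IS NULL
  AND grantee_name = 'ANODOT_READER'
ORDER BY granted_on, object_name;

-- Which service users still log in with a static password? These are the
-- long-lived credentials the rotation row targets. '_SVC' is an assumed naming convention.
SELECT name, has_password, has_rsa_public_key, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND name ILIKE '%_SVC';
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER anodot_svc;   -- empty value = no source restriction

-- 2. Scope: a dedicated role that can read exactly one view and nothing else.
--    Reading a view needs USAGE on its database and schema plus SELECT on the
--    view; it does not need any privilege on the underlying tables.
CREATE ROLE IF NOT EXISTS anodot_reader;
GRANT USAGE  ON WAREHOUSE integrations_wh              TO ROLE anodot_reader;
GRANT USAGE  ON DATABASE  analytics_db                 TO ROLE anodot_reader;
GRANT USAGE  ON SCHEMA    analytics_db.cost            TO ROLE anodot_reader;
GRANT SELECT ON VIEW      analytics_db.cost.daily_spend TO ROLE anodot_reader;
-- Deliberately absent: GRANT SELECT ON ALL TABLES IN DATABASE ..., any FUTURE
-- grant, and any privilege on stages. Without stage privileges the role cannot
-- COPY INTO an external location. A statement timeout on the integration's own
-- warehouse also bounds how long a single stolen session can keep pulling rows.
ALTER WAREHOUSE integrations_wh SET STATEMENT_TIMEOUT_IN_SECONDS = 300;

-- 3. Identity: a service user with key-pair auth instead of a password, pinned
--    to the vendor's egress range. TYPE = SERVICE is Snowflake's user type for
--    non-human logins; such users cannot be given a password at all.
CREATE OR REPLACE NETWORK POLICY anodot_egress ALLOWED_IP_LIST = ('203.0.113.0/24');
CREATE USER IF NOT EXISTS anodot_svc
  TYPE = SERVICE
  DEFAULT_ROLE = anodot_reader
  DEFAULT_WAREHOUSE = integrations_wh
  RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...PLACEHOLDER'
  NETWORK_POLICY = anodot_egress;
GRANT ROLE anodot_reader TO USER anodot_svc;

-- Rotation without downtime: load the next key into the second slot, let the
-- vendor cut over, then drop the old one. Schedule it, and run it immediately
-- on any vendor incident notification.
ALTER USER anodot_svc SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8B...PLACEHOLDER';
ALTER USER anodot_svc UNSET RSA_PUBLIC_KEY;
-- Emergency stop while the vendor's breach scope is unknown (not run here):
--   ALTER USER anodot_svc SET DISABLED = TRUE;
-- If the vendor connects over Snowflake OAuth instead of key-pair, the lifetime
-- knob is on the security integration (seconds; the default is 90 days):
--   ALTER SECURITY INTEGRATION anodot_oauth SET OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

-- 4. Monitor: the last 24h of this user's queries against its own prior 30 days.
--    A query returning over ten times the user's p99 row count, or any unload
--    to a stage, is worth a page. With no baseline yet (new user) the threshold
--    collapses to zero and every query is surfaced, which is the safe default.
--    ACCOUNT_USAGE views lag by up to about 45 minutes.
WITH baseline AS (
  SELECT PERCENTILE_CONT(0.99) WITHIN GROUP (ORDER BY rows_produced) AS p99_rows
  FROM snowflake.account_usage.query_history
  WHERE user_name = 'ANODOT_SVC'
    AND start_time >= DATEADD(day, -31, CURRENT_TIMESTAMP())
    AND start_time <  DATEADD(day, -1,  CURRENT_TIMESTAMP())
)
SELECT q.start_time, q.query_type, q.rows_produced, q.bytes_scanned,
       LEFT(q.query_text, 120) AS query_excerpt
FROM snowflake.account_usage.query_history q, baseline b
WHERE q.user_name = 'ANODOT_SVC'
  AND q.start_time >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND (q.rows_produced > 10 * COALESCE(b.p99_rows, 0)
       OR q.query_type = 'UNLOAD')
ORDER BY q.rows_produced DESC NULLS LAST;

-- Logins the network policy rejected, or that used a factor this user should
-- not have (a password on a key-pair-only identity), mean someone else holds
-- this identity's secret and is trying it from outside the vendor.
SELECT event_timestamp, client_ip, first_authentication_factor, is_success, error_message
FROM snowflake.account_usage.login_history
WHERE user_name = 'ANODOT_SVC'
  AND event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND (is_success = 'NO' OR first_authentication_factor <> 'RSA_KEYPAIR')
ORDER BY event_timestamp DESC;
```

Run the audit queries with a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database). The two monitoring queries are the ones to wire into a scheduled task or SIEM pull; the row-count threshold is deliberately relative to the integration's own history rather than a fixed number, because a cost connector's normal result set is small and a fixed cap tuned for analysts would never fire on it.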
The Rockstar Games breach is a clean, instructive example of the supply chain attack model that now dominates the threat landscape. No zero-day exploits. No custom malware. No sophisticated intrusion chain. Just a compromised vendor, stolen tokens, and legitimate access paths used for illegitimate purposes.
The lesson for every organisation is that your security perimeter now extends to every SaaS integration with access to your data. The Anodot connector was designed to read cloud cost metrics. It did not need — and should not have had — the permissions that allowed an attacker to export 78.6 million records from Rockstar's data warehouse. The gap between the access granted and the access required is where the breach lived.
If you have not audited your own SaaS integration permissions recently, the Rockstar breach should be the catalyst. The attackers who walked through Anodot's door are still active. The NCSC supply chain security guidance and NIST SP 800-161 provide frameworks for assessment. We can help you implement them.
Our <a href="/services/supply-chain-assessment">supply chain security assessments</a> identify over-permissioned integrations, long-lived tokens, and trust chain risks before attackers find them. The Rockstar breach shows what happens when these risks go unmanaged.