Anodot Breach Leads to Supply Chain Attack on Snowflake Customers; ShinyHunters Claims Responsibility

SaaS Vendor Anodot Breached; ShinyHunters Gang Uses Stolen Tokens to Attack Snowflake Customers

HIGH
April 10, 2026
5m read
Supply Chain Attack · Data Breach · Cloud Security

Impact Scope

Affected Companies

Rockstar Games, Payoneer, Amtrak, McGraw Hill, Hallmark Cards

Industries Affected

Technology, Media and Entertainment, Finance, Transportation, Retail

Related Entities

Threat Actors

Products & Tech

Snowflake, Salesforce

Other

Anodot, Rockstar Games, Payoneer, Amtrak, McGraw Hill, Hallmark Cards

Full Report

Executive Summary

A major supply chain attack is underway, originating from a security breach at Anodot, an AI-powered cloud cost monitoring and analytics company. The notorious extortion group ShinyHunters has claimed responsibility, stating they compromised Anodot's systems and stole authentication tokens. These tokens, which grant programmatic access to third-party services, were then used to infiltrate the Snowflake cloud data warehouse environments of Anodot's customers. This allowed the attackers to bypass conventional security measures like MFA and steal sensitive data from numerous organizations. ShinyHunters has begun extorting victims, including gaming giant Rockstar Games, threatening to leak stolen data if ransoms are not paid. The incident highlights the critical and often overlooked risk posed by third-party SaaS integrations and the value of API keys and service tokens as a target for threat actors.

Threat Overview

This is a sophisticated supply chain attack that abuses the trust relationship between a SaaS vendor (Anodot) and its customers' cloud platforms (Snowflake). The attack chain is as follows:

  1. Vendor Compromise: ShinyHunters first breached the network or systems of Anodot.
  2. Credential Theft: The primary goal within Anodot was to steal sensitive credentials. In this case, they specifically targeted authentication tokens that Anodot's service uses to connect to its customers' Snowflake instances for data analysis.
  3. Downstream Attack: Using these stolen tokens, ShinyHunters could then directly access the Snowflake accounts of Anodot's customers. From Snowflake's perspective, this access appeared legitimate, as it came from a trusted, authenticated third-party service.
  4. Data Exfiltration and Extortion: Once inside the Snowflake environments, the attackers exfiltrated valuable data. They then posted their claims and ransom demands on their dark web leak site, beginning the extortion phase of the attack.

This method is particularly insidious because it bypasses the victims' own perimeter defenses and authentication controls. The compromise of a single vendor can provide the keys to dozens of downstream customer environments.

Technical Analysis

The core of this attack is the abuse of stolen API tokens/service credentials, a technique classified under T1528 - Steal Application Access Token. These tokens are designed for machine-to-machine communication and often have broad permissions, making them a highly valuable target.

  • Snowflake's Statement: Snowflake confirmed that its own core platform was not breached. The activity was isolated to customer accounts that were accessed using credentials originating from a compromised third-party tool, which Snowflake did not name but which other reporting confirms to be Anodot.
  • Pivot to Other Platforms: Reports indicate the attackers also attempted to use the access to pivot to other platforms like Salesforce, suggesting a broad campaign to leverage the initial breach as widely as possible.
  • ShinyHunters TTPs: ShinyHunters is a well-known data extortion group that specializes in large-scale data theft and does not typically deploy ransomware. Their primary goal is to steal data and monetize it through ransom payments.

MITRE ATT&CK Mapping

Impact Assessment

The impact is significant and widespread, affecting multiple companies across different industries.

  • Named Victims: Rockstar Games, developer of Grand Theft Auto, has been publicly named and extorted. Other alleged victims include Payoneer, Amtrak, McGraw Hill, and Hallmark Cards.
  • Data Breaches: Each affected company is now facing a significant data breach, with the potential for sensitive corporate data, customer information, and intellectual property to be leaked.
  • Financial Loss: Victims face the cost of incident response, legal fees, regulatory fines, and potentially paying a ransom.
  • Supply Chain Distrust: The incident severely damages trust in SaaS integrations and will force many companies to re-evaluate their third-party risk management programs.

Cyber Observables for Detection

Type: log_source
Value: Snowflake Access History
Description: Look for queries or data access from the Anodot service account that are outside the established baseline, such as accessing unusual tables or exfiltrating large volumes of data.
Context: Snowflake query logs and access history views.
Confidence: high

Type: user_account_pattern
Value: ANODOT_SERVICE_USER
Description: Monitor for anomalous behavior from service accounts, such as logins from new IP ranges or attempts to access resources beyond their normal scope.
Context: Cloud provider audit logs (e.g., CloudTrail).
Confidence: high

Type: api_endpoint
Value: Snowflake API
Description: Unusually high volume of GET requests or data transfer from a specific service account token.
Context: API gateway logs, cloud provider flow logs.
Confidence: medium

Detection & Response

Detecting this type of attack is challenging because the activity appears legitimate.

  1. Monitor Service Account Behavior: Implement D3-UBA: User Behavior Analysis focused on non-human service accounts. Baseline the normal activity of third-party integrations (e.g., what data they access, how much, from where) and alert on any significant deviations.
  2. Cloud Security Posture Management (CSPM): Use CSPM tools to audit permissions granted to third-party services. Ensure they adhere to the principle of least privilege.
  3. Token Rotation: Immediately revoke and rotate the credentials for the Anodot integration. This is the primary containment step.

Mitigation

Preventing such attacks requires a robust third-party risk management strategy.

  1. Principle of Least Privilege: When integrating a third-party SaaS tool, grant it the absolute minimum permissions required to function. It should only be able to read the specific data it needs, not the entire data warehouse.
  2. IP Allowlisting: Where possible, configure service account access to be restricted to a known set of IP addresses belonging to the vendor. This would have prevented ShinyHunters from using the stolen tokens from their own infrastructure.
  3. Regular Credential Rotation: Implement a policy for the regular, automated rotation of all API keys and service tokens. This limits the window of opportunity for an attacker if a token is stolen.
  4. Vendor Security Assessments: Do not blindly trust vendors. Conduct thorough security assessments before integrating any third-party service that will have access to sensitive data. This is a key part of M1016 - Vulnerability Scanning applied to the supply chain.

Timeline of Events

  1. April 7, 2026: ShinyHunters begins claiming responsibility for attacks on Snowflake customers, attributing them to a breach at Anodot.
  2. April 10, 2026: This article was published.
  3. April 11, 2026: ShinyHunters posts a ransom demand for Rockstar Games, giving them a deadline of April 14.

MITRE ATT&CK Mitigations

  • Apply the principle of least privilege to all service accounts and API tokens, granting them only the specific permissions needed to function.
  • Continuously audit and monitor the activity of third-party service accounts for anomalous behavior, such as accessing unusual data or large-scale exfiltration.
  • Use IP address allowlisting to restrict service account access to only the known IP ranges of the trusted vendor.
  • Extend risk management to the supply chain by conducting thorough security assessments of third-party vendors before integration.

D3FEND Defensive Countermeasures

To defend against attacks like the Anodot/Snowflake breach, organizations must implement Resource Access Pattern Analysis for all third-party service accounts. Instead of implicitly trusting the connection, security teams should use a Cloud-Native Application Protection Platform (CNAPP) or SIEM to baseline the service's normal behavior. For Anodot, this would mean establishing a profile of which specific Snowflake tables it queries, the frequency of those queries, and the typical volume of data returned. The system should then alert on any deviation from this pattern. For example, an alert should trigger if the Anodot service account suddenly queries a table named 'customer_pii' or 'source_code_gta7' that it has never touched before, or if it attempts to download 100x its normal data volume. This behavioral detection approach is critical for identifying when a legitimate, stolen token is being abused by an attacker.
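The baseline-and-deviation logic described above (and in the Detection & Response list) can be expressed directly against Snowflake's account-usage views. This is an added example, not code from the article or from Anodot or Snowflake; the user name ANODOT_SERVICE_USER is the pattern from the observables table, and the 30-day baseline window and the 100x daily-volume threshold are assumptions taken from the text's own illustration.

```sql
-- Added example: two checks on the Anodot service user's Snowflake activity.
-- Assumptions: user name ANODOT_SERVICE_USER (from the observables table),
-- a 30-day baseline window, a 100x daily-volume threshold. ACCOUNT_USAGE views
-- lag real time by up to a few hours; run with IMPORTED PRIVILEGES on SNOWFLAKE.

-- Check 1: tables touched in the last 24 hours that never appeared in the baseline.
WITH objects AS (
    SELECT ah.query_id,
           ah.query_start_time,
           obj.value:objectName::STRING AS object_name
    FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY AS ah,
         LATERAL FLATTEN(INPUT => ah.base_objects_accessed) AS obj
    WHERE ah.user_name = 'ANODOT_SERVICE_USER'
      AND ah.query_start_time >= DATEADD('day', -31, CURRENT_TIMESTAMP())
),
baseline AS (
    SELECT DISTINCT object_name
    FROM objects
    WHERE query_start_time < DATEADD('day', -1, CURRENT_TIMESTAMP())
)
SELECT o.query_start_time, o.query_id, o.object_name
FROM objects AS o
LEFT JOIN baseline AS b ON b.object_name = o.object_name
WHERE o.query_start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
  AND b.object_name IS NULL        -- never seen before from this integration
ORDER BY o.query_start_time;

-- Check 2: rows returned today versus the baseline daily average.
WITH daily AS (
    SELECT DATE_TRUNC('day', start_time) AS day,
           SUM(rows_produced)           AS rows_out
    FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
    WHERE user_name = 'ANODOT_SERVICE_USER'
      AND start_time >= DATEADD('day', -31, CURRENT_TIMESTAMP())
    GROUP BY 1
),
stats AS (
    SELECT AVG(rows_out) AS baseline_avg
    FROM daily
    WHERE day < DATE_TRUNC('day', CURRENT_TIMESTAMP())
)
SELECT d.day, d.rows_out, s.baseline_avg,
       d.rows_out / NULLIF(s.baseline_avg, 0) AS ratio
FROM daily AS d CROSS JOIN stats AS s
WHERE d.day = DATE_TRUNC('day', CURRENT_TIMESTAMP())
  AND d.rows_out > 100 * s.baseline_avg;   -- exfiltration-scale jump
```

Either result set is an alert; the first is the higher-fidelity signal, since a cost-monitoring integration has no reason to discover new tables.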

Organizations must apply rigorous Application Configuration Hardening to all third-party integrations. In the context of Snowflake, this means creating a dedicated role for the Anodot service with narrowly scoped, read-only access to only the specific schemas and tables required for cost analysis. The account should be explicitly denied access to all other data. Furthermore, network policies should be applied within Snowflake to restrict the service account's access to a specific, allow-listed set of source IP addresses provided by Anodot. This combination of least-privilege access and network controls would have mitigated this attack in two ways: first, the attackers would have been unable to access sensitive data outside the intended scope, and second, they would have been blocked from using the stolen token from their own infrastructure. This turns a trusted integration from a skeleton key into a key that only opens one specific door.
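The dedicated role, read-only scope and network policy described here (and in the Mitigation list) look like this in Snowflake. This is an added example, not the article's or Anodot's own configuration; the role name ANODOT_COST_READER, warehouse ANODOT_WH, schema FINOPS.CLOUD_COST and the vendor range 203.0.113.0/24 are hypothetical, and the statements assume a role that owns or outranks the objects (SECURITYADMIN for users and policies, SYSADMIN for the database and warehouse).

```sql
-- Added example (not the article's or Anodot's own configuration).
-- Hypothetical names: role ANODOT_COST_READER, warehouse ANODOT_WH,
-- schema FINOPS.CLOUD_COST, vendor egress range 203.0.113.0/24
-- (a documentation range; substitute the list the vendor supplies).

-- The skeleton-key pattern this replaces: a shared admin role or SELECT on a
-- whole database, e.g.  GRANT ROLE ACCOUNTADMIN TO USER ANODOT_SERVICE_USER;

CREATE ROLE IF NOT EXISTS ANODOT_COST_READER
    COMMENT = 'Read-only access to the cost schema consumed by Anodot';

-- Snowflake has no DENY: anything not granted below is unreachable from this role.
GRANT USAGE ON WAREHOUSE ANODOT_WH                        TO ROLE ANODOT_COST_READER;
GRANT USAGE ON DATABASE FINOPS                            TO ROLE ANODOT_COST_READER;
GRANT USAGE ON SCHEMA FINOPS.CLOUD_COST                   TO ROLE ANODOT_COST_READER;
GRANT SELECT ON ALL TABLES IN SCHEMA FINOPS.CLOUD_COST    TO ROLE ANODOT_COST_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA FINOPS.CLOUD_COST TO ROLE ANODOT_COST_READER;

-- Network policy: a stolen token is useless from anywhere but the vendor's ranges.
CREATE NETWORK POLICY IF NOT EXISTS ANODOT_VENDOR_ONLY
    ALLOWED_IP_LIST = ('203.0.113.0/24')
    COMMENT = 'Egress ranges supplied by Anodot';

-- Dedicated service user: key-pair auth only (no password), one role, one
-- warehouse, pinned to the policy. Rotate by setting RSA_PUBLIC_KEY_2 and
-- unsetting RSA_PUBLIC_KEY once the vendor has switched keys.
CREATE USER IF NOT EXISTS ANODOT_SERVICE_USER
    TYPE = SERVICE
    RSA_PUBLIC_KEY = '<vendor-supplied public key>'   -- placeholder
    DEFAULT_ROLE = ANODOT_COST_READER
    DEFAULT_WAREHOUSE = ANODOT_WH;
GRANT ROLE ANODOT_COST_READER TO USER ANODOT_SERVICE_USER;
ALTER USER ANODOT_SERVICE_USER SET NETWORK_POLICY = ANODOT_VENDOR_ONLY;

-- Verify the blast radius: only the cost schema should appear in the grants.
SHOW GRANTS TO ROLE ANODOT_COST_READER;
DESCRIBE NETWORK POLICY ANODOT_VENDOR_ONLY;
```

The same two commands at the end are also the post-incident check: a grant outside the cost schema, or a policy wider than the vendor's published ranges, is the misconfiguration this attack exploited.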

Sources & References

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

supply chain attack, shinyhunters, anodot, snowflake, data breach, cloud security, rockstar games
