ShinyHunters has added Grand Theft Auto developer Rockstar Games to its leak site, claiming it siphoned Snowflake metrics data by abusing access through Anodot, a third-party cloud cost-monitoring tool wired into Rockstar's data warehouse. Rockstar has confirmed to Kotaku that "a limited amount of non-material company information" was accessed via a third-party breach, while insisting players and operations are unaffected. The extortion crew has set a 14 April 2026 deadline, threatening to leak the data alongside unspecified "annoying (digital) problems" if the publisher refuses to pay.

What Happened

According to the ShinyHunters leak-site post seen by The Register, the group did not breach Snowflake directly. Instead, the intruders claim to have lifted authentication tokens belonging to Anodot.com, a SaaS integration plugged into Rockstar's Snowflake environment for cost and metrics monitoring. Those tokens were then replayed against Rockstar's tenant, allowing the attackers to impersonate a legitimate internal service and pull metrics-layer data. Rockstar has publicly confirmed third-party-linked exposure but has declined to identify the attacker, describe the data, or confirm whether a ransom demand was received.

What Was Taken

Rockstar's public statement characterizes the loss as "a limited amount of non-material company information." ShinyHunters describes the stolen content as "Snowflake instances metrics data," suggesting telemetry, usage statistics, query patterns, and cost or pipeline data rather than game source code or player records. Neither side has disclosed the volume of records exfiltrated. Even if the haul is limited to metrics, such data can expose internal table names, query frequency, pipeline topology, and the identities of business-critical datasets, all useful for follow-on targeting.

Why It Matters

This incident underscores a now-familiar pattern: the soft underbelly of modern enterprises is not the data warehouse itself but the chain of SaaS tools authorized to read from it. Anodot is a legitimate, sanctioned integration; abusing its tokens means there is no exploit chain to detect, no malware to flag, and no obvious anomaly in authentication logs. For Rockstar, a studio still scarred by the 2022 Slack intrusion that leaked early GTA VI footage, the optics are damaging even if the dataset proves trivial. For the wider industry, it is another data point in ShinyHunters' methodical campaign against SaaS integrations, following claimed hits on Cisco, Telus, and a string of Salesforce customers.

The Attack Technique

If ShinyHunters' account is accurate, the operation is a textbook OAuth and service-token abuse scenario. The attackers compromised Anodot, harvested the credentials Anodot used to query Rockstar's Snowflake tenant, and replayed them from infrastructure of their choosing. Because the tokens were valid and scoped to a trusted integration, the traffic would have blended into normal analytics workloads. ShinyHunters has built its franchise on precisely this playbook: hunting APIs, identity providers, and third-party SaaS connectors rather than burning zero-days on hardened perimeters. The 2024 Snowflake customer wave, which leaned heavily on stolen credentials and infostealer logs, established the template that this Rockstar incident appears to extend.

What Organizations Should Do

  1. Inventory every third-party SaaS tool with read or write access to Snowflake, BigQuery, Databricks, or similar warehouses, and treat each integration as an extension of your attack surface.
  2. Rotate all OAuth tokens, PATs, and service-account credentials issued to Anodot or similar cost and observability vendors, and enforce short token lifetimes going forward.
  3. Bind warehouse-bound service credentials to network policies, allow-listing only the vendor egress ranges that the integration legitimately uses.
  4. Enable Snowflake network policies, MFA on all human accounts, and key-pair authentication for service users; disable legacy password-only auth.
  5. Hunt for anomalous query patterns from integration accounts: new client IPs, off-hours bursts, unusual SHOW or INFORMATION_SCHEMA enumeration, and access to tables outside the integration's documented scope.
  6. Require third-party SaaS vendors to disclose token storage practices, breach notification SLAs, and evidence of credential rotation as part of procurement and renewal reviews.
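
The hunt in step 5, as an added example (not code from the source article or from any vendor): it checks each query-history record for one integration account against the four signals listed there. The account name, vendor egress range, table names, record fields and sample records are constructed assumptions, and off-hours activity is flagged per query rather than as a burst count.

```python
import ipaddress
import re
from datetime import datetime

# Assumed baseline for one integration account; every value is constructed.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # vendor egress range
DOCUMENTED_TABLES = {"FINOPS.USAGE.DAILY_COST", "FINOPS.USAGE.WAREHOUSE_METERING"}
BUSINESS_HOURS_UTC = range(6, 20)                          # 06:00-19:59 UTC
ENUM_RE = re.compile(r"^\s*SHOW\s|INFORMATION_SCHEMA", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z0-9_.$\"]+)", re.I)

def findings(rec):
    """Return the reasons a query-history record is out of profile."""
    reasons = []
    ip = ipaddress.ip_address(rec["client_ip"])
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append("client_ip_outside_vendor_range")
    # Simplification: one off-hours query is flagged, bursts are not counted.
    if datetime.fromisoformat(rec["start_time"]).hour not in BUSINESS_HOURS_UTC:
        reasons.append("off_hours")
    if ENUM_RE.search(rec["query_text"]):
        reasons.append("metadata_enumeration")
    tables = {t.replace('"', "").upper() for t in TABLE_RE.findall(rec["query_text"])}
    extra = sorted(t for t in tables
                   if t not in DOCUMENTED_TABLES and "INFORMATION_SCHEMA" not in t)
    if extra:
        reasons.append("out_of_scope_table:" + ",".join(extra))
    return reasons

def hunt(records, user="SVC_COST_MONITOR"):
    """Map query_id -> reasons for the integration user's flagged queries."""
    return {r["query_id"]: f for r in records
            if r["user_name"] == user and (f := findings(r))}

# Constructed sample records (not real logs); field names are hypothetical.
SAMPLE = [
    {"query_id": "q1", "user_name": "SVC_COST_MONITOR", "client_ip": "198.51.100.23",
     "start_time": "2026-04-02T10:05:00", "query_text": "SELECT day, credits FROM finops.usage.daily_cost"},
    {"query_id": "q2", "user_name": "SVC_COST_MONITOR", "client_ip": "203.0.113.77",
     "start_time": "2026-04-02T02:41:00", "query_text": "SHOW TABLES IN DATABASE ANALYTICS"},
    {"query_id": "q3", "user_name": "SVC_COST_MONITOR", "client_ip": "198.51.100.23",
     "start_time": "2026-04-02T11:00:00", "query_text": "SELECT * FROM analytics.core.sessions s JOIN finops.usage.daily_cost c ON s.d = c.day"},
    {"query_id": "q4", "user_name": "ANALYST_1", "client_ip": "203.0.113.5",
     "start_time": "2026-04-02T03:00:00", "query_text": "SELECT * FROM analytics.core.sessions"},
]

if __name__ == "__main__":
    for qid, why in hunt(SAMPLE).items():
        print(qid, why)
```

In practice the baseline (egress ranges, documented tables, working hours) should come from the vendor's published integration requirements and your own record of what the integration was granted.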

Sources: Rockstar Games gets a taste of grand theft data