▣ Breach ROCKSTAR-GAMES-SHI 2026-06-29

Rockstar Games: ShinyHunters Extortion Leak

The ShinyHunters extortion gang has leaked internal analytics data belonging to Rockstar Games, the studio behind Grand Theft Auto. According to reporting from BleepingComputer, the breach traces back to a security incident at Anodot, an anomaly detection vendor, where stolen authentication tokens were abused to reach data held in Snowflake environments. The exposed dataset spans more than 78.6 million records covering player behavior tracking, in-game revenue, and support analytics. Rockstar, in a statement to Kotaku, acknowledged the incident but said it had no impact on its organization or its players.

What Happened

The attack did not start at Rockstar. ShinyHunters compromised Anodot, a third-party data anomaly detection company, and harvested authentication tokens during that intrusion. Those tokens were then used to authenticate into Snowflake cloud data environments where Rockstar analytics were stored. This is a textbook supply chain pivot: rather than breaching the game studio directly, the actor exploited trust between Rockstar and a downstream analytics provider. Once inside the Snowflake tenant, the group exfiltrated the data and moved to extortion, publishing the records to pressure the victim.

What Was Taken

The leak comprises over 78.6 million records of internal analytics used to monitor Rockstar's online services and support operations. The data reportedly includes player behavior tracking, in-game revenue metrics, and game economy figures for titles such as Grand Theft Auto Online and Red Dead Online. It also appears to contain customer support analytics tied to the company's Zendesk instance, along with references to fraud detection systems and anti-cheat model testing. While Rockstar characterizes the impact as limited, analytics on fraud and anti-cheat logic carry real operational sensitivity if exposed to adversaries.

Why It Matters

This breach is a reminder that analytics and observability pipelines are high-value targets, not just back-office plumbing. Game economy data, fraud detection signals, and anti-cheat testing logic give attackers and cheat developers a roadmap to evade controls and monetize exploits. The incident also continues a pattern for Rockstar, which in 2022 suffered the Lapsus$ leak of Grand Theft Auto 6 footage and source code. For defenders across the gaming and SaaS sectors, the broader lesson is that third-party data warehouses inherit your risk, and a vendor compromise can become your breach without a single alert firing on your own perimeter.

The Attack Technique

ShinyHunters leaned on stolen authentication tokens rather than exploiting a software vulnerability in Rockstar's products. Tokens lifted from Anodot allowed the group to authenticate into Snowflake environments as a trusted party, bypassing the need to crack passwords or defeat front-door defenses. This mirrors the wider 2024 wave of Snowflake-targeted intrusions, where attackers used valid stolen credentials and tokens against cloud data tenants that lacked enforced multi-factor authentication and network restrictions. The technique is effective precisely because token-based access often looks like legitimate, expected traffic.

What Organizations Should Do

  1. Enforce multi-factor authentication and network allowlisting on all Snowflake and cloud data warehouse access, with no exceptions for service or vendor accounts.
  2. Rotate authentication tokens and keep them short-lived, and treat long-lived tokens as a liability that must be inventoried and expired aggressively.
  3. Audit third-party and analytics vendors for token handling, storage, and access scope, and require breach notification clauses in contracts.
  4. Apply least-privilege scoping so that a single compromised token cannot reach broad datasets across multiple business units.
  5. Monitor cloud data platforms for anomalous query volume, bulk exports, and access from unexpected geographies or token sources.
  6. Classify analytics covering fraud, anti-cheat, and revenue as sensitive data and apply the same controls used for customer PII.
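
An added example, not part of the original brief or any vendor's tooling, showing how items 1 and 5 can be checked together over access logs: it flags token use from outside a per-token network allowlist and daily export volume far above that token's baseline. The record fields, token names, addresses, dates and thresholds are constructed assumptions, not Snowflake's log schema.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample data: field names, token ids and addresses are hypothetical.
ALLOWLIST = {
    "vendor-analytics": ["198.51.100.0/24"],
    "internal-bi": ["10.20.0.0/16"],
}
BASELINE_DAILY_ROWS = {  # rows exported per day over a prior quiet period
    "vendor-analytics": [120_000, 95_000, 140_000, 110_000],
    "internal-bi": [8_000, 12_000, 9_500, 10_000],
}
EVENTS = [
    {"token": "vendor-analytics", "src_ip": "198.51.100.17", "day": "2026-06-20", "rows": 130_000},
    {"token": "vendor-analytics", "src_ip": "203.0.113.44", "day": "2026-06-21", "rows": 60_000},
    {"token": "vendor-analytics", "src_ip": "203.0.113.44", "day": "2026-06-21", "rows": 4_900_000},
    {"token": "internal-bi", "src_ip": "10.20.5.9", "day": "2026-06-21", "rows": 11_000},
    {"token": "unknown-token", "src_ip": "10.20.5.9", "day": "2026-06-21", "rows": 10},
]

def ip_allowed(token, src_ip):
    """True only if the token has an allowlist and src_ip falls inside it."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n) for n in ALLOWLIST.get(token, []))

def find_alerts(events, factor=5):
    """Return sorted (day, token, reason) tuples for off-allowlist use and bulk export."""
    alerts = set()
    daily = defaultdict(int)
    for e in events:
        daily[(e["day"], e["token"])] += e["rows"]
        if not ip_allowed(e["token"], e["src_ip"]):
            alerts.add((e["day"], e["token"], f"source {e['src_ip']} not on allowlist"))
    for (day, token), rows in daily.items():
        history = BASELINE_DAILY_ROWS.get(token)
        if history is None:
            # A token nobody inventoried is itself a finding (item 2).
            alerts.add((day, token, "token has no baseline (uninventoried)"))
        elif rows > factor * median(history):
            alerts.add((day, token, f"bulk export: {rows} rows vs median {median(history):.0f}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(*alert, sep=" | ")
```

A token with no allowlist entry is denied by default here, which matches the "no exceptions for service or vendor accounts" stance in item 1.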

Sources: Rockstar Games Analytics Data Leaked: Inside the ShinyHunters Extortion Gang Attack (2026)