ShinyHunters compromised Rockstar Games' Snowflake data warehouse instances through the Anodot analytics platform, leaking 78.6 million GTA Online records after the publisher missed an April 14, 2026 extortion deadline. Rockstar confirmed the third-party breach to Kotaku on April 13, characterizing the stolen data as "non-material," but the leak makes Rockstar the latest of 165 organizations compromised through the ongoing Snowflake credential-theft campaign.
What Happened
On April 4, 2026, Anodot, a cloud analytics provider acquired by Glassbox in 2025, reported service outages affecting its connectors for Snowflake, Amazon S3, and Amazon Kinesis. The disruption appeared routine at the time, but it coincided with unauthorized access to authentication tokens stored within Anodot's platform. ShinyHunters used those tokens to log into Rockstar Games' Snowflake instances as a trusted third party, then exfiltrated data using standard query operations designed to blend with legitimate analytical workloads.
On April 11, ShinyHunters posted an ultimatum on its dark web leak site: "Rockstar Games! Your Snowflake instances were compromised thanks to Anodot. Pay or leak by April 14, 2026." Rockstar publicly acknowledged the incident two days later but did not negotiate. When the deadline expired on April 14, the group released 78.6 million records tied to GTA Online to its leak channel.
What Was Taken
The published archive contains 78.6 million GTA Online records, including player handles, account email addresses, hashed credentials, IP addresses, session metadata, transaction histories tied to Shark Card purchases, and internal telemetry from the Anodot analytics pipeline. While Rockstar maintains that no source code, unreleased GTA VI assets, or production game infrastructure was accessed, the stolen player data is sufficient to enable large-scale credential stuffing, account takeover, and targeted phishing against the GTA Online community.
Why It Matters
This is the latest data point in a Snowflake-focused campaign that has now compromised 165 organizations since 2024, including Ticketmaster, AT&T, and Santander. What changed is the entry point: rather than reusing infostealer-harvested credentials directly against Snowflake, ShinyHunters pivoted through a SaaS analytics vendor whose connectors held privileged tokens. Any organization that has granted a third-party platform persistent OAuth or token-based access to a cloud data warehouse now has the same exposure profile as Rockstar, regardless of how mature its own identity controls are.
The Attack Technique
The intrusion chain combined supply chain compromise with cloud-native living-off-the-land techniques. Attackers first obtained access to Anodot's connector infrastructure, harvesting authentication tokens that Anodot maintained for customer Snowflake, S3, and Kinesis integrations. Those tokens were valid, scoped to legitimate analytics roles, and not protected by network ACLs or MFA on the Rockstar side. ShinyHunters then issued ordinary SELECT queries against production tables, exfiltrating data through Snowflake's standard egress paths in volumes consistent with Anodot's normal workload, which delayed detection until the extortion notice was published.
What Organizations Should Do
- Inventory every third-party SaaS integration with access to Snowflake, BigQuery, Redshift, or other cloud data warehouses, and revoke tokens for vendors not actively in use.
- Enforce network policies on Snowflake accounts to restrict programmatic access to known IP ranges, including those of approved SaaS vendors, and require MFA for all human and service accounts.
- Rotate all Anodot-issued tokens and credentials immediately, and audit Snowflake query history for anomalous SELECT volumes originating from analytics service accounts since April 1, 2026.
- Deploy query-level monitoring and behavioral baselining on cloud data warehouses to detect exfiltration disguised as routine analytics traffic.
- Treat SaaS vendor outages as potential indicators of compromise rather than routine operational issues, and request post-incident attestations from analytics and observability vendors.
- Notify GTA Online players to reset passwords, enable Rockstar Social Club MFA, and watch for phishing referencing recent in-game purchases.
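The query-history audit and behavioral baselining recommended above, sketched as an added example (not code from Rockstar, Snowflake, or Anodot): it profiles each service account from activity before the April 1, 2026 cutoff, then flags new source IPs, newly touched tables, and volume spikes after it. The account name, table names, IP addresses, and row layout are constructed assumptions standing in for an export of warehouse query and login history.

```python
from collections import defaultdict
from statistics import median

# Constructed rows, as if exported from warehouse query history joined to login
# history: (day, account, client_ip, table, rows_produced). All values are made up.
HISTORY = [
    ("2026-03-28", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 1_000_000),
    ("2026-03-29", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 1_100_000),
    ("2026-03-30", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 950_000),
    ("2026-03-31", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 1_050_000),
    ("2026-04-02", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 1_020_000),
    ("2026-04-04", "SVC_ANALYTICS", "203.0.113.77", "EVENTS", 600_000),
    ("2026-04-04", "SVC_ANALYTICS", "203.0.113.77", "PLAYER_ACCOUNTS", 450_000),
    ("2026-04-05", "SVC_ANALYTICS", "198.51.100.10", "EVENTS", 5_000_000),
]

def build_baseline(rows, cutoff):
    """Profile each account (source IPs, tables, daily row totals) before cutoff."""
    base = defaultdict(lambda: {"ips": set(), "tables": set(), "daily": defaultdict(int)})
    for day, user, ip, table, n in rows:
        if day < cutoff:  # ISO dates compare correctly as strings
            base[user]["ips"].add(ip)
            base[user]["tables"].add(table)
            base[user]["daily"][day] += n
    return base

def review(rows, cutoff="2026-04-01", k=5.0):
    """Return sorted (day, account, finding, detail) for activity on or after cutoff."""
    base, findings, daily = build_baseline(rows, cutoff), set(), defaultdict(int)
    for day, user, ip, table, n in rows:
        if day < cutoff:
            continue
        profile = base.get(user)
        if profile is None:  # account never seen before the cutoff
            findings.add((day, user, "no-baseline", ip))
            continue
        if ip not in profile["ips"]:
            findings.add((day, user, "new-source-ip", ip))
        if table not in profile["tables"]:
            findings.add((day, user, "new-table", table))
        daily[(day, user)] += n
    for (day, user), total in daily.items():
        past = list(base[user]["daily"].values())
        med = median(past)
        mad = median(abs(v - med) for v in past) or 0.1 * med or 1  # MAD, zero-safe
        if total > med + k * mad:
            findings.add((day, user, "volume-spike", str(total)))
    return sorted(findings)
```

In the constructed data, the April 4 activity totals 1,050,000 rows, which sits inside the account's normal daily band, so `review(HISTORY)` flags it only through the new source IP and the newly touched table; the volume check alone catches just the April 5 spike.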
Sources: Rockstar Games Breach: 165 Victims in Snowflake Hack [2026]