Rockstar Games, publisher of Grand Theft Auto VI, has confirmed a third-party data breach after the ShinyHunters extortion collective claimed access to its Snowflake data warehouse through compromised Anodot connectors. The incident, disclosed to Kotaku on April 13, 2026, makes Rockstar the 165th confirmed victim in an ongoing Snowflake credential-theft campaign that has run since 2024 and previously hit Ticketmaster, AT&T, and Santander.

What Happened

On April 11, 2026, ShinyHunters posted an extortion notice on its dark web leak site naming Rockstar Games and specifically calling out Anodot as the pivot point into Rockstar's Snowflake instances. The group issued a three-day deadline of April 14, 2026 for Rockstar to negotiate payment before the stolen data would be leaked.

The incident traces back to April 4, 2026, when Anodot, a cloud analytics provider acquired by Glassbox in 2025, reported service outages across its Snowflake, Amazon S3, and Amazon Kinesis connectors. The outages were publicly framed as routine connectivity issues, but they coincided with unauthorized access to authentication tokens stored inside the Anodot platform. Attackers used those tokens to authenticate to Rockstar's Snowflake tenancy as a trusted analytics integration.

Rockstar confirmed the breach on April 13, describing the stolen information as "a limited amount of non-material company information" with "no impact on our organization or our players." The April 14 deadline passed without a public data dump, though researchers continue to monitor ShinyHunters channels.

What Was Taken

Rockstar has characterized the exposed data as "non-material company information," a framing that suggests the intrusion did not reach player account databases, payment records, or Grand Theft Auto VI source code repositories. ShinyHunters has not published a sample to contradict this characterization.

Based on the attack path through an analytics integration, the most likely exposure involves business telemetry data routed through Anodot: product usage metrics, operational dashboards, marketing analytics, and internal KPI datasets that analytics platforms typically ingest from Snowflake. Full scope remains unverified pending either a leak or a more detailed disclosure from Rockstar.

Why It Matters

This is the 165th organization compromised through the Snowflake credential-theft pattern tracked since 2024, and it demonstrates that the campaign has evolved beyond direct infostealer harvesting of customer credentials into compromise of the SaaS analytics vendors that hold privileged Snowflake tokens on behalf of their customers. One vendor breach now fans out to every downstream Snowflake tenant that vendor was integrated with.

For defenders, the Rockstar case reinforces that Snowflake tenant security is now bounded by the weakest OAuth-connected integration in the environment. It also shows ShinyHunters continuing to prioritize high-visibility consumer brands with strong reputational leverage, timing extortion to maximize media pressure on publishers in pre-release cycles.

The Attack Technique

The chain is a textbook token-theft supply chain intrusion. Attackers obtained authentication tokens Anodot had stored to connect to customer Snowflake, S3, and Kinesis environments. Using those tokens, they authenticated to Rockstar's Snowflake warehouse as Anodot, bypassing MFA because the integration was designed for machine-to-machine auth.

Once authenticated, the actors executed standard SQL query and export operations rather than dropping malware or escalating privileges. This tradecraft is deliberate: analytic query traffic from a known integration blends into the legitimate workload pattern Snowflake customers expect to see from that same service principal, significantly raising the bar for anomaly detection. Exfiltration appears to have occurred before Anodot's April 4 outage made the compromise publicly visible.

What Organizations Should Do

  1. Inventory every OAuth application, service account, and programmatic user connected to your Snowflake, S3, and Kinesis tenants, and identify which third-party vendors hold those tokens.
  2. Rotate all Anodot-issued credentials, OAuth tokens, and key pairs immediately, and force re-authentication of any Glassbox or Anodot integration.
  3. Enforce network policies on Snowflake service accounts so integration tokens only authenticate from the vendor's published IP ranges, and require key-pair authentication over password auth for all machine users.
  4. Review Snowflake QUERY_HISTORY and ACCESS_HISTORY for the March 28 to April 11 window, looking for unusual SELECT volumes, new object access patterns, or exports from service principals tied to analytics vendors.
  5. Set row-count and bytes-scanned thresholds on service-account queries and alert on deviations, since ShinyHunters intentionally mimics analytical workloads to evade coarse detection.
  6. Treat every SaaS analytics, observability, and BI vendor as an extension of your Snowflake trust boundary in your third-party risk program, including contractual breach-notification SLAs measured in hours rather than days.
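
One way to carry out steps 4 and 5 together, as an added example that is not from Rockstar, Anodot, or Snowflake: the query below builds a per-day baseline for each vendor-held identity and flags days in the March 28 to April 11 window that exceed it. The user name ANODOT_SVC, the 30-day baseline, and the three-standard-deviation threshold are assumptions; the year 2026 is taken from the article's dates.

```sql
-- Added example. ANODOT_SVC is a placeholder; replace it with the Snowflake
-- users your inventory (step 1) ties to analytics vendors.
WITH daily AS (
    SELECT user_name,
           start_time::date                         AS query_day,
           COUNT(*)                                 AS queries,
           SUM(bytes_scanned)                       AS bytes_scanned,
           SUM(rows_produced)                       AS rows_produced,
           COUNT(DISTINCT database_name || '.' || schema_name)
                                                    AS schemas_touched,
           COUNT_IF(query_text ILIKE 'COPY INTO%')  AS copy_into_stmts
    FROM snowflake.account_usage.query_history
    WHERE user_name IN ('ANODOT_SVC')
      AND start_time >= '2026-02-26'::timestamp_ltz  -- 30-day baseline start
      AND start_time <  '2026-04-12'::timestamp_ltz  -- window end, inclusive of April 11
    GROUP BY user_name, start_time::date
),
baseline AS (  -- what "normal" looked like before the review window
    SELECT user_name,
           AVG(bytes_scanned)    AS avg_bytes,
           STDDEV(bytes_scanned) AS sd_bytes,
           AVG(rows_produced)    AS avg_rows,
           STDDEV(rows_produced) AS sd_rows,
           MAX(schemas_touched)  AS max_schemas
    FROM daily
    WHERE query_day < '2026-03-28'::date
    GROUP BY user_name
)
SELECT d.user_name, d.query_day, d.queries,
       d.bytes_scanned, d.rows_produced,
       d.schemas_touched, d.copy_into_stmts,
       b.avg_bytes IS NULL AS no_baseline  -- identity first seen inside the window
FROM daily d
LEFT JOIN baseline b ON b.user_name = d.user_name
WHERE d.query_day >= '2026-03-28'::date
  AND (   b.avg_bytes IS NULL
       OR d.bytes_scanned   > b.avg_bytes + 3 * COALESCE(b.sd_bytes, 0)
       OR d.rows_produced   > b.avg_rows  + 3 * COALESCE(b.sd_rows, 0)
       OR d.schemas_touched > b.max_schemas  -- new object access pattern
       OR d.copy_into_stmts > 0)             -- COPY INTO statements (loads or unloads)
ORDER BY d.user_name, d.query_day;
```

Rows returned are days to review by hand against the underlying query text; the LEFT JOIN keeps identities with no prior activity, which an inner join would silently drop.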

Sources: Rockstar Games Breach: 165 Victims in Snowflake Hack [2026]