On April 11, 2026, the ShinyHunters extortion collective posted a pay-or-leak ultimatum targeting Rockstar Games, claiming compromise of the publisher's Snowflake data warehouse instances through third-party analytics vendor Anodot. Rockstar confirmed the incident to Kotaku on April 13, characterizing the exposure as "a limited amount of non-material company information" accessed via a third-party breach. The incident extends a Snowflake-linked campaign that has now touched 165 organizations since 2024, including Ticketmaster, AT&T, and Santander.

What Happened

Anodot, a cloud analytics provider acquired by Glassbox in 2025, reported service outages on April 4, 2026, affecting its connectors for Snowflake, Amazon S3, and Amazon Kinesis. The disruption was publicly framed as routine connectivity issues, but it coincided with unauthorized access to authentication tokens stored within Anodot's platform. ShinyHunters leveraged those tokens to pivot into Rockstar's Snowflake tenant and exfiltrate data over a roughly 10-day window before surfacing on their dark web leak site with a three-day extortion countdown expiring April 14. The deadline passed without a confirmed public dump, though researchers continue monitoring ShinyHunters channels.

What Was Taken

Rockstar has publicly described the stolen records as "non-material company information" with "no impact on our organization or our players," suggesting player databases, account credentials, and Grand Theft Auto VI source code repositories were not in scope. Neither Rockstar nor ShinyHunters has disclosed the precise volume or classification of the exfiltrated records. Given the Anodot integration's purpose, the exposed data set most plausibly consists of business telemetry, product analytics, and operational metrics pulled through the compromised connector rather than core production assets.

Why It Matters

This breach is the latest validation of a supply chain attack pattern that treats SaaS analytics vendors as soft entry points into hardened enterprise data warehouses. Snowflake itself was not compromised, yet 165 of its customer tenants have now been reached through credential and token theft at adjacent service providers since 2024. For defenders, the Rockstar incident demonstrates that even organizations with mature internal security postures inherit the weakest identity hygiene of every third-party connector wired into their warehouse. It also reinforces ShinyHunters' operational tempo: outage, silent exfiltration, extortion post, short deadline, selective naming of high-profile victims to maximize pressure.

The Attack Technique

The adversary obtained valid OAuth or service-account authentication material from Anodot's platform, likely during or immediately preceding the April 4 connector outage. With legitimate tokens in hand, the attackers authenticated to Rockstar's Snowflake instances as a trusted integration and issued standard SQL query operations to stage and pull data. Because the activity originated from an allow-listed vendor identity and mirrored normal analytical workloads, it evaded behavior-based detection. No zero-day exploitation of Snowflake was required; the trust relationship between customer and vendor was itself the vulnerability.

What Organizations Should Do

  1. Inventory every third-party integration with write or read access to Snowflake, S3, and Kinesis, and enforce short-lived credentials with mandatory rotation rather than static tokens.
  2. Require MFA and network policy restrictions on all Snowflake service accounts, including those used by SaaS connectors, and block authentication from vendor IP ranges that fall outside documented allow-lists.
  3. Enable Snowflake query tagging and anomaly detection on volume, time-of-day, and destination patterns for integration users; alert on bulk SELECT or COPY INTO operations from analytics accounts.
  4. Treat vendor outage notifications as potential security events: correlate each third-party incident window against your own authentication and query logs for that integration.
  5. Maintain an egress baseline for each connector so that unexpected data movement to new S3 buckets or external stages triggers immediate review.
  6. Pre-negotiate breach notification SLAs with analytics and observability vendors and require disclosure of any token or credential exposure within 24 hours.
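
Steps 3 and 4 can be combined into a single review pass over exported query history for the vendor's incident window. The following is an added example, not code from the original page or from Snowflake: the row fields, the `SVC_ANALYTICS` user, the stage names and the baseline figure are constructed assumptions, and the window is built from the April 4 and April 14 dates reported above.

```python
from datetime import datetime, timezone

# Constructed sample rows. Field names are assumptions loosely modelled on
# Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view, exported as dicts.
UTC = timezone.utc
ROWS = [
    {"user": "SVC_ANALYTICS", "start": datetime(2026, 4, 2, 14, 5, tzinfo=UTC),
     "text": "SELECT metric, ts FROM telemetry.daily WHERE ts > '2026-04-01'",
     "bytes_scanned": 40_000_000},
    {"user": "SVC_ANALYTICS", "start": datetime(2026, 4, 5, 2, 17, tzinfo=UTC),
     "text": "COPY INTO @ext_stage_tmp/out FROM (SELECT * FROM telemetry.daily)",
     "bytes_scanned": 9_000_000_000},
    {"user": "SVC_ANALYTICS", "start": datetime(2026, 4, 6, 15, 0, tzinfo=UTC),
     "text": "select * from finance.forecast",
     "bytes_scanned": 2_500_000_000},
    {"user": "JDOE", "start": datetime(2026, 4, 5, 3, 0, tzinfo=UTC),
     "text": "COPY INTO @ext_stage_tmp/x FROM t", "bytes_scanned": 10},
]

def review_window(rows, integration_users, window_start, window_end,
                  baseline_bytes, known_stages=(), factor=10):
    """Return (row, reasons) for integration-user queries inside the vendor
    incident window that look like bulk reads or unloads."""
    known = {s.upper() for s in known_stages}
    findings = []
    for r in rows:
        # Only the connector's identities, only the vendor's incident window.
        if r["user"] not in integration_users or not (
                window_start <= r["start"] <= window_end):
            continue
        text = r["text"].upper().lstrip()
        reasons = []
        # COPY INTO @stage unloads data; flag stages outside the egress baseline.
        if text.startswith("COPY INTO @"):
            stage = text.split("@", 1)[1].split("/", 1)[0].split()[0]
            if stage not in known:
                reasons.append(f"unload to unknown stage {stage}")
        if r["bytes_scanned"] > factor * baseline_bytes:
            reasons.append("bytes scanned above baseline")
        if "SELECT *" in text:
            reasons.append("unfiltered SELECT *")
        if reasons:
            findings.append((r, reasons))
    return findings
```

Run it with the connector's documented stages in `known_stages` and a per-connector `baseline_bytes` taken from a quiet period; the in-window rows that come back are the ones to review first.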

Sources: Rockstar Games Breach: 165 Victims in Snowflake Hack [2026]