A failed extortion attempt against Rockstar Games has backfired spectacularly, with hacker collective ShinyHunters dumping over 78.6 million records from the publisher's Snowflake cloud infrastructure on April 14, 2026. The data, accessed through a third-party analytics tool, exposed the financial internals of GTA Online, a title generating roughly $500 million annually for parent company Take-Two Interactive. Rather than damaging the business, the disclosure triggered a $1 billion market cap surge as investors digested the game's previously undisclosed revenue mechanics.

What Happened

On April 14, 2026, ShinyHunters published a cache of 78.6 million records pulled from Rockstar Games' Snowflake environment. The group had attempted to extort Take-Two before going public, but the publisher declined to pay. In retaliation, the attackers released the dataset in full. The compromise originated not in Rockstar's core infrastructure but in a connected third-party analytics integration with elevated access to Snowflake data warehouses, consistent with the broader pattern of Snowflake-tenant compromises observed across multiple industries over the past two years.

What Was Taken

The leaked trove contains granular business telemetry rather than customer secrets. Investigators and journalists reviewing the dump confirmed it includes per-platform revenue breakdowns, player spending cohort analysis, Shark Card and GTA+ subscription metrics, and daily booking totals. Notable figures exposed include the $1.3 million daily revenue average, $7.3 million weekly Shark Card sales, $2.3 million weekly GTA+ subscription income, and PlayStation 5 weekly bookings of $4.49 million. GTA+ subscriber counts peaked at 1.3 million in December 2025. Critically, the dump contained no passwords, payment card data, personally identifiable information, or GTA VI source code.

Why It Matters

The Take-Two incident is a textbook example of how third-party data platform compromises can expose strategic business intelligence even when traditional "crown jewel" assets remain untouched. For defenders, the takeaway is that the blast radius of a Snowflake or analytics tenant breach extends well beyond regulated data categories into competitive intelligence, investor-sensitive metrics, and pre-disclosure financial figures. For a publicly traded company, leaked revenue telemetry is itself material non-public information. The stock moved from roughly $202 to nearly $208 on the news, a reminder that data exposure and capital markets impact are now tightly coupled.

The Attack Technique

ShinyHunters gained access via a third-party analytics tool integrated with Rockstar's Snowflake cloud data warehouse. This mirrors the group's established playbook: harvesting or purchasing credentials for SaaS and data-platform tenants, often belonging to contractors or integration partners, then exfiltrating large volumes of business data through legitimate query interfaces. The absence of multi-factor authentication enforcement on third-party service accounts has been the recurring weak point across prior ShinyHunters Snowflake campaigns. No zero-day or novel exploitation technique has been reported in the Take-Two case.

What Organizations Should Do

  1. Enforce mandatory MFA on every Snowflake user, service account, and integration token, with no exceptions for legacy analytics connectors.
  2. Inventory all third-party tools with read access to cloud data warehouses and apply network policies restricting access to known IP ranges.
  3. Rotate credentials for any SaaS integration that has not been audited in the past 90 days, and remove dormant service accounts.
  4. Enable Snowflake query and access logging into a SIEM with alerting on anomalous bulk exports or off-hours activity.
  5. Classify business telemetry and financial metrics as sensitive data categories in DLP tooling, not just PII and payment data.
  6. Pre-draft investor and regulatory disclosure playbooks that account for leaks of material non-public operational data, not only customer breaches.
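
A sketch of the alerting logic behind item 4, added here as an illustration and not taken from the article or from any vendor tooling. It assumes query logs reach the SIEM as records carrying the USER_NAME, START_TIME and ROWS_PRODUCED columns of Snowflake's QUERY_HISTORY view; the thresholds, the business-hours window, and all sample records are constructed assumptions.

```python
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC on weekdays is normal
BULK_FACTOR = 20               # assumption: alert above 20x the user's median rows
MIN_BULK_ROWS = 100_000        # assumption: floor so tiny baselines do not alert

def rec(user, start, rows):
    return {"USER_NAME": user, "START_TIME": start, "ROWS_PRODUCED": rows}

# Constructed lookback window of known-good activity.
HISTORY = [
    rec("SVC_ANALYTICS", "2026-04-06T10:05:00", 1200),
    rec("SVC_ANALYTICS", "2026-04-07T10:05:00", 900),
    rec("SVC_ANALYTICS", "2026-04-08T10:05:00", 1500),
    rec("ANALYST_A", "2026-04-06T15:30:00", 50),
    rec("ANALYST_A", "2026-04-07T15:30:00", 80),
]
# Constructed new activity to evaluate.
NEW_QUERIES = [
    rec("SVC_ANALYTICS", "2026-04-13T02:14:00", 4_000_000),  # huge and at night
    rec("SVC_ANALYTICS", "2026-04-13T11:00:00", 1100),       # ordinary
    rec("ANALYST_A", "2026-04-11T14:00:00", 70),             # Saturday
    rec("SVC_NEWTOOL", "2026-04-13T10:00:00", 250_000),      # account with no history
]

def baseline(history):
    """Median ROWS_PRODUCED per user over the lookback window."""
    per_user = {}
    for q in history:
        per_user.setdefault(q["USER_NAME"], []).append(q["ROWS_PRODUCED"])
    return {user: median(rows) for user, rows in per_user.items()}

def detect(queries, base):
    """Return (user, start_time, reasons) for every query that should alert."""
    alerts = []
    for q in queries:
        reasons = []
        ts = datetime.fromisoformat(q["START_TIME"])
        # Users without history get a baseline of 0, so only the floor applies.
        typical = base.get(q["USER_NAME"], 0)
        rows = q["ROWS_PRODUCED"]
        if rows >= MIN_BULK_ROWS and rows > BULK_FACTOR * typical:
            reasons.append("bulk-export")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((q["USER_NAME"], q["START_TIME"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_QUERIES, baseline(HISTORY)):
        print(alert)
```

Service accounts used by analytics connectors usually run on a fixed schedule, so a per-account baseline like this tends to be far tighter for them than for human analysts.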

Sources: Take-Two's Unwitting Advertisers: Hackers Reveal GTA Online's $500 Million Engine