Stolen SaaS Integration Tokens Fuel Data Theft at Snowflake Customers
A breach at a third-party SaaS integration provider allegedly exposed authentication tokens that were then used to steal data from more than a dozen companies, with most of the activity targeting Snowflake customer environments. Snowflake said it detected unusual activity affecting a small number of customers tied to a specific third-party integration and emphasized that its own platform was not compromised through a vulnerability. Reporting identified the suspected source as Anodot, a data anomaly detection company owned by Glassbox, though neither company publicly responded at the time.
The threat actor identified as ShinyHunters claimed responsibility, saying it stole data from dozens of organizations and sought extortion payments to prevent publication of the information. The campaign reportedly also targeted other cloud and SaaS providers, while an attempted theft involving Salesforce was said to have been blocked by AI-based detection. Google Threat Intelligence Group said it was tracking the incident, and Payoneer said it was aware of the provider breach linked to Anodot but had determined it was not affected.
Timeline
Apr 28, 2026
Vimeo confirms user data exposure from Anodot-linked breach
Vimeo disclosed that attackers accessed some customer and user data as a downstream result of the Anodot breach, including technical data, video titles, metadata, and in some cases email addresses. The company said uploaded video content, credentials, and payment card data were not affected, and it disabled Anodot credentials, removed the integration, and notified law enforcement.
Apr 13, 2026
Rockstar Games identified as Anodot breach victim
Rockstar Games was named as one of the companies affected by the Anodot-linked token theft campaign. The company said attackers accessed only a limited amount of non-material company information.
Apr 8, 2026
Snowflake locks impacted accounts and notifies affected customers
As part of its response to the Anodot-linked intrusion activity, Snowflake said it locked potentially impacted customer accounts and notified affected customers. The company reiterated that its own systems were not compromised and no software vulnerability was exploited.
Apr 7, 2026
Google tracks incident and Payoneer says it was not impacted
Google Threat Intelligence Group said it was aware of and tracking the incident. Payoneer also acknowledged awareness of the Anodot-related provider breach and said it determined it was not affected.
Apr 7, 2026
ShinyHunters claims responsibility and extortion of victims
The ShinyHunters threat actor claimed responsibility for the attacks, saying it stole data from dozens of companies and demanded ransom payments to prevent publication. The campaign was described as an extortion operation following the token theft.
Apr 7, 2026
Attempted Salesforce data theft reportedly blocked
The threat actor said it also attempted to steal data from Salesforce, but the effort was blocked by AI-based detection systems. This was reported as part of the broader token-enabled intrusion campaign.
Apr 7, 2026
Snowflake confirms unusual activity tied to third-party integration
Snowflake said it detected unusual activity affecting a small number of customers linked to a specific third-party integration. The company stated its own systems were not compromised and no Snowflake vulnerability was involved.
Apr 7, 2026
Data theft attacks hit more than a dozen companies
Using the stolen tokens, attackers conducted data theft attacks against more than a dozen companies across cloud and SaaS environments. Most of the observed activity targeted Snowflake customer accounts.
Apr 7, 2026
SaaS integrator breach allegedly exposes authentication tokens
A security issue at SaaS integration provider Anodot allegedly led to the theft of authentication tokens later used to access customer environments. Anodot and parent company Glassbox had not responded publicly at the time of reporting.
Related Stories
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
Today
ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
3 days ago
Scattered LAPSUS$ Hunters Target Salesforce via Gainsight Supply Chain Attack
The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH), an amalgamation of groups including Scattered Spider, LAPSUS$, and ShinyHunters, has intensified its campaign of data theft and extortion against major corporations. In November 2025, Salesforce detected unusual activity involving Gainsight-published applications, leading to the revocation of access tokens and removal of affected apps from its AppExchange. Salesforce determined that the incident was not due to a vulnerability in its platform, but rather unauthorized access to customer data through compromised app connections. The breach was traced back to a supply chain attack on Salesloft Drift in August 2025, which enabled attackers to obtain secrets used to access additional Salesforce instances. Gainsight confirmed that stolen OAuth tokens were used in the attack, and indicators of compromise were shared with affected customers. SLSH has leveraged this access to threaten public data leaks and extort both Salesforce and its customers, with a new extortion portal listing dozens of victim companies, including Toyota, FedEx, Disney/Hulu, and UPS. The group has also escalated its tactics by openly recruiting insiders from large organizations, offering rewards for internal access to facilitate further breaches. Recent reports indicate that SLSH's activities are coordinated through Telegram channels, and the group has been linked to high-profile incidents involving both data theft and attempted insider recruitment. Security advisories and ongoing investigations highlight the persistent threat posed by SLSH and the importance of monitoring supply chain risks and insider threats.
1 month ago