
Rockstar Games: Snowflake Breach via Third-Party Anodot Tokens

Incident · Sources: TechCrunch / Help Net Security · Apr 2026
78.6M records leaked

ShinyHunters stole authentication tokens that the analytics vendor Anodot held for its customers' Snowflake environments. The attacker queried Rockstar Games' data warehouse using those tokens — looking, to Snowflake, like a normal analytical workload. Over a dozen Anodot customers were caught in the same wave.

Key Finding

Identity is how third-party risk actually manifests. When a vendor holds long-lived OAuth tokens or service-account credentials into your environment, your blast radius equals their blast radius.

Timeline as reported:

4 April 2026: the analytics vendor Anodot reported service outages affecting its Snowflake, Amazon S3, and Amazon Kinesis connectors.

11 April 2026: ShinyHunters issued an extortion demand against Rockstar Games, claiming compromise of the company's Snowflake instance via Anodot.

14 April 2026: Rockstar confirmed the breach after 78.6 million records were leaked, stating that "a limited amount of non-material company information was accessed in connection with a third-party data breach." TechCrunch reporting confirmed that over a dozen Anodot customers were affected in the same wave.

The intrusion did not originate inside Rockstar. It originated inside Anodot, a third-party analytics provider that held authentication tokens for its customers' cloud environments. ShinyHunters obtained those tokens from Anodot's compromised infrastructure and used them to issue valid, fully authenticated queries against multiple downstream customer warehouses.

The technical detail that made detection hard is that the queries executed against Snowflake were indistinguishable from Anodot's normal analytical traffic: the same client identity, the same roles and warehouse, the same query patterns, the same destination tables. To Snowflake's own monitoring, the workload looked like ordinary analytics. Identity-based controls cannot help here, because the identity is genuine. What can still differ in such a case is the source network, the time of day, the volume scanned and exported, and the set of tables touched, and that is where detection has to live.

For identity architects this is a textbook lesson in three things:

Non-human identity is the supply-chain attack surface. OAuth grants, service accounts, refresh tokens, integration tokens — these are the keys vendors hold into your systems. They typically have long lifetimes, broad scopes, and no human owner. When the vendor is breached, every customer that issued one of those grants is breached at the same time.

Token rotation is not a vendor decision. If a vendor's integration asks for long-lived tokens by default, you face an architectural decision: accept that risk, or require shorter lifetimes, enforced rotation, and a network restriction on where the token may be used from. Most procurement processes do not capture this. Most security teams do not see the actual token lifetimes in production, because nobody inventories what vendors hold.
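The inventory the two paragraphs above call for can be scripted. The following is an added example, not code from the page, from Anodot, Rockstar or Snowflake. It audits a constructed list of integration service users against a hypothetical credential policy; the field names are assumptions loosely modelled on the SNOWFLAKE.ACCOUNT_USAGE.USERS view and DESCRIBE USER output, and the vendor names and policy limits are made up. The output is the list of identities whose lifetime, auth method, network restriction or role grant you would take back to the vendor, in the order you would rotate them.

```python
"""Audit the credentials third-party integrations hold into a Snowflake account.

Added example; not code from the page, from Anodot or from Snowflake. Runs over a
constructed inventory of integration service users (field names are assumptions
modelled loosely on SNOWFLAKE.ACCOUNT_USAGE.USERS / DESCRIBE USER) and reports
each identity that violates a credential-lifetime policy.
"""
from datetime import datetime, timedelta, timezone

# Pinned "now" so the example is deterministic.
NOW = datetime(2026, 4, 4, tzinfo=timezone.utc)

# Hypothetical policy: what we require of any identity a vendor holds into us.
POLICY = {
    "max_key_age_days": 90,            # RSA key pairs rotate at least quarterly
    "max_refresh_token_days": 1,       # OAuth refresh tokens live at most a day
    "forbid_password": True,           # integrations never authenticate by password
    "require_network_policy": True,    # vendor traffic only from its published egress IPs
    "forbidden_roles": {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN"},
}

# Constructed inventory rows (not a live export; vendor names are invented).
INVENTORY = [
    {"name": "ANALYTICS_VENDOR_SVC", "vendor": "analytics SaaS", "has_password": False,
     "auth": "rsa", "credential_set_time": NOW - timedelta(days=410),
     "refresh_token_validity_days": None, "network_policy": None,
     "roles": ["ACCOUNTADMIN"]},
    {"name": "BI_TOOL_OAUTH", "vendor": "BI tool", "has_password": False,
     "auth": "oauth", "credential_set_time": NOW - timedelta(days=20),
     "refresh_token_validity_days": 90, "network_policy": "BI_TOOL_EGRESS",
     "roles": ["REPORTING_RO"]},
    {"name": "ETL_SVC", "vendor": "ETL SaaS", "has_password": True,
     "auth": "password", "credential_set_time": NOW - timedelta(days=700),
     "refresh_token_validity_days": None, "network_policy": "ETL_EGRESS",
     "roles": ["ETL_LOADER"]},
    {"name": "CLEAN_SVC", "vendor": "other", "has_password": False,
     "auth": "rsa", "credential_set_time": NOW - timedelta(days=30),
     "refresh_token_validity_days": None, "network_policy": "OTHER_EGRESS",
     "roles": ["REPORTING_RO"]},
]


def credential_age_days(user, now=NOW):
    """Days since the credential the vendor currently holds was last set."""
    return (now - user["credential_set_time"]).days


def audit_user(user, policy=POLICY, now=NOW):
    """Return a list of (severity, finding) tuples for one integration identity."""
    findings = []
    age = credential_age_days(user, now)
    if policy["forbid_password"] and user["has_password"]:
        findings.append(("high", "authenticates with a password; move to key pair or OAuth"))
    if user["auth"] == "rsa" and age > policy["max_key_age_days"]:
        findings.append(("high", f"RSA key is {age} days old (limit {policy['max_key_age_days']})"))
    if user["auth"] == "oauth":
        validity = user["refresh_token_validity_days"]
        if validity is None or validity > policy["max_refresh_token_days"]:
            findings.append(("high", f"OAuth refresh token validity {validity} days "
                                     f"exceeds {policy['max_refresh_token_days']}"))
    if policy["require_network_policy"] and not user["network_policy"]:
        findings.append(("medium", "no network policy; credential is usable from any source IP"))
    over = set(user["roles"]) & policy["forbidden_roles"]
    if over:
        findings.append(("critical", f"holds account-wide role(s) {sorted(over)}; "
                                     "blast radius is the whole account"))
    return findings


def audit(inventory=INVENTORY, policy=POLICY, now=NOW):
    """Map user name -> findings, only for users with at least one finding."""
    out = {}
    for user in inventory:
        found = audit_user(user, policy, now)
        if found:
            out[user["name"]] = found
    return out


def rotation_order(inventory=INVENTORY, now=NOW):
    """User names ordered by credential age, oldest first: the order to rotate in."""
    return [u["name"] for u in
            sorted(inventory, key=lambda u: credential_age_days(u, now), reverse=True)]


if __name__ == "__main__":
    for name, findings in audit().items():
        for severity, text in findings:
            print(f"{severity:8} {name}: {text}")
    print("rotate in order:", rotation_order())
```

On a real account the INVENTORY rows would come from the ACCOUNT_USAGE views and from the vendor's own OAuth configuration; the point of the script is that the policy lives on your side, so a vendor default of a 90-day refresh token or an unexpiring key shows up as a finding rather than going unnoticed.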

Behavioural baselines for service accounts are weaker than baselines for humans. A human running a 50GB export at 03:00 from an unfamiliar geography triggers a control. A service account doing the same usually does not, because service accounts are expected to be predictable and are therefore not modelled with the same rigour. That predictability is exactly what makes them easy to baseline: a narrow set of hours, source addresses, tables and volumes, so a deviation on several of those at once is a strong signal even when the identity is genuine.
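The detection gap described in the two passages above (queries from a genuine vendor identity, and the missing baseline for that identity) can be closed with a small per-account profile. The following is an added example, not code from the page, from Anodot, Rockstar or Snowflake. It runs over constructed rows shaped like a join of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY and LOGIN_HISTORY (the column names, the user name, IP addresses and table names are all assumptions), builds a baseline for one service account from thirty days of traffic, and scores two later queries against it. Identity, role and warehouse are identical in every row; the score comes only from hour of day, source IP, tables touched, and robust z-scores on bytes scanned and rows produced.

```python
"""Behavioural baseline for a service account's warehouse activity.

Added example; not code from the page, Anodot, Rockstar or Snowflake. Works on
constructed rows shaped like QUERY_HISTORY joined to LOGIN_HISTORY (column names
are assumptions). Builds a per-user baseline from a training window and scores
later queries issued under the very same identity.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

GB = 1024 ** 3
START = datetime(2026, 3, 1, tzinfo=timezone.utc)


def make_training_rows(user="ANALYTICS_VENDOR_SVC", days=30):
    """Constructed history: hourly analytics queries, 08:00-19:00 UTC, one egress IP."""
    rows = []
    for d in range(days):
        for h in range(8, 20):
            rows.append({
                "user_name": user,
                "start_time": START + timedelta(days=d, hours=h),
                "client_ip": "203.0.113.10",                      # vendor's documented egress
                "tables": {"ANALYTICS.PUBLIC.EVENTS", "ANALYTICS.PUBLIC.SESSIONS"},
                "bytes_scanned": (1 + (d * 12 + h) % 4) * 256 * 1024 ** 2,  # 256 MB .. 1 GB
                "rows_produced": 500 + (d * 12 + h) % 200,
            })
    return rows


def robust_stats(values):
    """Median and a MAD-based scale (1.4826 * MAD ~ sigma for normal data)."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return m, 1.4826 * mad


def build_baseline(rows):
    """Per-user profile: hours seen, source IPs, tables, robust volume statistics."""
    base = {}
    for r in rows:
        p = base.setdefault(r["user_name"], {"hours": set(), "ips": set(),
                                             "tables": set(), "bytes": [], "rows": []})
        p["hours"].add(r["start_time"].hour)
        p["ips"].add(r["client_ip"])
        p["tables"] |= r["tables"]
        p["bytes"].append(r["bytes_scanned"])
        p["rows"].append(r["rows_produced"])
    for p in base.values():
        p["bytes_med"], p["bytes_scale"] = robust_stats(p["bytes"])
        p["rows_med"], p["rows_scale"] = robust_stats(p["rows"])
    return base


def robust_z(value, med, scale):
    if scale == 0:                      # constant history: any change is infinitely unusual
        return 0.0 if value == med else float("inf")
    return (value - med) / scale


def score_query(row, baseline, z_threshold=3.0):
    """Return (score, reasons). Each independent deviation adds one point."""
    p = baseline.get(row["user_name"])
    if p is None:
        return 1, ["no baseline for this user: a new non-human identity appeared"]
    reasons = []
    if row["start_time"].hour not in p["hours"]:
        reasons.append(f"hour {row['start_time'].hour:02d} never seen for this user")
    if row["client_ip"] not in p["ips"]:
        reasons.append(f"source {row['client_ip']} not in the vendor's egress set")
    new_tables = row["tables"] - p["tables"]
    if new_tables:
        reasons.append(f"touches tables outside baseline: {sorted(new_tables)}")
    zb = robust_z(row["bytes_scanned"], p["bytes_med"], p["bytes_scale"])
    if zb > z_threshold:
        reasons.append(f"bytes_scanned z={zb:.1f} ({row['bytes_scanned'] / GB:.1f} GB)")
    zr = robust_z(row["rows_produced"], p["rows_med"], p["rows_scale"])
    if zr > z_threshold:
        reasons.append(f"rows_produced z={zr:.1f}")
    return len(reasons), reasons


def is_alert(row, baseline, min_score=2):
    """Two or more independent deviations from an otherwise predictable account."""
    return score_query(row, baseline)[0] >= min_score


# Constructed test events under the same identity, role and warehouse as the history.
BASELINE = build_baseline(make_training_rows())
NORMAL = {"user_name": "ANALYTICS_VENDOR_SVC", "start_time": START + timedelta(days=31, hours=10),
          "client_ip": "203.0.113.10", "tables": {"ANALYTICS.PUBLIC.EVENTS"},
          "bytes_scanned": 700 * 1024 ** 2, "rows_produced": 600}
SUSPECT = {"user_name": "ANALYTICS_VENDOR_SVC", "start_time": START + timedelta(days=31, hours=3),
           "client_ip": "198.51.100.7", "tables": {"HR.PUBLIC.EMPLOYEES", "ANALYTICS.PUBLIC.EVENTS"},
           "bytes_scanned": 50 * GB, "rows_produced": 2_000_000}

if __name__ == "__main__":
    for name, q in (("normal", NORMAL), ("suspect", SUSPECT)):
        score, why = score_query(q, BASELINE)
        print(f"{name}: score={score} alert={is_alert(q, BASELINE)}", *why, sep="\n  ")
```

The robust statistics matter: a service account's history is narrow, so a mean and standard deviation would be dragged by a single large legitimate backfill, whereas median and MAD are not. Requiring two deviations rather than one keeps a vendor's legitimate IP change or a new dashboard table from paging anyone on its own, while the combination the page describes (off-hours, new source, new tables, orders of magnitude more data) scores well above the threshold.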

The Anodot-Rockstar incident is one of several 2026 cases where the failure surface was a long-lived integration token, not a stolen password. The architectural response is well understood: reduce token scope, issue short-lived credentials, keep an inventory of every token a third party holds, and build behavioural baselines for non-human identities (NHI). The operational reality in most organisations is still service accounts with broad scopes and no expiry.
