ShinyHunters Breach Anodot, Steal Data From Snowflake Customers
ShinyHunters compromised SaaS analytics provider Anodot, using stolen authentication tokens to access and exfiltrate data from dozens of Snowflake customers.
The ShinyHunters extortion gang has breached Israeli AI analytics firm Anodot and used stolen authentication tokens to access data from dozens of Snowflake customers. The supply chain attack represents another example of how SaaS integrations can become vectors for mass data theft when third-party security fails.
Snowflake confirmed the incident on April 9, acknowledging that "a small number of customer accounts" showed unusual activity linked to the compromised integrator. The company stressed its own systems weren't breached—the attackers exploited trusted connections from a legitimate partner.
The Attack Chain
Anodot provides AI-powered anomaly detection for business and operational data, connecting to customer systems including Snowflake data warehouses to analyze metrics in real time. Glassbox acquired Anodot in November 2025.
According to BleepingComputer's investigation, ShinyHunters extracted authentication tokens from Anodot's infrastructure. These tokens provided access to customer Snowflake environments without requiring additional credentials.
The attackers claimed to have stolen data from multiple companies last Friday using the Anodot tokens. While they targeted various cloud storage and SaaS vendors, the majority of successful theft focused on Snowflake instances.
ShinyHunters told BleepingComputer they conducted the assault and hinted at long-term access to Anodot's systems—though the exact dwell time remains unclear.
Extortion Campaign Underway
Multiple companies are now receiving ransom demands from ShinyHunters threatening to release stolen data. The gang's extortion model is familiar: pay to prevent publication on their leak site, or watch sensitive business information become public. The approach mirrors the Scattered Spider attacks that compromised 22 million Aflac records last year.
The group also attempted to access Salesforce accounts using stolen credentials but was apparently detected and blocked before successful infiltration. This suggests some targeted organizations had monitoring in place that caught the anomalous activity.
For organizations unfamiliar with how modern breaches unfold, our data breach fundamentals guide explains common attack patterns and post-breach extortion tactics.
Third-Party Risk Realized
The Anodot breach illustrates a persistent blind spot in enterprise security: integrations with SaaS vendors often grant broad access to sensitive data, but receive less security scrutiny than direct connections.
Anodot's status page showed all connectors down across geographic regions starting Saturday morning—likely when the company began investigating and containing the breach. The extended outage suggests significant remediation work.
ShinyHunters has built a reputation for targeting exactly these kinds of integration points. The group previously exploited support platform credentials at Hims & Hers to access customer data through a similar supply chain approach.
The pattern is consistent: find a SaaS vendor with connections to many downstream customers, compromise their credentials or tokens, then pivot to access data across the entire customer base.
Snowflake's Response
Snowflake detected the unusual activity and immediately launched an investigation, locking down potentially impacted customer accounts. The company emphasized the distinction between a Snowflake platform breach (which this wasn't) and unauthorized access via a compromised integration partner.
"Snowflake's systems were not compromised, and no bugs were leveraged," the company stated. From Snowflake's perspective, the access came through legitimate, authorized channels—just controlled by the wrong people.
This technical distinction matters less to affected customers, who now face the same data exposure regardless of which system the attackers initially compromised.
What Organizations Should Do
Companies using Anodot or similar SaaS integrations should:
- Audit integration permissions — Review what data each third-party connector can access and whether that access is still necessary
- Rotate credentials — Assume any authentication tokens shared with potentially compromised vendors are exposed
- Enable anomaly alerts — Configure Snowflake audit logging to flag access from unusual IPs or at unusual times
- Implement IP allowlisting — Restrict integration access to known, authorized IP ranges where possible
- Review data classification — Ensure sensitive data isn't accessible through integrations that don't require it
Snowflake customers should check the admin console for unrecognized sessions or queries against sensitive tables. The company's incident response guidance provides specific hunting queries.
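The checklist above comes down to one hunt: did an integration's service account log in from somewhere, at a time, or with a client it never should have? The following is an added example (not from the article, Snowflake, or Anodot) that runs that check over constructed rows shaped like an export of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the service-user name, the allowed CIDR, the expected hours window, and the expected client type are all hypothetical policy values you would replace with your own.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample rows using LOGIN_HISTORY's column names; the values are
# made up for this example and do not come from any real tenant.
LOGIN_ROWS = [
    {"USER_NAME": "ANODOT_SVC", "CLIENT_IP": "203.0.113.10",
     "EVENT_TIMESTAMP": "2026-04-03T09:00:00Z", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER"},
    {"USER_NAME": "ANODOT_SVC", "CLIENT_IP": "198.51.100.77",
     "EVENT_TIMESTAMP": "2026-04-04T03:30:00Z", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER"},
    {"USER_NAME": "ANODOT_SVC", "CLIENT_IP": "203.0.113.22",
     "EVENT_TIMESTAMP": "2026-04-04T23:10:00Z", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER"},
    {"USER_NAME": "ALICE", "CLIENT_IP": "192.0.2.5",
     "EVENT_TIMESTAMP": "2026-04-04T23:15:00Z", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
]

# Hypothetical per-integration policy: the vendor's published egress range,
# the UTC hours in which its scheduled pulls normally run, and the driver it uses.
INTEGRATION_POLICY = {
    "ANODOT_SVC": {"allowed_cidrs": ["203.0.113.0/24"],
                   "hours_utc": (4, 20),
                   "client_types": {"JDBC_DRIVER"}},
}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_allowlist(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)

def flag_logins(rows, policy):
    """Return (user, ip, timestamp, reasons) for integration logins that break policy."""
    findings = []
    for row in rows:
        rule = policy.get(row["USER_NAME"])
        if rule is None:
            continue  # human or unmanaged account: not an integration, out of scope here
        reasons = []
        if not in_allowlist(row["CLIENT_IP"], rule["allowed_cidrs"]):
            reasons.append("ip_outside_allowlist")
        start, end = rule["hours_utc"]
        if not start <= parse_ts(row["EVENT_TIMESTAMP"]).hour < end:
            reasons.append("outside_expected_hours")
        if row["REPORTED_CLIENT_TYPE"] not in rule["client_types"]:
            reasons.append("unexpected_client_type")
        if reasons:
            findings.append((row["USER_NAME"], row["CLIENT_IP"], row["EVENT_TIMESTAMP"], reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_logins(LOGIN_ROWS, INTEGRATION_POLICY):
        print(finding)
```

Any hit on a token-holding service account is a rotation candidate, and the same policy values map directly onto a Snowflake network policy for the allowlist once the incident is contained.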
The Bigger Picture
Supply chain attacks through SaaS integrations have become a reliable playbook for data thieves. The 2024 Snowflake incident involving stolen credentials demonstrated the same principle: compromise one point of integration, access many victims.
Organizations increasingly rely on interconnected SaaS tools, each representing potential attack surface that's outside direct control. Until enterprises implement more rigorous third-party security assessments and principle-of-least-privilege access controls, these supply chain breaches will continue.
ShinyHunters has likely already moved on to the next target. The question is whether affected organizations will learn from this incident and reduce exposure before the next integration-based attack.