Snowflake Data Theft Hits Customers After Integrator Breach

Summary
– A breach at SaaS integration provider Anodot led to stolen authentication tokens being used in data theft attacks against over a dozen companies.
– The majority of these attacks targeted the cloud data platform Snowflake, which confirmed unusual activity in a small number of customer accounts.
– The ShinyHunters extortion gang claimed responsibility, stating they stole data from dozens of companies and are now attempting to extort them.
– Snowflake and the threat actors both confirmed an attempted data theft from Salesforce, which was detected and blocked.
– Anodot’s systems have been experiencing widespread outages, and its parent company has not responded to inquiries about the security incident.

A significant data theft campaign has impacted numerous organizations following a breach at a third-party SaaS integration provider. Attackers stole authentication tokens, which they then used to target cloud storage and SaaS platforms. The primary focus of these attacks appears to have been the Snowflake data cloud platform, with over a dozen companies affected. Snowflake has confirmed investigating unusual activity linked to a specific third-party integration, stating that only a small number of customer accounts were involved. The company emphasized that the incident did not stem from a vulnerability or compromise within its own systems.
The attacks are believed to originate from a security incident at Anodot, a data analytics firm specializing in AI-powered anomaly detection. Anodot, which was acquired by Glassbox in late 2025, provides connectors for platforms like Snowflake, Amazon S3, and Kinesis. Its status page has indicated widespread service disruptions since last weekend, noting issues with data collection and alerting systems. While Snowflake did not name the partner, multiple sources point to Anodot as the source of the compromised tokens.
The ShinyHunters extortion gang has claimed responsibility for the campaign, telling sources they stole data from dozens of companies using the stolen Anodot tokens. The group is now attempting to extort ransom payments from the affected organizations to prevent public data leaks. In their communications, the threat actors suggested they may have maintained access to Anodot systems for an extended period. They also confirmed an attempted data theft from Salesforce, which was reportedly blocked by AI detection mechanisms. This aligns with a broader trend of attacks targeting Salesforce customers over the past year.
Only one named company, Payoneer, has publicly commented on the situation. The financial services firm stated it is aware of the Anodot incident but confirmed its own systems were not impacted. Google’s Threat Intelligence Group has also acknowledged it is tracking the campaign. Repeated attempts to contact Anodot and its parent company, Glassbox, for an official statement have so far gone unanswered. The incident underscores the escalating risks associated with third-party integrations and the theft of authentication tokens in modern supply chain attacks.
(Source: BleepingComputer)




