Hackers have breached Anodot, stolen customer authentication tokens, and turned a single SaaS integration point into a broader extortion campaign that has already pulled in more than a dozen companies, including confirmed fallout at Booking.com and Rockstar Games.
TL;DR
- A breach at Anodot exposed over a dozen companies after attackers stole authentication tokens tied to cloud connectors.
- The incident began April 4, 2026, impacting Snowflake, S3, and Kinesis integrations.
- Booking.com and Rockstar Games confirmed impact, while Snowflake says its systems were not breached.
How The Anodot Breach Turned Into A Supply Chain Attack
The core issue is not just that Anodot was hacked, but how the breach spread across its customers. Reports show attackers stole authentication tokens, which allowed them to access connected environments, particularly Snowflake accounts.
Security groups like RH-ISAC described this as a supply chain attack, where a trusted SaaS provider with deep access became the entry point for downstream data exposure. This highlights how integrations can become high-risk attack surfaces in modern cloud ecosystems.
Timeline: From Service Disruption To Data Exposure
Anodot’s status page shows the incident began on April 4, 2026, when Snowflake data streams started failing. Soon after, all data collectors went offline, including integrations with Snowflake, Amazon S3, and Kinesis.
By April 11, some services were restored, but data collectors remained down. This extended disruption indicates the breach impacted core infrastructure rather than a limited component.
Snowflake Responds, Draws A Clear Boundary
Snowflake confirmed it detected unusual activity affecting a small number of customer accounts linked to a third-party integration. The company said it locked down impacted accounts and emphasized that its own platform was not breached.
This distinction is critical. It suggests the vulnerability was not within Snowflake itself, but in how third-party tools accessed customer environments using stored credentials or tokens.
Confirmed Impact: Booking.com And Rockstar Games
Booking.com confirmed that attackers accessed customer data including names, email addresses, phone numbers, and booking details. The company said it contained the breach, reset reservation PINs, and notified affected users, though it did not disclose numbers.
Rockstar Games also acknowledged the incident. A spokesperson said only a limited amount of non-material company data was accessed and there was no impact on operations or players.
However, attackers from the ShinyHunters group claimed to possess 78.6 million records linked to Rockstar’s Snowflake environment. This figure remains unverified and should be treated as an extortion claim rather than confirmed data exposure.
Why This Breach Matters For Enterprise Security
This incident reinforces a growing pattern in cybersecurity. The weakest link is often not the primary platform but the third-party services connected to it.
Reports indicate attackers also attempted to use stolen tokens to access other services like Salesforce, though those attempts were blocked. Combined with more than a dozen affected companies and active extortion efforts, this breach stands out as a clear example of a cloud supply chain failure.
It also highlights the risks of storing long-lived authentication tokens and granting broad access to external analytics or monitoring platforms.
