What happened
ShinyHunters has added Rockstar Games to its dark web leak site. The attackers say they didn’t break into Rockstar or Snowflake directly. Instead, they went through Anodot, a SaaS cloud-cost monitoring tool Rockstar uses. From there, they pulled authentication tokens that let them walk into Rockstar’s Snowflake environment as if they were a legitimate internal service. They’ve set a ransom deadline of April 14. Pay or they release the data. This appears to be part of a broader wave hitting companies through Salesforce and Anodot integrations – Cisco and Telus have both been caught in it.
UPDATE: A Rockstar Games Spokesperson Has Confirmed the Breach
We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.
Original Story Below

How it actually worked
Anodot is an AI analytics platform. Companies use it to track cloud costs and catch spending anomalies. To do that, it needs deep access to a company’s cloud infrastructure; in Rockstar’s case, that means its Snowflake data warehouse.
The attackers didn’t crack Snowflake’s encryption. They got into Anodot’s systems and pulled authentication tokens. These tokens are the digital equivalent of a pass key that lets one piece of software talk to another without a human typing in a password each time. Because Rockstar’s Snowflake instance trusted those tokens, the attackers essentially walked in through the front door.
The scarier part: because the access looked like a legitimate internal monitoring process, Rockstar’s security team likely saw nothing unusual. ShinyHunters reportedly ran database exports for a while before anything was flagged.

Who are ShinyHunters?
They’ve been around since roughly 2020. They don’t go after individual users but target APIs, identity systems, and integrations, then sell or leak what they find. Past victims include Microsoft (a claimed 500GB source code theft in 2020), Wattpad (270 million user records), Cisco, AT&T, and Ticketmaster. They’re also linked to the Snowflake-related credential theft wave that caused problems throughout 2025.
They’re not amateurs. They know how to generate press coverage to increase pressure on targets.

Was Snowflake breached?
Almost certainly not. Snowflake’s platform did what it was supposed to – it let in someone with valid credentials. The problem is that those credentials were stolen from a third party Rockstar trusted.
This is the core issue: if you give a tool like Anodot broad read permissions on your Snowflake warehouse and that tool gets compromised, the data is gone. Snowflake isn’t the weak link here; the integration policy is.
Why Rockstar specifically?
GTA VI is arguably the most anticipated game release in years. That makes Rockstar’s internal data (source code, release schedules, platform agreements, revenue figures, player analytics) genuinely valuable. In 2022, a teenager leaked early GTA VI footage through a Slack compromise. This is more methodical.
If ShinyHunters really has access to Rockstar’s Snowflake instances, the potential exposure includes financial records from GTA Online and Red Dead Online, player spending and geographic data, marketing timelines, and contracts with Sony, Microsoft, voice actors, and music labels.
As of writing, Rockstar and Take-Two have not commented. That’s typical for them.
Rockstar isn’t alone
ShinyHunters recently claimed data from over 400 companies linked to Salesforce integrations. Other named victims in this wave include Cisco, Canadian telecom Telus, Dutch provider Odido, and hints at European Commission data in various forum posts. One compromised tool, a lot of downstream damage.
What companies should actually do
Token rotation. Tokens that don’t expire for years are a liability – automated rotation means a stolen token becomes useless fast.
Least-privilege access. Did Anodot need access to all of Rockstar’s Snowflake data? Probably not, and limiting that scope limits the blast radius.
Egress monitoring. Watching who comes in matters, but watching what goes out matters more. A sudden multi-terabyte transfer to an unknown IP should shut the connection down automatically.
MFA. Where possible, use it even for service accounts.
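A stolen integration token authenticates successfully, so the useful signals are behavioural: where the session comes from, how much it exports, and how old the token is. The sketch below is an added example, not code from Rockstar, Anodot or Snowflake; the field names, allow-listed range, thresholds and session records are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed policy for one third-party integration's service account.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # vendor egress range (constructed)
MAX_TOKEN_AGE = timedelta(days=30)             # rotation window (assumption)
VOLUME_FACTOR = 10                             # flag exports > 10x median baseline
NOW = datetime(2030, 1, 15, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed daily export volumes (bytes) from a normal week.
BASELINE = [40_000_000, 55_000_000, 48_000_000, 61_000_000, 52_000_000]

# Constructed session records; every one of them authenticated successfully.
SESSIONS = [
    {"id": "s1", "client_ip": "203.0.113.17", "bytes_out": 50_000_000,
     "token_issued": NOW - timedelta(days=5)},
    {"id": "s2", "client_ip": "198.51.100.44", "bytes_out": 2_300_000_000_000,
     "token_issued": NOW - timedelta(days=400)},
    {"id": "s3", "client_ip": "203.0.113.20", "bytes_out": 47_000_000,
     "token_issued": NOW - timedelta(days=400)},
]

def review_sessions(sessions, baseline, now):
    """Return [(session_id, [reasons])] for sessions outside the normal profile."""
    typical = median(baseline)
    findings = []
    for s in sessions:
        reasons = []
        src = ip_address(s["client_ip"])
        if not any(src in net for net in ALLOWED_NETS):
            reasons.append("source outside vendor allow-list")
        if s["bytes_out"] > VOLUME_FACTOR * typical:
            reasons.append("export volume far above baseline")
        if now - s["token_issued"] > MAX_TOKEN_AGE:
            reasons.append("token older than rotation window")
        if reasons:
            findings.append((s["id"], reasons))
    return findings

if __name__ == "__main__":
    for sid, reasons in review_sessions(SESSIONS, BASELINE, NOW):
        print(sid, "->", "; ".join(reasons))
```

Session s3 shows why rotation is checked separately: its source and volume look normal, yet the long-lived token is exactly what makes a later theft usable.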
The legal side
If player data gets leaked before the April 14 deadline, Rockstar faces GDPR and CCPA disclosure obligations, potential FTC scrutiny, class action exposure, and the kind of trust damage that’s hard to recover from when you’re two steps from a major game launch.
On your GTA Online account
There’s no evidence so far that individual player passwords or payment details were accessed. The breach appears to target corporate data. Still, if you haven’t enabled 2FA on your Rockstar Social Club account, now’s a reasonable time to do it.
One final note
This isn’t a story about a firewall failure or a weak password. The entry point was an authentication token sitting inside a third-party analytics tool that a major game studio trusted with broad access to its data. That’s where the exposure was, and it’s the kind of thing most companies still aren’t watching closely enough.
Disclaimer: This report is based on claims by threat actors and ongoing investigations. Rockstar Games has not confirmed the scope of any breach.








