ShinyHunters Leaks Rockstar Games Data via Anodot Supply Chain Attack
The ShinyHunters extortion gang has published data belonging to Rockstar Games on its leak site, following a breach of third-party cloud analytics provider Anodot. The incident is part of a broader supply chain attack campaign that has left over a dozen companies facing extortion demands after attackers accessed their data through compromised Anodot credentials.
Rockstar Games issued a brief statement downplaying the breach: "We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players."
ShinyHunters set an extortion deadline of April 14, 2026, for ransom payment before publishing the data — a deadline that has now passed.
How the Attack Unfolded
The attack did not target Rockstar's own infrastructure directly. Instead, threat actors compromised Anodot, a cloud cost monitoring and business analytics SaaS platform, and used that access to pivot into connected customer environments:
- Anodot credentials compromised — Attackers gained unauthorized access to Anodot's platform through stolen or brute-forced authentication tokens
- Customer data accessed — Anodot's integrations with downstream cloud services (including Snowflake data warehouses) provided attackers with a path to customer business data
- Snowflake pivoting — Authentication tokens extracted from Anodot enabled access to Rockstar's Snowflake data warehouse, which housed analytics and business intelligence data
- Extortion campaign launched — Over a dozen companies affected by the Anodot breach received ransom demands before ShinyHunters began publishing stolen data publicly
What Data Was Stolen
Rockstar characterized the exposed data as "non-material company information." Security researchers tracking the incident suggest the stolen data likely includes:
| Category | Description |
|---|---|
| Financial analytics | Cloud cost data, spend reports, and budget metrics |
| Business intelligence | Marketing analytics, player spending behavioral data |
| Internal documents | Contract summaries, planning documents, operational reports |
| Authentication tokens | Credentials enabling Snowflake access |
Rockstar confirmed no player personal data or financial information related to players was compromised.
ShinyHunters' Ongoing Extortion Playbook
This incident follows a well-established ShinyHunters pattern. The group rose to prominence through a series of high-profile Snowflake-adjacent breaches in 2024-2025, targeting organizations by:
- Compromising third-party SaaS vendors with broad data access
- Exfiltrating data from Snowflake environments using stolen credentials
- Issuing pay-or-leak ultimatums with short deadlines
- Publishing stolen data when ransoms go unpaid to establish credibility for future demands
Previous notable ShinyHunters victims include AT&T, Ticketmaster, Santander, and dozens of other enterprises breached through Snowflake credential compromise.
The Broader Anodot Breach
Rockstar is one of more than a dozen companies confirmed or suspected to be impacted by the Anodot supply chain compromise. The full scope of the campaign is still being assessed. Companies with Anodot integrations — particularly those connecting the platform to Snowflake, AWS, Azure, or GCP environments — should:
- Audit Anodot integration permissions and revoke unnecessary data access
- Review Snowflake access logs for unauthorized queries or data exports
- Rotate all Anodot-linked authentication credentials immediately
- Check for unauthorized API access in connected cloud environments
- Monitor for extortion contact from ShinyHunters or affiliated actors
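One way to carry out the Snowflake log review in the list above, as an added example that is not from the article or from Snowflake or Anodot. It assumes login and query history have been exported to rows whose field names are modeled on Snowflake's ACCOUNT_USAGE views, with the session id already joined onto each login row; the service user `ANODOT_SVC`, the vendor egress range and the row ceiling are hypothetical.

```python
import ipaddress
import re

# Assumptions (hypothetical): vendor connector egress range, service user, row ceiling.
VENDOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SERVICE_USER = "ANODOT_SVC"
ROW_LIMIT = 1_000_000
# Statements that unload table data to a stage (COPY INTO @...) or download staged files (GET @...).
EXPORT_RE = re.compile(r"^\s*(COPY\s+INTO\s+@|GET\s+@)", re.IGNORECASE)

def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_NETS)

def review(logins, queries, user=SERVICE_USER):
    """Return (reason, event_or_query_id) findings for one integration user."""
    findings, suspect_sessions = [], set()
    for ev in logins:
        if ev["USER_NAME"] != user or ev["IS_SUCCESS"] != "YES":
            continue
        if not ip_allowed(ev["CLIENT_IP"]):
            # Valid credentials used from outside the vendor's range: treat the session as suspect.
            suspect_sessions.add(ev["SESSION_ID"])
            findings.append(("login_from_unlisted_ip", ev["EVENT_ID"]))
    for q in queries:
        if q["USER_NAME"] != user:
            continue
        if q["SESSION_ID"] in suspect_sessions:
            findings.append(("query_in_suspect_session", q["QUERY_ID"]))
        if EXPORT_RE.match(q["QUERY_TEXT"]):
            findings.append(("export_statement", q["QUERY_ID"]))
        elif q["ROWS_PRODUCED"] > ROW_LIMIT:
            findings.append(("large_result", q["QUERY_ID"]))
    return findings

# Constructed sample rows (not real log data); addresses are from documentation ranges.
LOGINS = [
    {"EVENT_ID": "e1", "USER_NAME": "ANODOT_SVC", "CLIENT_IP": "192.0.2.10", "IS_SUCCESS": "YES", "SESSION_ID": 101},
    {"EVENT_ID": "e2", "USER_NAME": "ANODOT_SVC", "CLIENT_IP": "203.0.113.77", "IS_SUCCESS": "YES", "SESSION_ID": 202},
    {"EVENT_ID": "e3", "USER_NAME": "ANALYST1", "CLIENT_IP": "198.51.100.5", "IS_SUCCESS": "YES", "SESSION_ID": 303},
]
QUERIES = [
    {"QUERY_ID": "q1", "USER_NAME": "ANODOT_SVC", "SESSION_ID": 101, "QUERY_TEXT": "SELECT day, SUM(cost) FROM spend GROUP BY day", "ROWS_PRODUCED": 90},
    {"QUERY_ID": "q2", "USER_NAME": "ANODOT_SVC", "SESSION_ID": 202, "QUERY_TEXT": "SHOW TABLES", "ROWS_PRODUCED": 40},
    {"QUERY_ID": "q3", "USER_NAME": "ANODOT_SVC", "SESSION_ID": 202, "QUERY_TEXT": "COPY INTO @tmp_stage FROM spend", "ROWS_PRODUCED": 5000000},
    {"QUERY_ID": "q4", "USER_NAME": "ANODOT_SVC", "SESSION_ID": 101, "QUERY_TEXT": "SELECT * FROM spend", "ROWS_PRODUCED": 2500000},
]

if __name__ == "__main__":
    for reason, ident in review(LOGINS, QUERIES):
        print(reason, ident)
```

Every query in a session that began from an unlisted address is reported, since the credential itself is valid and only the origin and the activity distinguish misuse from the integration's normal reads.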
Incident Response Considerations
For security teams at organizations using Anodot or similar cloud cost/analytics platforms, this incident underscores the risk profile of third-party SaaS integrations:
- Least privilege principle — Limit what data SaaS analytics platforms can access
- Token rotation policies — Regularly rotate API keys and OAuth tokens for third-party integrations
- Vendor breach monitoring — Subscribe to vendor security notifications and monitor threat intelligence for SaaS provider compromises
- Data classification — Understand what business-sensitive data flows into analytics platforms