the threat gazette
Afternoon Update
Intraday Update
Cloud

ShinyHunters Breaches Rockstar Games via Third-Party Snowflake Access Through Anodot

LAPSUS$ Scattered Spider

Updated from this morning's coverage: the access vector for ShinyHunters' claimed Rockstar Games breach is now attributed to Anodot, a FinOps/cost-monitoring SaaS platform with read access to Rockstar's Snowflake environment. This is a supply-chain lateral move through the Snowflake ecosystem — not a direct credential compromise against Snowflake itself. The April 14 ransom deadline has passed with no public confirmation of payment. Rockstar's public statements continue to minimize impact, consistent with their 2022 breach communications posture and likely driven by liability management rather than technical assessment. A data publication event is the probable next step.

The operational significance for financial institutions: the Snowflake attack surface is no longer limited to direct credential hygiene. Any SaaS integration granted Snowflake access — analytics platforms, cost monitors, observability tools — is now a validated pivot point. This extends the same supply-chain chokepoint exploited in the 2024 UNC5537 campaign that hit Santander and ~165 other Snowflake tenants, but through a more sophisticated vector.

This is a maturation of the Snowflake ecosystem targeting playbook. After Mandiant's May 2024 UNC5537 disclosure drove widespread MFA enforcement on direct Snowflake access, adversaries have predictably shifted to the constellation of SaaS tools that hold delegated credentials. Anodot is a FinOps tool — exactly the kind of integration that gets provisioned with broad read access and then forgotten. Any Snowflake-dependent org should be inventorying which third-party platforms hold credentials and what scopes they've been granted.
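One way to start that inventory from inside the warehouse itself. This is an added example, not a query from the gazette or from any vendor named above; it assumes the querying role has IMPORTED PRIVILEGES on the SNOWFLAKE database, that the USERS view exposes the TYPE column (present on current Snowflake editions), and that non-human integrations show up either as SERVICE/LEGACY_SERVICE users or as users holding an RSA public key. Mapping each account back to the vendor that holds its credential still has to come from your own provisioning records.

```sql
-- Inventory of non-human Snowflake users and the breadth of their read access.
-- Added example, not from the article. Assumptions: IMPORTED PRIVILEGES on the
-- SNOWFLAKE database; service accounts are TYPE SERVICE/LEGACY_SERVICE or use
-- key-pair auth. ACCOUNT_USAGE views lag (LOGIN_HISTORY ~2h, GRANTS_* ~3h).

WITH service_users AS (
    SELECT name AS user_name, type, has_password, has_rsa_public_key,
           last_success_login, disabled
    FROM snowflake.account_usage.users
    WHERE deleted_on IS NULL
      AND (type IN ('SERVICE', 'LEGACY_SERVICE') OR has_rsa_public_key = TRUE)
),
user_roles AS (
    -- roles granted directly to each service user
    SELECT gu.grantee_name AS user_name, gu.role AS role_name
    FROM snowflake.account_usage.grants_to_users gu
    JOIN service_users su ON su.user_name = gu.grantee_name
    WHERE gu.deleted_on IS NULL
),
read_scope AS (
    -- objects on which each role holds SELECT directly; grants inherited through
    -- the role hierarchy are not expanded here (resolve those with SHOW GRANTS)
    SELECT gr.grantee_name AS role_name,
           COUNT_IF(gr.granted_on = 'TABLE') AS tables_readable,
           COUNT_IF(gr.granted_on = 'VIEW')  AS views_readable,
           COUNT(DISTINCT gr.table_catalog)  AS databases_touched
    FROM snowflake.account_usage.grants_to_roles gr
    WHERE gr.deleted_on IS NULL
      AND gr.privilege = 'SELECT'
      AND gr.granted_to = 'ROLE'
    GROUP BY gr.grantee_name
),
last_client AS (
    -- most recent successful login per user: client type, source IP and factors
    -- used, which is what ties a Snowflake user back to a specific SaaS vendor
    SELECT user_name, reported_client_type, client_ip,
           first_authentication_factor, second_authentication_factor
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
    QUALIFY ROW_NUMBER() OVER (PARTITION BY user_name ORDER BY event_timestamp DESC) = 1
)
SELECT su.user_name, su.type, su.disabled, su.last_success_login,
       lc.reported_client_type, lc.client_ip,
       lc.first_authentication_factor, lc.second_authentication_factor,
       ur.role_name, rs.tables_readable, rs.views_readable, rs.databases_touched
FROM service_users su
LEFT JOIN user_roles  ur ON ur.user_name = su.user_name
LEFT JOIN read_scope  rs ON rs.role_name = ur.role_name
LEFT JOIN last_client lc ON lc.user_name = su.user_name
ORDER BY rs.tables_readable DESC NULLS LAST, su.last_success_login;
```

Rows with a wide read scope, a single password factor and no second factor, or a last login older than the integration's known usage are the ones to reconcile first against the vendor list; users that never appear in LOGIN_HISTORY but still hold grants are candidates for revocation.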

2026-04-12

Editorial

The ShinyHunters/Scattered Spider nexus targeting Snowflake has quietly completed an evolutionary leap: the breach vector into Rockstar wasn't Snowflake credentials at all, but Anodot — a FinOps SaaS platform with read access to the warehouse. This is the 2024 Snowflake campaign playbook matured past its awkward adolescence. The actors learned the obvious lesson from Mandiant's response last time: if credential stuffing the front door gets noisy, compromise the dozens of SaaS tools that already have keys. For financial institutions running Snowflake, the uncomfortable question isn't whether your Snowflake credentials are rotated — it's whether you can even enumerate every third-party integration holding warehouse credentials, and whether those vendors' own security postures would survive contact with Scattered Spider's social engineering.

The appearance of both LAPSUS$ and Scattered Spider as newly attributed actors in the trajectory data is worth flagging — these groups share personnel and TTPs but represent distinct operational clusters, and their simultaneous attribution suggests law enforcement or threat intel firms are still untangling the web of who did what. The broader pattern is clear regardless of attribution: data warehouse platforms have become the gravitational center of a supply-chain attack surface that extends through every SaaS tool granted read access. The perimeter isn't Snowflake anymore — it's the entire constellation of integrations orbiting it.
