Games, News

Rockstar Games Confirms Breach: ShinyHunters “Pay or Leak” Deadline via Anodot Snowflake Token Theft

Photo of author

By TGT Staff

ShinyHunters Claims Rockstar Games Snowflake Breach via Anodot | The Game Tribune
⚠ Security Breach

When Your Cloud Monitor Becomes the Backdoor: The Rockstar–Anodot–Snowflake Chain

ShinyHunters didn’t break Snowflake’s security — they walked around it. Here’s exactly how, and what Rockstar confirmed.

On April 11, 2026, hacking group ShinyHunters posted on its dark web leak site claiming it had accessed Rockstar Games‘ Snowflake cloud environment — with a ransom deadline set for April 14. Rockstar confirmed the same day that a “limited amount of non-material company information” was accessed through a third-party breach. No player data or passwords are believed to have been compromised. The stated entry point was Anodot — a SaaS cloud cost monitoring and analytics platform connected to Rockstar’s Snowflake environment. This appears to be part of a wider campaign in which ShinyHunters has targeted companies through third-party cloud integrations, with the group having previously claimed access to data from over 400 companies via Salesforce in March 2026. Below is an interactive breakdown of the attack chain, key facts, and the full timeline.

How It Happened
The Attack Chain — Tap Each Step
ShinyHunters never cracked Snowflake’s encryption. They used a side door that was already trusted.
1
🎯
Anodot Breached
Third-party SaaS platform compromised
2
🔑
Token Theft
Auth tokens extracted from Anodot systems
3
🚪
Snowflake Entry
Tokens used to enter as a trusted service
4
📦
Data Exported
Corporate data pulled via normal DB operations
5
💬
Ransom Demand
Pay by April 14 or data gets leaked publicly
👆 Tap any step above to see the detail
Each step in the chain is explained in plain English when tapped.
By the Numbers
ShinyHunters — The Scale of Their Operations
2020
Year ShinyHunters became active
400+
Companies claimed in March 2026 Salesforce campaign
26
Organisations whose data was published post-ransom
Apr 14
Rockstar ransom deadline set by ShinyHunters
$5M
Cost to Rockstar from the 2022 Lapsus$ breach
90
GTA VI development clips leaked in 2022
ShinyHunters — Dark Web Post, April 11
“Rockstar Games, your Snowflake instances were compromised thanks to Anodot.com. Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.”
— ShinyHunters, Dark Web Leak Site, April 11, 2026
Full Timeline
Rockstar Breaches — 2022 to 2026
Two separate incidents, four years apart, carried out by two different groups using two entirely different methods.
September 2022
Arion Kurtaj — then 18, from Oxford, and a member of hacking group Lapsus$ — accessed Rockstar Games’ internal Slack channel while on bail for separate cybercrime charges. He used an Amazon Fire Stick, a hotel television and a mobile phone to carry out the attack. Over 90 in-development GTA VI clips were leaked online. The breach cost Rockstar $5 million and thousands of staff hours. In December 2023, a UK judge issued Kurtaj an indefinite hospital order in a secure psychiatric facility, citing his continued intent to reoffend and the risk he posed to the public.
March 2026
ShinyHunters claims to have obtained data tied to more than 400 companies through a Salesforce-linked campaign. The group subsequently published data from 26 of those organisations on its dark web leak site. Cisco and Canadian telecom Telus were among named victims in this broader wave. See also: PS6 Device Leak and the security landscape in 2026.
April 11, 2026 — Claim Posted
ShinyHunters publishes a message on its dark web leak site claiming access to Rockstar Games’ Snowflake cloud instances via Anodot. The group sets a ransom deadline of April 14. Anodot‘s own site shows “crucial maintenance” active in its Frankfurt Cluster during this period. Snowflake confirmed to BleepingComputer that Anodot had suffered a security incident.
April 11, 2026 — Rockstar Confirms
Rockstar Games issues an official statement: “We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.” No player passwords or payment data are believed to have been compromised. The data accessed is described as limited corporate information.
April 14, 2026 — The Deadline
ShinyHunters’ stated deadline for Rockstar to respond. If no contact or payment is made, the group has threatened to release the stolen data publicly. The exact ransom amount and full scope of data have not been disclosed. As of the deadline date, no data has been published. GTA VI — with a November 2026 window previously confirmed by Take-Two — has not been affected per Rockstar’s statement.
Official Response
Rockstar Games’ Statement
🎮 Rockstar Games — Spokesperson, April 11, 2026
“We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.”
Statement provided to Kotaku, April 11, 2026
Plain English Breakdown
Not a Tech Person? Here’s What It All Means
Tap any card to expand the explanation.
❄️ What is Snowflake?
Snowflake is a cloud data warehouse used by thousands of companies — including many in gaming. It stores large volumes of business data: financials, analytics, marketing data, user behaviour. Snowflake’s own security was not breached here. The attackers bypassed it entirely by entering through a trusted third-party connection.
📊 What is Anodot?
Anodot is a SaaS platform companies use to monitor and optimise their cloud spending and detect anomalies. To do that job it needs broad access to cloud infrastructure, including Snowflake. Snowflake confirmed Anodot suffered a security incident. Anodot’s own site also showed active maintenance in its Frankfurt Cluster around the time of the breach.
🔐 What is an Authentication Token?
An authentication token is a digital pass key that lets one software service communicate with another automatically — no human types a password each time. When ShinyHunters extracted Anodot’s tokens, Rockstar’s Snowflake environment read the access as legitimate and trusted. ShinyHunters reportedly ran database exports for a period of time before anything was flagged.
💼 What data was potentially at risk?
Based on what Snowflake environments are typically used for, corporate data potentially at risk could include financial records from GTA Online and Red Dead Online, marketing timelines, platform contracts, player analytics, and internal business documents. Rockstar has confirmed the accessed data was limited and “non-material.” There is no evidence that player passwords, payment data, or GTA VI development files were accessed.
👥 Who are ShinyHunters?
ShinyHunters is a hacking group active since 2020. Rather than exploiting software vulnerabilities, they focus on API keys, identity systems and third-party integrations to gain access that appears legitimate. Past confirmed victims include Microsoft, Ticketmaster, AT&T, Wattpad, SoundCloud, and Cisco. In late 2025, they were linked to a Mixpanel breach affecting OpenAI and others.
🎮 Does this affect GTA VI?
Rockstar has stated the breach has “no impact on our organization or our players.” There is no confirmed evidence that game source code or development assets were part of the accessed data. Take-Two Interactive had previously confirmed a November 2026 release window for GTA VI. The company has not issued any statement connecting the breach to GTA VI’s development or release schedule.

The incident was reported after Rockstar Games confirmed its systems were accessed through a third-party data breach. The company’s statement described the data as limited and non-material, with no impact on players or internal operations. ShinyHunters’ April 14 ransom deadline was covered across cybersecurity and gaming outlets. Rockstar’s previous major breach occurred in September 2022, when Lapsus$ member Arion Kurtaj accessed the company’s internal Slack channel using an Amazon Fire Stick and leaked over 90 GTA VI development clips. Kurtaj received an indefinite hospital order from a UK court in December 2023.

The 2026 breach involved no direct attack on Rockstar’s systems or on Snowflake‘s own infrastructure. Access was obtained through authentication tokens extracted from Anodot, a third-party cloud monitoring platform Rockstar used. Further reading: Samson PC Launch — Liquid Swords | PS6 Device Leak Details.

Sony’s $649 PS5 Hike and PS6 Three-Device Leak With $999 Ceiling Put 2027 Launch on Thin Ice

Leave a comment