Snowflake Data Theft via SaaS Integrator Breach

ShinyHunters stole auth tokens from Anodot to hit Snowflake customers. Here's what happened, who's affected, and how to protect your integrations.
Over a dozen companies have been hit by data theft attacks after a SaaS integration provider was compromised, exposing authentication tokens that attackers used to access cloud platforms. The primary target was the cloud data platform Snowflake, though threat actors also attempted to breach Salesforce before being blocked.
Snowflake confirmed "unusual activity" in a small number of customer accounts tied to a specific third-party integration. The company locked down impacted accounts and notified affected customers, but emphasized its own systems were not breached. The vulnerability was not in Snowflake itself. It was in the trust relationship between Snowflake and an external integration partner.
How the Anodot Breach Enabled the Attacks
Multiple sources told BleepingComputer the breach originated at Anodot, an AI-based analytics company that provides real-time anomaly detection for business and operational data. Anodot was acquired by data analytics company Glassbox in November 2025. Since Saturday, Anodot's status page has shown all connectors down across every geographic region, including Snowflake, S3, and Amazon Kinesis.
The ShinyHunters extortion group has claimed responsibility. They told BleepingComputer they stole authentication tokens from Anodot last Friday and used those tokens to pull data from dozens of companies. They also hinted they may have had access to Anodot systems for longer than a single incident window suggests. That detail matters a lot. It means token exposure may predate the known breach window by days or weeks.
Why Stolen Auth Tokens Are So Dangerous
Authentication tokens bypass password-based controls entirely. Once an attacker has a valid token, they authenticate as a legitimate service account. No brute force needed. No MFA prompt triggered (in most integrations). The attacker just looks like Anodot querying your Snowflake instance.
This is the core problem with SaaS-to-SaaS integrations. Each integration point is a new trust boundary, and each one can become an attack surface. If a third-party integration provider stores long-lived tokens without proper rotation or scope limiting, a breach of that provider hands attackers the keys to every customer environment connected through it.
ShinyHunters also attempted to exfiltrate data from Salesforce accounts using the same stolen tokens, but AI-based detection blocked the attempt before data left.
Impact on Developers and Engineering Teams
If your organization uses Anodot or any similar third-party analytics or anomaly detection service with Snowflake or Salesforce integrations, your environment could be in scope. Even if you were not directly impacted, this incident points to a systemic risk in how SaaS integrations handle credential storage and token lifecycle management.
The extortion angle adds pressure. ShinyHunters is actively demanding ransom payments from affected companies to prevent public data release. Payoneer confirmed awareness of the Anodot breach but stated it was not impacted after an internal review.
How to Reduce Your Exposure
Audit every third-party integration connected to your Snowflake, Salesforce, or other cloud data platform accounts. Specifically, look for:
- Long-lived tokens with broad data access granted to external SaaS providers
- Integration accounts without IP allowlisting or scope restrictions
- Any integration using service accounts that lack MFA or session limits
Rotate all Snowflake integration tokens immediately if you use Anodot. Review Snowflake's access history logs for unusual query patterns in the last two weeks, not just since Saturday. Check your SIEM for outbound data transfers tied to Anodot connector IPs.
Going forward, enforce short token lifespans and require integration partners to document their own credential storage and rotation policies before you grant access. You can also run an automated scan of your web-facing endpoints to identify exposed authentication surfaces that could be leveraged in similar integration-based attacks.
More detail on securing SaaS-to-SaaS trust boundaries is covered in our guide to third-party integration security.
What exactly did ShinyHunters steal from Anodot?
The group claims they obtained authentication tokens stored by Anodot, which they then used to query Snowflake environments belonging to Anodot's customers. The full scope of stolen data has not been confirmed publicly.
Does this mean Snowflake itself was hacked?
No. Snowflake's own systems were not compromised. The attack exploited tokens held by a third-party integration provider. The breach was in Anodot's environment, not Snowflake's infrastructure.
How do I know if my Snowflake account was accessed?
Check your Snowflake account's login history and query logs for activity originating from Anodot service accounts or unfamiliar IP ranges, especially between April 4 and April 7, 2026. Contact Snowflake support if you see anomalies.
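The two-week log review recommended under "How to Reduce Your Exposure" and in the answer above can be scripted over exported rows. The following is an added example, not code from Snowflake, Anodot or this article. Column names follow Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY views, while the service-user name, vendor IP range, spike factor and all sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Assumptions, not from the article: service-user name, vendor CIDR, spike factor.
INTEGRATION_USERS = {"SVC_ANALYTICS"}
VENDOR_NETS = [ip_network("198.51.100.0/24")]  # placeholder documentation range
LOOKBACK = timedelta(days=14)                  # two weeks, not just since disclosure
SPIKE_FACTOR = 5

def suspicious_logins(logins, now):
    """Successful integration-user logins in the window from outside vendor ranges."""
    return [r for r in logins
            if r["USER_NAME"] in INTEGRATION_USERS and r["IS_SUCCESS"] == "YES"
            and now - r["EVENT_TIMESTAMP"] <= LOOKBACK
            and not any(ip_address(r["CLIENT_IP"]) in n for n in VENDOR_NETS)]

def volume_spikes(queries, now):
    """(user, day, rows) where a day's ROWS_PRODUCED in the window exceeds
    SPIKE_FACTOR x the median daily total from before the window."""
    daily = defaultdict(int)
    for q in queries:
        if q["USER_NAME"] in INTEGRATION_USERS:
            daily[(q["USER_NAME"], q["START_TIME"].date())] += q["ROWS_PRODUCED"]
    cutoff = (now - LOOKBACK).date()
    spikes = []
    for user in sorted(INTEGRATION_USERS):
        base = [v for (u, d), v in daily.items() if u == user and d < cutoff]
        if not base:
            continue  # no baseline for this user: review its queries by hand
        limit = SPIKE_FACTOR * median(base)
        spikes += [(u, d, v) for (u, d), v in sorted(daily.items())
                   if u == user and d >= cutoff and v > limit]
    return spikes

# Constructed sample rows using LOGIN_HISTORY / QUERY_HISTORY column names.
NOW = datetime(2026, 4, 8)
def login(ts, ip, ok="YES", user="SVC_ANALYTICS"):
    return {"USER_NAME": user, "EVENT_TIMESTAMP": ts, "CLIENT_IP": ip, "IS_SUCCESS": ok}
LOGINS = [login(datetime(2026, 4, 2, 3), "198.51.100.20"),
          login(datetime(2026, 4, 4, 23), "203.0.113.77"),
          login(datetime(2026, 4, 5, 1), "203.0.113.77", ok="NO"),
          login(datetime(2026, 3, 1, 9), "203.0.113.5"),
          login(datetime(2026, 4, 5, 8), "192.0.2.10", user="ALICE")]
QUERIES = [{"USER_NAME": "SVC_ANALYTICS", "START_TIME": datetime(2026, m, d, 2),
            "ROWS_PRODUCED": n}
           for m, d, n in [(3, 20, 1000), (3, 21, 1100), (3, 22, 900),
                           (4, 3, 1200), (4, 5, 90000)]]
```

Widen LOOKBACK if the provider's exposure window turns out to be longer, and treat a service user with no pre-window baseline as needing manual review rather than as clean.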