Active Data Theft Campaign Targeting Snowflake Customers via Anodot Third-Party SaaS Integration Breach


Executive Summary

On 7 April 2026, open-source reports emerged that multiple companies had suffered data theft attacks after a SaaS integration provider was breached and its authentication tokens stolen. While the stolen tokens were used against numerous cloud storage and SaaS vendors, the majority of the data theft attacks targeted the cloud-based data warehouse platform Snowflake.

Snowflake confirmed “unusual activity” to BleepingComputer, stating that a small number of its customers were impacted, linked to a specific third-party integration. Snowflake stressed that the attacks did not involve any vulnerability or compromise of its own systems.

Key Takeaways

  • Supply chain is the vector: The breach exploited a trusted third-party SaaS integrator with privileged access.
  • Token theft: Authentication tokens were the primary attack instrument, bypassing traditional password-based controls.
  • Extortion underway: ShinyHunters is actively demanding ransom; affected organizations face immediate data exposure risk.
  • Lateral movement attempted: The attacker attempted to pivot from Snowflake environments to Salesforce, signaling efforts at a broad, multi-platform campaign.
  • Dwell time concern: The threat actor hinted at prolonged access to Anodot systems before the campaign was executed.

Technical Details

Threat Actor

Numerous companies are now being extorted by the ShinyHunters extortion gang, which is demanding ransom payments to prevent the release of stolen data. The group told BleepingComputer that it was behind the attacks and claimed to have stolen data from dozens of companies.

The threat actors also claimed the attack stems from a security incident at Anodot, an AI-based analytics company that provides real-time anomaly detection for business and operational data, alleging that they had access to the company for some time.

Attempted Lateral Movement

As part of these attacks, the threat actor attempted to use the stolen authentication tokens to steal data from Salesforce but was detected before they could succeed. ShinyHunters confirmed their attempts to steal data from Salesforce but said they were blocked by AI detection.

Affected Parties & Confirmed Response

Only one company, Payoneer, replied to BleepingComputer inquiries, stating it was aware of the integrator breach but was not impacted: “We’re aware of a security incident involving a third-party service provider, Anodot. Based on our review, Payoneer has not been impacted.”

Google’s Threat Intelligence Group confirmed it is aware of the incident and is actively tracking it.

Snowflake immediately launched an investigation and, out of an abundance of caution, locked down potentially impacted customer accounts, notifying them and providing precautionary guidance.

Mitigation Options

Immediate Actions

  • Audit third-party integrations: Identify all SaaS integrators with access to your Snowflake environment and review their permission scopes.
  • Rotate authentication tokens: Revoke and reissue all tokens associated with third-party integrations, particularly those connected to Anodot or Glassbox products.
  • Review Snowflake access logs: Look for anomalous query patterns, bulk exports, or access from unfamiliar IP addresses.
  • Enable MFA on all Snowflake accounts: Particularly for accounts accessible via third-party integrations.
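The log review and MFA items above can be started with two hunts over Snowflake's built-in ACCOUNT_USAGE views. The queries below are an added example, not from the original advisory or from Snowflake; they assume a role with access to the SNOWFLAKE database (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on it), and the 7-day hunt window, 30-day baseline and volume thresholds are assumed values to tune per environment.

```sql
-- Hunt 1: successful logins from a client IP never seen for that user in the
-- 30 days before the hunt window, surfacing single-factor (no MFA) sessions first.
WITH baseline AS (
    SELECT DISTINCT user_name, client_ip
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp BETWEEN DATEADD(day, -37, CURRENT_TIMESTAMP())
                              AND DATEADD(day,  -7, CURRENT_TIMESTAMP())
),
recent AS (
    SELECT event_timestamp, user_name, client_ip, reported_client_type,
           first_authentication_factor, second_authentication_factor
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
)
SELECT r.*
FROM recent r
LEFT JOIN baseline b
       ON b.user_name = r.user_name AND b.client_ip = r.client_ip
WHERE b.client_ip IS NULL                        -- IP not in this user's baseline
ORDER BY (r.second_authentication_factor IS NULL) DESC,  -- no-MFA sessions first
         r.event_timestamp DESC;

-- Hunt 2: bulk result sets and stage unloads, joined back through SESSIONS to
-- LOGIN_HISTORY so each suspicious query carries the source IP and client app.
-- Thresholds (1M rows, 1 GiB written to result) are assumed starting points.
SELECT q.start_time, q.user_name, q.role_name, q.query_type,
       q.rows_produced, q.rows_unloaded, q.bytes_written_to_result,
       s.client_application_id, l.client_ip,
       LEFT(q.query_text, 200) AS query_excerpt
FROM snowflake.account_usage.query_history q
JOIN snowflake.account_usage.sessions s      ON s.session_id = q.session_id
JOIN snowflake.account_usage.login_history l ON l.event_id = s.login_event_id
WHERE q.start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND q.execution_status = 'SUCCESS'
  AND (q.query_type = 'UNLOAD'                  -- COPY INTO <external stage>
       OR q.rows_produced > 1000000
       OR q.bytes_written_to_result > 1073741824)
ORDER BY q.bytes_written_to_result DESC;
```

ACCOUNT_USAGE views are populated with a latency of up to a few hours, so a hunt run immediately after token revocation should be repeated later; hits from Hunt 1 that map to an integrator's service user are the sessions to cross-check against Hunt 2.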

Short-Term Actions

  • Implement least-privilege access: Ensure third-party integrators only have access to the data they strictly require.
  • Monitor for extortion contact: Brief legal and communications teams on ShinyHunters TTPs in the event of ransom demands.
  • Assess Salesforce exposure: Given the attempted pivot, validate Salesforce access controls and token hygiene.

Strategic Actions

  • Strengthen third-party risk management (TPRM): Require SaaS vendors to demonstrate security controls, incident response plans, and breach notification obligations contractually.
  • Deploy behavioral threat intelligence: Operationalize threat intelligence to detect anomalous access patterns in real time across cloud platforms.
  • Establish supply chain monitoring: Continuously monitor the security posture of integrated SaaS providers, not just point-in-time assessments.
