Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen, with Snowflake customers being the primary target.
Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, BleepingComputer has learned that the majority of the data theft attacks targeted the cloud data platform Snowflake.
Snowflake confirmed "unusual activity" to BleepingComputer, stating that a small number of its customers were impacted. "We recently detected unusual activity within a small number of Snowflake customer accounts linked to a specific third-party integration," Snowflake told BleepingComputer. "We immediately launched an investigation and, out of an abundance of caution, locked down potentially impacted customer accounts. We also notified potentially impacted customers and provided precautionary guidance to help them further protect their accounts."
Snowflake stressed that the attacks did not involve any vulnerability or compromise of its systems. As part of these attacks, the threat actor allegedly attempted to use the stolen authentication tokens to steal data from Salesforce, but was detected before they could succeed.
Data theft after alleged Anodot breach
While Snowflake would not confirm which third-party integration partner was linked to these attacks, BleepingComputer was told by numerous sources that the attacks stem from a security incident at data anomaly detection company Anodot.
Anodot is an AI-based analytics company that provides real-time anomaly detection for business and operational data, helping organizations automatically spot unusual changes in revenue, transactions, and system performance using machine learning. Data analytics company Glassbox acquired the company in November 2025.
BleepingComputer was told that numerous companies are now being extorted by the ShinyHunters extortion gang, which is demanding ransom payments to prevent the release of stolen data. After learning of the attacks, the ShinyHunters group confirmed to BleepingComputer that they were behind them, claiming to have stolen data from dozens of companies this past Friday.
They also confirmed their attempts to steal data from Salesforce, but said they were blocked by AI detection. The blocked attempt comes amid a wave of data theft attacks over the past year targeting Salesforce customers.
The threat actors also claimed the attack stems from a security incident at Anodot, hinting that they allegedly had access to the company for some time. The threat actor shared some of the companies allegedly affected by the incident, but BleepingComputer will not name them without confirmation.
Only one company, Payoneer, replied to our emails, stating that it aware of the integrator breach but was not impacted. "We're aware of a security incident involving a third-party service provider, Anodot. Based on our review, Payoneer has not been impacted," Payoneer said in a statement to BleepingComputer.
Google's Threat Intelligence Group, which has been tracking many of this year's data theft campaigns, also confirmed to BleepingComputer that it is aware of the incident and is tracking it, but had nothing further to share at this time.
BleepingComputer has sent multiple emails to Anodot and its parent company, Glassbox, but has not yet received a reply.
Key takeaways for organizations
This incident highlights several critical security considerations for organizations using cloud services and SaaS integrations:
Third-party risk management: Organizations must thoroughly vet and continuously monitor the security posture of all third-party integration partners, as their security failures can directly impact your data security.
Token security: Authentication tokens represent a significant attack vector. Organizations should implement token rotation policies, monitor for unusual token usage patterns, and consider using short-lived tokens where possible.
Multi-factor authentication: While not mentioned in this specific incident, MFA remains a critical defense layer that can prevent unauthorized access even when tokens are compromised.
Data access monitoring: Implementing robust monitoring for unusual data access patterns can help detect and prevent data exfiltration attempts before they succeed.
Incident response planning: Having a clear incident response plan that includes communication protocols with third-party providers and customers is essential for minimizing damage when breaches occur.
This breach serves as a reminder that in today's interconnected cloud ecosystem, security is only as strong as the weakest link in your supply chain. Organizations must adopt a defense-in-depth approach that extends beyond their own infrastructure to include all third-party services and integrations.
Comments
Please log in or register to join the discussion