ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

Check

Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.

Affected

Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.

Fix

Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.