anodot - TrustStrike Labs

breach

2026-05-11

Zara confirmed in ShinyHunters Anodot fallout - 197,000 customer support records leaked

Zara is the latest big brand caught in the ShinyHunters extortion campaign tied to the March breach of analytics provider Anodot. The attackers - who got into Anodot in March and used that foothold to raid Snowflake-hosted data for at least a dozen downstream customers - have now published roughly one terabyte of files they say came from Zara's customer support system. Have I Been Pwned loaded 197,376 unique email addresses from the dump, along with product SKUs, order IDs, and the market each support ticket originated in. Zara's parent Inditex says no passwords or payment data were exposed.

shinyhunters extortion supply-chain anodot retail

Check: Search corporate email logs for a spike in phishing or fake order-status messages spoofing Zara customer service over the past 30 days, especially targeting users who shop with their work email.
Affected: Zara customers who contacted customer support are exposed via leaked email addresses, product SKUs, order IDs, and the market of origin (197,376 unique addresses confirmed by HIBP). Inditex has stated no passwords or payment information were included. Any organization whose data was held by Anodot remains part of this broader supply-chain campaign.
Fix: Treat the 197K leaked email addresses as confirmed-exposed for phishing targeting. Apply stricter inbound filtering for Zara order-status or return-label phishing lures. Educate employees who use work email for personal e-commerce. If your company uses Anodot, or routes data through Snowflake integrations exposed by the Anodot breach, follow the remediation Anodot and Snowflake published in April and rotate any tokens shared with Anodot.

breach

2026-04-28

Vimeo confirms user data was exposed via breach at analytics provider Anodot

Vimeo confirmed yesterday that user data was exposed when its analytics provider Anodot was breached. The video service hasn't said how many users are affected or what data was exposed beyond 'limited' account information, but Anodot's role suggests the leaked records include event-level user activity tied to Vimeo accounts: video views, account IDs, and the kind of telemetry analytics providers ingest. The pattern is the same as Citizens Bank, Frost Bank, Pitney Bowes, and now Vimeo: customer data leaks through a third-party vendor that the customer never directly signed up with.

vimeo anodot third-party analytics-provider supply-chain phishing-risk

Check: If you use Vimeo for any work-related video hosting, watch for Vimeo-themed phishing emails over the next few weeks referencing real account activity.
Affected: Vimeo users whose account data was processed by Anodot - a substantial subset given Anodot is a primary analytics provider. The risk is targeted phishing rather than account takeover: scammers who can reference real video views or account creation dates sound legitimate enough to bait credential resets. Organizations hosting marketing or training videos on Vimeo should expect staff targeting.
Fix: Treat any Vimeo email referencing your real account activity as potentially hostile - go to vimeo.com directly. Enable two-factor auth on Vimeo accounts, especially shared organizational ones. Review access logs for unfamiliar logins since April. For organizations: pull your vendor inventory and identify other analytics providers (Mixpanel, Heap, Amplitude) that hold customer data, and confirm breach notification SLAs.

breach

2026-04-07

ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

shinyhunters snowflake anodot saas supply-chain token-theft extortion

Check: Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.
Affected: Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.
Fix: Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.