snowflake - TrustStrike Labs

breach

2026-05-02

Mark Cuban-backed business filing service ZenBusiness leaked - 5 million customer records now public after ShinyHunters extortion failed

ZenBusiness customer data is now public on Have I Been Pwned, with 5,118,184 unique email addresses confirmed - alongside names, phone numbers, and CRM records pulled from Snowflake, Mixpanel, and Salesforce. ShinyHunters had threatened to publish the data in March after a failed extortion attempt; HIBP added the dataset yesterday. ZenBusiness is the AI-driven LLC formation and small business compliance platform backed by Mark Cuban. The breach extends the ShinyHunters wave that's already publicly released Pitney Bowes (8.2M), Carnival (7.5M), Udemy (1.4M), ADT (5.5M), and now ZenBusiness.

zenbusiness shinyhunters mark-cuban llc-formation small-business snowflake mixpanel salesforce leak-confirmed 5m-records

Check: If you used ZenBusiness to set up an LLC, treat any inbound communication referencing your real business name, formation date, or registered agent details as potentially hostile.
Affected: ZenBusiness customers - mostly small business owners, freelancers, and startup founders. The leak includes business formation details that uniquely identify the type of business you set up. Acute risk: small business owners targeted by 'compliance reminder' phishing referencing their real EIN, registered agent address, or annual report deadline.
Fix: Reset ZenBusiness account passwords and rotate any password reused on other accounts. Watch state filing systems for unauthorized changes to your registered agent or business address - attackers can hijack LLCs by changing these. Treat any 'urgent compliance notice' email as potentially hostile. For LLCs holding valuable assets, consider freezing changes through your secretary of state's office where supported.

breach

2026-04-07

ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

shinyhunters snowflake anodot saas supply-chain token-theft extortion

Check: Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.
Affected: Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.
Fix: Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.