Snowflake customers hit in data theft attacks after SaaS integrator breach

Source: Bleeping Computer

Snowflake data theft attacks

Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen.

While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, BleepingComputer has learned that the majority of the data theft attacks targeted the cloud‑based data warehouse platform Snowflake.

Snowflake confirmed “unusual activity” to BleepingComputer, stating that a small number of its customers were impacted.

“We recently detected unusual activity within a small number of Snowflake customer accounts linked to a specific third‑party integration,” Snowflake told BleepingComputer.
“We immediately launched an investigation and, out of an abundance of caution, locked down potentially impacted customer accounts. We also notified potentially impacted customers and provided precautionary guidance to help them further protect their accounts.”
Snowflake stressed that the attacks did not involve any vulnerability or compromise of its systems.

As part of these attacks, the threat actor allegedly attempted to use the stolen authentication tokens to steal data from Salesforce, but was detected before they could succeed.

Data theft after alleged Anodot breach

• Snowflake would not confirm which third‑party integration partner was linked to the attacks.
• Multiple sources told BleepingComputer that the attacks stem from a security incident at data‑anomaly detection company Anodot.
• Anodot is an AI‑based analytics company providing real‑time anomaly detection.
• Glassbox acquired Anodot in November 2025.

BleepingComputer was told that numerous companies are now being extorted by the ShinyHunters extortion gang, which is demanding ransom payments to prevent the release of stolen data.

• The ShinyHunters group confirmed they were behind the attacks, claiming to have stolen data from dozens of companies on a recent Friday.
• They also confirmed attempts to steal data from Salesforce, but said they were blocked by AI detection.

The blocked attempt comes amid a wave of data theft attacks over the past year targeting Salesforce customers:

• FBI warns of UNC6040/UNC6395 hackers stealing Salesforce data

The threat actors also hinted that the attack stems from a prolonged security incident at Anodot.

The threat actor shared some of the companies allegedly affected, but BleepingComputer will not name them without confirmation.

Payoneer response

Only one company, Payoneer, replied to our emails:

“We’re aware of a security incident involving a third‑party service provider, Anodot. Based on our review, Payoneer has not been impacted,”

Google’s Threat Intelligence Group, which has been tracking many of this year’s data‑theft campaigns, also confirmed awareness of the incident and is tracking it, but had no further details to share.

BleepingComputer has sent multiple emails to Anodot and its parent company, Glassbox, but has not yet received a reply.

Automated Pentesting Covers Only 1 of 6 Surfaces

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.