ShinyHunters Publishes Rockstar Games Data on Leak Site
Rockstar Games has become the latest victim in a sweeping data theft campaign after the ShinyHunters extortion group published what it claims is internal analytics data belonging to the video game developer. The threat actors allege the data was obtained by exploiting authentication tokens stolen during a recent security incident at Anodot, a data anomaly detection company that connects with numerous SaaS cloud platforms.
The listing on ShinyHunters' extortion site states:
"Your Snowflake instances metrics data was compromised thanks to Anodot.com."
The group claims to have released more than 78.6 million records tied to Rockstar's internal operations.
Rockstar Confirms Breach, Downplays Impact
Rockstar Games did not respond to multiple requests for comment from BleepingComputer. However, in a statement provided to Kotaku, the company acknowledged the incident while framing it as limited in scope.
"We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players."
The company did not elaborate further on the nature or volume of the data involved.
What the Stolen Data Contains
According to information shared directly with BleepingComputer by the threat actors, the leaked dataset is primarily composed of internal analytics used to monitor Rockstar's online services and customer support operations. Specifically, the data allegedly includes:
- In-game revenue and purchase metrics
- Player behavior tracking data
- Game economy data for Grand Theft Auto Online and Red Dead Online
- Customer support analytics tied to Rockstar's Zendesk support instance
A file listing reviewed by BleepingComputer also contained references to fraud detection systems and anti-cheat model testing, suggesting that some operationally sensitive internal tooling data may have been included in the breach.
The Anodot Connection: A Broader Supply Chain Attack
The Rockstar breach does not appear to be an isolated incident. It is part of a larger, coordinated data theft campaign that exploited a security vulnerability at Anodot, a company specializing in data anomaly detection that integrates deeply with a variety of enterprise cloud environments.
As first reported by BleepingComputer, the attackers stole authentication tokens from Anodot's service and leveraged them to gain unauthorized access to customer data stored in connected Snowflake, S3, and Amazon Kinesis instances.
Snowflake confirmed to BleepingComputer last week that it had detected unusual activity affecting a small number of customer accounts linked to a third-party integration. The cloud data platform responded by locking down the affected accounts and notifying impacted customers. Snowflake subsequently confirmed that the third-party integration in question was Anodot.
ShinyHunters Claims Dozens of Victims
The ShinyHunters group, which has a lengthy history of high-profile data extortion operations, told BleepingComputer that it was responsible for the attacks stemming from the Anodot breach. The group claimed it had successfully stolen data from dozens of companies by exploiting the compromised authentication tokens.
The Rockstar Games listing is among the most prominent victims publicly named so far, though the group has indicated it is sitting on a significant volume of stolen data from multiple organizations across different industries.
Ongoing Risk for Anodot-Connected Organizations
The incident highlights the cascading risks posed by third-party SaaS integrations, particularly those with broad access to cloud storage and analytics infrastructure. A single compromised vendor can serve as an entry point into the environments of dozens of downstream customers — a pattern that mirrors several prior large-scale breaches involving shared cloud service providers.
Organizations using Anodot or similar analytics integration platforms that connect to cloud data stores like Snowflake, Amazon S3, or Amazon Kinesis are advised to audit active authentication tokens, review access logs for anomalous activity, and rotate credentials that may have been exposed through the integration chain.
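The access-log review recommended above can be scripted. The following is an added example, not part of the original article: it flags integration identities used from outside the vendor's expected network range or reading far more data than their usual daily volume. The account name, IP ranges, threshold and log records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Everything below is constructed for illustration: the service-account name,
# the vendor egress range (RFC 5737 documentation addresses) and the records.
INTEGRATION_USERS = {"SVC_ANALYTICS_INTEGRATION"}
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
VOLUME_FACTOR = 5  # flag a day that reads more than 5x the account's median day

# (day, identity, source IP, rows read) as exported from a data-store access log
SAMPLE_LOG = [
    ("D1", "SVC_ANALYTICS_INTEGRATION", "198.51.100.10", 12000),
    ("D2", "SVC_ANALYTICS_INTEGRATION", "198.51.100.11", 11500),
    ("D3", "SVC_ANALYTICS_INTEGRATION", "198.51.100.10", 13000),
    ("D4", "SVC_ANALYTICS_INTEGRATION", "198.51.100.10", 12500),
    ("D4", "SVC_ANALYTICS_INTEGRATION", "203.0.113.77", 900000),
    ("D4", "ANALYST_1", "192.0.2.5", 50000),  # human user, out of scope here
]

def review(log, users=INTEGRATION_USERS, nets=EXPECTED_NETS, factor=VOLUME_FACTOR):
    """Return findings for integration identities: off-range sources, read spikes."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows read
    for day, user, ip, rows in log:
        if user not in users:
            continue
        daily[user][day] += rows
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            findings.append(("unexpected_source", user, day, ip))
    for user, days in sorted(daily.items()):
        baseline = median(days.values())
        for day, rows in sorted(days.items()):
            if rows > factor * baseline:
                findings.append(("volume_spike", user, day, rows))
    return findings

def credentials_to_rotate(findings):
    """Identities with any finding: their tokens are the first to revoke and reissue."""
    return sorted({user for _, user, _, _ in findings})

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```
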
Source: BleepingComputer