Rockstar Games is dealing with another security threat. On April 11, hacking group ShinyHunters posted a message on its dark web leak site claiming it had accessed the GTA 6 developer’s Snowflake database instances. The group set a ransom deadline of April 14 and warned it would publish stolen files if Rockstar did not pay.
The message reads: “Rockstar Games, your Snowflake instances were compromised thanks to Anodot.com. Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak.”
Rockstar and its parent company, Take-Two Interactive, have not commented publicly on the claim.
How the Attack Happened
The breach did not come from a direct attack on Rockstar’s own systems. ShinyHunters said it exploited a vulnerability in Anodot, a SaaS platform used for cloud cost monitoring and analytics, as the entry point.
Snowflake confirmed to BleepingComputer that Anodot is the third-party integration platform that suffered a security incident. Over a dozen companies have suffered data theft attacks after the SaaS integration provider was breached and authentication tokens stolen.
The attacks were carried out on a bank holiday in several countries, coinciding with the Easter/Passover period, which may have slowed down detection and response.
Once inside Anodot, the attackers pulled authentication tokens. Those tokens gave them access to connected Snowflake accounts without needing to crack passwords or exploit Snowflake’s own systems directly. Snowflake confirmed “unusual activity” and said it locked down potentially impacted customer accounts.
The attackers also attempted to access data from Salesforce using the same tokens, but those efforts were reportedly blocked by AI detection systems.
What Data May Be at Risk
Compromised material could include financial records, player spending data, geographic data, marketing timelines, and contracts with Sony, voice actors, and music labels.
There is no evidence that customer passwords or payment details have been accessed. The breach appears limited to corporate data.
This is not ShinyHunters‘ first campaign of this kind. The group has been operating since 2020 and typically targets identity systems, third-party integrations, and APIs. Over the past six years, they have breached Microsoft, Wattpad, AT&T, the European Commission, SoundCloud, and Ticketmaster.
In 2024, ShinyHunters ran a major customer data theft campaign where they used stolen usernames and passwords to log into Snowflake customer environments that did not use multi-factor authentication. Sensitive data was taken from AT&T, Ticketmaster/Live Nation, Santander, Neiman Marcus, and others.
Earlier this March, the group said it had obtained Salesforce-linked data tied to more than 400 companies, and had published data from 26 of those organizations by the time the Rockstar claim surfaced.
The April 14 deadline gives Rockstar very little time to respond. If no ransom is paid, ShinyHunters says it will release the data publicly. The group has followed through on similar threats before, publishing files from 26 companies.
