Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen.
While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, BleepingComputer has learned that the majority of the data theft attacks targeted the cloud data platform Snowflake.
Snowflake confirmed “unusual activity” to BleepingComputer, stating that a small number of its customers were impacted.
“We recently detected unusual activity within a small number of Snowflake customer accounts linked to a specific third-party integration,” Snowflake told BleepingComputer.
“We immediately launched an investigation and, out of an abundance of caution, locked down potentially impacted customer accounts. We also notified potentially impacted customers and provided precautionary guidance to help them further protect their accounts.”
Snowflake stressed that the attacks did not involve any vulnerability or compromise of its systems.
As part of these attacks, the threat actor allegedly attempted to use the stolen authentication tokens to steal data from Salesforce, but was detected before they could succeed.
Data theft after alleged Anodot breach
While Snowflake would not confirm which third-party integration partner was linked to these attacks, BleepingComputer was told by numerous sources that the attacks stem from a security incident at data anomaly detection company Anodot.
Anodot is an AI-based analytics company that provides real-time anomaly detection for business and operational data, helping organizations automatically spot unusual changes in revenue, transactions, and system performance using machine learning. Data analytics company Glassbox acquired the company in November 2025.
BleepingComputer was told that numerous companies are now being extorted by the ShinyHunters extortion gang, which is demanding ransom payments to prevent the release of stolen data.
After learning of the attacks, the ShinyHunters group confirmed to BleepingComputer that they were behind them, claiming to have stolen data from dozens of companies this past Friday. They also confirmed their attempts to steal data from Salesforce, but said they were blocked by AI detection.
The blocked attempt comes amid a wave of data theft attacks over the past year targeting Salesforce customers.
The threat actors also claimed the attack stems from a security incident at Anodot, hinting that they allegedly had access to the company for some time.
The threat actor shared some of the companies allegedly affected by the incident, but BleepingComputer will not name them without confirmation.
Only one company, Payoneer, replied to our emails, stating that it aware of the integrator breach but was not impacted.
“We’re aware of a security incident involving a third-party service provider, Anodot. Based on our review, Payoneer has not been impacted,” Payoneer said in a statement to BleepingComputer.
Google’s Threat Intelligence Group, which has been tracking many of this year’s data theft campaigns, also confirmed to BleepingComputer that it is aware of the incident and is tracking it, but had nothing further to share at this time.
BleepingComputer has sent multiple emails to Anodot and its parent company, Glassbox, but has not yet received a reply.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
