Data theft attacks hit Snowflake customers following SaaS integrator breach

A wave of data theft attacks has impacted more than a dozen companies after a breach at a software-as-a-service integration provider led to the theft of authentication tokens, enabling unauthorized access to cloud platforms, including widespread targeting of Snowflake customer accounts.

Snowflake, a U.S.-based cloud data platform provider, identified unusual activity affecting a limited number of customer accounts linked to a third-party integration. The company initiated an investigation, secured potentially affected accounts, and issued guidance to customers to strengthen account protections. The incident did not involve a vulnerability or compromise of Snowflake’s core systems.

The attackers used stolen authentication tokens to access connected services and attempt data exfiltration. In at least one instance, the threat actor attempted to leverage the tokens to extract data from Salesforce, a U.S.-based cloud software company specializing in customer relationship management, but the activity was detected and blocked before any data could be taken.

The campaign has been linked to an alleged security incident at Anodot, an AI-driven analytics company that provides real-time anomaly detection for business and operational data. Anodot, acquired by digital analytics firm Glassbox in November 2025, is believed to have been the source of the compromised integration that enabled the attacks.

The threat group ShinyHunters has claimed responsibility for the campaign, stating that it obtained data from dozens of companies and is now attempting to extort affected organizations by threatening to release the stolen information. The group also indicated that it had access to the integration provider’s environment for an extended period prior to the attacks.

Organizations impacted by the broader incident have begun assessing exposure. Payoneer, a financial services company specializing in cross-border payments, confirmed awareness of the third-party breach but stated that its systems were not affected.

Google’s Threat Intelligence Group, which monitors global cyber threat activity, is tracking the incident as part of a broader pattern of data theft campaigns targeting cloud services and enterprise integrations.