Snowflake Customers Hit in Data Theft Attacks After SaaS Integrator Breach
Snowflake customers have been hit by data‑theft attacks after a breach of a SaaS integration provider in which authentication tokens were stolen. The attacks, linked to the ShinyHunters extortion gang and allegedly originating from an incident at Anodot (now owned by Glassbox), targeted Snowflake accounts; the attackers also attempted to steal data from Salesforce but were thwarted by AI detection. Snowflake confirmed unusual activity in a few customer accounts, locked them down, and advised affected users. The breach has not compromised Snowflake’s own systems, and only one company, Payoneer, reported no impact. Google’s Threat Intelligence Group is monitoring the incident.

A wave of data theft incidents has surfaced after a third‑party SaaS integration provider was breached, resulting in the theft of authentication tokens. More than a dozen companies appear to have been affected as attackers leveraged those tokens to access a range of cloud storage and SaaS services. Among the victims, Snowflake—the cloud data warehouse platform—has been the focal point of several investigations and alerts.
Snowflake confirmed to investigators that unusual activity was detected within a small subset of customer accounts associated with a particular integration partner. In response, the company launched a thorough internal review, temporarily locking down potentially impacted accounts and working to limit further exposure. Customers identified as potentially affected were notified, and Snowflake offered precautionary guidance to help bolster security on their end. Importantly, Snowflake stressed that its own systems were not compromised and that the breach stemmed from an issue with the third‑party integration rather than a flaw in Snowflake’s infrastructure.
As part of the attack chain, the attackers reportedly attempted to use stolen tokens to exfiltrate data from Salesforce. This effort was detected before any data could be extracted, suggesting that automated monitoring and anomaly detection tools were effective in early intervention. The broader story, however, points to a wider campaign targeting organizations that rely on integrated SaaS ecosystems and token‑based access for data flows.
Further context ties the incident to Anodot, a data anomaly detection company that provides real‑time analytics for revenue, transactions, and system performance. Glassbox acquired Anodot in November 2025, and industry sources indicate that multiple organizations are now being pressured by extortion groups following the breach. The ShinyHunters gang has publicly claimed responsibility, stating that dozens of companies were compromised in the period surrounding the breach and that ransom demands were issued in exchange for not releasing the stolen data. The group acknowledged attempts to access Salesforce data but claimed those efforts were thwarted by AI‑driven defenses.
Several companies have publicly acknowledged awareness of the breach situation, while others have remained silent pending confirmation. Payoneer, for example, issued a statement noting that, after review, it did not appear to be impacted by the integrator breach. Google’s Threat Intelligence Group has been monitoring the situation and is actively tracking developments, though it did not disclose additional specifics at the time. Attempts to reach Anodot and its parent company Glassbox for comment have so far gone unanswered.
The incident underscores how a breach at a single intermediary can ripple across multiple service providers and customer environments. When authentication tokens are compromised, even well‑defended cloud services can face heightened risk, particularly for organizations relying on interconnected analytics, financial, and customer‑facing platforms. In an era of growing automation and machine‑driven monitoring, the role of token management, access governance, and third‑party risk monitoring becomes ever more central. As investigations continue, security teams are likely to reexamine their token lifecycles, partner risk assessments, and the visibility of cross‑system access that underpins complex data workflows.