Credential theft
Supply Chain
Anodot SaaS Integrator Breach - ShinyHunters Snowflake Token Theft
Primary Source
Incident Details
In April 2026, ShinyHunters disclosed that they had breached Anodot (an Israeli AI analytics company acquired by Glassbox in November 2025), maintaining access ‘for some time.’ By stealing authentication tokens from Anodot’s systems, they accessed Snowflake environments of over a dozen downstream Anodot customers. ShinyHunters then launched extortion campaigns against victim companies. ShinyHunters also confirmed they attempted to pivot into Salesforce from Anodot but failed. This incident mirrors the 2024 UNC5537/Snowflake campaign and reflects a recurring pattern of supply chain compromise via SaaS integration platforms to gain downstream access to Snowflake data environments.
Technical Details
- Initial Attack Vector: ShinyHunters maintained persistent access to the infrastructure of Anodot, an AI analytics SaaS integrator, and stole the authentication tokens used to connect Anodot to downstream customer Snowflake environments
- Vendor / Product: Anodot (AI analytics/SaaS integration platform); Snowflake (cloud data warehouse)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2026-03-01 Breach occurred
- 2026-04-07 Publicly disclosed
- 2026-04-07 Customers notified