
A suspected breach at an Israeli AI analytics firm may be at the center of a fresh wave of attacks targeting Snowflake customers, with hackers using stolen authentication tokens to access sensitive data across multiple companies.
According to Bleeping Computer, more than a dozen companies have suffered data theft incidents after attackers obtained authentication tokens from “a compromised SaaS integration provider,” believed to be linked to Anodot.
While several platforms were targeted, the majority of activity appears to have focused on Snowflake environments, echoing concerns raised during an earlier breach campaign involving the multi-cloud data warehousing platform.
The firm said that it had detected “unusual activity” affecting a limited number of customer accounts linked to a “specific third-party integration.”
It added that its own systems had not been directly compromised, that it had locked affected accounts, and that it had notified customers.
While Snowflake did not confirm which third-party partner was linked to these attacks, Bleeping Computer was told by numerous sources that the attacks stem from a security incident at data anomaly detection firm Anodot.
Several posts on X also claimed that the Israeli analytics company has been breached.
The platform is designed to integrate directly with corporate data environments, a feature that can also create potential points of access if credentials or tokens are exposed.
The ShinyHunters connection
The attacks are being linked to the ShinyHunters group, which claims it stole data from dozens of companies in a coordinated campaign carried out on Friday – a bank holiday in several countries and coinciding with the Easter/Passover period, which may have slowed down detection and response.
The criminals also attempted to access data from Salesforce – a repeated target of ShinyHunters campaigns – using the same tokens, though those efforts were reportedly blocked.
Google Threat Intelligence Group said it was aware of the incident and is tracking developments, according to the report, though it has not provided further details.
ShinyHunters’ claimed timeline also overlaps with a service incident reported by Anodot in early April, when the company said data collectors – including those connected to Snowflake – were failing to retrieve samples across multiple regions, potentially limiting visibility into customer environments at the time.
While a full list of affected companies has not been confirmed, Anodot’s customer base includes sports brand Puma, SAP, T-Mobile and UPS.
Another Anodot customer, Payoneer, said it was aware of the incident but had not been impacted.
Following the spate of 2024 attacks, Google’s Mandiant began helping organizations investigate compromises of their Snowflake database and wrote a 65-page guide to help companies fend off cybercriminals intent on exploiting the latest Snowflake vulnerabilities.