A suspected breach at an Israeli AI analytics firm, Anodot, is being linked to a series of attacks targeting customers of the Snowflake data platform, with hackers reportedly using stolen authentication tokens to access sensitive information across multiple organizations.
Token Theft and SaaS Integration Exposure
According to reports, more than a dozen companies have experienced data theft incidents after attackers obtained authentication tokens from what has been described as a compromised SaaS integration provider, believed to be connected to Anodot. The activity appears to have largely focused on Snowflake environments, raising concerns similar to those seen in an earlier breach campaign involving the data warehousing platform.
Anodot said it had detected unusual activity affecting a limited number of customer accounts linked to a specific third-party integration. The company added that its own systems were not directly compromised, that affected accounts had been secured, and that customers had been notified.
Unconfirmed Attribution and Ongoing Claims
While Snowflake has not confirmed which third-party partner may be responsible, multiple sources cited in reports have pointed to a security incident involving Anodot. Several posts circulating on social media have also claimed that the Israeli analytics firm itself has been breached, though no official confirmation has been provided.
The platform’s design allows integration with corporate data environments, a feature that can also create potential entry points if credentials or tokens are exposed. This has heightened scrutiny over how third-party integrations are secured in enterprise ecosystems.
ShinyHunters Link and Broader Impact Concerns
The attacks are being linked to the ShinyHunters group, which has claimed responsibility for stealing data from dozens of companies in a coordinated campaign. The activity reportedly coincided with a bank holiday across several countries and the Easter or Passover period, which may have delayed detection and response.
Attempts were also made to access data from Salesforce using the same stolen tokens, although these efforts were reportedly blocked. Google’s Threat Intelligence Group said it is aware of the incident and is monitoring developments, though it has not released further details.
Anodot’s customer base includes companies such as Puma, SAP, T-Mobile and UPS. Another customer, Payoneer, said it was aware of the incident but had not been affected. Anodot had earlier reported a service disruption in early April involving data collectors linked to Snowflake, which may have limited visibility into customer environments at the time.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.