
Rockstar Games refused to blink — and now millions of records from its online gaming platforms are sitting on the dark web.
The ShinyHunters threat group followed through on its ransom ultimatum today, publicly dumping data it claims to have stolen from Rockstar's Snowflake-hosted analytics environment. The leak caps off a week of escalating pressure on the GTA 6 developer, which had quietly confirmed the breach but held its ground on not paying.
The intrusion did not involve breaking through Snowflake's own defenses. Attackers exploited Anodot — a third-party SaaS platform Rockstar uses for cloud cost monitoring and analytics — as the entry point, reportedly extracting authentication tokens that then granted access to the connected Snowflake account without exploiting any vulnerability in Snowflake itself.
The access would have appeared entirely legitimate to security teams — valid credentials being used as intended, just by someone who shouldn't have them. That's the playbook ShinyHunters has been running across the industry. The group has a history of targeting identity systems and third-party SaaS integrations, with confirmed victims including Cisco, Telus, and the European Commission.
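Because a stolen integration token authenticates like the real connector, detection has to rest on context rather than on login failures. The following is an added example, not code from Rockstar, Snowflake or Anodot: it checks login records shaped like Snowflake's LOGIN_HISTORY view against the networks and client type an integration identity is expected to use. The service user name, the IP ranges and the sample rows are constructed assumptions.

```python
import ipaddress

# Assumption: hypothetical service user for the cost-monitoring integration,
# with the vendor egress range and driver type it is expected to connect with.
EXPECTED = {
    "SVC_COST_MONITOR": {
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
        "client_types": {"JDBC_DRIVER"},
    },
}

# Constructed sample rows; column names follow Snowflake's LOGIN_HISTORY view.
COLUMNS = ("EVENT_TIMESTAMP", "USER_NAME", "CLIENT_IP", "REPORTED_CLIENT_TYPE", "IS_SUCCESS")
SAMPLE_LOGINS = [dict(zip(COLUMNS, row)) for row in [
    ("2025-01-10T02:00:03Z", "SVC_COST_MONITOR", "198.51.100.23", "JDBC_DRIVER", "YES"),
    ("2025-01-10T02:14:51Z", "SVC_COST_MONITOR", "203.0.113.77", "PYTHON_DRIVER", "YES"),
    ("2025-01-10T03:00:04Z", "SVC_COST_MONITOR", "198.51.100.40", "PYTHON_DRIVER", "YES"),
    ("2025-01-10T09:12:30Z", "ANALYST_JANE", "192.0.2.10", "SNOWFLAKE_UI", "YES"),
    ("2025-01-10T09:30:00Z", "SVC_COST_MONITOR", "203.0.113.77", "JDBC_DRIVER", "NO"),
]]


def flag_logins(rows, expected=EXPECTED):
    """Return successful logins by profiled service identities that fall
    outside the expected source networks or client type."""
    findings = []
    for row in rows:
        profile = expected.get(row["USER_NAME"])
        # Only profiled integration identities are checked, and only sessions
        # that actually succeeded (the valid-credential case).
        if profile is None or row["IS_SUCCESS"] != "YES":
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        reasons = []
        if not any(ip in net for net in profile["networks"]):
            reasons.append("unexpected_network")
        if row["REPORTED_CLIENT_TYPE"] not in profile["client_types"]:
            reasons.append("unexpected_client")
        if reasons:
            findings.append((row["EVENT_TIMESTAMP"], row["USER_NAME"],
                             row["CLIENT_IP"], reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_LOGINS):
        print(finding)
```

The same allow-list can be enforced rather than only alerted on by attaching a Snowflake network policy to the integration's user.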
What's in the Leak
According to information shared with CyberInsider, the compromised data is described as a "multi-domain analytics dataset" tied to GTA Online and Red Dead Online. The archive allegedly spans revenue metrics, player behavior tracking, in-game economy balancing, fraud detection systems, and customer support data, totaling over 78 million records.
The good news for players: there is currently no indication that passwords, account credentials, or directly identifiable personal information were included in the leaked dataset. However, the exposure of fraud detection and customer support data is not trivial — that information can provide attackers with insights into how Rockstar identifies suspicious behavior, potentially helping bad actors stay under the radar on GTA Online.
Rockstar's official position has not changed. A spokesperson described it as "a limited amount of non-material company information accessed in connection with a third-party data breach," adding that the incident has no impact on its organization or players. Take-Two Interactive, Rockstar's parent company, saw its stock drop over 6% in pre-market trading after news of the hack broke, though prices later recovered.
A Pattern, Not a One-Off
ShinyHunters is linked to "the Com," a loose network of English-speaking cybercriminals, largely between the ages of 16 and 25. Aiden Sinnott, a principal threat researcher at Sophos, described the group as consistent with the wider Com demographic.
This is Rockstar's second major breach in three years. In 2022, a teenager from the Lapsus$ collective accessed Rockstar's internal Slack channels and leaked over 90 minutes of in-development GTA 6 footage. Rockstar later said the recovery cost around $5 million and thousands of hours of staff time.
GTA 6 remains on track for its November 19 launch date, and Rockstar has not indicated any development disruption.
This breach is a textbook example of why third-party SaaS integrations have become the soft underbelly of enterprise security. A company can harden its own infrastructure and still be exposed through a vendor it trusts. GTA Online players don't need to panic about passwords right now — but the exposure of internal fraud and economy data is a reminder that "non-material" breaches can carry consequences that take longer to surface.