The campaign reportedly originated from a security incident at Anodot, a SaaS analytics and anomaly-detection platform that integrates with multiple cloud services (e.g., Snowflake, S3 and streaming pipelines). Threat actors reportedly obtained the authentication tokens associated with these integrations, which gave them direct access to customer environments without any further authentication step. Because nothing beyond the token itself was required, the tokens effectively acted as persistent credentials: as long as they remained valid, whoever held them could query and exfiltrate data from the connected platforms.
The majority of observed activity targeted Snowflake customer environments, where attackers used the valid tokens to run data access operations against customer data. Additional attempts were made to access Salesforce environments, though these were reportedly detected and blocked. Following data exfiltration, victims were contacted by ShinyHunters and extorted under threat of public release of the data. Evidence suggests the attackers may have maintained access to the integrator's environment for some time before the campaign began, which is why a stolen integration token should be treated as compromised from the earliest plausible date rather than from the first observed abuse.
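The two signals a Snowflake customer can actually look for after an incident like this are (a) the integration's service user authenticating from an address outside the vendor's documented egress range, even though the authentication factor looks normal, and (b) a sudden jump in data volume or unload (COPY INTO stage) activity by that user. The script below is an added example written for this page, not code from the report or from any of the vendors named; it loads constructed rows shaped like `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` and `QUERY_HISTORY` into SQLite so the queries run offline. The service user name `ANODOT_SVC`, the IP addresses, timestamps and byte counts are all invented for illustration.

```python
"""Hunt for abuse of an integration's Snowflake credentials in audit data.

Added example; not part of the original report. The rows below are
constructed and mimic the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
and QUERY_HISTORY so the same SQL can be pointed at the real views.
"""
import sqlite3

INTEGRATION_USER = "ANODOT_SVC"                       # hypothetical service user the integration uses
VENDOR_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}  # hypothetical documented vendor egress range

# Constructed LOGIN_HISTORY-shaped rows:
# (event_timestamp, user_name, client_ip, first_authentication_factor, is_success)
LOGIN_ROWS = [
    ("2024-05-01 02:00:00", "ANODOT_SVC", "203.0.113.10", "OAUTH_ACCESS_TOKEN", "YES"),
    ("2024-05-02 02:00:00", "ANODOT_SVC", "203.0.113.11", "OAUTH_ACCESS_TOKEN", "YES"),
    ("2024-05-03 02:00:00", "ANODOT_SVC", "203.0.113.10", "OAUTH_ACCESS_TOKEN", "YES"),
    ("2024-05-04 14:37:12", "ANODOT_SVC", "198.51.100.77", "OAUTH_ACCESS_TOKEN", "YES"),  # same token, new source
    ("2024-05-04 15:02:45", "ANALYST1", "192.0.2.25", "PASSWORD", "YES"),
]
# Constructed QUERY_HISTORY-shaped rows:
# (start_time, user_name, query_type, bytes_scanned, rows_produced)
QUERY_ROWS = [
    ("2024-05-01 02:01:00", "ANODOT_SVC", "SELECT", 50_000_000, 1_000),
    ("2024-05-02 02:01:00", "ANODOT_SVC", "SELECT", 55_000_000, 1_100),
    ("2024-05-03 02:01:00", "ANODOT_SVC", "SELECT", 48_000_000, 950),
    ("2024-05-04 14:40:00", "ANODOT_SVC", "SELECT", 9_000_000_000, 40_000_000),
    ("2024-05-04 14:55:00", "ANODOT_SVC", "UNLOAD", 9_500_000_000, 40_000_000),  # COPY INTO @stage
    ("2024-05-04 15:05:00", "ANALYST1", "SELECT", 2_000_000, 300),
]


def load_audit_tables(login_rows=LOGIN_ROWS, query_rows=QUERY_ROWS):
    """Create in-memory tables using the ACCOUNT_USAGE column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_history (event_timestamp, user_name, client_ip, "
                 "first_authentication_factor, is_success)")
    conn.execute("CREATE TABLE query_history (start_time, user_name, query_type, "
                 "bytes_scanned INTEGER, rows_produced INTEGER)")
    conn.executemany("INSERT INTO login_history VALUES (?,?,?,?,?)", login_rows)
    conn.executemany("INSERT INTO query_history VALUES (?,?,?,?,?)", query_rows)
    return conn


def unexpected_logins(conn, user, allowed_ips):
    """Successful logins by the integration user from outside the vendor's
    egress range. A stolen token replayed from attacker infrastructure shows
    up here even though the authentication factor matches legitimate use."""
    if not allowed_ips:
        raise ValueError("allowlist must not be empty, or every login is 'unexpected'")
    placeholders = ",".join("?" * len(allowed_ips))
    sql = f"""
        SELECT event_timestamp, client_ip, first_authentication_factor
        FROM login_history
        WHERE user_name = ? AND is_success = 'YES'
          AND client_ip NOT IN ({placeholders})
        ORDER BY event_timestamp"""
    return conn.execute(sql, (user, *sorted(allowed_ips))).fetchall()


def volume_anomalies(conn, user, factor=10):
    """Return (spike_days, unload_queries).

    spike_days: days where bytes scanned exceed `factor` times the user's
    median daily volume (median, not mean, so one huge day does not inflate
    its own baseline). unload_queries: COPY INTO <stage> statements, which a
    read-only analytics integration has no reason to run."""
    daily = conn.execute("""
        SELECT substr(start_time, 1, 10) AS day, SUM(bytes_scanned)
        FROM query_history WHERE user_name = ?
        GROUP BY day ORDER BY day""", (user,)).fetchall()
    totals = sorted(b for _, b in daily)
    median = totals[len(totals) // 2] if totals else 0
    spike_days = [(day, b) for day, b in daily if b > factor * median]
    unloads = conn.execute("""
        SELECT start_time, bytes_scanned FROM query_history
        WHERE user_name = ? AND query_type = 'UNLOAD' ORDER BY start_time""", (user,)).fetchall()
    return spike_days, unloads


def hunt(conn=None, user=INTEGRATION_USER, allowed_ips=VENDOR_EGRESS_IPS):
    """Combine both checks into one triage summary for the integration user."""
    conn = conn or load_audit_tables()
    logins = unexpected_logins(conn, user, allowed_ips)
    spikes, unloads = volume_anomalies(conn, user)
    return {
        "unexpected_login_ips": sorted({ip for _, ip, _ in logins}),
        "spike_days": [day for day, _ in spikes],
        "unload_count": len(unloads),
    }


if __name__ == "__main__":
    print(hunt())
```

Against a real account the same two queries run over `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` and `QUERY_HISTORY` (subject to the ingestion latency of those views), with the allowlist taken from the vendor's published egress addresses. Once replay from an unknown address is confirmed, the containment step is to revoke and reissue the integration credential and to bind the service user to a network policy (`ALTER USER ... SET NETWORK_POLICY = ...`) restricted to that range, so that a token leaked in a future vendor incident cannot be used from anywhere else.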