Over a dozen companies data exposed after SaaS integration provider Snowflake breach
Data Leak
Summary
Hide ▲
Show ▼
A stolen-token attack from a SaaS integration provider breach has led to data theft claims affecting over a dozen companies, creating immediate exposure and extortion risk. The largest cluster of activity centered on Snowflake customer accounts, where unusual activity was detected in a small number of accounts and those accounts were locked down. The same tokens were also used in attempted access against Salesforce, but that effort was blocked before the theft succeeded. The actors claimed to have stolen data from dozens of companies and were seeking ransom payments to stop release.
Related Happenings
Grafana Labs Says GitHub hit by cyberattack
Incident
First: 17.05.2026 10:13
Last: 17.05.2026 10:13
Sources 1
About this happening:
A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
Grafana Labs Says GitHub hit by cyberattack
IncidentAbout this happening: A **Grafana Labs** incident was later tied to the **Mini Shai-Hulud** supply-chain campaign against **TanStack npm packages**. Grafana said an unauthorized party used a token to a...
ADT hit by data theft breach
Incident
First: 25.04.2026 01:53
Last: 25.04.2026 01:53
Sources 1
About this happening:
**ADT** confirmed a **data breach** after detecting **unauthorized access** to customer and prospective customer data on **April 20, 2026**, and the company said it terminated the...
ADT hit by data theft breach
IncidentAbout this happening: **ADT** confirmed a **data breach** after detecting **unauthorized access** to customer and prospective customer data on **April 20, 2026**, and the company said it terminated the...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile victims' Salesforce and SharePoint data leak
Data Leak
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
BlackFile victims' Salesforce and SharePoint data leak
Data LeakAbout this happening: BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
ShinyHunters data-theft extortion campaign targeting Salesforce customers
Campaign
First: 07.04.2026 22:39
Last: 07.04.2026 22:39
Sources 1
How related:
The incident is part of a larger data theft campaign linked to a recent security incident at Anodot, a data anomaly detection company that integrates with a wide range of SaaS cloud platforms.
About this happening:
The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
ShinyHunters data-theft extortion campaign targeting Salesforce customers
CampaignHow related: The incident is part of a larger data theft campaign linked to a recent security incident at Anodot, a data anomaly detection company that integrates with a wide range of SaaS cloud platforms.
About this happening: The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
Latest development: 11.05.2026 12:00
ShinyHunters' pay-or-leak campaign exposed data from Zara customers, with HaveIBeenPwned citing over 197,000 affected customers after an April 2026 incident that involved stolen Anodot authentication tokens reaching BigQuery and Snowflake, and the same operation later targeted Instructure's Canvas Learning Management System in late April 2026, affecting 8,809 users across 50 countries and aligning with other victims such as Vimeo, Rockstar Games and McGraw Hill.
Timeline
-
07.04.2026 22:39 2 articles · 1mo ago
Stolen-token campaign hits Snowflake and Salesforce accounts
Campaign Scope UpdateThis past Friday, a stolen-authentication-token campaign followed a breach of a SaaS integration provider and was used to steal data from over a dozen companies, with the majority of the activity focused on Snowflake customer accounts; the same stolen tokens were also used in an attempted theft from Salesforce, where the actors were detected before succeeding. The ShinyHunters group later said it stole data from dozens of companies and was demanding ransom payments to prevent release of the stolen data.
Show sources
- Snowflake customers hit in data theft attacks after SaaS integrator breach — www.bleepingcomputer.com — 07.04.2026 22:39
- Video service Vimeo confirms Anodot breach exposed user data — www.bleepingcomputer.com — 28.04.2026 22:04
-
07.04.2026 22:39 1 articles · 1mo ago
Snowflake detects unusual activity and locks accounts
Initial DisclosureSnowflake detected unusual activity in a small number of customer accounts linked to a specific third-party integration, locked potentially impacted accounts, notified customers, and said the activity did not involve a vulnerability or compromise of its systems. Separate reporting tied the activity to an alleged Anodot security incident, Payoneer said it was not impacted, and Google's Threat Intelligence Group said it was tracking the incident.
Show sources
- Snowflake customers hit in data theft attacks after SaaS integrator breach — www.bleepingcomputer.com — 07.04.2026 22:39