Third-party integration: the back door that exposes massive data in Snowflake


A recent incident once again draws attention to a risk that companies continue to underestimate: third-party integrations as a means of mass access to sensitive data. According to reports gathered by specialized media, multiple organizations suffered data theft following the compromise of a SaaS integration provider; the attackers obtained authentication tokens and used them to access cloud services, with a particular interest in cloud data storage and analytics platforms.

Most of the exfiltration attempts focused on Snowflake, the well-known cloud data warehouse platform, which confirmed that it had detected abnormal activity in accounts linked to a third-party integration and blocked the potentially affected access. Snowflake has been emphatic in clarifying that there was no failure in its own systems and no breach of the company's infrastructure; the intrusion, according to the evidence, relied on credentials obtained outside its perimeter. Snowflake's public information can be consulted on its site and on its status page: Snowflake blog and status page.


Sources in the ecosystem have pointed out that the origin of the incident could be Anodot, a data anomaly detection company acquired by Glassbox in November 2025, although neither Snowflake nor the integrators involved made names public in their first communications. Anodot is presented as a solution that applies machine learning to identify unusual changes in business and operational metrics, and its role as an integration point with platforms such as Snowflake places it in a critical position: deep access to data flows, and therefore an attractive target for malicious actors. More information about Anodot is available on its website and about Glassbox at Glassbox.

The attackers who claimed responsibility, identified by the reports as the group known as ShinyHunters, claimed to have exfiltrated data from dozens of companies and to be trying to extort them to avoid publication of the stolen information. ShinyHunters is an actor that has featured in past data leaks and sales; background on this group can be found in public documentation, for example its Wikipedia entry and specialized journalistic analysis.

One detail that drew attention was the mention of attempts to access Salesforce data using the stolen tokens, which were reportedly detected and blocked before the attackers managed to extract information. The past year has seen a succession of campaigns targeting Salesforce and other CRM platforms, which highlights the persistent pressure on resources holding commercially sensitive information. Salesforce maintains information about its status and security practices on its status portal.

Among the companies that commented on the incident, Payoneer indicated that, after reviewing its integrations, it found no evidence of impact on its systems. Companies' responses to such alerts often vary: some act immediately, others take time to confirm the scope, and others avoid disclosing details for legal or containment reasons. Press releases and follow-up coverage can be consulted in specialized media such as BleepingComputer, which has covered this and other similar campaigns.

It is also relevant that groups such as the Google Threat Analysis Group have reported being aware of and following the incident: coordination between threat intelligence teams and vendors is key to containing these events and mitigating their spread. Response teams recommend, among other measures, blocking compromised access, rotating credentials and reviewing logs to identify lateral movement that may have gone unnoticed. The institutional perspective on cyber incidents and mitigation can be consulted in official resources such as CISA materials and those of other security agencies.

Beyond who was behind the initial access, the episode exposes a structural problem: legitimate integrations between services, the ones that facilitate work, automate processes and are almost invisible to many teams, can become back doors if they are not managed under strict policies. Integration tokens and credentials should be treated as secrets of the highest sensitivity: they must have short expiry, least-privilege permissions and frequent rotation. In addition, it is essential to maintain a clear inventory of which external applications have access to which data and with which privileges, something many IT environments still do not do with the required discipline.


For companies affected or at risk, there are practical steps to prioritize: audit and limit third-party integrations, implement strong authentication and data segmentation, enable alerts on unusual access patterns, and prepare response plans for leaks. Early detection was precisely the difference that reportedly prevented the attackers from extracting data from Salesforce on this occasion.
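The two recommendations above that can be automated, reviewing logs and alerting on unusual access patterns for integration accounts, can be prototyped as a baseline comparison over login history. The following is an added example written for this article, not code from Snowflake or any vendor named here; it assumes rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are the view's, the rows are constructed) and flags logins by a service user whose source IP, client type or authentication factor was never seen in that user's baseline.

```python
"""Flag logins by integration service users that deviate from their baseline.
Rows use the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the
rows below are constructed sample data, not real account activity."""
from collections import defaultdict
from datetime import datetime, timedelta

def row(ts, user, ip, client, factor):
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": factor}

# Constructed sample: a vendor service user with a steady key-pair baseline from
# one egress IP, then a login from an unseen IP, client type and auth factor.
SAMPLE_LOGINS = [
    row("2025-11-01T02:00:00", "SVC_VENDOR_SYNC", "203.0.113.10", "PYTHON_DRIVER", "RSA_KEYPAIR"),
    row("2025-11-02T02:00:00", "SVC_VENDOR_SYNC", "203.0.113.10", "PYTHON_DRIVER", "RSA_KEYPAIR"),
    row("2025-11-03T02:00:00", "SVC_VENDOR_SYNC", "203.0.113.10", "PYTHON_DRIVER", "RSA_KEYPAIR"),
    row("2025-11-08T14:37:00", "SVC_VENDOR_SYNC", "198.51.100.77", "SNOWFLAKE_UI", "PASSWORD"),
    row("2025-11-08T02:00:00", "SVC_VENDOR_SYNC", "203.0.113.10", "PYTHON_DRIVER", "RSA_KEYPAIR"),
]

def find_anomalous_logins(logins, now, recent_days=1, baseline_days=30):
    """Compare each login in the last `recent_days` against the same user's
    older logins (within `baseline_days`) and return the deviations found."""
    now_dt = datetime.fromisoformat(now)
    recent_start = now_dt - timedelta(days=recent_days)
    baseline_start = now_dt - timedelta(days=baseline_days)
    fields = ("CLIENT_IP", "REPORTED_CLIENT_TYPE", "FIRST_AUTHENTICATION_FACTOR")
    baseline = defaultdict(lambda: {f: set() for f in fields})  # per-user seen values
    recent = []
    for r in logins:
        ts = datetime.fromisoformat(r["EVENT_TIMESTAMP"])
        if ts >= recent_start:
            recent.append(r)
        elif ts >= baseline_start:
            for f in fields:
                baseline[r["USER_NAME"]][f].add(r[f])
    findings = []
    for r in recent:
        seen = baseline.get(r["USER_NAME"])
        if seen is None:
            reasons = ["no_baseline"]  # user never logged in before the window
        else:
            reasons = [f"new_{f.lower()}" for f in fields if r[f] not in seen[f]]
        if reasons:
            findings.append({"user": r["USER_NAME"], "at": r["EVENT_TIMESTAMP"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in find_anomalous_logins(SAMPLE_LOGINS, now="2025-11-09T00:00:00"):
        print(hit)
```

In practice the rows would be pulled from the view with a query filtered on the service users in the integration inventory, and a "no_baseline" finding for a supposedly established integration user deserves the same attention as a new IP.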

If there is one lesson to highlight, it is that the attack surface is no longer just the server or the organization's own application, but the web of external connections, APIs and tokens that make up modern architecture. Security today requires controls that cover the complete integration ecosystem, not just the traditional perimeters.

This episode will continue to develop, and updates from the vendors involved and the incident response teams should be followed. For more detailed and technical follow-up, specialized outlets such as BleepingComputer and official company releases provide up-to-date information, while public and private cybersecurity agencies publish guides to strengthen defenses against extortion and data theft: BleepingComputer, Snowflake, Anodot, Glassbox and CISA - StopRansomware.
