How did Cybercriminals Breach GTA 6 Maker Rockstar Games?

A ransom note has been issued to Rockstar Games – the company behind the fan-favourite Grand Theft Auto (GTA) series.
After threat actors accessed confidential company data, they set the company a deadline of April 14 2026, after which they would publish the stolen material if their demand for payment in cryptocurrency was not met.
The English-speaking cybercrime group ShinyHunters – notorious for cloud-based attacks – has claimed responsibility and released data that they say belongs to the gaming titan.
A representative of the group told Reuters it had stolen 78.6 million records from Rockstar’s Snowflake environment.
“We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach,” a spokesperson from Rockstar Games told the BBC.
GTA 6 secrets in stolen data?
The breach at Rockstar Games comes ahead of the widely-anticipated release of GTA 6 in November this year.
A Bitdefender blog points out: "The stolen files appear to centre on analytics used to monitor Rockstar’s online operations, including service performance, support workflows and internal business metrics, according to reporting on the leak.
"References reportedly point to Grand Theft Auto Online and Red Dead Online, with data tied to player behavior, revenue patterns and support analytics. There were also reported signs of fraud-detection and anti-cheat testing data in the exposed material.
“Even if the company is accurate in describing the breach as non-material, those categories can still be valuable to threat actors because they reveal how a publisher measures abuse, monetisation and platform health behind the scenes.”
It marks the second time Rockstar has been hacked in the last two years.
Aamil Karimi, Principal Consultant at Optiv, explains: "In 2022, a member of Lapsus$ breached Rockstar Games via the internal Slack messaging platform and later continued their third-party breach campaigns against Okta, Snowflake and Salesforce."
What happened this time?
While numerous details of the incident are yet to be established, the point of entry was, yet again, a third-party provider.
Since the morning of April 4, Anodot, the vendor in question, has been experiencing server issues.
Anodot is a SaaS analytics and monitoring provider that connects into customer cloud environments such as Snowflake, allowing customers to monitor their data.
ShinyHunters said it had stolen data belonging to a dozen different companies using Anodot authentication tokens.
A statement reported by Tom’s Hardware said: "Rockstar Games, your Snowflake instances were compromised thanks to Anodot.com.
"Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline."
While acknowledging a breach, the gaming giant has noted that the incident "has no impact on our organisation or our players".
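Anodot's tokens gave the attackers the access of a trusted analytics integration, so the defender-side question is what that integration's service user normally reads in Snowflake. As an added example (not code from the article or from any of the vendors named), this Python snippet scores constructed query-history rows against a per-user volume baseline and a schema allowlist; the user names, schema names and threshold are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample rows shaped like ACCOUNT_USAGE.QUERY_HISTORY fields:
# (start_day, user_name, rows_produced, query_text). Names are assumptions.
QUERY_HISTORY = [
    ("2026-04-01", "SVC_ANALYTICS_VENDOR", 12_000, "SELECT svc, p95_ms FROM METRICS.SERVICE_HEALTH"),
    ("2026-04-02", "SVC_ANALYTICS_VENDOR", 15_000, "SELECT svc, p95_ms FROM METRICS.SERVICE_HEALTH"),
    ("2026-04-03", "SVC_ANALYTICS_VENDOR", 11_500, "SELECT queue, wait FROM METRICS.SUPPORT_FLOWS"),
    ("2026-04-04", "SVC_ANALYTICS_VENDOR", 25_000_000, "SELECT * FROM PLAYERS.ACCOUNTS"),
    ("2026-04-04", "SVC_ANALYTICS_VENDOR", 31_000_000, "SELECT * FROM BILLING.TRANSACTIONS"),
    ("2026-04-04", "ALICE", 5_000, "SELECT id FROM PLAYERS.ACCOUNTS"),
]

# Schemas each integration user is expected to read (assumed allowlist);
# users not listed here (human analysts such as ALICE) are skipped.
ALLOWED_SCHEMAS = {"SVC_ANALYTICS_VENDOR": {"METRICS"}}

SCHEMA_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Z_]+)\.[A-Z_]+", re.I)


def daily_rows(history):
    """Sum rows_produced per (user_name, day)."""
    totals = defaultdict(int)
    for day, user, rows, _ in history:
        totals[(user, day)] += rows
    return totals


def find_anomalies(history, baseline_end, ratio=10):
    """Return (user, day, kind, detail) findings: 'volume' when a day after
    baseline_end exceeds ratio x the median daily rows seen up to baseline_end,
    'schema' when any query reads a schema outside the user's allowlist."""
    totals = daily_rows(history)
    findings = []
    for user in ALLOWED_SCHEMAS:
        base = [v for (u, d), v in totals.items() if u == user and d <= baseline_end]
        if base:
            threshold = ratio * median(base)
            for (u, d), v in totals.items():
                if u == user and d > baseline_end and v > threshold:
                    findings.append((user, d, "volume", v))
    for day, user, _, sql in history:
        allowed = ALLOWED_SCHEMAS.get(user)
        if allowed is None:
            continue
        for schema in SCHEMA_REF.findall(sql):
            if schema.upper() not in allowed:
                findings.append((user, day, "schema", schema.upper()))
    return findings
```

In a real deployment the rows would come from ACCOUNT_USAGE.QUERY_HISTORY and the allowlist from the integration's documented scope, so a vendor token reading player or billing tables shows up even when the vendor itself has not yet reported a compromise.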
Fourth-party supply chain attacks
Aamil notes that ShinyHunters is known for breaching third-party software to reach internal environments, and that the collective often runs industry-focused campaigns.
He adds: "Multiple technology and gaming companies were compromised by members of the group in 2022-2023, while retail companies became targets in 2025.
"There looks to be a growing trend (whether incidental or intentional) of what I’m referring to as ‘fourth-party’ supply chain attacks and breaches, which this recent Rockstar breach seems to echo."
Aamil continues: "In this case, a breach of cloud analytics company Anodot resulted in the breach of Rockstar’s Snowflake instance, which then resulted in the compromise of, and unauthorised access to, Rockstar’s data and systems.
"These attack vectors are extremely difficult to predict or proactively address since they occur outside of an organisation’s purview and control.
"This is similar to what companies experienced when Salesloft Drift and Gainsight were compromised; both resulted in secondary compromises of credentials and tokens which, in some cases, allowed access into Salesforce instances."