Personal computer showing data breach at game maker

Data Breach Hits GTA V and Red Dead Redemption 2 Maker Rockstar Games

Rockstar Games has confirmed a “limited” data breach stemming from a third-party cloud provider, following threats from prolific hackers to leak the stolen information online.

The game developer owns several billion-dollar blockbuster titles, including Red Dead Redemption, Grand Theft Auto (GTA), and the Max Payne series.

The notorious hacking group behind the Rockstar data breach has published samples of the stolen information and threatens to release the whole trove if a ransom is not paid within the deadline.

Rockstar Games confirms data breach

According to the company’s spokesperson, the GTA developer claims the incident affected only a “limited amount of non-material company information.” Rockstar Games also claims the data breach did not affect its infrastructure or players. Similarly, no disruptions from the data breach were reported.

“This incident has no impact on our organization or our players,” the game maker claimed.

Nonetheless, this is hardly the first time Rockstar Games has experienced data breaches. In 2022, Lapsus$ hackers breached the Red Dead Redemption 2 game maker via Slack and leaked 90 minutes of the then-highly anticipated Grand Theft Auto VI on GTAForums.

ShinyHunters takes credit for the Rockstar Games data breach

At the time of publication, Rockstar Games had not disclosed the identity of the affected third-party cloud developer or that of the threat actor. However, the prolific English-speaking hacking group ShinyHunters has claimed responsibility for the Rockstar Games data breach.

On April 11, ShinyHunters listed the GTA 5 developer alongside McGraw Hill, Hallmark Cards, and the National Railroad Passenger Corporation on its data leak site and threatened to publish the stolen information online if the game maker refused to pay an unspecified ransom by April 14.

ShinyHunters typically demands between $1 million and $2 million in ransom, though it can request ridiculous amounts of up to $65 million, as in the case of Telus Digital.

While the Red Dead Redemption developer has not disclosed the nature of the stolen data, it reportedly includes over 78.6 million records of analytics data, support tickets, contracts, financial documents, and marketing plans. Limited personal information of GTA or Red Dead Online players was also potentially exposed.

“This is a final warning to reach out by 14 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline,” the group warned.

“While Rockstar has labeled the loss ‘non-material,’ the leaked dataset – spanning eight years of regional revenue metrics, KPI benchmarks, and 2.4 million customer support tickets – provides a goldmine for competitors and social engineers,” said Damon Small, Board of Directors, Xcape. “This is not a failure of Snowflake’s infrastructure but a failure of identity perimeter management.

Rockstar Games breached via Snowflake and Anadot

ShinyHunters disclosed that it breached the game developer’s Snowflake cloud instance via the SaaS analytics platform Anadot.

“Rockstar Games! Your Snowflake instances were compromised thanks to Anodot.com. Pay or leak,” the group wrote.

Anodot had experienced a security breach that could have enabled the attackers to compromise Rockstar Games’ Snowflake instance. During the attack, ShinyHunters reportedly exfiltrated authentication tokens from Anadot, potentially enabling them to compromise other connected services, including Snowflake.

“For security leaders, the priority is clear: move beyond simple password policies and audit the ‘shadow permissions’ granted to business intelligence (BI) and analytics integrations,” added Small. “Defenders should immediately revoke and rotate all API keys and session tokens for high-privilege third-party connectors, particularly those with bulk-export capabilities.”

In early April, Anadot had experienced disruptions affecting a small number of customer accounts, including Snowflake, Amazon Kinesis, and Amazon S3 data collectors. However, it remains unclear whether the Rockstar data breach stemmed from the cyber incident or if the attackers had exfiltrated Amazon’s authentication tokens.

“We are experiencing issues in collecting data, and detecting and dispatching anomaly type alerts,” the analytics platform.

Meanwhile, ShinyHunters has built a notorious reputation for compromising SaaS cloud applications, exfiltrating large volumes of data, and demanding ransom to avoid leaking the stolen information.

The hacking group was attributed to the Salesforce data breach that affected hundreds of organizations, including Google, Cisco, Telus Digital, Odido, Betterment, SoundCloud, and Crunchbase. The group also claims to have breached Microsoft and Ticketmaster.

“This is the same playbook they used in 2024 when they hit Ticketmaster, AT&T, and Santander through Snowflake, and the same third-party targeting pattern we’ve tracked through the Trivy and LiteLLM supply chain compromises earlier this year,” noted Michael Bell, Founder & CEO at Suzu Labs.

ShinyHunters also collaborated with the Scattered Spider and Lapsus$ hacking groups to breach the European Space Agency and allegedly steal mission-critical data. The coalition, known as Scattered Lapsus$ Hunters, claims to have stolen 200 GB of data after compromising the space agency’s JIRA and Bitbucket servers for at least a week.