The Rockstar Games Data Breach Didn't Start at Rockstar

Rockstar Games got breached — again.

But the real story isn't about GTA.

It's about the vendor your vendor forgot to lock down.

Coffee at the ready.…

The Rockstar Games data breach just exposed 78.6 million records — and the hackers never touched Rockstar's systems.

ShinyHunters got in through a tool so obscure even Rockstar's own staff may not know it exists. A dozen other companies were breached in the exact same way.

Last time Rockstar got hacked, a teenager leaked GTA VI gameplay.

This time, the loot was spreadsheets.

Before we slurp into today’s brew…

Here are some wordies from today’s sponsor.

Intrepid's co-founder and CEO don't do corporate gloss. Their opening letter in the Integrated Annual Report gets into what 2025 actually required: the hard calls, the strategy reset, and how a nearly 30% growth year still came with real challenges.

Read their story

Anodot is the sort of tool most employees never see.

It monitors cloud spending, spots billing anomalies, and connects to sensitive data platforms like Snowflake and Salesforce. When ShinyHunters breached Anodot in early April, every platform Anodot touched was fair game.

Snowflake confirmed it locked down impacted accounts — but more than a dozen companies were already exposed.

ShinyHunters — a loose extortion collective linked to past breaches at Microsoft, Ticketmaster, and AT&T — ran a familiar Snowflake playbook, with one upgrade.

In 2024, stolen passwords enabled the group's affiliates to access 165 Snowflake accounts. This time, stolen tokens — the credentials SaaS tools swap behind the scenes. Passwords get rotated. Tokens can sit untouched for months. Google's Threat Intelligence Group is tracking the campaign. Salesforce spotted the intrusion and shut it down.

Rockstar found out from the ransom note.

Supply chain breaches cost an average of $4.91 million.

They take 267 days to detect — the longest of any attack type. Third-party breaches surged to 15% of all incidents. Every new SaaS integration adds another set of tokens that an attacker can steal. The stack keeps growing.

Nobody audits the tokens holding it together.

Rockstar's stolen data reportedly includes in-game revenue metrics, purchase trends, and player behaviour analytics from GTA Online and Red Dead Online.

No source code, no player passwords, no GTA VI assets. The leaked data won't sink Rockstar. But the method should terrify every company running a SaaS stack. If a cloud-monitoring tool can open the door to 78.6 million records…

Every vendor integration is a bet on someone else's security posture.

Pro: Rockstar's response was textbook — fast confirmation, no ransom paid, player data untouched, and Snowflake's own systems weren't breached. The company classified the data correctly as non-material before the leak even dropped.

Con: Containment after the fact doesn't fix the root problem — enterprises still treat vendor access audits as a compliance checkbox rather than a live threat surface.

Our read: Until boards treat third-party token management as they do financial controls, supply chain breaches will remain the cheapest door into the most expensive rooms.

[Report] IBM — "Cost of a Data Breach Report 2025"

Supply chain breaches take 267 days to identify and contain — longer than any other attack type.

Why it matters: Nine months is long enough to grow a human. It's also long enough for an attacker to copy every file in the building.

$21 billion: US cybercrime losses in 2025.

Source: FBI IC3 Report

The Cyber Express — North Korea's Lazarus Group hijacked the Axios npm package, forcing OpenAI to revoke its macOS signing certificates. Same theme, different stack: supply chain trust is the new attack surface. [Analysis]

RH-ISAC — The full threat intelligence brief on the Anodot-Snowflake campaign. Dry reading, sharp detail on how token-based access bypassed every traditional detection layer. [Report]

SecurityWeek — The FBI's 2025 Internet Crime Report in context. Over one million complaints, $21 billion gone, and AI-enabled scams are now their own category. The receipts behind the Spit Take. [Analysis]

You can read all our back issue newsletters for free here.

For the love of coffee, see you tomorrow!

Enjoy your Wednesday, keep it caffeinated.

Thanks for reading!

Are you subscribing?

Join your crew of caffeinated sceptics today.

Be sure to get your daily Curse and Coffee fix by hitting the button below.

Open Monday to Friday.

Read yesterday’s newsletter about a Molotov, a shooting, and an FBI raid here.

Learn how to read any government/company PDF without crying!

Take advantage of what others miss. We teach you how to extract the gems from the dirt.

Share the Curse and Coffee newsletter with just 1 real person to download your Receipts Toolkit instantly—a field guide for caffeinated sceptics who want to pull signal from filings, datasets, and reports.

No law degree needed—a no-nap promise.

Unlock and never struggle to identify opportunities in long, drawn-out documents again.

“Receipts over vibes. Always.”

Thank you for sharing…

And be sure to use your toolkit to extract max alpha from any document you read.

Stay Caffinated!