Snowflake cloud data warehouses belonging to Anodot customers were directly accessed by ShinyHunters using stolen Anodot OAuth and API tokens, enabling unauthorized query execution and data exfiltration without any direct breach of Snowflake’s own infrastructure. This mirrors the structural pattern of the 2024 UNC5537 Snowflake credential campaign. Organizations using both Anodot and Snowflake should immediately query SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY for authentication events from Anodot-associated service accounts or OAuth clients, revoke all Anodot-provisioned tokens, and audit Snowflake sharing configurations for any unauthorized shares created during the compromise window.