Two Breaches Today. One Was Careful. One Was a Unlocked Door. Both Were Catastrophic.

John Z Black Apr 14, 2026 Incidents & Breaches #rockstar #shinyhunters #data-breach #snowflake #alinto #supply-chain #third-party-risk

ShinyHunters set a ransom deadline. Rockstar declined to pay. Today that deadline expired, and 78.6 million records went public.

The thing is, ShinyHunters didn’t hack Rockstar. They hacked Anodot, a cloud cost analytics tool that had authentication tokens into Rockstar’s Snowflake warehouse. Same technique that hit Ticketmaster and AT&T in 2024. Compromise the vendor with the keys, use their credentials to walk in through a door that was legitimately opened.

Meanwhile, completely unrelated, a French email provider called Alinto left an Elasticsearch cluster sitting on the open internet with no authentication. No attack required. Anyone who found it could read it. What was in it: SMTP records from major clients including L’Oreal, Renault, Hermes, DHL, and French government agencies. At least 14,000 government and embassy email addresses with traffic metadata. That’s not a privacy issue. That’s counter-intelligence material.

One breach took patience and skill. The other took nothing. Both ended up in the same place.

The vendor who got compromised is always someone else’s problem until it isn’t yours.

Full breakdown of both breach mechanisms and what they mean for third-party risk