Cybersecurity

ShinyHunters Shear Rockstar Games: When The Sky Pasture Bites Back

Victor Woolridge

2 min read
ShinyHunters Shear Rockstar Games: When The Sky Pasture Bites Back

I want you to understand something. I have been warning about third-party analytics vendors since before most of your current security staff were in primary school. And yet, here we are.

Rockstar Games, the studio responsible for convincing millions of people to steal virtual cars, has had its actual data stolen. The ShinyHunters extortion gang has leaked analytics data lifted not from Rockstar directly, but from Anodot, a third-party analytics provider. The flock trusted a stranger with the grain, the stranger left the barn door open, and the wolves walked right in.

This is a supply chain exposure. The wolves did not need to breach Rockstar's fence at all. They found a softer target in the supply chain, extracted what they wanted, and are now airing it publicly after the ransom presumably went nowhere. Classic extortion playbook. We studied this in 1994. Nothing has changed except the gang names and the dramatically lower attention spans of the shepherds.

Now, ShinyHunters is not new. This particular pack of wolves has a long and distinguished career of luring credentials and parasites into major platforms. They are professionals. I will give them that grudging respect. Your analytics vendor, apparently, is not.

The Sky Pasture, everyone. The magnificent, convenient, absolutely terrifying Sky Pasture. You handed sensitive telemetry to a cloud analytics firm and then, I can only assume, went back to your ergonomic chairs and your cold brew coffee and thought nothing more of it.

In the old days, your analytics lived on a magnetic tape in a locked room. You knew exactly where it was. You could physically sit on it if necessary. Nobody was leaking that tape to a criminal forum at 2 AM.

But sure. The cloud is "scalable."

Remediation

Listen carefully, because I will not repeat myself at this volume.

First. Audit every third-party vendor touching your data. Every single one. If you cannot name them without checking a spreadsheet, you have already failed.

Second. Apply the ointment. Patch your vendor contracts to include mandatory security standards and breach notification windows. A handshake and a pricing tier is not due diligence.

Third. Segment your data. Not every analytics partner needs access to everything. Give them a sheep tunnel with limited visibility, not a guided tour of the entire pasture.

Fourth. Assume the wolves are already inside any vendor you have not audited in eighteen months. Act accordingly.

The flock does not get to be surprised by this. The shepherds were warned. Repeatedly. By people like me.

Stay paranoid, the pasture is not safe.

Original Report: https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/