Rockstar Games confirms data breach as hackers threaten to leak stolen files

Rockstar Games is confronting another breach, and the pattern is becoming harder to dismiss. The company said a third-party data incident led to access to "a limited amount of non-material company information" and insisted the episode had "no impact on our organization or our players."

The hackers, operating under the ShinyHunters name, said they reached Rockstar through Anodot and the company’s Snowflake data warehouse, then set an April 14, 2026, deadline for payment before the stolen material would be published. TechCrunch reported that the Anodot-related compromise touched at least a dozen companies, putting Rockstar inside a broader wave of extortion aimed at corporate cloud systems rather than a one-off intrusion. The reported haul could involve business information rather than passwords or direct player credentials, but even that narrower exposure carries risks for a studio guarding unfinished assets, internal plans and release strategy around Grand Theft Auto VI, which is expected later in 2026.

Rockstar’s response is measured, but the business context is not. The company is one of the most watched in gaming, and any breach near a flagship launch raises fresh questions about how well the industry is protecting cloud-based data as attackers become more organized and opportunistic. The latest incident also lands in the shadow of a far more damaging leak that hit Rockstar in September 2022, when more than 90 videos and images from an early version of Grand Theft Auto VI spread online.

That earlier breach was linked to Arion Kurtaj, then 18 and associated with Lapsus$, a group built around English-speaking teenage and young-adult hackers. Kurtaj blackmailed Rockstar in a Slack message and threatened to release source code unless the company contacted him. A judge later said the hack caused a huge, unquantifiable loss of marketing opportunities and cost Rockstar $1.5 million in external help alone, plus thousands of hours of employee time. In December 2023, Kurtaj was detained indefinitely in a secure hospital under the Mental Health Act after being found to have carried out multiple cyber offences.

Take-Two Interactive, Rockstar’s parent company, said after the 2022 leak that such attacks were taken very seriously and were "frustrating and upsetting" for the team. Two major incidents in less than four years suggest the concern is not only the amount of data exposed, but the persistence of a target that keeps drawing highly motivated young hackers back to the same prize.