Dive Brief:
- A spree of attacks is underway targeting Snowflake's enterprise customers, the cloud-based data warehouse vendor said Friday. CrowdStrike and Mandiant are assisting with the ongoing investigation into the attacks.
- “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” Snowflake CISO Brad Jones said Saturday in an updated post on the company’s community forum. The company said it “became aware of potentially unauthorized access to certain customer accounts on May 23,” and it has since observed threat activity going back to mid-April.
- Mandiant began helping organizations investigate compromises of their Snowflake databases several weeks ago, said Mandiant Consulting CTO Charles Carmakal. “Based on our investigations to date, a threat actor likely obtained access to multiple organizations’ Snowflake tenants by using credentials stolen by infostealing malware,” Carmakal said in a statement provided to Cybersecurity Dive.
Dive Insight:
The spree of attacks linked to Snowflake environments underscores the potential security pitfalls enterprises confront in the web of cloud services they rely on for business operations.
The company declined to say how many customers are compromised but said it has “promptly informed the limited number of Snowflake customers who it believes may have been affected.” Snowflake’s Global Corporate Communications Lead Danica Stanczak declined to provide further comment.
Cyber authorities and researchers warn many major companies could be compromised by the targeted attacks against Snowflake customer environments.
The Australian Signals Directorate issued a high-alert advisory about “increased cyberthreat activity relating to Snowflake customer environments” on Saturday. The Cybersecurity and Infrastructure Security Agency referred an inquiry to Snowflake.
Inadequate identity and access controls were at the root of compromised Snowflake customer databases.
“Many of the intrusions were the result of organizations configuring their Snowflake databases without requiring multi-factor authentication,” Carmakal said. “Threat actors opportunistically search for corporate credentials stolen by infostealing malware and use them to compromise enterprises, steal data, deploy ransomware, and conduct multifaceted extortion.”
Snowflake said there’s no evidence the malicious activity was caused by compromised credentials of current or former employees.
A threat actor did obtain the personal credentials of a former Snowflake employee and used them to access demo accounts belonging to that employee, Snowflake said. “It did not contain sensitive data,” the investigation found.
The demo account, which was not connected to Snowflake’s production or corporate systems, was not protected with Okta single sign-on or multifactor authentication, according to the investigation.
“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake and incident response firms CrowdStrike and Mandiant said in the joint post on their preliminary findings.
“Any SaaS solution that is configured without multifactor authentication is susceptible to be mass exploited by threat actors,” Carmakal said. “We anticipate threat actors will replicate this campaign across other SaaS solutions that contain sensitive enterprise data.”
The threat activity originated from commercial VPN IP addresses, and attackers directly extorted organizations and further pressured victims by publicly posting stolen data for sale on the dark web, researchers at threat detection and incident response firm Mitiga said in a Friday blog post.
Snowflake did not publish details about the attack on its blog but shared a link to the community forum post on the social platform X. The company advised organizations to immediately enforce multifactor authentication on all accounts and set up network policy rules to ensure authorized use and traffic from trusted locations.
“Impacted organizations should reset and rotate Snowflake credentials,” the company said.
Snowflake also provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake customer accounts.
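The remediation steps above (find accounts that never use a second factor, restrict traffic to trusted locations, rotate credentials) can be carried out from a Snowflake worksheet. The following is an added illustration written for this article, not code published by Snowflake, Mandiant or CrowdStrike; the policy name, user name and IP range are placeholders, and the queries read the standard SNOWFLAKE.ACCOUNT_USAGE views, which require a role with access to that database.

```sql
-- 1. Detection: which enabled users can log in with a password but have
--    no Duo MFA enrolled? These are the single-factor accounts the campaign targeted.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Hunting: successful logins since mid-April that used only a password
--    (no second factor), grouped by source IP and client, so that logins from
--    unfamiliar addresses (e.g. commercial VPN egress) stand out for review.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= '2024-04-15'
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY last_seen DESC;

-- 3. Mitigation: allow traffic only from trusted locations.
--    203.0.113.0/24 is a placeholder range; replace it with your own egress
--    addresses. Snowflake rejects an account-level policy that would lock out
--    the session applying it, so include your current address in the list.
CREATE NETWORK POLICY IF NOT EXISTS trusted_locations_policy   -- placeholder name
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict logins to corporate egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations_policy;

-- 4. Containment for an account seen in step 1 or 2 (placeholder user name):
--    disable it until the credential has been rotated and MFA enrolled.
ALTER USER example_user SET DISABLED = TRUE;
```

Run the SELECT statements first and review their output before applying the policy, since an ALLOWED_IP_LIST that omits an automated integration's address will also block that integration.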