Skip to main content
close search
site logo
Dive Brief

100 Snowflake customers attacked, data stolen for extortion

A financially motivated attacker used stolen credentials to systematically compromise customer accounts, steal a significant volume of data and extort victims, Mandiant said.

Published June 11, 2024
Matt Kapko's headshot
Senior Reporter
Snowflake office building in San Mateo, CA.
Snowflake office building in San Mateo, CA. Permission granted by Snowflake

First published on

Cybersecurity Dive
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • More than 100 Snowflake customers are caught in a widespread identity-based attack spree targeting the cloud-based data warehouse vendor’s customers, Mandiant said Monday in a threat intelligence report. The attacks were not caused by a breach of Snowflake’s systems, Mandiant said.
  • “Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants,” Mandiant Consulting CTO Charles Carmakal said Monday in a prepared statement. “The threat actor systematically compromised customer tenants, downloaded data, extorted victims and advertised victim data for sale on cybercriminal forums.”
  • Snowflake first disclosed the attacks on May 30 and said it first became aware of the malicious activity on May 23. Snowflake was not immediately available to comment on Mandiant’s research. Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation.

Dive Insight:

Snowflake and the incident response firms maintain the attacks were not caused by a vulnerability or breach of Snowflake’s enterprise environment.

The financially-motivated attacker, UNC5537, used stolen credentials to access Snowflake customer databases and those credentials were primarily obtained from multiple infostealer malware infections on non-Snowflake owned systems, according to Mandiant. Some of the stolen credentials date back to November 2020.

Snowflake and Mandiant have notified approximately 165 potentially exposed customers to date, Mandiant said.

The attacks resulting in a significant volume of stolen customer data had three factors in common, Mandiant said: 

  • Impacted customer accounts were not configured with multifactor authentication;
  • Credentials obtained via infostealer malware were still valid; 
  • And impacted Snowflake customer instances did not have network policy rules in place to limit access to trusted locations.

The update from Mandiant comes as pressure mounts on Snowflake and its customers. The data warehouse and analytics vendor hasn’t independently confirmed how many customers are impacted.

In a Friday update on its community forum, Snowflake CISO Brad Jones said the company is developing a plan to require customers to implement advanced security controls such as MFA or network policies.

Details of the plan were scant however, including what exactly will be required of Snowflake customers and if MFA will be turned on by default across its platform. Snowflake did not respond to a request for additional information on its security improvement plan.

The company ended its most recent quarter on April 30 with 9,822 customers.

Filed Under: IT Strategy, Software

Editors' picks

Company Announcements

View all | Post a press release
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Viz.ai Wins Prestigious Prix Galien USA Award for Best Digital Health Solution
From Viz.ai
November 12, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Revenera Monetization Monitor 2025: Product Usage Insights Drive Better Roadmaps
From Revenera
November 25, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell