A large-scale data theft has hit customers of Snowflake, a prominent cloud data warehousing company. Mandiant, a well-known incident response firm, reported that financially motivated hackers have stolen a substantial amount of data from the Snowflake environments of a large number of the company’s customers.

Scope of the Breach

Mandiant, collaborating with Snowflake, revealed that approximately 165 customers have been notified about potential data theft. This marks the first official disclosure of the number of affected customers since the breaches began in April. Snowflake, which serves over 9,800 corporate clients, had previously downplayed the extent of the attack, indicating that only a “limited number” of its customers were impacted.

Among the affected companies, Ticketmaster and LendingTree have confirmed data thefts. Other organizations are currently investigating potential breaches in their Snowflake environments. The ongoing nature of the threat campaign suggests that more companies may report data thefts in the future.

The Attackers and Their Methods

Mandiant attributes the breaches to UNC5537, a cybercriminal gang believed to be motivated by financial gain. The group, comprising members in North America and at least one member in Turkey, uses stolen credentials to log in to Snowflake customer accounts and exfiltrate valuable data. The credentials primarily originated from historical infostealer infections, some dating back to 2020; they still worked because the passwords had never been rotated since the infections.

The attacks were first identified on April 14, when Mandiant detected unauthorized access to an unnamed Snowflake customer’s environment. The security firm alerted Snowflake about these intrusions on May 22. Notably, the breaches did not result from a vulnerability in or a direct hack of Snowflake’s systems: the attackers simply authenticated with valid, previously stolen passwords to customer accounts that lacked multi-factor authentication (MFA).

Current Response and Future Measures

TechCrunch recently found hundreds of Snowflake customer credentials circulating online, harvested by infostealer malware from employees’ computers. Any credential in those dumps remains usable until the affected customer rotates the password or enables MFA on the account, so customers who have done neither are still exposed.
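The two questions a Snowflake customer reading the paragraphs above needs answered are which accounts can still be entered with a password alone, and whether anyone already has. The following is an added example, not code from the article, from Mandiant or from Snowflake; it assumes a role that can read the standard SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN by default) and that those views have caught up, since they lag live activity by up to a couple of hours. The user name ETL_LOADER and the password in the final statement are hypothetical placeholders.

```sql
-- Added example (not from the article or from Snowflake's documentation).
-- Assumes ACCOUNTADMIN or a role granted access to the SNOWFLAKE database.

-- 1. Exposure inventory: enabled users who can authenticate with a password
--    but are not enrolled in MFA. A leaked infostealer credential for any of
--    these accounts is enough on its own to log in.
SELECT
    name,
    login_name,
    has_password,
    ext_authn_duo              AS mfa_enrolled,
    has_rsa_public_key,
    last_success_login,
    password_last_set_time       -- older than the infostealer era = never rotated
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful logins in the last 90 days where the password was
--    the only factor, summarised per user, client type and source address.
--    Triage first any user whose password-only logins appear from a client
--    type or IP range not seen before.
SELECT
    user_name,
    reported_client_type,
    client_ip,
    COUNT(*)                   AS logins,
    MIN(event_timestamp)       AS first_seen,
    MAX(event_timestamp)       AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, reported_client_type, client_ip
ORDER BY user_name, last_seen DESC;

-- 3. Remediation for one flagged account (hypothetical user ETL_LOADER):
--    set a new password directly rather than relying on MUST_CHANGE_PASSWORD,
--    because whoever holds the leaked password could otherwise perform the
--    "change" themselves at next login.
ALTER USER ETL_LOADER SET PASSWORD = 'replace-with-a-freshly-generated-secret';
```

Run the first query before the second: the inventory tells you which accounts to enrol in MFA or move to key-pair or SSO authentication, while the login summary tells you which of them may already have been used by someone else and therefore need a password reset and an exfiltration review of their query history.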

Despite the severity of the breaches, Snowflake has not mandated the use of MFA for its customers. In a brief update last week, the company stated it is “developing a plan” to enforce MFA but did not provide a timeline. Snowflake spokesperson Danica Stanczak did not comment on why the company hasn’t reset customer passwords or enforced MFA in the interim.

Implications and Expert Commentary

From my point of view, the Snowflake data breaches highlight that the weak point in cloud data security is often not the platform but account hygiene. Password-only logins, using credentials that had been sitting in infostealer logs for years, were enough to reach large volumes of sensitive data. As cybercriminals continue to trade and replay stolen credentials, organizations must prioritize MFA on every account, rotation of any password that may have been exposed, and monitoring of single-factor logins.

The ongoing investigation by Mandiant and Snowflake is crucial for understanding the full extent of the breaches and preventing future attacks. However, the gap between Mandiant’s first detection in April and Snowflake’s notification in late May, together with the absence of a forced password reset or mandatory MFA in the interim, raises concerns about the company’s commitment to protecting its customers’ data.

In conclusion, the Snowflake data breaches serve as a stark reminder of the importance of cybersecurity in today’s digital landscape. Companies must adopt proactive measures to safeguard their data and stay ahead of cyber threats. The collaboration between Mandiant and Snowflake will be essential in addressing the current breaches and enhancing security protocols to prevent similar incidents in the future.