Security experts have disclosed that cybercriminals have stolen a substantial amount of data from numerous customers using Snowflake’s cloud storage services. Mandiant, an incident response firm, is collaborating with Snowflake to investigate these data breaches, which have affected around 165 customers.
This revelation marks the first public disclosure of the number of Snowflake customers impacted since the hacks began in April. Snowflake had previously stated that only a “limited number” of its clients were affected. Snowflake, a major cloud data provider, serves over 9,800 corporate customers, including healthcare organizations, retail giants, and leading tech companies that rely on its platform for data analytics.
To date, only Ticketmaster and LendingTree have confirmed data breaches involving information hosted on Snowflake. Several other customers are currently investigating potential data thefts from their Snowflake environments. Mandiant warned that the threat campaign is ongoing, implying that more companies might report data breaches in the future.
In a blog post, Mandiant attributed the hacks to UNC5537, a financially motivated cybercriminal group with members in North America and at least one in Turkey. The group aims to extort victims by demanding payment to return stolen files or to prevent the public release of sensitive data.
Mandiant confirmed that these attacks, which involve using stolen credentials to access Snowflake accounts and exfiltrate data, date back to at least April 14. On May 22, Mandiant alerted Snowflake about these customer account intrusions. The firm noted that most of the stolen credentials used by UNC5537 came from past infostealer infections, some dating back to 2020. This supports Snowflake’s earlier statement that there was no direct breach of its own systems; instead, the intrusions were possible because the affected customer accounts were not using multi-factor authentication (MFA), so a stolen password alone was enough to log in.
Last week, numerous Snowflake customer credentials stolen by malware were found circulating online. These credentials were obtained through malware infections on computers of employees with access to Snowflake environments. The prevalence of these stolen credentials highlights the ongoing risk to customers who have not yet changed their passwords or enabled MFA.
Mandiant has observed hundreds of Snowflake customer credentials exposed via infostealers. Despite the risks, Snowflake does not currently mandate the use of MFA for its customers. In a recent update, Snowflake stated it is developing a plan to enforce MFA but did not provide a specific timeline.
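The exposure described above comes down to two conditions: an account that accepts a password with no second factor, and a login from a machine the legitimate user never used. Both are visible in a Snowflake account's own audit data. The queries below are an added example written for this page, not code from the article, from Snowflake or from Mandiant. They assume a role with access to the `SNOWFLAKE.ACCOUNT_USAGE` share (for example `ACCOUNTADMIN`); the column names are those of the documented `USERS` and `LOGIN_HISTORY` views, while the 30-day look-back, the distinct-IP threshold and the `SERVICE_` naming convention for non-human accounts are assumptions you would adjust for your environment.

```sql
-- Added example for this page (not the article's, Snowflake's or Mandiant's code).
-- Assumes a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database.
-- Column names follow the documented ACCOUNT_USAGE views; the windows,
-- thresholds and the 'SERVICE_' prefix are assumptions for illustration.

-- 1. Enabled, password-capable users with no Duo MFA enrolled.
--    These are the accounts a leaked infostealer password would open directly.
SELECT name,
       has_password,
       ext_authn_duo      AS mfa_enrolled,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
  AND name NOT LIKE 'SERVICE_%'   -- assumed convention for non-human accounts
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, with source IP and
--    reported client, for review against known corporate egress ranges.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Users whose successful logins over the window arrived from many distinct
--    IPs. A single account appearing from several unrelated networks is a
--    common sign that a credential is being used by more than its owner.
SELECT user_name,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       COUNT(*)                  AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY user_name
HAVING COUNT(DISTINCT client_ip) > 3   -- assumed threshold
ORDER BY distinct_ips DESC;
```

The `ACCOUNT_USAGE` views are populated with a delay of up to a couple of hours, so they suit periodic review rather than real-time alerting; the first query is the one to schedule, since any row it returns is a password-only account that a stolen credential can still reach until MFA is enrolled or the password is reset.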
Snowflake spokesperson Danica Stanczak did not comment on why the company has not reset customer passwords or enforced MFA. Snowflake also did not immediately respond to Mandiant’s blog post.