Security researchers say they believe financially motivated cybercriminals have stolen a “significant volume of data” from hundreds of customers hosting their vast banks of data with cloud storage giant Snowflake.
Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said in a blog post Monday that the two firms have notified around 165 customers that their data may have been stolen.
It’s the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little to date about the attacks, only that a “limited number” of its customers are affected. The cloud data giant has more than 9,800 corporate customers, like healthcare organizations, retail giants and some of the world’s largest tech companies, which use Snowflake for data analytics.
So far, only Ticketmaster and LendingTree have confirmed data thefts where their stolen data was hosted on Snowflake. Several other Snowflake customers say they are currently investigating possible data thefts from their Snowflake environments.
Mandiant said the threat campaign is “ongoing,” suggesting the number of Snowflake corporate customers reporting data thefts may rise.
In its blog post, Mandiant attributed the account hacks to UNC5537, an as-yet-unclassified cybercriminal gang that the security firm says is motivated by making money. The gang, which Mandiant says includes members in North America and at least one member in Turkey, attempts to extort its victims into paying to get their files back or to prevent the public release of their customers’ data.
Mandiant confirmed the attacks — which rely on the use of “stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data” — date back to at least April 14, when its researchers first identified evidence of improper access to an unnamed Snowflake customer’s environment. Mandiant said it notified Snowflake to its customer account intrusions on May 22.
The security firm said the majority of stolen credentials used by UNC5537 were “available from historical infostealer infections,” with some dating as far back as 2020. Mandiant’s findings confirm Snowflake’s limited disclosure, which said there wasn’t a direct breach of Snowflake’s own systems but blamed its customer accounts for not using multi-factor authentication (MFA).
Last week, TechCrunch found circulating online hundreds of Snowflake customer credentials stolen by malware that infected the computers of staffers who have access to their employer’s Snowflake environment. The number of credentials available online linked to Snowflake environments suggests an ongoing risk to customers who have not yet changed their passwords or enabled MFA.
Mandiant said it has also seen “hundreds of customer Snowflake credentials exposed via infostealers.”
For its part, Snowflake does not require its customers to use by default or enforce the security feature’s use. In a brief update on Friday, Snowflake has said it’s “developing a plan” to enforce the use of MFA on its customers’ accounts, but has not yet provided a timeline.
Snowflake spokesperson Danica Stanczak declined to say why the company hasn’t reset customer passwords or enforced MFA. Snowflake did not immediately comment on Mandiant’s blog post Monday.
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.