According to security researchers, financially motivated cybercriminals have stolen a considerable amount of data from numerous customers of Snowflake, the popular cloud data company that many organizations entrust with their large collections of information.
“We have notified around 165 customers that their data may have been stolen”
– Incident response firm Mandiant
This is the first time the number of affected Snowflake customers has been disclosed since the hacks began in April. So far, Snowflake has said very little about the attacks beyond the fact that a “limited number” of customers have been impacted. The cloud data giant is currently used for data analytics by over 9,800 corporate customers, ranging from healthcare institutions to retail behemoths and some of the biggest tech companies in the world.
The only two companies that have confirmed data theft from their Snowflake-hosted data are Ticketmaster and LendingTree. Other Snowflake customers are currently investigating potential data thefts from their environments.
Mandiant has stated that the threat campaign is still ongoing, leaving room for the possibility of more of Snowflake’s corporate customers reporting data theft in the future.
The security firm has attributed the account hacks to a cybercriminal gang known as UNC5537, which they believe is solely motivated by financial gain. According to Mandiant, the gang has members in North America and at least one in Turkey. Their tactic is to extort victims by either demanding payment for the return of their files or threatening to publicly release their customers’ data.
Mandiant’s investigations have revealed that the attacks, which involve the use of stolen credentials to gain access to a customer’s Snowflake instance and ultimately extract valuable data, have been occurring since at least April 14. The security firm notified Snowflake of customer account intrusions on May 22.
Many of the stolen credentials used by the UNC5537 gang were reportedly obtained from historic infostealer infections, some dating back to 2020. This confirms Snowflake’s limited disclosure, which stated that there was no direct breach of their own systems, but attributed the hacks to their customers’ failure to use multi-factor authentication (MFA).
Last week, it was discovered that hundreds of Snowflake customer credentials were circulating online, stolen by malware infecting the computers of employees who have access to their employer’s Snowflake environment. This suggests an ongoing threat to customers who have yet to change their passwords or enable MFA.
Mandiant has also noted that hundreds of customer Snowflake credentials have been exposed through infostealers.
Snowflake, however, does not currently require or enforce MFA for its customers by default. In a recent update, the company stated that it is “developing a plan” to enforce MFA on its customers’ accounts, but has not provided a timeline for when this will be implemented.
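The pattern described above (successful logins made with a stolen password and no second factor) is something a Snowflake administrator can check for in their own login history. The following Python script is an added, illustrative example, not code from the article, Snowflake or Mandiant. It assumes records shaped like rows from Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view (the field names USER_NAME, CLIENT_IP, IS_SUCCESS, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR and EVENT_TIMESTAMP); the sample rows, user names and IP addresses are constructed for the example and are not real data.

```python
"""Flag successful Snowflake logins that used a password with no second factor.

Added example (not from the article, Snowflake or Mandiant). The record
fields are modeled on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the
rows below are constructed sample data, not real log output.
"""

# Constructed sample login records (assumption: same column names as LOGIN_HISTORY).
SAMPLE_LOGINS = [
    # Password plus a second factor: this is the state every account should be in.
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "203.0.113.10", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH",
     "EVENT_TIMESTAMP": "2024-04-14 08:00:00"},
    # Key-pair authentication for a service account: not a password login.
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None,
     "EVENT_TIMESTAMP": "2024-04-14 08:05:00"},
    # Password-only login from the user's usual office address.
    {"USER_NAME": "ANALYST2", "CLIENT_IP": "203.0.113.22", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "EVENT_TIMESTAMP": "2024-04-13 17:40:00"},
    # Same user, password-only, from an address never seen before.
    {"USER_NAME": "ANALYST2", "CLIENT_IP": "192.0.2.55", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "EVENT_TIMESTAMP": "2024-04-14 03:12:00"},
    # A failed attempt: not a successful login, so not counted as exposure.
    {"USER_NAME": "ANALYST3", "CLIENT_IP": "192.0.2.55", "IS_SUCCESS": "NO",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "EVENT_TIMESTAMP": "2024-04-14 03:15:00"},
    # Password-only login for a user with no known-address baseline at all.
    {"USER_NAME": "ANALYST3", "CLIENT_IP": "192.0.2.56", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "EVENT_TIMESTAMP": "2024-04-14 03:18:00"},
]

# Constructed baseline of addresses each user has historically logged in from.
KNOWN_IPS = {
    "ANALYST1": {"203.0.113.10"},
    "ANALYST2": {"203.0.113.22"},
    "SVC_ETL": {"198.51.100.7"},
}


def password_only_logins(rows):
    """Successful logins authenticated with a password and no second factor."""
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
    ]


def users_without_mfa(rows):
    """Users who have logged in with a password alone; candidates for a reset and MFA enrollment."""
    return sorted({r["USER_NAME"] for r in password_only_logins(rows)})


def unfamiliar_source_logins(rows, known_ips):
    """Password-only logins from an address not in the user's baseline.

    A user with no baseline entry is treated as having no known addresses,
    so every password-only login for that user is reported.
    """
    hits = []
    for r in password_only_logins(rows):
        if r["CLIENT_IP"] not in known_ips.get(r["USER_NAME"], set()):
            hits.append((r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"]))
    return hits


if __name__ == "__main__":
    print("Users who logged in with a password only:", users_without_mfa(SAMPLE_LOGINS))
    for user, ip, ts in unfamiliar_source_logins(SAMPLE_LOGINS, KNOWN_IPS):
        print(f"Review: {user} logged in from unfamiliar address {ip} at {ts}")
```

Run against real LOGIN_HISTORY exports, the first list identifies every account that should have its password reset and MFA enrolled regardless of whether it was abused, and the second narrows review to password-only sessions from addresses the user has never used before, which is where credential-theft activity tends to show up first.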
Snowflake spokesperson Danica Stanczak declined to comment on why customer passwords have not been reset or MFA enforced. The company did not immediately respond to Mandiant’s blog post on Monday.