Security researchers say they believe financially motivated cybercriminals stole “vast amounts of data” from hundreds of customers of cloud data giant Snowflake, which hosts those customers' large data stores on its platform.
Mandiant, an incident response firm that is working with Snowflake to investigate the recent spate of data thefts, said in a blog post on Monday that the two companies have notified about 165 customers that their data may have been stolen.
This is the first time Snowflake has publicly disclosed how many customers were affected since the account hacking began in April. Snowflake has said little about the attack so far, saying only that a “limited number” of customers were affected. The cloud data giant has more than 9,800 corporate customers, including healthcare organizations, major retailers and some of the world's largest technology companies, that use Snowflake for data analytics.
So far, only Ticketmaster and LendingTree have confirmed the data theft, both of which hosted the stolen data on Snowflake. Several other Snowflake customers have said they are currently investigating the possible theft of data from their Snowflake environments.
Mandiant said the extortion campaign is “ongoing” and suggested the number of Snowflake's corporate customers reporting data theft may increase.
In a blog post, Mandiant attributed the account hacks to UNC5537, an unclassified cybercrime group that the company said is motivated by financial gain. Mandiant said the group has members in North America and at least one in Turkey, and has been trying to extort money from victims to get their files back or prevent the release of customer data.
Mandiant confirmed the attack dates back to at least April 14, when researchers first identified evidence of unauthorized access to an unnamed Snowflake customer's environment, using “stolen credentials to access customer Snowflake instances and ultimately exfiltrate valuable data.” Mandiant said it notified Snowflake of the breach into customer accounts on May 22.
Security firm Mandiant said the majority of the stolen credentials used by UNC5537 were “obtainable from previous infostealer infections,” some of which date back to 2020. Mandiant's findings corroborate Snowflake's limited disclosures, which say there was no direct compromise of Snowflake's systems, but that the breach was due to customer accounts not using multi-factor authentication (MFA).
Last week, TechCrunch found Snowflake customer credentials circulating online that had been stolen by malware that infected the computer of a staff member with access to their employer's Snowflake environment. The number of credentials linked to Snowflake environments available online suggests a continued risk for customers who have not yet changed their passwords or enabled MFA.
Mandiant said it also confirmed that “hundreds of Snowflake customer credentials were compromised by an infostealer.”
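One way for a Snowflake customer to check for the exposure Mandiant describes, as an added example rather than anything published by TechCrunch, Snowflake or Mandiant: a query over Snowflake's ACCOUNT_USAGE login history that lists successful password-only logins (no second factor) since April 14, grouped by user and source address. It assumes a role granted access to the SNOWFLAKE database (such as ACCOUNTADMIN) and assumes the year 2024, which the article does not state.

```sql
-- Added example: successful logins that used a password with no second factor,
-- since the earliest intrusion date reported in the article (April 14).
-- Assumptions: the role running this can read SNOWFLAKE.ACCOUNT_USAGE,
-- and the year of the intrusion is 2024 (not stated in the article).
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= '2024-04-14'
  AND is_success = 'YES'                        -- stored as the string 'YES'/'NO'
  AND first_authentication_factor = 'PASSWORD'  -- password login, not key pair, OAuth or SAML
  AND second_authentication_factor IS NULL      -- no MFA challenge was completed
GROUP BY user_name, client_ip, reported_client_type
ORDER BY password_only_logins DESC, last_seen DESC;
```

Users that appear here, especially from unfamiliar addresses or client types, are the accounts to rotate and enrol in MFA first; once MFA is in use, the second factor shows up in second_authentication_factor and the rows stop appearing.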
Snowflake, meanwhile, is not mandating or forcing its customers to use the security feature by default. In a brief update on Friday, Snowflake said it is “developing plans” to enforce the use of MFA on customer accounts, but has not yet provided a timeline.
Snowflake spokeswoman Danica Stanczak declined to comment on why the company isn't resetting customers' passwords or enforcing MFA. Snowflake didn't immediately comment on Mandiant's blog post on Monday.
Do you know more about the Snowflake account breach? Let us know. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send us files and documents via SecureDrop.