Security researchers say they believe financially motivated cybercriminals have stolen a “significant amount of data” from hundreds of customers who host their massive databanks with cloud storage giant Snowflake.
Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said in a blog post on Monday that the two companies have notified about 165 customers that their data may have been stolen.
It’s the first time the number of affected Snowflake customers has been revealed since the account hacks began in April. Snowflake has said little so far about the attacks, only that a “limited number” of its customers are affected. The cloud data giant has more than 9,800 enterprise customers, including healthcare organizations, retail giants and some of the world’s largest technology companies, who use Snowflake for data analysis.
So far, only Ticketmaster and LendingTree have confirmed data thefts where their stolen data was hosted on Snowflake. Several other Snowflake customers say they are currently investigating possible data theft from their Snowflake environments.
Mandiant said the threat campaign is “ongoing,” suggesting that the number of Snowflake enterprise customers reporting data theft may increase.
In its blog post, Mandiant attributed the account breaches to UNC5537, an as-yet-unclassified cybercriminal gang that the security firm says is motivated by making money. The gang, which Mandiant says includes members in North America and at least one member in Turkey, tries to extort its victims into paying to get their files back or to prevent their customers’ data from being made public.
Mandiant confirmed that the attacks, which rely on the use of “stolen credentials to access the customer’s Snowflake instance and ultimately extract valuable data,” date back to at least April 14, when its researchers first identified evidence of improper access to the environment of a Snowflake client. Mandiant said it notified Snowflake of hacks on its customer accounts on May 22.
The security firm said the majority of the stolen credentials used by UNC5537 were “available from historical infections by information thieves,” with some dating back to 2020. Mandiant’s findings confirm Snowflake’s limited disclosure, which said there was no direct breach of Snowflake’s systems, but blamed its customer accounts for not using multi-factor authentication (MFA).
Last week, TechCrunch found circulating online hundreds of Snowflake customer credentials stolen by malware that infected the computers of employees accessing their employer’s Snowflake environment. The number of credentials available online and connected to Snowflake environments suggests an ongoing risk to customers who have not yet changed their passwords or enabled MFA.
Mandiant said it has also seen “hundreds of customers’ Snowflake credentials exposed via infostealers.”
For its part, Snowflake does not require its customers to use MFA by default or enforce its use. In a briefing on Friday, Snowflake said it is “developing a plan” to enforce the use of MFA on its customers’ accounts, but has yet to provide a timeline.
Snowflake spokeswoman Danica Stanczak declined to say why the company hasn’t reset customer passwords or enforced MFA. Snowflake did not immediately comment on Mandiant’s blog post on Monday.
Do you know more about the Snowflake account hacks? Get in touch. To contact this reporter, reach out on Signal and WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.