In late May and early June 2024, a wave of data breaches hit organizations using Snowflake, the cloud data warehousing platform. Ticketmaster, Santander Bank, Advance Auto Parts, AT&T, and over 160 other organizations had sensitive data stolen from their Snowflake instances. The breaches were not caused by a vulnerability in Snowflake itself but by a targeted campaign that used credentials stolen from infostealer malware to access Snowflake accounts that lacked multi-factor authentication.
Mandiant, engaged by Snowflake to investigate, attributed the campaign to a financially motivated threat actor tracked as UNC5537. The investigation revealed a systemic exploitation of weak authentication practices that exposed hundreds of millions of records.
How the Attack Worked
The attack chain was straightforward and devastating:
Step 1: Credential harvesting. UNC5537 obtained Snowflake customer credentials from infostealer malware logs. Information-stealing malware like Vidar, RedLine, Raccoon, and Lumma had infected employee devices over the preceding months and years, capturing credentials stored in browsers, password managers, and configuration files. These credentials were available on dark web marketplaces and Telegram channels.
Step 2: Account access. The attackers used the stolen credentials to log directly into Snowflake customer accounts. The targeted accounts did not have MFA enabled, meaning the username and password were sufficient for access.
Step 3: Data exfiltration. Once inside, the attackers used Snowflake's built-in data export capabilities to extract large volumes of data. They created temporary stages, unloaded table data into them, and then downloaded the staged files.
Step 4: Extortion. UNC5537 contacted victims and demanded ransom payments in exchange for not publishing the stolen data. When victims did not pay, data was listed for sale on cybercrime forums.
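Seen from the defender's side, Steps 2 and 3 leave traces in Snowflake's own audit views. The two queries below are an added example, not from the original post or from Mandiant's or Snowflake's published guidance; the 14-day window is an assumption, and the views are the standard SNOWFLAKE.ACCOUNT_USAGE ones.

```sql
-- Added example: hunt for the two observable phases of the campaign in Snowflake's
-- own audit views. ACCOUNT_USAGE views lag live activity by up to a few hours.

-- Phase A (Step 2): successful logins that relied on a password alone, with no
-- second factor, grouped by user and source IP so newly appearing addresses stand out.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL          -- no MFA step was completed
  AND event_timestamp >= DATEADD('day', -14, CURRENT_TIMESTAMP())  -- assumed window
GROUP BY 1, 2, 3
ORDER BY first_seen DESC;

-- Phase B (Step 3): the export pattern: temporary stages being created, table data
-- unloaded into a stage (COPY INTO @stage), and staged files pulled down with GET.
SELECT
    start_time,
    user_name,
    role_name,
    query_type,
    rows_unloaded,
    LEFT(query_text, 200) AS query_snippet
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('day', -14, CURRENT_TIMESTAMP())
  AND (
        query_type IN ('UNLOAD', 'GET_FILES')
     OR query_text ILIKE 'CREATE%TEMP%STAGE%'
     OR query_text ILIKE 'COPY INTO @%'
      )
ORDER BY start_time DESC;
```

Baseline both result sets against your known users, egress addresses and scheduled export jobs; a password-only login from a new IP followed shortly by UNLOAD or GET_FILES activity by the same user is the sequence worth paging on.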
The Scale
Mandiant identified that approximately 165 Snowflake customer organizations were potentially affected. The confirmed breaches included some of the largest data exposures of 2024:
- Ticketmaster/Live Nation: Data on approximately 560 million customers, including names, addresses, phone numbers, email addresses, and partial payment card data
- Santander Bank: Data on approximately 30 million customers across multiple countries
- AT&T: Call and text message records for nearly all wireless customers over a six-month period, approximately 109 million accounts
- Advance Auto Parts: Employee data and other sensitive information
- LendingTree/QuoteWizard: Customer financial data
The total number of affected individuals across all 165 organizations is likely in the hundreds of millions.
What Snowflake Did (and Did Not Do)
Snowflake's position was that the breaches resulted from customers failing to enable MFA, not from any vulnerability in the Snowflake platform. This is technically accurate. Snowflake did offer MFA capabilities, and the customer accounts that were breached had not enabled it.
However, Snowflake faced criticism for not requiring MFA by default and for not proactively notifying customers when their accounts were accessed from unusual locations or IP addresses. Before the incident, Snowflake did not enforce MFA for any accounts. The platform allowed password-only authentication as the default, and many customers, particularly those who had been using the platform for years, never enabled MFA.
In response to the breaches, Snowflake announced several security improvements:
- All new Snowflake accounts would require MFA by default
- Existing accounts would receive enhanced prompts and guidance to enable MFA
- Snowflake would implement network policy controls to restrict access to known IP ranges
- Session token management would be improved to reduce the window of exposure
The Infostealer Economy
The Snowflake campaign highlighted the maturation of the infostealer economy. Information-stealing malware has become one of the most prevalent and impactful categories of cybercrime. The ecosystem works like this:
Malware operators distribute infostealers through phishing, malicious ads, pirated software, and compromised websites. The malware silently harvests credentials, cookies, tokens, and other sensitive data from infected machines.
Log brokers aggregate the harvested data into searchable databases and sell access on dark web marketplaces and Telegram channels. Buyers can search for credentials to specific domains (like snowflakecomputing.com) and purchase them for nominal amounts.
Access brokers and threat actors purchase credentials for specific targets and use them to access corporate systems, cloud platforms, and SaaS applications.
The Snowflake campaign demonstrated that this ecosystem has matured to the point where a single threat actor can systematically target hundreds of organizations using credentials purchased from dark web markets. The total investment in credentials is minimal compared to the value of the data they unlock.
Lessons for Cloud Data Platform Users
The Snowflake breaches drive home several critical points:
MFA is non-negotiable for cloud platforms. Any cloud service that stores or processes sensitive data must require MFA. "Offering" MFA is not enough; it must be enforced. If your cloud data warehouse provider does not require MFA, demand it, and enable it for every account in the meantime.
Credential monitoring is essential. Organizations should monitor dark web marketplaces and infostealer log databases for credentials associated with their domains. Services like Have I Been Pwned, SpyCloud, and Flare provide this capability.
Endpoint security prevents upstream credential theft. The credentials used in the Snowflake campaign were stolen from employee machines by infostealer malware. Strong endpoint protection, browser isolation, and restrictions on personal use of work devices reduce the risk of credential theft.
Network restrictions add a layer of defense. Configuring cloud platforms to only accept connections from known IP ranges or through VPN connections would have blocked the attackers even with valid credentials.
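The first and last of these lessons, enforced MFA and IP restriction, map directly onto two account-level Snowflake policies. The following is an added example, not configuration from the original post or from Snowflake's documentation; the database, policy names and IP ranges are placeholders, and the ranges used are the RFC 5737 documentation blocks.

```sql
-- Added example: enforce MFA and restrict source networks for a Snowflake account.
-- Run as a role with CREATE AUTHENTICATION POLICY / CREATE NETWORK POLICY privileges
-- (typically SECURITYADMIN). Object names and IP ranges are placeholders.

USE ROLE SECURITYADMIN;
CREATE DATABASE IF NOT EXISTS security_policies;
CREATE SCHEMA   IF NOT EXISTS security_policies.policies;

-- 1. MFA is required, not merely offered. Any user who authenticates with a password
--    must be enrolled in MFA; service accounts should use KEYPAIR instead of passwords.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_policies.policies.require_mfa
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML', 'KEYPAIR')
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'No password-only access: MFA for humans, key pairs for services';

-- 2. Only the corporate egress and VPN ranges (placeholders) may connect, so a valid
--    stolen password presented from an unknown address is still rejected.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Corporate egress and VPN ranges only';

-- 3. Dry run before activating: which recent successful logins came from outside the
--    allowed ranges? Anything listed here would be locked out by the policy.
SELECT user_name, client_ip, COUNT(*) AS logins
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND NOT (client_ip LIKE '203.0.113.%' OR client_ip LIKE '198.51.100.%')  -- the two /24s above
GROUP BY 1, 2
ORDER BY logins DESC;

-- 4. Activate both at account scope once the dry run shows only expected exceptions.
ALTER ACCOUNT SET AUTHENTICATION POLICY security_policies.policies.require_mfa;
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Users who hit MFA_ENROLLMENT = REQUIRED are forced to enrol at their next UI login; pipelines that still log in with passwords should be moved to key-pair authentication before the policy is applied, or they will start failing.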
How Safeguard.sh Helps
Safeguard.sh supports organizations in managing the kind of systemic credential and access risk that the Snowflake campaign exploited. Our platform tracks your software supply chain and deployment infrastructure, helping you identify which components and services require credential access and whether those access points are properly secured. Policy gates can enforce security requirements like MFA enablement and network access restrictions across your cloud infrastructure, ensuring that gaps in authentication security are identified and remediated before they become breach vectors.