Snowflake Inc. Investigates Widespread Hacking Campaign
Snowflake Inc. is on the verge of concluding its investigation into a hacking campaign that compromised up to 165 customer accounts. The cloud data and analytics company has reported no unauthorized access since early last week. Chief Information Security Officer Brad Jones emphasized in an interview that hackers had used single-factor authentication weaknesses to target Snowflake users.
Extent of Data Theft Remains Unclear
The full extent of data theft among Snowflake customers is still uncertain. Cybersecurity firm Mandiant, a Google Cloud unit assisting with the probe, has notified 165 potentially affected organizations. Confirmed affected customers include Live Nation Entertainment Inc., Pure Storage Inc., and Advance Auto Parts, all of which have acknowledged incidents related to Snowflake.
Method of Attack
Hackers leveraged stolen credentials, commonly traded on cybercriminal forums, to infiltrate accounts that lacked multifactor authentication. Importantly, they did not breach Snowflake's own login systems; instead, they signed in to customer accounts with usernames and passwords that had been reused from other services. Snowflake has not been able to determine how much customer data was stolen. The company has, however, worked with law enforcement, alongside Mandiant and CrowdStrike Holdings Inc., to respond to the incident.
Reaction and Preventive Measures
The campaign highlights the need for basic cybersecurity practices like multifactor authentication. Jones underscored this, stating that many threats can be mitigated through fundamental security measures. Snowflake learned of the hacking attempts on May 22 and promptly blocked related IP addresses, even enlisting commercial VPN vendors for assistance. Mandiant's investigation began in April 2024 when leaked database records traced back to a Snowflake account.
Proactive Security Steps
Snowflake enforced protective actions, locking down accounts if users did not secure them promptly. The company plans to introduce tools to enhance multifactor authentication adoption later this month. This step aims to bolster overall security by requiring additional identity verification methods.
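The two themes above, single-factor password logins from shared attacker infrastructure (Method of Attack) and identifying which accounts need MFA enforced (Proactive Security Steps), can be turned into a simple audit over login history. The following is an added example, not code from the article or from Snowflake or Mandiant. It assumes that exported login records carry column names like those of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, REPORTED_CLIENT_TYPE); the rows themselves are constructed for the example.

```python
from collections import defaultdict

# Constructed sample rows. The column names mirror the schema of Snowflake's
# ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption for this example); every
# user name, IP address and client type below is made up.
SAMPLE_LOGINS = [
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"USER_NAME": "BOB", "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "CAROL", "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    # A failed attempt from the same address: not a compromise, so not counted below.
    {"USER_NAME": "DAVE", "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"USER_NAME": "ERIN", "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    # A service account using key-pair auth: single factor, but not a password login.
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "192.0.2.5", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
]


def _successful(row):
    """LOGIN_HISTORY records success as the string 'YES' (assumed here)."""
    return row.get("IS_SUCCESS") == "YES"


def flag_single_factor_logins(rows):
    """Successful logins that presented only a password and no second factor.

    This is exactly the access pattern the campaign relied on: a reused
    username/password pair on an account with no MFA.
    """
    findings = []
    for row in rows:
        if (_successful(row)
                and row.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD"
                and not row.get("SECOND_AUTHENTICATION_FACTOR")):
            findings.append({
                "user": row["USER_NAME"],
                "ip": row["CLIENT_IP"],
                "client": row.get("REPORTED_CLIENT_TYPE"),
            })
    return findings


def ips_touching_many_users(rows, min_users=3):
    """Client IPs whose single-factor logins reached at least min_users accounts.

    One address successfully authenticating as many different users is a
    strong signal of credential stuffing and a candidate for IP blocking.
    """
    users_by_ip = defaultdict(set)
    for finding in flag_single_factor_logins(rows):
        users_by_ip[finding["ip"]].add(finding["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def mfa_enforcement_candidates(rows):
    """Users who log in with a password and have never presented a second factor.

    Key-pair or SSO-only identities are left out: enforcing MFA there is a
    separate policy decision, and the campaign targeted password accounts.
    """
    password_users, mfa_users = set(), set()
    for row in rows:
        if not _successful(row):
            continue
        if row.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD":
            password_users.add(row["USER_NAME"])
        if row.get("SECOND_AUTHENTICATION_FACTOR"):
            mfa_users.add(row["USER_NAME"])
    return sorted(password_users - mfa_users)


if __name__ == "__main__":
    for f in flag_single_factor_logins(SAMPLE_LOGINS):
        print(f"single-factor login: user={f['user']} ip={f['ip']} client={f['client']}")
    for ip, users in ips_touching_many_users(SAMPLE_LOGINS).items():
        print(f"shared source address {ip} reached accounts: {', '.join(users)}")
    print("enforce MFA for:", ", ".join(mfa_enforcement_candidates(SAMPLE_LOGINS)))
```

In a real deployment the rows would come from a query over the login history view rather than an inline list, and the thresholds (here three distinct users per address) should be tuned against the organisation's normal traffic, since corporate NAT gateways and VPN egress points legitimately present many users from one IP.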
Hackers' Limitations
Jones assured that no significant resource consumption occurred due to these hacks. Hackers mainly retrieved data without imposing heavy computational loads, ultimately causing no substantial additional costs for customers.
Customer Reactions
Recently, Live Nation discovered unauthorized activity in a third-party cloud database hosted by Snowflake. Similarly, Advance Auto Parts is investigating a reported security incident tied to Snowflake. Snowflake itself declined to comment on specific customers.
Hacking Group Identification
Mandiant identified the responsible hacking group as UNC5537, which relied on readily available stolen credentials rather than sophisticated tools. Researchers believe most group members are based in North America.