Snowflake

Breach Report for

May 2024 Snowflake Breach

🌍
GLOBAL
165 customers' data records breached
In May 2024, Snowflake, a major cloud data warehousing platform, disclosed a significant cybersecurity incident affecting approximately 165 customers, including prominent companies such as AT&T, Advance Auto Parts, LendingTree, Ticketmaster, and Santander Bank. The campaign, run by a financially motivated threat group tracked as UNC5537, began in mid-April 2024 and consisted of systematic compromises of customer instances using stolen credentials. The severity of the breach became clear when AT&T revealed in July 2024 that data from "nearly all" of its 242 million wireless customers had been taken from its Snowflake-hosted database. The exposed AT&T data included phone numbers, call durations, and cell site details from 2022.

Key aspects of the breach:

- Root Cause: The breach did not stem from a vulnerability in Snowflake's platform but from stolen customer credentials, primarily harvested by infostealer malware (including Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar). Some of the credentials dated back to 2020 and had never been rotated.
- Attack Method: UNC5537 used a custom reconnaissance tool called FROSTBITE (aka "rapeflake") to access and exfiltrate data from customer instances. The group targeted accounts that had neither multi-factor authentication (MFA) nor network access restrictions, so a valid username and password alone was enough to log in.
- Threat Actor: UNC5537, believed to consist of members based in North America with an additional collaborator in Turkey, has been selling the stolen data on cybercrime forums and attempting to extort victims.

Contributing factors to the breach's success:

1. No mandatory MFA on customer accounts
2. Unrotated credentials, some dating back to 2020
3. No network allow-listing to restrict access to trusted locations
4. Compromised contractor systems used for both business and personal activities

In response, Snowflake engaged the cybersecurity firms CrowdStrike and Mandiant to investigate, coordinated with law enforcement, and is developing plans to require customers to implement advanced security controls, including mandatory MFA and network policies. The incident highlights the growing threat from information-stealing malware and the critical importance of basic controls in cloud environments: MFA, regular credential rotation, and network access restrictions.
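The three missing controls listed above (network allow-listing, mandatory MFA, credential rotation) each map onto an account-level setting in Snowflake. The following is an added example of how an administrator would turn them on, written for this page; it is not code from the page, from Snowflake's own guidance, or from any of the affected companies. The database, schema and policy names, the IP ranges, the user name and the 90-day maximum password age are assumptions. The MFA_ENROLLMENT property of authentication policies was added by Snowflake after this incident, so the example assumes a current account.

```sql
-- Added example: hardening a Snowflake account against the credential-only
-- access pattern described above. All object names, IP ranges and day counts
-- are assumptions. Run as ACCOUNTADMIN (or a role granted the needed privileges).
USE ROLE ACCOUNTADMIN;

-- Policies other than network policies are schema-level objects, so they need
-- a home. Assumed location: SECURITY_DB.POLICIES.
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA IF NOT EXISTS security_db.policies;

-- 1. Network allow-listing.
--    Default state: no network policy, so a stolen password works from any
--    address on the internet.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24',   -- assumed corporate VPN egress range
                     '198.51.100.7')     -- assumed cloud workload NAT address
  COMMENT = 'Logins only from corporate VPN and pipeline NAT egress';

-- Apply it account-wide; every user and service must now come from these ranges.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Mandatory MFA.
--    Default state: MFA is opt-in per user, so single-factor accounts exist
--    until each person enrolls.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa_policy
  MFA_ENROLLMENT = REQUIRED                 -- human users must enroll on next login
  MFA_AUTHENTICATION_METHODS = ('PASSWORD') -- password logins need a second factor
  COMMENT = 'No single-factor password logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa_policy;

-- 3. Credential rotation.
--    Default state: passwords never expire, which is how credentials stolen in
--    2020 were still valid in 2024.
CREATE PASSWORD POLICY IF NOT EXISTS security_db.policies.rotate_90d_policy
  PASSWORD_MAX_AGE_DAYS = 90   -- assumed rotation interval
  PASSWORD_MIN_LENGTH   = 14
  PASSWORD_HISTORY      = 12;  -- block reuse of the last 12 passwords

ALTER ACCOUNT SET PASSWORD POLICY security_db.policies.rotate_90d_policy;

-- Force an immediate reset for a specific user whose credentials appear in an
-- infostealer log (user name is an assumption).
ALTER USER analyst_jdoe SET MUST_CHANGE_PASSWORD = TRUE;

-- Verify what is now enforced at account level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW AUTHENTICATION POLICIES IN SCHEMA security_db.policies;
SHOW PASSWORD POLICIES IN SCHEMA security_db.policies;
```

Two practical notes. Snowflake refuses to activate an account-level network policy if the IP you are connecting from is not in its allow-list, which protects against locking yourself out, but service accounts running from addresses you forgot to list will start failing at their next login, so inventory pipeline egress addresses first. Requiring MFA enrollment applies to human users; service identities used by pipelines should move to key-pair or OAuth authentication rather than passwords, which is also what a password-only login from an automated client in the login history should prompt you to fix.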

Official Statement

"Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts. Our key preliminary findings identified to date:

- We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;
- We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;
- This appears to be a targeted campaign directed at users with single-factor authentication;
- As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
- We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.
- Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.

We recommend organizations immediately take the following steps:

- Enforce Multi-Factor Authentication on all accounts;
- Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
- Impacted organizations should reset and rotate Snowflake credentials.

In addition, please review Snowflake’s investigative and hardening guidelines for recommended actions to assist investigating potential threat activity within Snowflake customer accounts. This investigation is ongoing. We are also coordinating with law enforcement and other government authorities.

Update (6-10-24)

As part of our commitment to transparency around our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, cybersecurity expert Mandiant shared this blog post today detailing their findings to date. As we shared on June 6, we continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.

Update (6-7-2024)

As an update to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, our most recent findings (see June 2 post below), supported by cyber experts CrowdStrike and Mandiant, remain unchanged. We continue to work closely with our customers as they harden their security measures to reduce cyber threats to their business. We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts. While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business."
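The statement refers customers to Snowflake's investigative guidelines without reproducing them. As an added example, not taken from the page, from Snowflake or from Mandiant, the queries below show how an account administrator can audit for the exposures the statement names (single-factor users, stale passwords, password-only logins from untrusted addresses) and look for sessions from the tool named in this report, using the SNOWFLAKE.ACCOUNT_USAGE views. The 90-day thresholds and IP ranges are assumptions, and so is the guess that the tool identifies itself with a client application string containing "rapeflake"; the real client string may differ, and an unfamiliar client name of any kind deserves the same scrutiny.

```sql
-- Added example: post-incident audit queries over the SNOWFLAKE.ACCOUNT_USAGE
-- views. Thresholds, IP ranges and the client-name pattern are assumptions.
-- Needs a role with IMPORTED PRIVILEGES on the SNOWFLAKE database (ACCOUNTADMIN
-- has them). These views lag live activity by up to roughly two hours.
USE ROLE ACCOUNTADMIN;

-- A. Active human users who can log in with a password but have no MFA
--    enrolled: exactly the population the campaign targeted.
SELECT name,
       last_success_login,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE            -- no second factor enrolled
ORDER BY password_age_days DESC NULLS FIRST;

-- B. Passwords older than the assumed 90-day rotation window, or never set
--    since the account was created (NULL). This is the "stolen in 2020, still
--    valid in 2024" failure mode.
SELECT name, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND (password_last_set_time IS NULL
       OR password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP()));

-- C. Successful password-only logins in the last 90 days from outside the
--    assumed trusted ranges. The comparison is done in the query so it works
--    even if no network policy existed during the window under review.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND NOT (client_ip LIKE '203.0.113.%'      -- assumed corporate VPN egress
           OR client_ip = '198.51.100.7')    -- assumed pipeline NAT address
ORDER BY event_timestamp;

-- D. Sessions whose client application name matches the tool named in the
--    report, joined back to the login that created them for the source IP.
--    The ILIKE pattern is an assumption about how the tool identifies itself.
SELECT s.created_on, s.user_name, s.client_application_id,
       s.client_application_version, l.client_ip
FROM snowflake.account_usage.sessions s
JOIN snowflake.account_usage.login_history l
  ON s.login_event_id = l.event_id
WHERE s.created_on >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND s.client_application_id ILIKE '%rapeflake%'
ORDER BY s.created_on;
```

Query C is the one to run first: any row it returns is a login that a stolen password alone could have produced, and the user, timestamp and client IP give you the pivot into QUERY_HISTORY (what was read) and the grants on that user (what could have been read). Query A then tells you who still needs MFA before the account-level enforcement is turned on, and query B gives the list of users to force through a password reset.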



Breach Summary

Status
✅ Confirmed
Criticality
Critical
Breached Data
  • Internal Data
Total Breaches
1 time

LeakList. All rights reserved.