Snowflake to Close Probe into Cyberattack Targeting Clients

By Charles Gorrivan and Brody Ford | June 14, 2024

Snowflake Inc. plans to close its own investigation this week into a hacking campaign that ensnared as many as 165 of its customers.

The cloud data and analytics company hasn’t detected any unauthorized access into customer accounts since early last week, Chief Information Security Officer Brad Jones said in an interview with Bloomberg News. The company said on June 2 that hackers had launched a “targeted campaign” directed against Snowflake users that used single-factor authentication techniques.

The full scope of the data theft among Snowflake customers remains unclear. Cyber firm Mandiant, a unit of Google Cloud that’s helping Snowflake investigate the incident, said Monday that it had informed 165 “potentially exposed organizations” about their possible vulnerability. Only a handful of customers such as Live Nation Entertainment Inc., Pure Storage Inc. and Advanced Auto Parts so far have suggested that they experienced Snowflake-related issues.


The shares rose as much as 1.5% on the news before erasing the gains. The stock was down 2.2% to $127.44 at 1:05 p.m. in New York.

Hackers used stolen credentials that were available in places like cybercriminal forums to access customer accounts, which lacked security measures such as multifactor authentication, Jones said. The attackers didn’t access a file of Snowflake logins, but rather used stolen usernames and passwords to infiltrate the accounts, assuming that people reuse their credentials, he said.
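The pattern described above, stolen credentials tried against accounts that accept a password alone, leaves two signals in login telemetry: successful logins with no second factor, and one source address attempting many different usernames. The following is an added example, not code from the article, Bloomberg or Snowflake. It runs a defender's check over constructed login records whose field names are modeled on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the sample rows, usernames and IP addresses are made up for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LoginEvent:
    """One login-history row; field names mirror Snowflake's LOGIN_HISTORY view (assumption)."""
    event_timestamp: str
    user_name: str
    client_ip: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: str  # "YES" or "NO", as the view reports it


# Constructed sample data: one MFA-protected user, one IP trying several accounts,
# and one key/OAuth-based login that is single-factor by design and not a password.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent("2024-05-20T08:00:00Z", "ALICE", "10.0.0.5", "PASSWORD", "DUO_PUSH", "YES"),
    LoginEvent("2024-05-20T08:01:00Z", "BOB", "198.51.100.7", "PASSWORD", None, "YES"),
    LoginEvent("2024-05-20T08:01:05Z", "CAROL", "198.51.100.7", "PASSWORD", None, "NO"),
    LoginEvent("2024-05-20T08:01:09Z", "DAVE", "198.51.100.7", "PASSWORD", None, "YES"),
    LoginEvent("2024-05-20T08:02:00Z", "ERIN", "203.0.113.9", "OAUTH_ACCESS_TOKEN", None, "YES"),
]


def single_factor_successes(events: List[LoginEvent]) -> List[str]:
    """Users who got in with a password and nothing else.

    These are the accounts the article describes as lacking multifactor
    authentication; each one is a candidate for enforcing MFA or a lock.
    """
    users = {
        e.user_name
        for e in events
        if e.is_success == "YES"
        and e.first_authentication_factor == "PASSWORD"
        and not e.second_authentication_factor
    }
    return sorted(users)


def spraying_sources(events: List[LoginEvent], min_users: int = 3) -> Dict[str, List[str]]:
    """Client IPs that attempted logins as several distinct users.

    A single address cycling through many usernames, successes and failures
    alike, is the footprint of stolen-credential lists being replayed.
    """
    users_by_ip: Dict[str, set] = defaultdict(set)
    for e in events:
        users_by_ip[e.client_ip].add(e.user_name)
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_users
    }


if __name__ == "__main__":
    print("password-only successful logins:", single_factor_successes(SAMPLE_LOGINS))
    print("addresses trying multiple accounts:", spraying_sources(SAMPLE_LOGINS))
```

The first check drives remediation (which users still need a second factor); the second drives blocking (which source addresses to cut off), which is the order of actions the article attributes to Snowflake. The OAuth row is deliberately not flagged: the check targets password reuse, not every single-factor mechanism.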

Snowflake doesn’t have visibility into how much customer data was stolen, Jones said. The company has been working with law enforcement, in addition to Google’s Mandiant and CrowdStrike Holdings Inc., to look into the matter.

Jones said the hacking campaign underscores that many threats are preventable. “We have a broader challenge in the security community and enterprises that a lot of people aren’t nailing the basics,” he said in a reference to multifactor authentication.

Snowflake became aware of the hacking effort on May 22, Jones said. The company blocked IP addresses linked to the hackers, working with commercial virtual private network vendors to do so, he added. Mandiant’s investigation began in April 2024 when it learned about leaked database records that the cyber firm later determined originated from a Snowflake customer account.

If customers failed to take action to secure potentially impacted accounts, Jones said, Snowflake locked those accounts to prevent further unauthorized access.

The company plans to release tools later this month that help customers accelerate adoption of security measures such as multifactor authentication, which requires someone to verify their identity in two or more ways before gaining access to their account.

Snowflake charges customers based on how much they use the product — also known as consumption. This includes when they remove data from the system. Jones said that “no significant consumption” occurred as a result of hackers gaining unauthorized access to customer accounts.

“It’s not like they were doing heavy computation on the data, just retrieving it,” Jones said when explaining why the hackers didn’t cause any meaningful additional Snowflake costs for customers.

Last week, Ticketmaster owner Live Nation said it had discovered “unauthorized activity” on a third-party cloud database. A person familiar with the situation said the account was hosted on Snowflake. On Friday, Advanced Auto Parts also said that it was investigating reports that it was involved in a “security incident related to Snowflake.”

Snowflake declined to comment on any specific customers.

Mandiant determined that a hacking group called “UNC5537” was responsible for the attacks and that the gang hadn’t used “novel or sophisticated tools” to carry out the hack. Instead, the report said the hackers exploited the “large lists of stolen credentials” that “exist both for free and for purchase” on the dark web. Most suspected members of the gang are based in North America, researchers said.

Top photo: Computer code displayed on screens arranged in Danbury, U.K., on Monday, Jan. 4, 2021. In the spring, hackers managed to insert malicious code into a software product from an IT provider called SolarWinds Corp., whose client list includes 300,000 institutions. Photographer: Chris Ratcliffe/Bloomberg.
