In late May 2024, 560 million records were stolen from Ticketmaster (part of Live Nation Entertainment) and then appeared for sale on the BreachForums cybercrime site. Shortly afterward, on June 6, data from U.S. auto parts provider Advance Auto Parts Inc. was offered for sale.
Both companies had a common link: they were Snowflake customers.
The wave of intrusions, reminiscent of the MOVEit mass-exploitation campaign in its scale, has hit Snowflake customer environments over the past two months. The campaign is attributed to a financially motivated group tracked as UNC5537. At least 100 Snowflake customers have been confirmed as impacted, and approximately 165 organizations were notified as potentially exposed, according to Mandiant, the cybersecurity firm assisting Snowflake with the ongoing investigation.
According to Mandiant's threat intelligence report published on June 10, the first signs of unauthorized access to Snowflake customer instances emerged on April 14. By April 19, Mandiant had begun investigating data theft from an unidentified database. The link to Snowflake was confirmed on May 14 when Mandiant discovered that two of its incident response clients had lost data from their Snowflake tenant.
UNC5537's method is systematic: the group logs into Snowflake customer instances with stolen credentials, exfiltrates data, advertises it for sale on cybercrime forums, and attempts to extort the victims. Ransom demands reported so far range from $300,000 to $5 million and have been made to as many as 10 breached companies.
Victims that have publicly acknowledged a breach include Pure Storage, Cylance, Live Nation, and QuoteWizard. Pure Storage was the first Snowflake customer to confirm publicly that it was affected. In a June 11 security bulletin, Pure Storage disclosed that unauthorized individuals accessed its Snowflake workspace and stole telemetry information such as company names, LDAP usernames, email addresses, and Purity software release numbers; the company said the data did not include passwords or any data stored on customer systems. Cylance confirmed the exposure of some of its data but did not specify the extent or nature of the compromised information. Data attributed to Cylance, allegedly including 34 million customer and employee email addresses, is being sold on a crime forum by a hacker using the alias "Sp1d3r" for $750,000. Other companies affected have yet to publicly name Snowflake as the third-party vendor involved, but multiple experts have linked recent corporate data-theft incidents to Snowflake environments.
Looking at the causes, Mandiant confirmed that the impacted accounts were not configured with multifactor authentication, so a valid username and password was all an attacker needed. The investigation found no evidence that Snowflake's own environment had been breached; each incident was traced back to compromised customer credentials.
Snowflake has stated that the attacks were not due to any vulnerability, misconfiguration, or breach of its systems. The point of entry was stolen credentials harvested by infostealer malware on systems not owned by Snowflake, in some cases contractor or personal machines. Mandiant's report highlights three contributing factors: the accounts lacked MFA, the stolen credentials had not been rotated (some dated back to infections in 2020), and the affected instances had no network allow-lists restricting where logins could originate. Any one of those controls would have blocked or sharply limited this access pattern.
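The access path described above (a successful login with a password and no second factor) is visible in Snowflake's own account-usage views, and the controls that close it are a few statements. The following is an added example written for this article, not code from Snowflake, Mandiant, or any of the named victims; the network policy, authentication policy, role, and IP range names are hypothetical, and the authentication-policy statements assume a Snowflake release that supports `MFA_ENROLLMENT = REQUIRED`.

```sql
-- Added example (not from the article or from Snowflake/Mandiant).
-- Run with a role that can read the SNOWFLAKE shared database (e.g. ACCOUNTADMIN).
-- Policy names and the IP range below are hypothetical placeholders.

-- 1. Hunt: successful logins in the last 30 days that used only a password.
--    FIRST_AUTHENTICATION_FACTOR = 'PASSWORD' with no second factor is exactly
--    the precondition the campaign relied on. Unfamiliar client IPs or client
--    types for a given user are the rows to investigate first.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;

-- 2. Inventory: active, password-enabled users who have never enrolled in MFA
--    (EXT_AUTHN_DUO is the per-user MFA enrollment flag in the USERS view).
SELECT name,
       login_name,
       last_success_login,
       has_password,
       ext_authn_duo
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Harden: restrict where logins may originate (the missing allow-list).
--    203.0.113.0/24 is a documentation range standing in for corporate egress.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Hypothetical corporate egress range';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 4. Harden: require MFA enrollment account-wide (authentication policies).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 5. Rotate: force a password change on any account flagged by queries 1 or 2.
--    (Service accounts should move to key-pair authentication instead, which
--    removes the password from the picture entirely.)
ALTER USER IF EXISTS example_analyst RESET PASSWORD;
```

Run the two queries before applying the policies so the allow-list does not lock out legitimate automation: rows in query 1 whose `reported_client_type` is a driver or BI tool coming from a fixed address belong in `ALLOWED_IP_LIST` (or, better, get their own user-level network policy and an RSA key instead of a password). Note that `ACCOUNT_USAGE` views lag live activity by up to a couple of hours, so an active incident should be investigated with `INFORMATION_SCHEMA.LOGIN_HISTORY()` as well.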
The implications are serious. Even without direct access to the victims' core systems, the attackers obtained large volumes of sensitive customer data, which underscores how weak identity controls on a third-party data platform can undo the security of everything stored in it. The affected companies now face reputational damage, legal exposure, and a loss of customer trust, and further supply-chain-style attacks of this kind remain a realistic threat. Because the full extent of the infostealer infections is still unknown, and credentials stolen years ago can still be valid today, the situation could deteriorate further before it improves.