Snowflake Denies Breach, Attributes Data Theft to Poorly Secured Customer Accounts

Snowflake is disputing claims made by a threat actor who stole data belonging to Santander and Ticketmaster, asserting that the theft of customer data resulted from stolen customer login credentials.

"We are aware of recent reports related to a potential compromise of the Snowflake production environment," cloud company Snowflake stated in an update on Friday regarding identity-based attacks targeting its customers. "We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product."

On Friday, the company confirmed that some customer accounts had been accessed by attackers using previously compromised credentials. Snowflake notified the affected customers, shared indicators of compromise, and offered recommendations to help secure their accounts.

Mitiga researchers detailed how attackers breached accounts lacking two-factor authentication, accessed cloud-stored data, and used it to extort the affected organizations. Hudson Rock researchers also published a report echoing the threat actor’s claims of breaching Snowflake’s infrastructure by stealing an employee's login credentials. The blog post has since been deleted, but an archived version is available.

Snowflake CISO Brad Jones refuted the threat actor’s claims, stating that the threat actor obtained personal credentials to access a demo account of a former Snowflake employee. He emphasized that the demo account did not contain sensitive data and was not connected to Snowflake’s production or corporate systems.

"The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems," Jones noted, adding that "there is no ‘master Application Programming Interface (API)’ or pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment."

The threat actor claimed they obtained data belonging to Santander Bank and Ticketmaster by breaching Snowflake’s servers. Santander confirmed attackers accessed one of its databases hosted by a third-party provider but did not name Snowflake. Live Nation Entertainment, Ticketmaster’s parent company, reported unauthorized activity within a third-party cloud database containing company data, primarily from Ticketmaster, and launched an investigation. A Ticketmaster spokesperson later confirmed to TechCrunch that the database was hosted on Snowflake.

Security researcher Kevin Beaumont reported that six major organizations are "running Snowflake cyber incidents."

UPDATE (June 2, 2024, 01:10 p.m. ET):

Snowflake has engaged CrowdStrike and Mandiant to assist in the cyber incident response. The three firms issued a joint statement on the preliminary findings, stating that they have not identified evidence suggesting the incident was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform, or by compromised credentials of current or former Snowflake personnel. They reiterated that the threat actor obtained personal credentials to access demo accounts of a former Snowflake employee, but that those accounts are not connected to the company’s production or corporate systems.

"Throughout the investigation, Snowflake has promptly informed the limited number of customers who may have been affected. Mandiant has also reached out to potentially affected organizations," they added.