165 Snowflake customers at risk from massive cyberattack

11 Jun 2024


Cyberattackers are targeting vulnerable Snowflake customers – including Ticketmaster – with stolen credentials, and it is unclear exactly how much data has been exposed in the campaign.

The cyberattack campaign on Snowflake customers is ramping up and will likely serve as a reminder of the importance of multifactor authentication.

Various high-profile breaches have occurred recently, including the massive Ticketmaster breach that saw the data of 560m accounts go up for sale on the dark web. The key entity connecting all of these breaches was Snowflake, a cloud company that has more than 9,800 customers globally.

Snowflake investigated the breaches with the support of cybersecurity companies – including Google-owned Mandiant. In a blogpost, Mandiant has shared details on the campaign targeting Snowflake customers for “data theft and extortion”.

Mandiant says a “financially motivated threat actor” is compromising Snowflake customers using stolen customer credentials. The two companies have notified “approximately 165 potentially exposed organisations” about the threat.

The cybersecurity company believes this threat actor – called UNC5537 – managed to breach Snowflake customers by using credentials “previously stolen via infostealer malware”. Mandiant noted that these customers did not have multifactor authentication enabled and that the criminals “only required a valid username and password”.

“Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020,” Mandiant said in a blogpost. “Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.”

Mandiant also said there is no evidence that the breaches of customer accounts were related to an issue with Snowflake’s security systems. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials,” Mandiant said.

The scale of the campaign could be massive, as the breaches linked to it so far include the details of hundreds of millions of customers.

Cybersecurity company HudsonRock claimed it spoke to the threat actor responsible for one of these breaches, according to a blogpost. This blogpost was taken offline earlier this month due to legal pressure from Snowflake, The Register reports.

At the time, the threat actor speaking to HudsonRock claimed that 400 companies were impacted by the Snowflake breach and that the goal was to blackmail the cloud company into buying the data back for $20m.


Leigh Mc Gowran is a journalist with Silicon Republic
