Snowflake Cloud Accounts Felled by Rampant Credential Issues

Published: 23/11/2024   Category: security

A threat actor has accessed data belonging to at least 165 organizations using valid credentials to their Snowflake accounts, thanks to no MFA and poor password hygiene.



A Mandiant investigation of recent account compromises at Snowflake, a data warehousing platform, has confirmed that all of them resulted from a failure by customers to implement multifactor authentication (MFA) and proper access control to their accounts.
According to Mandiant, part of Google Cloud, a financially motivated threat actor that it is tracking as UNC5537 appears to have systematically accessed accounts belonging to at least 165 Snowflake customers, using valid account credentials obtained from elsewhere.
The attacker has stolen data from the accounts and has either attempted to extort victims with it or has made the data available for sale on cybercrime forums. Though Mandiant has not named any victims, other security vendors have identified Ticketmaster and Santander Bank as being among the many victims of the massive campaign.
"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," the security vendor said. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."
Mandiant has assessed that UNC5537 aggregated credentials for Snowflake accounts from multiple previous information stealer campaigns. In several incidents that Mandiant investigated, the credentials that the threat actor used to access Snowflake customer accounts were obtained from spy Trojans installed on contractor systems. "Such credentials are often available for sale and for free on the Dark Web and multiple other sources," Mandiant said.
Significantly, many of the credentials that UNC5537 used to access Snowflake accounts haven't been rotated in at least a couple of years. In one instance, the threat actor leveraged a credential from a November 2020 information stealer campaign to access the associated Snowflake account, meaning the victim had not updated that credential for the past four years at least.
"UNC5537's campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure," Mandiant stressed. "The affected customer instances did not require MFA, and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations."
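The three control gaps Mandiant lists (no MFA, credentials unrotated for years, no network allow list) can each be checked from account and login records. The audit below is an added example written for this article, not code from Mandiant or Snowflake; the record shape, field names and the 365-day rotation threshold are assumptions, and the sample data is constructed from RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed rotation policy; the article reports credentials left unrotated for four years.
STALE_AFTER = timedelta(days=365)

@dataclass
class LoginEvent:
    when: datetime
    client_ip: str
    second_factor: Optional[str]  # None: the login completed with a password alone

@dataclass
class Account:
    user: str
    password_last_set: datetime
    logins: List[LoginEvent] = field(default_factory=list)

def audit_account(acct: Account, allow_list: List[str], now: datetime) -> List[str]:
    """Sorted finding codes for one account; an empty list means no gap was found."""
    findings = set()
    if now - acct.password_last_set > STALE_AFTER:
        findings.add("STALE_CREDENTIAL")
    trusted = [ip_network(cidr) for cidr in allow_list]
    for ev in acct.logins:
        if ev.second_factor is None:
            findings.add("LOGIN_WITHOUT_MFA")
        if not any(ip_address(ev.client_ip) in net for net in trusted):
            findings.add("LOGIN_OUTSIDE_ALLOW_LIST")
    return sorted(findings)

def audit_all(accounts: List[Account], allow_list: List[str], now: datetime) -> Dict[str, List[str]]:
    """Map each user with at least one gap to its findings."""
    return {a.user: f for a in accounts if (f := audit_account(a, allow_list, now))}

# Constructed sample data (RFC 5737 documentation ranges), not taken from any real incident.
UTC = timezone.utc
NOW = datetime(2024, 6, 10, tzinfo=UTC)
ALLOW_LIST = ["203.0.113.0/24"]  # stands in for a corporate egress range
SAMPLE_ACCOUNTS = [
    # password set in November 2020, password-only login from an untrusted address
    Account("contractor_svc", datetime(2020, 11, 2, tzinfo=UTC),
            [LoginEvent(datetime(2024, 5, 30, tzinfo=UTC), "198.51.100.7", None)]),
    # recently rotated, MFA completed, login from inside the allow list
    Account("analyst_ok", datetime(2024, 3, 1, tzinfo=UTC),
            [LoginEvent(datetime(2024, 6, 1, tzinfo=UTC), "203.0.113.40", "DUO_PUSH")]),
]
```

Running `audit_all(SAMPLE_ACCOUNTS, ALLOW_LIST, NOW)` flags only `contractor_svc`, with all three findings.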
Mandiant's findings are another reminder of the enormous and growing exposure of organizations to credential theft, and of the booming market for information stealers. In recent years, the trend has heightened calls from security experts about the need for organizations to implement MFA and best practices like using zero-trust models and limited allow lists to control access to data in the cloud.
"Mandiant assesses MFA would have prevented compromise of Snowflake accounts in this campaign," says Austin Larsen, senior threat analyst at Mandiant. "Mandiant has not identified evidence of the actor being able to bypass MFA in any of the observed incidents."
Larsen says Snowflake's status as a multicloud data warehousing platform that organizations use to store and analyze large amounts of structured and unstructured data likely made it a good target for the attackers. "Often these databases contain valuable and sensitive information, which is an attractive target for financially motivated actors," he says. "This increases the likelihood of the threat actor monetizing this data via extortion and/or sale through underground forums."
Interestingly, while the compromise of Snowflake accounts has received a lot of attention, Mandiant has identified non-Snowflake customers as well that UNC5537 has targeted going back at least six months, Larsen adds.
Jason Soroko, senior vice president of product at Sectigo, says that while Mandiant's Snowflake findings "should be on billboards," the message itself has been repeated a countless number of times, continuing to fall on deaf ears.
"We must implement stronger forms of authentication than passwords and move past even needing MFA," he says. "We have already learned these lessons many times. We have also heard the excuses why doing this is so difficult. Nothing will change until the will to do the right thing exists."
Julianna Lamb, chief technology officer and co-founder of Stytch, says companies that continue using passwords as a form of authentication need to ensure proper controls over their use. This means not permitting password reuse and making it as easy as possible for users to generate strong passwords.
She also recommends that organizations monitor sites such as HaveIBeenPwned’s database to ensure that users aren’t using a breached password. It’s also important to invest in multiple layers of protection beyond passwords, such as bot prevention measures to identify when bots are on-site and being used for credential stuffing, and implementing two-factor authentication.
