Mandiant Reveals Extensive Data Breaches Impacting Hundreds of Snowflake Customers

A detailed account of the recent Snowflake data breaches revealed by Mandiant, affecting hundreds of customers.
TL;DR - Mandiant has uncovered a data-theft and extortion campaign against Snowflake customer instances, affecting hundreds of customers. The attackers logged in with credentials stolen by infostealer malware, targeting accounts that had no MFA, no credential rotation and no network restrictions. The activity was still ongoing at the time of reporting and highlights the critical need for robust identity controls around cloud data platforms.

Recent investigations have revealed a significant security incident involving Snowflake, a prominent cloud data platform. In June 2024, security researchers from Mandiant (part of Google Cloud) disclosed that a financially motivated threat actor had stolen large volumes of data from numerous Snowflake customer instances. The incident underscores the critical need for robust identity and access controls in cloud environments.

The Scope of the Breach

Mandiant has reported that approximately 165 organizations were identified as potentially exposed and have been notified. These customers span various industries, including healthcare, retail, and technology. Mandiant first identified the activity in April 2024, and the attackers were still active when the findings were published.

Details of the Attack

Mandiant attributes the campaign to a threat group it tracks as UNC5537. The group did not exploit a flaw in Snowflake; it logged in with valid credentials harvested by infostealer malware, in many cases from contractor or personal machines, and some of those credentials had been stolen years earlier but never rotated. Three conditions made the intrusions possible: the targeted accounts had no multi-factor authentication (MFA), the stolen passwords were still valid, and no network policy restricted where logins could originate. Once authenticated, the attackers enumerated and exfiltrated data using a custom utility called "rapeflake" (tracked by Mandiant as FROSTBITE) and DBeaver Ultimate, a legitimate database client, before extorting victims or advertising the data for sale.

Impact on Customers

Two prominent companies, Ticketmaster and LendingTree, have publicly acknowledged data theft involving their Snowflake environments. Many other organizations are still investigating whether they were affected. The widespread use of Snowflake among major corporations explains the far-reaching impact of this incident.

Mandiant’s Response

Mandiant began its investigation in April 2024 and notified Snowflake and the affected customers in May. The firm has been working with Snowflake and law enforcement agencies to mitigate the impact and prevent further intrusions, and has published indicators and hunting guidance so that customers can check their own instances.

Snowflake’s Position

Snowflake, with Mandiant and CrowdStrike concurring, has stated that it found no evidence the activity was caused by a vulnerability, misconfiguration or breach of its platform. Instead, it points to compromised customer credentials as the root cause. Snowflake has nonetheless been criticised for not enforcing MFA by default and for the pace of its initial response, and has said it is developing a plan to require customers to adopt stronger controls such as MFA.

Preventative Measures

To prevent similar incidents, Mandiant and Snowflake recommend the following measures:

  • Implement MFA: Enforce multi-factor authentication for every human account. MFA enrolment in Snowflake was user-initiated at the time, so verify coverage from the account's user list rather than assuming it.
  • Network Policies: Restrict logins to trusted IP ranges with account-level and user-level network policies, so a stolen password cannot be used from an arbitrary address.
  • Credential Rotation: Rotate passwords on a schedule and immediately after any suspected endpoint infection, and move service accounts off passwords to key-pair or OAuth authentication where possible.
  • Monitoring and Alerts: Review login and session history for logins without a second factor, unfamiliar source addresses, unexpected client applications, and unusually large query or export activity.
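The access pattern described under "Details of the Attack" is exactly what the monitoring bullet above needs to catch. The following is an added example, not code from Mandiant, Snowflake or the original article: a small hunting routine over login telemetry that flags password-only logins, sources outside an allow-list, first-time source addresses per user, and the client application strings named in the reporting. It assumes each row is the join of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY with the CLIENT_APPLICATION_ID column of SNOWFLAKE.ACCOUNT_USAGE.SESSIONS (verify the column names against your account); the events, IP ranges and user names are constructed for the example.

```python
"""Hunt for the UNC5537 access pattern in Snowflake login telemetry.

Added example, not code from Mandiant or Snowflake. Each row models the join of
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY with SESSIONS.CLIENT_APPLICATION_ID
(column names are an assumption; verify against your account). The events,
networks and user names below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Client application strings from Mandiant's reporting: "rapeflake" (tracked by
# Mandiant as FROSTBITE) and DBeaver Ultimate. Matched as lower-case substrings.
SUSPICIOUS_CLIENTS = ("rapeflake", "dbeaverultimate")

# Egress ranges an account-level network policy would allow (assumed values).
TRUSTED_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
)


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str          # PASSWORD, RSA_KEYPAIR, OAUTH_ACCESS_TOKEN, ...
    second_authentication_factor: str | None  # None when no MFA challenge occurred
    is_success: bool
    client_application_id: str = ""           # from SESSIONS; empty if not joined


@dataclass
class Finding:
    user_name: str
    client_ip: str
    event_timestamp: datetime
    reasons: list[str] = field(default_factory=list)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_single_factor(ev: LoginEvent) -> bool:
    """Password with no second factor: the exposure the campaign exploited.
    Key-pair and OAuth logins are not password replay and are left out."""
    return ev.first_authentication_factor == "PASSWORD" and not ev.second_authentication_factor


def hunt(events: list[LoginEvent]) -> list[Finding]:
    """Return one Finding per successful login that matches any indicator.

    Reasons are appended in this order when they apply:
      untrusted_ip       source outside TRUSTED_NETWORKS
      single_factor      password-only login (reported even from a trusted IP,
                         because that user is exposed the moment the password leaks)
      suspicious_client  client application named in the reporting
      new_ip_for_user    first successful login for this user from this IP, once
                         the user has an earlier login to compare against
    """
    seen_ips: dict[str, set[str]] = {}
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e.event_timestamp):
        if not ev.is_success:
            continue  # failed attempts deserve their own count; out of scope here
        reasons: list[str] = []
        if not is_trusted(ev.client_ip):
            reasons.append("untrusted_ip")
        if is_single_factor(ev):
            reasons.append("single_factor")
        app = ev.client_application_id.lower()
        if any(marker in app for marker in SUSPICIOUS_CLIENTS):
            reasons.append("suspicious_client")
        user_ips = seen_ips.setdefault(ev.user_name, set())
        if ev.client_ip not in user_ips:
            if user_ips:
                reasons.append("new_ip_for_user")
            user_ips.add(ev.client_ip)
        if reasons:
            findings.append(Finding(ev.user_name, ev.client_ip, ev.event_timestamp, reasons))
    return findings


# Constructed telemetry: an analyst with MFA on the corporate network, a service
# account that has only ever used a password, then that password replayed from
# an unknown address with the client string seen in the campaign.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 4, 10, 9, 0), "ANALYST1", "203.0.113.10",
               "PASSWORD", "DUO_PUSH", True, "Snowflake UI"),
    LoginEvent(datetime(2024, 4, 11, 6, 30), "ETL_SVC", "198.51.100.20",
               "PASSWORD", None, True, "JDBC 3.13.30"),
    LoginEvent(datetime(2024, 4, 14, 2, 13), "ETL_SVC", "192.0.2.77",
               "PASSWORD", None, True, "rapeflake"),
    LoginEvent(datetime(2024, 4, 14, 2, 40), "ETL_SVC", "192.0.2.77",
               "PASSWORD", None, False, "rapeflake"),
    LoginEvent(datetime(2024, 4, 15, 11, 5), "ANALYST2", "198.51.100.8",
               "PASSWORD", "DUO_PUSH", True, "DBeaver_DBeaverUltimate 24.0.0"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.event_timestamp:%Y-%m-%d %H:%M} {f.user_name:<9} "
              f"{f.client_ip:<14} {', '.join(f.reasons)}")
```

Against real data, replace SAMPLE_EVENTS with rows pulled from the two views. A login that trips untrusted_ip and single_factor together is the precondition UNC5537 relied on; a suspicious_client match on a single-factor account warrants terminating that user's sessions and resetting its credentials while the activity is investigated, whereas the same client on an MFA-protected analyst account (ANALYST2 in the sample) is more likely legitimate use of a common tool and should be confirmed with the user.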

The Snowflake incident is a stark reminder that in cloud environments the weakest link is usually identity, not the platform: a single stolen password with no second factor and no network restriction was enough to expose an entire data warehouse. Proactive controls such as enforced MFA, network allow-lists and credential hygiene are essential to protect sensitive data, and companies must verify that those controls are actually in place rather than assume it.


What is the scope of the Snowflake breach?
The breach has affected approximately 165 customers across various industries, with the potential for more companies to be impacted.
How did the attackers gain access to Snowflake accounts?
Attackers used stolen credentials obtained through infostealer malware and targeted accounts that lacked multi-factor authentication (MFA).
What is UNC5537 and what are their motivations?
UNC5537 is a financially motivated cybercriminal group that uses stolen data to extort victims or sell it on cybercrime forums.
What has Snowflake done in response to these breaches?
Snowflake has been working with Mandiant, CrowdStrike and law enforcement to investigate and mitigate the intrusions, has published hunting guidance for customers, and has said it is developing a plan to require customers to adopt stronger controls such as MFA.
What can companies do to protect themselves from similar attacks?
Companies should implement MFA, restrict access to trusted networks, regularly update credentials, and monitor for abnormal access patterns to enhance their security posture.
