With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

Pure Storage, a provider of cloud storage systems and services, has confirmed and addressed a security incident involving unauthorized access to one of its Snowflake data analytics workspaces. This workspace contained telemetry information used by Pure Storage to provide proactive customer support services. The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number. Importantly, no sensitive information like credentials for array access or any other data stored on customer systems was compromised. "Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorized access to customer systems," stated Pure Storage in an official statement.

Pure Storage Data Breach: Investigation Ongoing

Upon knowing about the cybersecurity incident, Pure Storage took immediate action to block any further unauthorized access to the workspace. The company emphasized that no unusual activity has been detected on other elements of its infrastructure. “We see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,” reads the official statement. Preliminary findings from a cybersecurity firm engaged by Pure Storage support the company's conclusions about the nature of the exposed information. Pure Storage simplifies data storage with a cloud experience that empowers organizations to maximize their data while reducing the complexity and cost of managing the infrastructure behind it. Thousands of customers, including high-profile companies like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast, use Pure Storage's data storage platform.

Context of Recent Snowflake Cybersecurity Incidents

Before the Pure Storage data breach, Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, allegedly suffered a massive data breach. A threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage, which is reportedly being sold for $1.5 million. Live Nation, the parent company of Ticketmaster, also confirmed "unauthorized activity" on its database hosted by Snowflake, a Boston-based cloud storage and analytics company. In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers used stolen customer credentials to target accounts lacking multi-factor authentication protection. Mandiant linked these attacks to a financially motivated threat actor tracked as UNC5537 since May 2024. This malicious actor gains access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. These cyberattacks have targeted hundreds of organizations worldwide, extorting victims for financial gain. So far, the cybersecurity firm has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer malware attacks. Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing cyberattacks.