Snowflake: No evidence of platform breach

Snowflake denied reports that its platform had been breached following a series of attacks against its customers that were disclosed last week.

On Thursday, cloud security vendor Mitiga said a threat actor tracked as UNC5537 was using stolen credentials to target database customers of cloud storage and analytics giant Snowflake. Mitiga said the threat actor used a custom attack tool to primarily target Snowflake environments that did not have MFA enabled.

Snowflake published a security advisory on Friday confirming that certain customer accounts were being targeted and that the company did not believe threat activity was caused by any vulnerability, misconfiguration or malicious activity within Snowflake's product. Moreover, the company said it became aware of unauthorized account access on May 23 and that its investigation had found threat activity dating back to mid-April.

An updated statement, published jointly on Saturday with third-party investigators CrowdStrike and Google Cloud's Mandiant, said Snowflake has not identified evidence suggesting that activity was caused by a vulnerability, misconfiguration or breach of the Snowflake platform. Similarly, the companies said they have not identified evidence suggesting activity was "caused by compromised credentials of current or former Snowflake personnel."

The activity, the statement read, appeared to be a targeted campaign against Snowflake customers with single-factor authentication using credentials obtained via illicit purchase or info-stealing malware. Snowflake and Mandiant reached out to "the limited number of customers" affected by the attacks. Snowflake urged all customers to enforce MFA and to set up network policy rules that allow only authorized users and trusted traffic sources to access Snowflake databases.

However, the new advisory disclosed that a threat actor "obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee," though the vendor said the demo accounts did not contain sensitive data.

"Demo accounts are not connected to Snowflake's production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake's corporate and production systems," Snowflake CISO Brad Jones wrote in the advisory.

A Snowflake spokesperson shared the following statement with TechTarget Editorial Sunday that echoed the top bullet point in the new advisory: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform."

Snowflake's updated statement is a response to a blog post published May 31 by threat intelligence vendor Hudson Rock, which claimed Snowflake suffered a "massive breach" that enabled threat actors to steal sensitive data from customers including Ticketmaster and Santander Bank.

In an 8-K filing with the U.S. Securities and Exchange Commission on May 31, Ticketmaster parent company Live Nation confirmed it has been breached. The company said it identified "unauthorized activity within a third-party cloud database environment containing Company data" and launched an investigation into the incident. Santander confirmed last month that a database hosted by a third-party provider had been compromised.

Hudson Rock also reported it was in contact with the threat actor via Telegram, who claimed "they were able to sign into a Snowflake employee's ServiceNow account using stolen credentials". The blog post said the threat actor claimed they were able to generate session tokens and "exfiltrate massive amounts of data from the company."

Hudson Rock's blog post has since been removed; an archived version is available on the Wayback Machine. On X, formerly known as Twitter, Snowflake posted a response June 1 to Hudson Rock's blog post.

"There have been a number of news stories based on an inaccurate Hudson Rock blog post that has since been taken down, claiming Snowflake's systems have been breached," the post read. "In fact, our investigation to date shows Snowflake's product has not been breached."

TechTarget Editorial contacted Hudson Rock for comment but the company had not responded at press time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.