Snowflake customer data and credentials for sale on dark web

Data breach affects over 165 customers, hundreds more likely

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog.

This is a special report on the ongoing Snowflake data breach, which now includes over 165 customers, according to a joint investigation by Mandiant and Snowflake.

Its origins and root cause are still disputed, and hundreds of customers may still be affected. Customer data is now for sale on the dark web with an asking price of millions of dollars.

165 customers and counting: Snowflake data breach turning into one of the largest ever

If you haven’t followed the news, data cloud provider Snowflake suffered a highly damaging breach originating in April. Now, hundreds of customer credentials and terabytes of data are for sale on the dark web.

The origin of the breach is in dispute; initial reports stated that info-stealing malware infected numerous employees’ computers. Hackers then leveraged the infected employee devices to breach the enterprise platform and gain access to customer account data.

Snowflake denied the breach and blamed customers affected, such as Santander and Ticketmaster, for poor security of their credentials. They have since changed the definition of “breach” according to their

Snowflake has vehemently denied that its enterprise network was breached, maintaining instead that customers were directly targeted with info-stealing malware to extract valid credentials from accounts without sophisticated identity hardening or multifactor authentication (MFA).

“We are aware of recent reports related to a potential compromise of the Snowflake production environment. We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” the company shared in a blog post.


Attack path diagram for UNC5537: info-stealer malware infects targeted users; the hackers then log in with the stolen Snowflake credentials, with no MFA enforced, and exfiltrate the customer data. (source: Mandiant)

Cybersecurity firm Mandiant, now part of Google Cloud, continues investigating the incident with Snowflake. Mandiant has given the hacker group the name UNC5537. “UNC” represents an uncategorized group, which indicates that it is not an advanced persistent threat (APT) group.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” Mandiant stated in its blog post on the ongoing investigation.

The company’s blog and news section do not mention any cybersecurity incident. Snowflake social media only has two June posts denying internal breaches of Snowflake systems.

These are the only statements by Snowflake on X denying any breach of its systems:

Snowflake customer data for sale on BreachForums

Despite the FBI seizing the BreachForums domain and assets in May, the hackers responsible for operating the popular breach site cloned and started a new iteration on a new domain.

Hacker group ShinyHunters, which helps administer the site, quickly posted the data and credentials of Snowflake customers, such as Santander, Ticketmaster, and Cylance, for sale.

Advance Auto Parts is among the customers listed, and hackers claim to have data on over 380 million of its customers. The asking price is $1.5 million for 3TB of data.

BreachForums user Sp1d3r is selling up to 2TB of data from LendingTree and QuoteWizard for $2 million. The authenticity of the listings and the legitimacy of the hackers posting the sale offers are unclear.

Snowflake customers urged to enforce MFA, still not required by default

CISA has posted an alert urging Snowflake customers to be aware and take preventative actions.

Snowflake urges all customers to enable and enforce MFA and harden their security access. Other Snowflake platform best practices are also recommended.

The company recommends that its customers review the IoCs, investigative queries, and preventive actions published in the Snowflake Community Security Bulletin.
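Because the attack path relies on successful password-only logins, a useful check is to list accounts that authenticate without a second factor and flag such logins from addresses not seen during a baseline period. The following is an added example, not taken from Snowflake's bulletin, Mandiant's report, or this newsletter; it assumes login records exported as dicts keyed by the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, and every sample row and value is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Keys mirror LOGIN_HISTORY column names; the
# list-of-dicts export format and all values below are assumptions.
def _row(ts, user, ip, first, second, ok="YES"):
    return {"EVENT_TIMESTAMP": datetime.fromisoformat(ts), "USER_NAME": user,
            "CLIENT_IP": ip, "FIRST_AUTHENTICATION_FACTOR": first,
            "SECOND_AUTHENTICATION_FACTOR": second, "IS_SUCCESS": ok}

SAMPLE_LOGINS = [
    _row("2024-03-02T09:00:00", "ETL_SVC", "198.51.100.10", "PASSWORD", None),
    _row("2024-03-05T08:30:00", "ALICE", "203.0.113.7", "PASSWORD", "MFA_TOKEN"),
    _row("2024-04-18T02:14:00", "ETL_SVC", "192.0.2.44", "PASSWORD", None, "NO"),
    _row("2024-04-18T02:15:00", "ETL_SVC", "192.0.2.44", "PASSWORD", None),
    _row("2024-04-19T08:31:00", "ALICE", "203.0.113.7", "PASSWORD", "MFA_TOKEN"),
    _row("2024-04-20T10:00:00", "ETL_SVC", "198.51.100.10", "PASSWORD", None),
]

def audit_logins(rows, baseline_end):
    """Return (users logging in with a password only,
               password-only logins after baseline_end from an unseen IP)."""
    known_ips = defaultdict(set)   # user -> IPs seen in the baseline period
    password_only_users = set()
    suspicious = []
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if r["IS_SUCCESS"] != "YES":
            continue               # only successful logins grant data access
        user, ip = r["USER_NAME"], r["CLIENT_IP"]
        single_factor = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and not r["SECOND_AUTHENTICATION_FACTOR"])
        if single_factor:
            password_only_users.add(user)
        if r["EVENT_TIMESTAMP"] < baseline_end:
            known_ips[user].add(ip)
        elif single_factor and ip not in known_ips[user]:
            # A user with no baseline history has an empty set, so every
            # password-only login by that user is reported.
            suspicious.append((user, ip, r["EVENT_TIMESTAMP"].isoformat()))
    return sorted(password_only_users), suspicious

if __name__ == "__main__":
    users, events = audit_logins(SAMPLE_LOGINS, datetime(2024, 4, 1))
    print("Password-only users:", users)
    for event in events:
        print("Review:", event)
```

Accounts in the first list are the ones to move to MFA first; entries in the second list are starting points for review, not proof of compromise.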

At the time of this publication, Snowflake still does not require its customers to enable and use MFA, nearly two months after the originating customer data breaches.

TechCrunch reports a company spokesperson said they are “developing a plan” to require customers to do so in the future.

Snowflake stock ($SNOW) is down 22% in the last 30 days, losing over 37 million in market cap on the New York Stock Exchange.

Further reading on the Snowflake data breach

If you’d like to read more about this breach, I highly recommend the following independent analysis from cybersecurity professionals and bloggers:

Today’s Cyber Wall of Shame

Snowflake is the gift that keeps on giving.

Until next time…

Rob Waters
The Breach Report + Cybersecurity Careers Blog
