{"id":80462,"date":"2024-06-10T16:54:36","date_gmt":"2024-06-10T16:54:36","guid":{"rendered":"https:\/\/neclink.com\/index.php\/2024\/06\/10\/mandiant-says-hackers-stole-a-significant-volume-of-data-from-snowflake-customers\/"},"modified":"2024-06-10T16:54:36","modified_gmt":"2024-06-10T16:54:36","slug":"mandiant-says-hackers-stole-a-significant-volume-of-data-from-snowflake-customers","status":"publish","type":"post","link":"https:\/\/neclink.com\/index.php\/2024\/06\/10\/mandiant-says-hackers-stole-a-significant-volume-of-data-from-snowflake-customers\/","title":{"rendered":"Mandiant says hackers stole a &#8216;significant volume of data&#8217; from Snowflake customers"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">Security researchers say they believe financially motivated cybercriminals have stolen a \u201csignificant volume of data\u201d from hundreds of customers hosting their vast banks of data with cloud storage giant Snowflake.<\/p>\n<p class=\"wp-block-paragraph\">Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc5537-snowflake-data-theft-extortion\" target=\"_blank\" rel=\"noreferrer noopener\">in a blog post Monday<\/a> that the two firms have notified around 165 customers that their data may have been stolen.<\/p>\n<p class=\"wp-block-paragraph\">It\u2019s the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little to date about the attacks, only that a \u201climited number\u201d of its customers are affected. 
The cloud data giant has more than 9,800 corporate customers, like healthcare organizations, retail giants and some of the world\u2019s largest tech companies, which use Snowflake for data analytics.<\/p>\n<p class=\"wp-block-paragraph\">So far, <a href=\"https:\/\/techcrunch.com\/2024\/05\/31\/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">only Ticketmaster<\/a> and <a href=\"https:\/\/techcrunch.com\/2024\/06\/07\/snowflake-ticketmaster-lendingtree-customer-data-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">LendingTree have confirmed<\/a> data thefts where their stolen data was hosted on Snowflake. Several other Snowflake customers say they are currently investigating possible data thefts from their Snowflake environments.<\/p>\n<p class=\"wp-block-paragraph\">Mandiant said the threat campaign is \u201congoing,\u201d suggesting the number of Snowflake corporate customers reporting data thefts may rise.<\/p>\n<p class=\"wp-block-paragraph\">In <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc5537-snowflake-data-theft-extortion\" target=\"_blank\" rel=\"noreferrer noopener\">its blog post<\/a>, Mandiant attributed the account hacks to UNC5537, an as-yet-unclassified cybercriminal gang that the security firm says is motivated by making money. 
The gang, which Mandiant says includes members in North America and at least one member in Turkey, attempts to extort its victims into paying to get their files back or to prevent the public release of their customers\u2019 data.<\/p>\n<p class=\"wp-block-paragraph\">Mandiant confirmed the attacks \u2014 which rely on the use of \u201cstolen credentials to access the customer\u2019s Snowflake instance and ultimately exfiltrate valuable data\u201d \u2014 date back to at least April 14, when its researchers first identified evidence of improper access to an unnamed Snowflake customer\u2019s environment. Mandiant said it notified Snowflake of its customer account intrusions on May 22.<\/p>\n<p class=\"wp-block-paragraph\">The security firm said the majority of stolen credentials used by UNC5537 were \u201cavailable from historical infostealer infections,\u201d with some dating as far back as 2020. Mandiant\u2019s findings <a href=\"https:\/\/community.snowflake.com\/s\/question\/0D5VI00000Emyl00AB\/detecting-and-preventing-unauthorized-user-access\" target=\"_blank\" rel=\"noreferrer noopener\">confirm Snowflake\u2019s limited disclosure<\/a>, which said there wasn\u2019t a direct breach of Snowflake\u2019s own systems but blamed its customer accounts for not using multi-factor authentication (MFA).\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Last week, TechCrunch found circulating online <a href=\"https:\/\/techcrunch.com\/2024\/06\/05\/snowflake-customer-passwords-found-online-infostealing-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">hundreds of Snowflake customer credentials stolen by malware<\/a> that infected the computers of staffers who have access to their employer\u2019s Snowflake environment. 
The number of credentials available online linked to Snowflake environments suggests an ongoing risk to customers who have not yet changed their passwords or enabled MFA.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Mandiant said it has also seen \u201chundreds of customer Snowflake credentials exposed via infostealers.\u201d<\/p>\n<p class=\"wp-block-paragraph\">For its part, Snowflake does not require its customers to use MFA by default, nor does it enforce the security feature\u2019s use. In a brief update on Friday, Snowflake said it\u2019s \u201cdeveloping a plan\u201d to enforce the use of MFA on its customers\u2019 accounts, but has not yet provided a timeline.<\/p>\n<p class=\"wp-block-paragraph\">Snowflake spokesperson Danica Stanczak declined to say why the company hasn\u2019t reset customer passwords or enforced MFA. Snowflake did not immediately comment on Mandiant\u2019s blog post Monday.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p class=\"wp-block-paragraph\"><em>Do you know more about the Snowflake account intrusions? Get in touch. 
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or <a href=\"https:\/\/techcrunch.com\/2024\/06\/10\/mandiant-hackers-snowflake-stole-significant-volume-data-customers\/mailto:zack.whittaker@techcrunch.com\" target=\"_blank\" rel=\"noreferrer noopener\">by email.<\/a> You can also send files and documents via <a href=\"https:\/\/techcrunch.com\/tips\" target=\"_blank\" rel=\"noreferrer noopener\">SecureDrop<\/a>.<\/em><\/p>\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-techcrunch wp-block-embed-techcrunch\"\/>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2024\/06\/10\/mandiant-hackers-snowflake-stole-significant-volume-data-customers\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers say they believe financially motivated cybercriminals have stolen a \u201csignificant volume of data\u201d from hundreds of customers hosting their vast banks of data<\/p>\n","protected":false},"author":1,"featured_media":80463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[178],"tags":[],"class_list":["post-80462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/posts\/80462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/comments?post=80462"}],"version-h
istory":[{"count":0,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/posts\/80462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/media\/80463"}],"wp:attachment":[{"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/media?parent=80462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/categories?post=80462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/neclink.com\/index.php\/wp-json\/wp\/v2\/tags?post=80462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}