
Hackers Breach Data of 100 'Snowflake' Clients, Using Stolen Info for Blackmail Attempts

Attacker Used Stolen Credentials to Break Into Customer Accounts, Exfiltrated Large Volumes of Data, and Demanded Payment, According to Mandiant.


Snowflake, the cloud-based data warehousing company, has been under pressure recently due to a series of identity-based attacks that have impacted its customers since at least April 2024. According to cybersecurity firm Mandiant, the UNC5537 threat actor group has been the culprit, primarily leveraging exposed credentials rather than exploiting platform vulnerabilities.

The attacks, which were first noticed by Snowflake on May 23, have seen the attacker systematically compromising customer tenants, downloading data, extorting victims, and advertising victim data for sale on cybercriminal forums. Mandiant has identified three common factors in these attacks: impacted customer accounts were not configured with multifactor authentication, credentials obtained via infostealer malware were still valid, and impacted Snowflake customer instances did not have network policy rules in place to limit access to trusted locations.

As a response, Snowflake is taking several steps to strengthen its security measures. Brad Jones, Snowflake's Chief Information Security Officer, announced a plan to require customers to implement advanced security controls such as multi-factor authentication (MFA) or network policies. However, the details of this plan are scant, including what exactly will be required of Snowflake customers and if MFA will be turned on by default across its platform.

In addition to these measures, Snowflake is also focusing on continuous monitoring to detect suspicious activities. The company is encouraging its customers to adopt industry best practices such as encryption, single sign-on (SSO), and rigorous credential management to mitigate account compromise risks.
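As an added example that is not from the article, Snowflake or Mandiant, the following Snowflake SQL audits an account for each of the three factors Mandiant lists above (unenrolled MFA, still-valid stolen passwords, no network policy) and then applies the controls the article names. It assumes ACCOUNTADMIN privileges, that authentication policies are available in the account, and uses placeholder values for the IP range and user name.

```sql
-- Constructed example: audit queries for the three factors named above,
-- followed by the hardening statements that close each gap.
-- Assumes ACCOUNTADMIN (or equivalent) privileges and that
-- authentication policies are available in the account.

-- Factor 1: password-enabled, active users who have not enrolled in Duo MFA.
SHOW USERS;
SELECT "name", "disabled", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "has_password" = 'true'
  AND "ext_authn_duo" = 'false'
  AND "disabled" = 'false';

-- Factor 2: successful password-only logins in the last 30 days, the
-- pattern a stolen-but-still-valid credential produces. Review the
-- client_ip and reported_client_type columns for unexpected sources.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- Factor 3: is any network policy applied at the account level?
-- An empty "value" column means logins are accepted from any address.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Hardening step A: restrict logins to trusted egress ranges.
-- 203.0.113.0/24 is a placeholder (RFC 5737 documentation range);
-- replace it with the organization's real egress addresses.
CREATE NETWORK POLICY trusted_locations
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Limit access to trusted corporate locations';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations;

-- Hardening step B: require MFA enrollment for interactive password logins.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  COMMENT = 'Password users must enroll in MFA on next login';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- Hardening step C: reset the credential of any user surfaced above so a
-- password already captured by infostealer malware no longer works.
-- example_user is a placeholder for a user name from the queries above.
ALTER USER example_user RESET PASSWORD;
```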

Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation into the attacks. As of early August 2025, approximately 165 potentially exposed customers have been notified by Snowflake and Mandiant.

Snowflake ended its most recent quarter on April 30 with 9,822 customers. It's worth noting that the number of impacted customers could potentially increase as the investigation continues.

The latest updates reflect the current understanding of the UNC5537 attacks on Snowflake and underline the shift toward credential-based risk in cloud data warehouse environments. Mandiant Consulting CTO Charles Carmakal made a statement about the attacks on May 30, stating that the attacks are a reminder of the importance of strong security practices.

It's crucial for all parties involved to stay vigilant and take necessary steps to secure their data and accounts. Snowflake did not respond to a request for additional information on its security improvement plan.

  1. The cybersecurity firm Mandiant has linked the UNC5537 threat actor group to the series of identity-based attacks on Snowflake, a data-and-cloud-computing company, which have resulted in data extortion, data download, and sale of victim data on cybercriminal forums.
  2. The attacks, primarily leveraging exposed credentials rather than exploiting platform vulnerabilities, have impacted over 165 customers since at least April 2024, and the number could potentially increase as the investigation continues.
  3. In response to these attacks, Snowflake is implementing advanced security controls such as multi-factor authentication (MFA) or network policies, encouraging customers to adopt industry best practices like encryption, single sign-on (SSO), and rigorous credential management.
  4. Snowflake is also focusing on continuous monitoring to detect suspicious activities and strengthening its cybersecurity measures, but the details of the plan are not fully disclosed, including what exactly will be required of Snowflake customers and if MFA will be turned on by default across its platform.
  5. Cybersecurity firms Mandiant and CrowdStrike are assisting Snowflake with an ongoing investigation into the attacks, and the incident has drawn wider attention to the importance of strong security practices, particularly in cloud data warehouse environments.
