
Did they just enumerate an open web endpoint for it or something?


API based credentials are just username + password in this context, nothing else seems to be restricting access to data. So if your Snowflake tenant isn't enforcing IP restriction to limit source auth attempts, those creds can be used to pull the data from any source IP.

Even then, you'll still have an HTTP 403 response layer filtering those auth attempts based on IP... where we can assume these failed to implement it.

So far between TechCrunch, Wired, and other reporting it seems most claim creds get owned, sold, then used against under-restrictive Snowflake tenants which are exposed by default.

i.e., https://epa06486.snowflakecomputing.com/console/login#/ here's someone's tenant; if you were able to go buy some creds for it, you should walk right in.

[edit] I have a more detailed Snowflake comment with references that might fill in the gaps better here: https://news.ycombinator.com/item?id=40554753


You can use OAuth or RSA keypair for service account auth.
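An added example, not written by any commenter in this thread: a defender-side check for the two conditions discussed above, password-only logins and logins from outside an IP allowlist. The row keys are modelled on Snowflake's LOGIN_HISTORY columns (an assumption); the rows, the allowlist, the "MFA" placeholder and the function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist (documentation ranges) standing in for a tenant's network policy.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.16/28")]

KEYS = ("USER_NAME", "CLIENT_IP", "FIRST_AUTHENTICATION_FACTOR",
        "SECOND_AUTHENTICATION_FACTOR", "IS_SUCCESS")

# Constructed rows; keys modelled on LOGIN_HISTORY (assumption), "MFA" is a placeholder.
SAMPLE_ROWS = [dict(zip(KEYS, r)) for r in (
    ("SVC_ETL",    "203.0.113.10", "RSA_KEYPAIR", None,  "YES"),
    ("ANALYST1",   "203.0.113.77", "PASSWORD",    None,  "YES"),
    ("SVC_REPORT", "192.0.2.44",   "PASSWORD",    None,  "YES"),
    ("SVC_REPORT", "192.0.2.45",   "PASSWORD",    None,  "NO"),
    ("ADMIN1",     "192.0.2.9",    "PASSWORD",    "MFA", "YES"),
)]

def in_allowlist(ip, nets=ALLOWED_NETS):
    """True if ip parses and falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source address is treated as outside
    return any(addr in net for net in nets)

def audit_logins(rows, nets=ALLOWED_NETS):
    """Return (severity, user, ip) for logins that rely on a password alone
    or that originate outside the allowlist."""
    findings = []
    for r in rows:
        ok = r["IS_SUCCESS"] == "YES"
        password_only = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and not r["SECOND_AUTHENTICATION_FACTOR"])
        outside = not in_allowlist(r["CLIENT_IP"], nets)
        if ok and password_only and outside:
            sev = "high"    # password alone was enough, from an unlisted source IP
        elif ok and password_only:
            sev = "medium"  # account still authenticates with a password alone
        elif not ok and outside:
            sev = "low"     # failed attempt from an unlisted source IP
        else:
            continue
        findings.append((sev, r["USER_NAME"], r["CLIENT_IP"]))
    return findings

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_ROWS):
        print(*finding)
```

The "medium" rows are the accounts to move to key-pair or OAuth authentication; a "high" row means the source-IP restriction was missing or not applied to that user.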


The data was stored in a cloud data warehouse called Snowflake, which had a major breach recently.



