"In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled."
"Snowflake has confirmed that a threat actor obtained credentials of a single former employee and accessed demo accounts they had access to. Snowflake asserts these accounts contained no “sensitive” data and were isolated from production and corporate systems. However, unlike Snowflake’s core systems, which are protected by Okta and Multi-Factor Authentication (MFA), these dormant demo accounts lacked such safeguards. "
https://cloud.google.com/blog/topics/threat-intelligence/unc...
"In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled."
https://www.symmetry-systems.com/blog/what-we-know-so-far-ab...
"Snowflake has confirmed that a threat actor obtained credentials of a single former employee and accessed demo accounts they had access to. Snowflake asserts these accounts contained no “sensitive” data and were isolated from production and corporate systems. However, unlike Snowflake’s core systems, which are protected by Okta and Multi-Factor Authentication (MFA), these dormant demo accounts lacked such safeguards. "