About 165 orgs may have been affected in Snowflake incident

Illustration: Shoshana Gordon/Axios
Google Cloud's Mandiant said Monday it had notified approximately 165 organizations that their data may have been exposed in a recent cyber incident involving cloud computing company Snowflake.
Why it matters: Mandiant's blog post is the first indication of just how widespread the incident has become — and underscores the potential for this to become one of the biggest data breaches to date.
Catch up quick: Hackers have been targeting Snowflake customers after stealing their legitimate login credentials.
- Advance Auto Parts and Ticketmaster have both confirmed that they're investigating potential breaches tied to their Snowflake accounts.
Zoom in: Mandiant — which has been working alongside CrowdStrike to help Snowflake investigate the incident — said in the blog post that a cybercriminal group known as UNC5537 is behind the intrusions.
- The hackers found legitimate login credentials belonging to Snowflake customers' accounts through past infostealer malware attacks, Mandiant said. Some of those attacks date back as far as 2020.
- Mandiant said it saw threat intelligence about the potential intrusions on April 19 and notified Snowflake shortly thereafter.
- Mandiant and Snowflake started notifying potential victims on May 22, according to the blog post.
Between the lines: Affected customers did not have multifactor authentication turned on for their Snowflake accounts, didn't update account passwords after previous breaches, and didn't place key limits on who can access these accounts, according to the blog post.
- Some affected organizations also were compromised through a contractor that allowed employees to work on personal devices.
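As an added defensive example (not from the Axios article or from Mandiant's post), the following Snowflake SQL audits an account for the three weaknesses listed above and applies a network allowlist. It assumes the ACCOUNTADMIN role, the SNOWFLAKE.ACCOUNT_USAGE views with the column names Snowflake documents (verify against your account), and placeholder IP ranges and dates.

```sql
-- Added example; not code from the article or from Mandiant.
-- Assumes ACCOUNTADMIN and the SNOWFLAKE.ACCOUNT_USAGE views.

-- 1. Active users who can still log in with a password and have no Duo MFA enrolled.
SELECT name, login_name, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Password users whose password was never rotated after a chosen cut-off
--    (placeholder date; pick the date of the last known credential exposure).
SELECT name, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND (password_last_set_time IS NULL
       OR password_last_set_time < '2024-01-01'::TIMESTAMP_LTZ);

-- 3. Successful logins in the last 30 days that used only a password, with the
--    source IP, so unexpected locations can be reviewed.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 4. Limit where the account can be reached from (placeholder CIDR range).
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Note that ACCOUNT_USAGE views lag live activity by up to a couple of hours, so recent logins may not appear immediately.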
What we're watching: Snowflake's CEO told the Runtime newsletter last week that the company will soon turn on multifactor authentication by default for all accounts.
