Public Cloud Security Breaches Documenting their mistakes so you don't make them.


Incident Details

Victimized Company:Multiple Customers
Incident Dates:2024-05-20 to 2023-03-02
Disclosure Date:2023-03-01
Current Status:N/A

In the spring of 2024, a number of Snowflake customers suffered data breaches when cybercriminals announced they had data sets from high-profile customers like TicketMaster, LendingTree, Neiman Marcus, and Santander.

While Snowflake & Mandiant found no evidence their cloud offering was compromised, these incidents became a serious public relations issue.


Details of the Incident

The threat actor used infostealer tools to gain access to several companies’ Snowflake credentials. These accounts lacked MFA, even though they had access to millions of records of sensitive personal information. Mitiga identified an attack tool named “rapeflake,” which was then used to extract the data.

This first came to light when…

… one or more crooks going by the handle ShinyHunters was spotted putting what’s understood to be 1.3TB of data stolen from Ticketmaster up for sale on an underworld forum. That trove, yours for $500,000, is said to contain records on 560 million Ticketmaster customers: Their names, email addresses, phone numbers, physical addresses, transaction details, and partial payment card information. (The Register)


165 Victims have been identified and notified. The following notable organizations have confirmed breaches:


Date Event
Apr 14th, 2024 First activity identified by Mandiant
May 22th, 2024 Snowflake & Law Enforcement notified
May 27th, 2024 ShinyHunters offers up records on 560 million TicketMaster customers on BreachForums
May 31st, 2024 Hudson Rock publishes report on the incident, which Snowflake pressured to have taken down.
May 31st, 2024 Mitiga publishes the first report on issues with Snowflake breaches
June 10th, 2024 Mandiant releases report confirming no breach with Snowflake itself and attributing the attack to UNC5537.
July 9th, 2024 Snowflake finally allows customers to force MFA on all their users

Attribution / Perpetrator

It’s believed ShinyHunters is acting as a broker for the data, which was stolen by someone else. (The Register)

Mandiant is tracking this group as UNC5537, “a financially motivated threat actor” primarily based in North America.

Summary of Coverage

Cloud Security Lessons Learned

This was not a breach for which Snowflake was directly responsible.

Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials. (Mandiant Report)

However, Snowflake, like all cloud providers, is responsible for ensuring its products are used safely.

Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake’s customer documentation. (src)

Specific to the customer side of Shared-Responsibility, Mandiant indicates that the victimized customers

did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.

Mandiant also calls out unmanaged contractor devices as the initial compromise point for several customers.

In several Snowflake related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector.