Stolen Credential Campaign Affecting Snowflake Environments


On June 2, 2024, Snowflake published a joint statement with CrowdStrike and Mandiant detailing their initial findings while investigating a campaign involving unauthorized access to Snowflake accounts. The statement clarified the scope of the campaign in contrast to previous independent reporting on the matter. 

What Has Changed 

  • Based on currently available evidence, unauthorized access to demo accounts via an employee’s credentials is thought to be separate from the current stolen credential campaign impacting Snowflake customers. 
  • A separate infostealer campaign affecting Snowflake users directly appears to have targeted users without multi-factor authentication enabled. 
  • The third-party report that was the primary source of claims that Snowflake itself had been compromised was silently taken down on June 1, 2024, for reasons that have not been explained. 
  • Snowflake found evidence that a threat actor obtained access to demo accounts belonging to a former Snowflake employee.
  • Demo accounts are not connected to Snowflake’s production or corporate systems. 

What Has Remained the Same 

  • Snowflake does not believe that they were the source of any compromised credentials in this campaign, nor do they have specific evidence of misconfiguration or vulnerabilities in their product leading to the compromise. 
  • Increased threat activity was observed around mid-April 2024 from a subset of IP addresses originating from providers of commercial VPN services. 
  • Snowflake has contacted the customers thought to be impacted by these activities.
    • Mandiant has also reached out to some of the impacted organizations. 


Enforce Multi-factor Authentication on all Snowflake Accounts 

This campaign appears to target user accounts that rely on single-factor (password-only) authentication. Enforcing multi-factor authentication (MFA) for every user in every Snowflake account significantly limits what a stolen password alone can achieve and therefore the impact of this campaign. 

To enable MFA and identify accounts that do not have MFA enabled, refer to Snowflake’s Knowledge Base Article here: 
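The following Snowflake SQL is an added example, not code from the original post or from Snowflake's knowledge base article. It inventories users who can still log in with only a password and no MFA enrolment, lists password-only logins since the period of increased activity, and flags source IPs a user had not logged in from before. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema (ACCOUNTADMIN is used here); the 2024-04-01 cut-off is chosen to bracket the mid-April activity described above, and ACCOUNT_USAGE views lag live data by up to a couple of hours.

```sql
-- Added example: find Snowflake users exposed to password-only login.
-- Assumes ACCOUNTADMIN (or any role with IMPORTED PRIVILEGES on the SNOWFLAKE db).
USE ROLE ACCOUNTADMIN;

-- 1. Active users that hold a password but have no Duo MFA enrolment.
--    These are the accounts a stolen password alone can unlock.
SELECT name,
       login_name,
       has_password,
       has_rsa_public_key,
       ext_authn_duo      AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins since 2024-04-01 that presented a password and nothing
--    else, with the reporting client and source IP for triage.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= '2024-04-01'
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp;

-- 3. Per user: source IPs first seen on or after 2024-04-01 that never appeared
--    in the preceding 90 days. A new IP is not proof of compromise, but it is
--    the first thing to check against the commercial-VPN ranges noted above.
WITH baseline AS (
    SELECT DISTINCT user_name, client_ip
    FROM   snowflake.account_usage.login_history
    WHERE  event_timestamp >= DATEADD(day, -90, '2024-04-01'::timestamp_ntz)
      AND  event_timestamp <  '2024-04-01'
      AND  is_success = 'YES'
),
recent AS (
    SELECT user_name,
           client_ip,
           MIN(event_timestamp) AS first_seen,
           COUNT(*)             AS logins
    FROM   snowflake.account_usage.login_history
    WHERE  event_timestamp >= '2024-04-01'
      AND  is_success = 'YES'
    GROUP  BY user_name, client_ip
)
SELECT r.user_name, r.client_ip, r.first_seen, r.logins
FROM   recent r
LEFT   JOIN baseline b
       ON  b.user_name = r.user_name
       AND b.client_ip = r.client_ip
WHERE  b.client_ip IS NULL
ORDER  BY r.user_name, r.first_seen;
```

Query 1 is the list to drive MFA enrolment; queries 2 and 3 are the ones to re-run after enrolment to confirm that password-only logins have stopped and that no unexplained source IPs remain.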

If Impacted, Reset and Rotate Snowflake Credentials 

If you have been informed by Snowflake that your organization was potentially impacted by this campaign, we strongly recommend resetting and rotating all credentials associated with your Snowflake accounts. This campaign leverages credentials previously obtained via infostealing malware; if those credentials are not rotated or reset, threat actors can reuse them to access your Snowflake accounts in the future. 

Note: Snowflake has provided specific guidance to ensure that unauthorized users are successfully disabled. See “Disabling Suspected Users” in the bulletin provided by Snowflake. 
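The statements below are an added example of containing and rotating one suspected account, not code from the original post or from Snowflake's bulletin. The user name SUSPECT_USER and the session ID in the abort call are placeholders; substitute the account and sessions Snowflake identified to you. It assumes ACCOUNTADMIN (SECURITYADMIN suffices for the user changes alone).

```sql
-- Added example: contain a suspected user, then rotate every credential type
-- the user could hold. SUSPECT_USER is a placeholder name.
USE ROLE ACCOUNTADMIN;

-- 1. Stop new logins immediately.
ALTER USER suspect_user SET DISABLED = TRUE;

-- 2. Do not rely on the disable alone to end sessions that are already open.
--    List the user's recent sessions from the information schema (near real
--    time, unlike ACCOUNT_USAGE) and abort each one explicitly.
SELECT DISTINCT session_id, MIN(start_time) AS first_query
FROM   TABLE(information_schema.query_history_by_user(
                 USER_NAME    => 'SUSPECT_USER',
                 RESULT_LIMIT => 10000))
WHERE  start_time >= DATEADD(hour, -4, CURRENT_TIMESTAMP())
GROUP  BY session_id;

SELECT SYSTEM$ABORT_SESSION(1234567890123);  -- placeholder session id from the query above

-- 3. Rotate every credential the user may hold: the password (forced change on
--    next login) and both key-pair slots. Re-enable the user only after this.
ALTER USER suspect_user SET PASSWORD = '<new-long-random-password>'
                            MUST_CHANGE_PASSWORD = TRUE;
ALTER USER suspect_user UNSET RSA_PUBLIC_KEY;
ALTER USER suspect_user UNSET RSA_PUBLIC_KEY_2;

-- 4. Scope what the account did: every query since the activity window, with
--    unloads (COPY INTO <location>) surfacing as QUERY_TYPE = 'UNLOAD'.
SELECT start_time,
       query_type,
       role_name,
       rows_produced,
       bytes_scanned,
       LEFT(query_text, 200) AS query_text
FROM   snowflake.account_usage.query_history
WHERE  user_name  = 'SUSPECT_USER'
  AND  start_time >= '2024-04-01'
ORDER  BY start_time;

-- 5. Look for persistence: roles granted to the user, or granted by the user to
--    anyone else, that are still in effect.
SELECT created_on, role, grantee_name, granted_by
FROM   snowflake.account_usage.grants_to_users
WHERE  deleted_on IS NULL
  AND (grantee_name = 'SUSPECT_USER' OR granted_by = 'SUSPECT_USER')
ORDER  BY created_on DESC;
```

Steps 4 and 5 read from ACCOUNT_USAGE, which lags by up to a few hours, so repeat them once the delay has elapsed before closing the investigation. Any role grant or user found in step 5 that nobody can account for should be revoked or disabled in the same way.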

Follow Snowflake’s Recommended Steps 

In their knowledge base article, Snowflake provided additional context on how to detect and prevent unauthorized user access. Highlights are listed below. For more details: 

Set up Network Policies 

  • Set up an account-level Network Policy as the default, and tighter user-level Network Policies for highly privileged users and service accounts. 

Review Account Parameters 

  • Review account parameters to restrict how data can be exported from your Snowflake Account. 
  • Customers will need to do due diligence on enabling these features and their impacts on existing account integrations. 

Review Account for Configuration Drift 

  • Monitor your Snowflake accounts for unauthorized privilege escalation or configuration changes. 

Review Service Account Authentication 

  • For service accounts, use key pair authentication or OAuth for machine-to-machine communication in lieu of static credentials. 
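The four recommendations above are steps of one hardening pass, so here they are together as a single added example in Snowflake SQL; this is not code from the original post or from Snowflake's knowledge base article. The IP ranges, the policy names, and the service user ETL_RUNNER are constructed placeholders, and ACCOUNTADMIN is assumed throughout.

```sql
-- Added example: apply Snowflake's recommended hardening steps in one pass.
-- All IP ranges, policy names and the user ETL_RUNNER are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Network policies. Snowflake refuses to set an account-level policy that
--    would lock out the IP you are currently connected from, so include it.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')   -- constructed ranges
  COMMENT = 'Default: corporate egress only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- A user-level policy overrides the account policy for that user, so the
-- service account is pinned to its single ETL host.
CREATE OR REPLACE NETWORK POLICY etl_runner_host_only
  ALLOWED_IP_LIST = ('198.51.100.10')
  COMMENT = 'ETL_RUNNER may only connect from the ETL host';
ALTER USER etl_runner SET NETWORK_POLICY = etl_runner_host_only;

-- 2. Account parameters that restrict how data can leave the account.
--    Test each against existing pipelines first: they break stages and
--    unloads that do not go through a storage integration.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;
SHOW PARAMETERS LIKE '%STORAGE_INTEGRATION%' IN ACCOUNT;  -- confirm the values took

-- 3. Configuration drift: security-relevant changes in the last 7 days, with
--    who made them, plus any new grants of an administrative role.
SELECT start_time, user_name, role_name, query_type,
       LEFT(query_text, 160) AS stmt
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  execution_status = 'SUCCESS'
  AND (query_type IN ('CREATE_USER', 'ALTER_USER', 'GRANT', 'REVOKE', 'ALTER_ACCOUNT')
       OR query_text ILIKE '%NETWORK POLICY%'
       OR query_text ILIKE '%NETWORK_POLICY%'
       OR query_text ILIKE 'CREATE%INTEGRATION%')
ORDER  BY start_time DESC;

SELECT created_on, role, grantee_name, granted_by
FROM   snowflake.account_usage.grants_to_users
WHERE  created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  deleted_on IS NULL
  AND  role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')
ORDER  BY created_on DESC;

-- 4. Service account: key pair instead of a static password. Generate the pair
--    off-platform, e.g.
--      openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
--      openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
--    and register the public key body (PEM without the BEGIN/END lines).
--    RSA_PUBLIC_KEY_2 is left free so the next rotation has no downtime.
ALTER USER etl_runner SET RSA_PUBLIC_KEY = '<base64 body of rsa_key.pub>';  -- placeholder
ALTER USER etl_runner UNSET PASSWORD;
DESC USER etl_runner;  -- RSA_PUBLIC_KEY_FP should now be set and PASSWORD empty
```

Run step 2 in a non-production account first: once REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION is on, any job that loads or unloads through an external stage created with inline credentials fails until it is migrated to a storage integration, which is the due-diligence point made above. The drift queries in step 3 are the ones to schedule as a recurring task rather than run once.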



Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.