Detecting and Preventing Unauthorized User Access

Update (6–10–24)

As part of our commitment to transparency around our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, cybersecurity expert Mandiant shared this blog post today detailing their findings to date. As we shared on June 6, we continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.

Update (6–7–2024)

As an update to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, our most recent findings (see June 2 post below), supported by cyber experts CrowdStrike and Mandiant, remain unchanged.

We continue to work closely with our customers as they harden their security measures to reduce cyber threats to their business. We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts. While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business.

Update (6–2–2024)

Joint Statement regarding Preliminary Findings in Snowflake Cybersecurity Investigation

Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.

Our key preliminary findings identified to date:

  • we have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;
  • we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;
  • this appears to be a targeted campaign directed at users with single-factor authentication;
  • as part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
  • we did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.

Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.

We recommend organizations immediately take the following steps:

  1. Enforce Multi-Factor Authentication on all accounts;
  2. Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
  3. Impacted organizations should reset and rotate Snowflake credentials.
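The three steps above, carried out in Snowflake SQL, as an added example that is not part of the original post or of the Snowflake Community Security Bulletin. The policy names (require_mfa, corp_only), the user name analyst_svc, and the IP ranges 192.0.2.0/24 and 198.51.100.7 are placeholders; substitute your own trusted egress addresses. Authentication policies with MFA_ENROLLMENT are assumed to be available on the account; if they are not, step 1 falls back to asking each user to enrol in MFA from their profile.

```sql
-- Added example (not from the Snowflake post): the three recommended
-- actions expressed as account-level SQL, plus a review query.
-- Placeholders: require_mfa, corp_only, analyst_svc, and the IP ranges.

-- 1. Enforce MFA: require enrollment through an authentication policy
--    applied to the whole account (assumes the feature is available).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Users must enrol in MFA at next Snowsight login';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 2. Network policy: only allow traffic from trusted locations
--    (VPN egress, cloud workload NAT). Ranges below are placeholders.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.7')
  COMMENT = 'Corporate VPN and cloud NAT egress only';

-- Caveat: Snowflake refuses an account-level policy that would exclude
-- the address you are connected from, so confirm it is in the list first.
SELECT CURRENT_IP_ADDRESS();

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 3. Reset and rotate credentials for a user believed to be affected:
--    force a password reset and clear any key-pair credentials, then end
--    work already running under the old session.
ALTER USER analyst_svc RESET PASSWORD;          -- returns a one-time reset URL
ALTER USER analyst_svc UNSET RSA_PUBLIC_KEY;
ALTER USER analyst_svc UNSET RSA_PUBLIC_KEY_2;
ALTER USER analyst_svc ABORT ALL QUERIES;

-- Review: successful single-factor logins over the last 30 days, grouped
-- by source address and client type, so unexpected origins stand out.
-- ACCOUNT_USAGE views lag live activity by up to roughly two hours.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY first_seen DESC;
```

Run the policy statements as ACCOUNTADMIN (or a role granted the corresponding privileges). The review query is a general triage view rather than a match against the bulletin's IoCs; compare its client_ip values against the published indicators and your own known egress ranges, and treat any password-only login from an unfamiliar address as a candidate for credential rotation.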

In addition, please review Snowflake’s investigative and hardening guidelines for recommended actions to assist investigating potential threat activity within Snowflake customer accounts. This investigation is ongoing. We are also coordinating with law enforcement and other government authorities.

Update (5–30–2024)

We are aware of recent reports related to a potential compromise of the Snowflake production environment. As such, we are responding directly to some errant claims that have been made:

  • We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product.
  • Snowflake does not believe that it was the source of any of the leaked customer credentials.
  • There is no “master Application Programming Interface (API)” or pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.
  • Snowflake is a cloud product and anyone can sign up for an account at any time. If a threat actor obtains customer credentials, they may be able to access the account. Snowflake employees are no different and can also create their own Snowflake “customer” accounts using personal credentials.
  • We did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems.

Summary

Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts. We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted. This post will assist with investigating any potential threat activity within Snowflake customer accounts and provides guidance in the “Recommended Actions” section below.

Background

We became aware of potentially unauthorized access to certain customer accounts on May 23, 2024. During our investigation, we observed increased threat activity beginning mid-April 2024 from a subset of IP addresses and suspicious clients we believe are related to unauthorized access. Snowflake shared the Indicators of Compromise (IoCs), investigative queries, and additional hardening recommendations to assist potentially affected customers in securing their accounts. In an effort to support the broader community, the IoCs and investigative queries have also been made publicly available through a Snowflake Community Security Bulletin. This bulletin will be updated with relevant information as our investigation continues.

In addition, we have notified all customers and encouraged them to review their account settings to ensure that they have implemented standard security measures, including multi-factor authentication (MFA), to secure their data.

Recommended Actions

Review IoCs, investigative queries, and preventive actions that have been published on a Snowflake Community Security Bulletin.

As always, we recommend that you review your current security configurations and, where appropriate, align them to the Snowflake Security Best Practices. You can also use the Trust Center to evaluate and monitor your account for security risks.
