Hackers exploited poor password security to potentially target 165 organizations using Snowflake, a cloud storage provider, according to a report from Google’s Mandiant.
The cybercriminal group, “UNC5537,” targeted Snowflake customer accounts that relied solely on passwords rather than multi-factor authentication (MFA). The group used passwords harvested by infostealer malware strains such as Vidar and Raccoon Stealer; the compromised credentials date back to November 2020.
Mandiant highlighted that the attackers had been conducting a broad campaign to steal data, with hundreds of Snowflake credentials exposed. These stolen credentials were often resold on hacking forums, posing significant risks to affected companies.
A notable incident linked to these hacks was the breach at Ticketmaster, whose data was found for sale on a Russian hacking forum, although it’s unclear whether Ticketmaster used Snowflake.
While a representative of UNC5537 claimed to have breached Snowflake itself, Mandiant found no evidence of Snowflake’s internal systems being compromised. The report emphasizes the critical need for improved security practices, with Snowflake announcing plans to enforce advanced security measures, including MFA, to protect its customers.