As an update to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, our latest findings (see the June 2 post below), supported by cybersecurity experts CrowdStrike and Mandiant, remain unchanged.
We continue to work closely with our customers as they tighten their security measures to reduce cyber threats to their businesses. We are also developing a plan to require our customers to implement advanced security controls, such as multi-factor authentication (MFA) or network policies, especially for Snowflake premium customer accounts. As we do this, we continue to engage aggressively with our customers to help guide them to enabling MFA and other security controls as a critical step in protecting their businesses.
Joint Statement Regarding Preliminary Findings in Snowflake's Cybersecurity Investigations
Snowflake and third-party cybersecurity experts CrowdStrike and Mandiant are providing this joint statement regarding our ongoing investigation involving a targeted threat campaign against certain Snowflake customer accounts.
Our key preliminary findings so far:
- We have not identified any evidence to suggest that this activity was due to a security vulnerability, misconfiguration, or breach of the Snowflake platform.
- We found no evidence to suggest that this activity was caused by a compromise of the credentials of current or former Snowflake employees.
- This appears to be a targeted campaign directed at users with single-factor authentication.
- As part of this campaign, threat actors leveraged credentials previously purchased or obtained through infostealer malware to steal information.
- We found evidence that the threat actor obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee. Those accounts did not contain sensitive data. Demo accounts are not tied to Snowflake production or company systems. Access was possible because the demo accounts did not support Okta or multi-factor authentication (MFA), unlike Snowflake's corporate and production systems.
Throughout the investigation, Snowflake promptly notified the limited number of Snowflake customers it believed may have been affected. Mandiant has also been involved in outreach to potentially affected organizations.
We recommend that organizations take the following steps immediately:
- Enforce multi-factor authentication on all accounts.
- Set up network policy rules that admit only authorized users, or only traffic from trusted locations (VPN, cloud workload NAT, etc.).
- Affected organizations must reset and rotate their Snowflake credentials.
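The three steps above, worked through in Snowflake SQL. This is an added example and is not part of Snowflake's statement or its Investigation and Assurance Guidelines; it is meant to be run in a worksheet as ACCOUNTADMIN. The policy name, user names and IP ranges are placeholders chosen for illustration, and the audit queries read the SNOWFLAKE.ACCOUNT_USAGE views, which lag live activity by up to a couple of hours.

```sql
-- Added example (not from Snowflake's statement). Placeholders: corp_only_policy,
-- etl_nat_policy, analyst_jdoe, svc_etl, and the 203.0.113.0/24 / 198.51.100.7 ranges.

------------------------------------------------------------------------
-- Step 1: find who is logging in with a single factor and who is not
-- enrolled in MFA. Enrollment itself is completed by each user in the
-- web UI; these queries produce the list to chase.
------------------------------------------------------------------------
-- Successful logins in the last 30 days that presented no second factor.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- Active password users with no Duo MFA enrollment.
SELECT name, login_name, last_success_login, password_last_set_time,
       has_rsa_public_key
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS FIRST;

------------------------------------------------------------------------
-- Step 2: network policies. Account level for humans (VPN egress),
-- user level for a workload that egresses through a cloud NAT.
-- Caveat: the session that runs ALTER ACCOUNT must itself come from an
-- address in ALLOWED_IP_LIST, otherwise Snowflake rejects the change.
------------------------------------------------------------------------
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')          -- assumed corporate VPN egress
  COMMENT = 'Only corporate VPN egress may reach this account';

CREATE NETWORK POLICY etl_nat_policy
  ALLOWED_IP_LIST = ('198.51.100.7')            -- assumed cloud workload NAT
  COMMENT = 'ETL service account reachable only from the workload NAT';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
ALTER USER svc_etl SET NETWORK_POLICY = etl_nat_policy;   -- user policy overrides account policy

-- Verify what is actually enforced.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER svc_etl;

------------------------------------------------------------------------
-- Step 3: rotate credentials for an affected account. A reset alone
-- does not end a live session, so also abort running work and, where
-- the account is suspected compromised, disable it until rotation is
-- confirmed.
------------------------------------------------------------------------
ALTER USER analyst_jdoe ABORT ALL QUERIES;
ALTER USER analyst_jdoe RESET PASSWORD;        -- returns a one-time reset link for the user

-- Service account using key-pair auth: install the new public key in
-- RSA_PUBLIC_KEY_2, switch clients over, then remove the old key.
ALTER USER svc_etl SET RSA_PUBLIC_KEY_2 = '<new public key PEM body, placeholder>';
-- ... after clients are confirmed to use the new key:
ALTER USER svc_etl UNSET RSA_PUBLIC_KEY;

-- Suspected-compromised account: take it offline while rotating.
ALTER USER analyst_jdoe SET DISABLED = TRUE;

-- Confirm nothing has authenticated with a single factor since the reset.
SELECT user_name, MAX(event_timestamp) AS last_single_factor_login
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  user_name IN ('ANALYST_JDOE', 'SVC_ETL')
GROUP  BY user_name;
```

Run the two audit queries first and keep their output; the login_history rows (client_ip, reported_client_type, first_authentication_factor) are the evidence you will need when working through the Investigation and Assurance Guidelines, and the same query re-run after rotation shows whether the old credentials are still being tried.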
Additionally, please review Snowflake's Investigation and Assurance Guidelines for recommended actions to assist in investigating potential threat activity within Snowflake customer accounts. This investigation is ongoing. We are also coordinating with law enforcement and other government authorities.