
Snowflake to Close Investigation into Cyberattacks Targeting Customers



(Bloomberg) — Snowflake Inc. plans to wrap up its own investigation this week into a hacking campaign that ensnared up to 165 of its customers.


The cloud data and analytics company has not detected any unauthorized access to customer accounts since the beginning of last week, Chief Information Security Officer Brad Jones said in an interview with Bloomberg News. The company said on June 2 that hackers had launched a “targeted campaign” against Snowflake users who relied on single-factor authentication.

The full scope of data theft among Snowflake customers remains unclear. Cyber firm Mandiant, a unit of Google Cloud that is helping Snowflake investigate the incident, said on Monday that it had informed 165 “potentially exposed organizations” about their potential vulnerability. So far, only a few customers, such as Live Nation Entertainment Inc., Pure Storage Inc. and Advance Auto Parts, have suggested they have experienced Snowflake-related issues.

Shares rose as much as 1.5% on the news before erasing gains. Shares fell 2.2% to $127.44 at 1:05 p.m. in New York.

Hackers used stolen credentials that were available in places such as cybercriminal forums to access customer accounts that lacked security measures such as multi-factor authentication, Jones said. The attackers didn’t access an archive of Snowflake logins, but rather used stolen usernames and passwords to infiltrate accounts, assuming people reused their credentials, he said.

Snowflake doesn’t have visibility into how much customer data was stolen, Jones said. The company has been working with authorities, as well as Google’s Mandiant and CrowdStrike Holdings Inc., to investigate the matter.

Jones said the hacking campaign highlights that many threats can be prevented. “We have a broader challenge in the security community and in enterprises that many people are not mastering the basics,” he said in reference to multi-factor authentication.

Snowflake became aware of the hacking effort on May 22, Jones said. The company blocked IP addresses linked to the hackers, working with commercial virtual private network providers to do so, he added. Mandiant’s investigation began in April 2024, when it learned of the leak of database records that the cyber company later determined originated from a Snowflake customer account.

If customers didn’t take steps to secure potentially affected accounts, Jones said, Snowflake would lock those accounts to prevent additional unauthorized access.

The company plans to launch tools later this month that help customers accelerate the adoption of security measures such as multi-factor authentication, which requires users to verify their identity in two or more ways before gaining access to an account.

Snowflake charges customers based on product usage – also known as consumption. This includes when they remove data from the system. Jones said “no significant consumption” occurred as a result of hackers gaining unauthorized access to customer accounts.

“It’s not like they’re doing heavy calculations on the data, just retrieving it,” Jones said in explaining why the hackers didn’t cause any significant additional Snowflake costs for customers.

Last week, Ticketmaster owner Live Nation said it discovered “unauthorized activity” in a third-party cloud database. A person familiar with the situation said the account was hosted on Snowflake. On Friday, Advance Auto Parts also said it was investigating reports that it was involved in a “Snowflake-related safety incident.”

Snowflake declined to comment on specific customers.

Mandiant determined that a group of hackers called “UNC5537” was responsible for the attacks and that the gang did not use “novel or sophisticated tools” to carry out the hack. Instead, the report states that hackers exploited “large lists of stolen credentials” that “exist for free and for purchase” on the dark web. Most of the alleged gang members are based in North America, researchers said.

(Updates with share price in fourth paragraph.)


©2024 Bloomberg LP


