Hackers steal “significant volume” of data from hundreds of Snowflake customers


Up to 165 customers of cloud storage provider Snowflake have been compromised by a group that obtained login credentials through malware to steal information, researchers said Monday.

On Friday, Lending Tree subsidiary QuoteWizard confirmed that it was among the customers notified by Snowflake who were affected by the incident. Lending Tree spokesperson Megan Greuling said the company is in the process of determining whether data stored on Snowflake has been stolen.

“That investigation is ongoing,” she wrote in an email. “As of this time, it does not appear that the consumer’s financial account information has been affected, nor has the information of the parent entity, Lending Tree.”

Researchers at Mandiant, a Google-owned security firm that Snowflake hired to investigate the massive compromise, said Monday that the companies have so far identified 165 customers whose data may have been stolen in the wave of attacks. Live Nation confirmed 10 days ago that data its Ticketmaster group stored on Snowflake had been stolen, following a post offering to sell the full names, addresses, phone numbers and partial credit card numbers of 560 million Live Nation customers.

Santander, Spain’s largest bank, recently said that data belonging to some of its customers had also been stolen. The same group that advertised the Ticketmaster data also offered Santander data for sale. Researchers at security firm Hudson Rock said the stolen data was also stored on Snowflake. Santander has neither confirmed nor denied the statement.

Mandiant’s Monday post said that all of the compromises it has tracked so far were the result of login credentials for Snowflake accounts being stolen by data-stealing malware and stored in large logs, sometimes for years. None of the affected accounts used multi-factor authentication, which requires users to provide a one-time password or additional means of authentication in addition to a password.

The group carrying out the attacks is financially motivated and its members are primarily located in North America. Mandiant is tracking it as UNC5537. The company’s researchers wrote:

Based on our investigations to date, UNC5537 gained access to Snowflake customer instances from multiple organizations via stolen customer credentials. These credentials were primarily obtained from multiple data-stealing malware campaigns that infected systems not owned by Snowflake. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from the respective Snowflake customer instances. Subsequently, the attacker began directly extorting many of the victims and is actively trying to sell stolen customer data on well-known cybercriminal forums.

Mandiant identified that the majority of credentials used by UNC5537 were available in historical data breach infections, some of which dated back to 2020.

The threat campaign conducted by UNC5537 has resulted in numerous successful compromises due to three main factors:

  1. The affected accounts were not configured with multi-factor authentication enabled, meaning that successful authentication only required a valid username and password.
  2. Credentials identified in the production of data-stealing malware were still valid, in some cases years after being stolen, and had not been rotated or updated.
  3. The affected Snowflake client instances did not have network allow lists to allow access only from trusted locations.
Figure: Attack path UNC5537 has used against up to 165 Snowflake customers.

Initial access to affected Snowflake accounts often occurred using the company’s native SnowSight or SnowSQL, which are a web-based user interface and command-line interface, respectively. The threat actors also used a custom utility that appears as “rapeflake” in logs and is tracked by Mandiant as FrostBite.
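The three factors Mandiant lists (no MFA, unrotated stolen passwords, no network allow list) and the client names that show up in login records all map onto checks a Snowflake administrator can run today. The block below is an added example written for this article, not code from Ars Technica, Snowflake or Mandiant. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE views (USERS, LOGIN_HISTORY, SESSIONS) and a role allowed to read them and to set account-level policies; the network policy name, the 203.0.113.0/24 range and the list of expected client applications are placeholders to replace with your own values.

```sql
-- Added example (not from the article or Mandiant's report).
-- Snowflake SQL against SNOWFLAKE.ACCOUNT_USAGE. Placeholders: corp_only,
-- 203.0.113.0/24, and the expected-client patterns in query 4.

-- 1. Factor 1: active users who can authenticate with a password but have
--    no Duo MFA enrolled. EXT_AUTHN_DUO is the long-standing MFA flag on the
--    USERS view; DISABLED is stored as a VARIANT, hence the cast.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Factor 2: successful logins in the last 30 days that relied on a
--    password alone. Each row is an account a leaked infostealer log could
--    unlock; rotate those passwords and review the source IPs.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version,
       first_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'                      -- IS_SUCCESS is 'YES'/'NO' text
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Factor 3: put an account-level network allow list in place so a valid
--    username and password are not enough on their own.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')       -- placeholder: your egress ranges
  COMMENT = 'Snowflake reachable only from corporate egress';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Client hunting: sessions whose client application is not one of the
--    tools your users are expected to run. The article notes the attacker's
--    utility is logged as "rapeflake"; the allowed patterns below are
--    placeholders that must reflect your real client population.
SELECT s.created_on, s.user_name, l.client_ip,
       s.client_application_id, s.client_application_version,
       s.authentication_method
FROM snowflake.account_usage.sessions s
JOIN snowflake.account_usage.login_history l
  ON s.login_event_id = l.event_id
WHERE s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (
        s.client_application_id ILIKE '%rapeflake%'
     OR NOT (   s.client_application_id ILIKE 'Snowflake UI%'   -- Snowsight
             OR s.client_application_id ILIKE 'SnowSQL%')       -- placeholders
  )
ORDER BY s.created_on DESC;
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so these queries are for retrospective hunting and periodic auditing rather than real-time alerting. Query 4 is deliberately noisy: the point is to enumerate every client string in use, confirm each one against a known tool, and then tighten the allowed patterns until only the expected applications remain.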
