
The 2024 Snowflake customer breaches: stolen credentials meet missing MFA

Affected: Snowflake customers (Ticketmaster, others)
Disclosed: 2024-05
Root cause: Stolen credentials from infostealers, accounts without MFA

What happened

In mid-2024 a threat actor (tracked as UNC5537) accessed roughly 165 Snowflake customer environments and stole large volumes of data, affecting high-profile names. Investigations by Mandiant and Snowflake found no vulnerability in Snowflake itself. Instead, the attacker logged in with valid customer credentials, many harvested years earlier by infostealer malware on contractor and employee machines.

Root cause

The breached accounts shared three traits: credentials had been stolen and never rotated, the accounts had no multi-factor authentication, and there were no network policies restricting where logins could come from. With a username and password and nothing else in the way, access was trivial.

The identity lesson

This is the defining identity breach pattern of the era: the attacker does not break in, they log in. When single-factor accounts exist on a data platform, leaked credentials from unrelated breaches become a direct path to your data. The platform was secure; the identity configuration was not.

How to defend

  • Enforce MFA everywhere, with no exceptions for service or legacy accounts. Snowflake later moved to make MFA mandatory.
  • Add network allowlists so credentials alone cannot be used from arbitrary locations.
  • Rotate credentials and move to short-lived, federated access instead of long-lived passwords.
  • Monitor for impossible-travel and anomalous access (ITDR), and watch for your credentials in infostealer dumps.
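The first three defenses map directly onto Snowflake account configuration, and the fourth onto its account-usage views. The statements below are an added example written for this page, not Snowflake's or any affected customer's configuration; the policy names, the 192.0.2.0/24 range and the 30-day window are placeholders to replace with your own.

```sql
-- 1. Require MFA for every human login with a password (account-wide policy).
--    Client types that cannot complete an MFA prompt should be moved to
--    key-pair or OAuth service identities rather than exempted.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
  COMMENT = 'No single-factor password logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 2. Network allowlist: a valid password is useless from anywhere else.
--    Include the address you are administering from, or this statement
--    locks you out of your own session.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('192.0.2.0/24')        -- placeholder corporate egress range
  COMMENT = 'Only corporate egress may present credentials';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Find the accounts that match the breached profile: active, password-
--    based, not enrolled in MFA. These are the rotation and enrollment list.
SELECT name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password
  AND NOT ext_authn_duo
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Detection: successful logins in the last 30 days that presented only a
--    single factor. Each row is a credential that would have worked for the
--    attacker exactly as it did here; group by client_ip to spot unfamiliar
--    sources. (LOGIN_HISTORY lags real time by up to about two hours.)
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Run the two SELECTs before applying the two policies: the first tells you who will be prompted to enroll, the second shows which current connections (often automation) would be broken and need a key-pair or OAuth identity instead.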
