Skip to content

Lack of MFA enforcement causes data breach; Over 500 Snowflake clients affected

  • by
  • 3 min read

Cloud data analysis company Snowflake, along with nearly 500 of its customers, including some of the world’s largest organisations, is now struggling to patch up a massive data theft. Snowflake claims that it is aware of “potentially unauthorised access” to a “limited number” of accounts.

The intrusion came to light after several companies, including Ticketmaster and Santander Bank, both Snowflake clients, suffered data breaches. Australian authorities also sounded the alarm after discovering several companies using Snowflake environments had been compromised. The Ticketmaster breach gained extra attention as it was posted on the recently resurrected BreachForums following the FBI’s crackdown on the cybercrime forum. Overall, the data breaches from Ticketmaster and Santander alone contain hundreds of millions of user records.

While Snowflake claims only a small number of accounts were affected, TechCrunch reports having more than 500 credentials containing employee credentials and the web addresses of the login pages for the corresponding Snowflake environments. Breached companies include Ticketmaster, Santander, at least two pharmaceutical companies, a food delivery service, and a public-run freshwater supplier, among others.

Despite the sensitive nature of the data that Snowflake stores in the cloud for its customers, the company doesn’t enforce the use of multi-factor authentication (MFA) for customer environments — letting customers manage the security of their cloud environments.

This non-enforcement seems to be at the core of the data breach, which Snowflake’s statement points out as a “targeted campaign directed at users with single-factor authentication,” adding that there’s no evidence of a direct breach of its systems. Instead, the company insists that the hackers either “previously purchased” credentials or obtained them via info-stealing malware.

It’s not clear when the credentials were stolen or how long they’ve been online. However, in some cases, there’s evidence to suggest that some of the employees at affected companies had their computers previously compromised by information-stealing malware.

Snowflake also admitted that a demo account that wasn’t protected by MFA was also hacked. It’s unclear at the moment whether any of its customer data was present in the demo account. That said, the company still hasn’t enforced the use of MFA on its users yet, instead stating that it’s “considering all options for MFA enablement,” but hasn’t finalised anything at the moment.

In the News: Apple set to unveil new Passwords app at WWDC on June 10th

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: