We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;
We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;
This appears to be a targeted campaign directed at users with single-factor authentication;
As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.
Source link
