On June 2, 2024, cloud computing and analytics company Snowflake said a number of customers have been singled out as part of a targeted cyber campaign.

Research indicates that these attacks were carried out using credentials that had been exposed due to unrelated cyber threats. The compromised Snowflake accounts did not have two-factor authentication enabled. There was no vulnerability, misconfiguration, or malicious activity within the Snowflake product itself that caused this incident.

Severity and Impact

Snowflake, in collaboration with CrowdStrike and Mandiant, has identified that threat actors are using stolen credentials to compromise customer accounts configured with single-factor authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Australia's ACSC have issued advisories urging organizations to adopt multi-factor authentication (MFA) and monitor for unusual activity. Snowflake issued a recommendation for users to query for unusual activity and conduct further analysis to prevent unauthorized user access.

Users and administrators are encouraged to hunt for any malicious activity, report positive findings to CISA, and review the following Snowflake notice for additional information: Detecting and Preventing Unauthorized User Access: Instructions

Step 1: Determine if you are at risk

Follow the above guidance issued by Snowflake for detecting any unauthorized user access within your environment.
Assess whether your third parties are using Snowflake and if there is any associated impact, you can access the Snowflake Incident Questionnaire in the Whistic platform under our Questionnaire Standards Library by clicking here.

Step 2: Take steps to prevent further impact

Investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access Snowflake.

Does this impact Whistic?

As a result of our investigation, we have determined that this situation does not directly impact Whistic. Whistic does not use Snowflake products.