Intensifying Pressure on Snowflake and Its Clientele as Assaults Increase
Snowflake, the data cloud company, is currently dealing with a series of identity-based attacks targeting its customers. The attacks, which have been linked to vulnerabilities in the use of Multi-Factor Authentication (MFA), have affected several major businesses.
According to Snowflake's Chief Information Security Officer (CISO), Brad Jones, MFA remains central to the attacks on Snowflake's customers. The ransomware group Scattered Spider is believed to have exploited weaknesses in MFA, particularly through MFA fatigue, also known as push bombing. Scattered Spider bombarded users with repeated MFA verification requests until one was accepted, allowing the group to access Snowflake accounts and rapidly exfiltrate large volumes of data.
In response to these attacks, Snowflake has announced stricter controls. Starting from August 2025, the company will block all single sign-on (SSO) access and enforce MFA for all password-enabled accounts. Snowflake strongly recommends that all users enable MFA, particularly those with account administrator privileges.
However, Snowflake does not enforce MFA by default and does not require its customers to use MFA, according to user documentation. Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA with their users.
Snowflake is also suspending certain user accounts where there are strong indicators of malicious activity and incrementally blocking IP addresses that have a high confidence level of being associated with the cyber threat. The company is working closely with incident response firms such as CrowdStrike and Mandiant to investigate the attacks and inform impacted customers.
During Snowflake's Data Cloud Summit in San Francisco, the company did not address or publicly comment on the identity-based attacks targeting its customers. The ongoing event has been a platform for Snowflake to showcase its latest offerings and discuss the future of data cloud.
The exact number of customers impacted by these attacks remains unknown, with Snowflake declining to provide specific numbers. However, the company previously described the number as "limited."
While MFA is generally effective, attackers can abuse gaps in how it is deployed, such as susceptibility to MFA fatigue, to gain entry. Experts recommend enforcing phishing-resistant MFA methods and continuous monitoring to mitigate such intrusions. Snowflake is considering all options for MFA enablement, but has not finalized any plans at this time.
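As an added illustration of the continuous monitoring recommended above (example code written for this page, not anything from Snowflake or the article), the following Python script flags the push-bombing pattern in a constructed MFA push log: a user who approves a prompt after several prompts arrived within a short window. The log format, field names, threshold and window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real Snowflake or IdP output).
# Assumed line format: "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>"
SAMPLE_LOG = """\
2024-06-01T02:00:05Z user=alice event=push_sent ip=203.0.113.7
2024-06-01T02:00:06Z user=alice event=push_denied ip=203.0.113.7
2024-06-01T02:00:40Z user=alice event=push_sent ip=203.0.113.7
2024-06-01T02:01:15Z user=alice event=push_sent ip=203.0.113.7
2024-06-01T02:01:50Z user=alice event=push_sent ip=203.0.113.7
2024-06-01T02:02:30Z user=alice event=push_sent ip=203.0.113.7
2024-06-01T02:02:41Z user=alice event=push_approved ip=203.0.113.7
2024-06-01T09:15:00Z user=bob event=push_sent ip=198.51.100.3
2024-06-01T09:15:09Z user=bob event=push_approved ip=198.51.100.3
"""


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return alerts for users who approved a push after at least `threshold`
    prompts in the preceding `window`. Alert: (user, prompt_count, approval_ts, ip)."""
    sent = defaultdict(list)  # user -> timestamps of recent push prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "push_sent":
            # keep only prompts that are still inside the window
            sent[user] = [t for t in sent[user] if ts - t <= window] + [ts]
        elif event == "push_approved":
            recent = [t for t in sent[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, len(recent), ts, rec["ip"]))
            sent[user].clear()  # an approval ends the current prompt burst
    return alerts


if __name__ == "__main__":
    for user, count, ts, ip in detect_push_bombing(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} user={user} approved after {count} prompts from {ip}")
```

A single legitimate prompt followed by approval (bob) produces no alert; five prompts in under three minutes followed by an approval (alice) does.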
The attacks are part of a spree of identity-based intrusions that Snowflake first disclosed on Friday. Mandiant Consulting CTO Charles Carmakal stated that a threat actor likely obtained access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware.
The joint statement from Snowflake and the incident response firms indicates that this is a targeted campaign. The statement was released on Sunday, and Snowflake is continuing its investigation into the attacks. The direct links between the victims and Snowflake's data warehouse environments remain unconfirmed.
In summary, Snowflake is dealing with a series of identity-based attacks targeting its customers. While MFA remains critical, it is not foolproof, and certain attack vectors can bypass or abuse MFA mechanisms, leading to confirmed identity-based intrusions on Snowflake customer databases. Enhancements to MFA policies and user training are required to defend against these sophisticated tactics.
- Snowflake's Chief Information Security Officer, Brad Jones, has suggested that ransomware group Scattered Spider has exploited weaknesses in Multi-Factor Authentication (MFA), particularly in the context of MFA fatigue or push bombing attacks, to access Snowflake accounts and exfiltrate large volumes of data.
- Starting from August 2025, Snowflake will block all single sign-on (SSO) access and enforce MFA for all password-enabled accounts, following the series of identity-based attacks on its customers.
- Experts recommend enforcing phishing-resistant MFA methods and continuous monitoring to mitigate intrusions, as MFA, while generally effective, can be abused by attackers who exploit MFA gaps such as MFA fatigue.
- The attacks are part of a spree of identity-based intrusions that Snowflake first disclosed on Friday, with a threat actor likely gaining access to multiple organizations' Snowflake tenants by using credentials stolen by infostealing malware.