We have not identified evidence that suggests this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.

We have not identified evidence suggesting that this activity was caused by the compromised credentials of current or former Snowflake personnel.

This appears to be a targeted campaign aimed at users with single-factor authentication;

As part of this campaign, threat actors have leveraged credentials previously purchased or acquired by infostealing malware. And

We found evidence that the threat actor obtained and accessed personal credentials from the demo accounts of former Snowflake employees. It did not contain sensitive data. Demo accounts are not connected to Snowflake production or corporate systems. Access was possible because the demo account was not behind Okta or Multi-factor Authentication (MFA), unlike Snowflake’s corporate and production systems.

Source link