New research claims that the number of organizations that have had sensitive data stolen following the recent Snowflake breach is likely in the hundreds.
a report from Mandiant, which is currently investigating the breach, says the two companies have notified 165 organizations – but as the attack continues, the total number of victims is likely to rise further.
Mandiant attributed the attack to UNC5537, which, since this is a brand new name, means this is either a brand new threat actor or someone whose actual identity had not yet been confirmed.
Financially motivated attack
The researchers said the group was financially motivated, meaning this was not the work of a nation state. Finally, most members apparently live in North America, with at least one additional member located in Turkey.
“Mandiant’s investigation did not find any evidence to suggest that unauthorized access to Snowflake customer accounts resulted from a breach of Snowflake’s operating environment,” Mandiant said in its findings. “Instead, every incident Mandiant responded to in connection with this campaign was traced back to compromised customer data.”
It added that it believes the group is trying to extort money from its victims in exchange for keeping the data safe.
Snowflake is a large cloud storage company with nearly 10,000 enterprise customers. News of a security incident at the company first emerged in late May 2024, when Ticketmaster reported that sensitive information on more than 500 million people had been lost.
Snowflake denied that the breach stemmed from its infrastructure and instead claimed that the incident was the result of a successful credential stuffing attack. In a credential stuffing attack, the threat actor “populates” the platform with numerous login combinations obtained elsewhere (usually purchased on the black market) until it finds one that works.
Ticketmaster isn’t the only company to come forward with news of a breach and data theft. Advance Auto Parts also confirmed there was an attack, with news reports claiming hundreds of millions of customers were compromised, as well as hundreds of thousands of employees. LendingTree, an online lending marketplace, also fell prey to the attack.