On May 30, 2024, researchers published a report concerning activity by a threat actor dubbed UNC5537, involving abuse of stolen credentials to gain illicit access to Snowflake accounts unprotected by MFA, using a toolkit known as rapeflake.
On May 31, 2024, Snowflake published an advisory notifying customers of malicious activity it had detected involving illicit access to customer accounts, dating as far back as mid-April 2024. The company stated that it believes the common initial access vector for these accounts to be compromised credentials, and that it does not consider the root cause of this activity to be any vulnerability, misconfiguration, or malicious activity within the Snowflake product itself.
On the same day, another group of researchers published a report (which has since been taken down) based on conversations with a person claiming to be behind this activity, in which the alleged cybercriminal stated that they gained access to Snowflake's customers by abusing prior access to a Snowflake employee. Snowflake has refuted these claims. The same report also links the activity described by Snowflake to recent breaches impacting Ticketmaster and several other companies, attributed to a group known as ShinyHunters, but this link remains unvalidated.