Since our founding in 2012, the security of our customers’ data has been our highest priority. That’s why the recent cybersecurity threat targeting some of our customers has been unsettling, especially given that we, and cybersecurity experts Mandiant (part of Google Cloud) and CrowdStrike, have found no evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment.
Mandiant released their investigative report on the threat on June 10th, confirming our preliminary findings that we had begun sharing with our customers on May 24th.
Key Mandiant findings include:
▪ Every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.
▪ The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password.
▪ Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.
▪ The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.
We operate under a shared responsibility security model with our customers – with them having the responsibility to follow best practices when configuring networks and enforcing secure authentication methods for access to their systems – and now we plan to strengthen this model by requiring more stringent protections.
In the coming weeks, we will be providing a feature for administrators of Snowflake accounts to make multi-factor authentication (MFA) mandatory for all users, ultimately moving to MFA by default. While we aim to roll out the enhanced authentication policies by the end of June, we are going to do this in a controlled and staged way alongside close communication and enablement. By doing so, we’ll not only be helping our customers better protect themselves, but we’ll also be leading the industry to what we believe will become an industry standard.
We are also accelerating in-product capabilities, such as our Trust Center. This new active audit and monitoring capability is expected to be generally available by the end of June, with additional transparency specifically around MFA and network policies.
This is in addition to other actions we’ve already taken, like locking customer accounts where we saw cyber threat activity, working closely with affected customers to help them better protect themselves, and communicating with all of our customers to harden their security measures.
You have our commitment that the security of your data will always be our highest priority.