The fallout from the Snowflake credential-stuffing campaign has grown to roughly 165 affected customer organizations, making it one of the largest data-theft incidents involving a cloud platform on record. Victims include AT&T, Ticketmaster, Santander and more than 160 other organizations. The data was taken from customers' own Snowflake accounts using stolen logins, not through a vulnerability in the Snowflake platform itself.
Attack Methodology
Mandiant's investigation found that the attackers (tracked as UNC5537) used credentials harvested by infostealer malware, bought or pulled from criminal marketplaces and leaked logs, to log in to Snowflake customer tenants whose accounts were protected by a username and password alone, with no multi-factor authentication.
- About 165 organizations notified as potentially affected (up from initial public reports of around 10)
- Combined data exposure estimated at 2.5 billion individual records
- Credentials came from many separate infostealer infections across several malware families, some logs dating back to 2020, and several were on contractor or personal machines used to reach customer environments; this was not a campaign aimed at Snowflake specifically
- Every compromised account relied on a password alone: MFA was not enabled, Snowflake did not enforce it or network allowlists by default, and the stolen credentials had never been rotated
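The access pattern Mandiant describes is visible in login telemetry: successful password-only logins, often from IP space the organization does not own, against accounts that have never presented a second factor. The following hunt is an added example written for this article, not code from Mandiant, Snowflake or any affected company. The rows are constructed (documentation IP ranges, invented user names) but use the column names of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view so the same logic applies to a real export; the allowlist CIDRs are hypothetical corporate egress ranges. It also covers the two controls discussed below, MFA enforcement and IP allowlisting, by reporting which accounts and which source addresses would have been blocked by them.

```python
"""Hunt Snowflake LOGIN_HISTORY-shaped records for single-factor access.

Added example (not from the article or from Mandiant/Snowflake). Records and
CIDR ranges are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Hypothetical corporate egress ranges, i.e. what a network policy would allow.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed rows; field names follow SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-04-14T09:02:11Z", "USER_NAME": "ANALYST_01",
     "CLIENT_IP": "203.0.113.17", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO",
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T22:41:03Z", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "203.0.113.44", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T03:17:55Z", "USER_NAME": "DBA_LEGACY",
     "CLIENT_IP": "192.0.2.99", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T03:19:02Z", "USER_NAME": "DBA_LEGACY",
     "CLIENT_IP": "192.0.2.99", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T03:30:40Z", "USER_NAME": "ANALYST_02",
     "CLIENT_IP": "192.0.2.120", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-15T10:05:00Z", "USER_NAME": "ANALYST_02",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
]


def is_allowlisted(ip, cidrs=ALLOWED_CIDRS):
    """True if the client IP falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def single_factor_password_logins(rows):
    """Successful logins authenticated by a password and nothing else.

    Key-pair logins (RSA_KEYPAIR) also have no second factor but are not the
    stuffed-credential pattern, so they are deliberately left out here.
    """
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and r["SECOND_AUTHENTICATION_FACTOR"] is None]


def offnet_single_factor(rows, cidrs=ALLOWED_CIDRS):
    """Highest-priority finding: password-only success from non-allowlisted IP space.

    These are exactly the sessions a network policy would have refused and MFA
    would have challenged.
    """
    return [r for r in single_factor_password_logins(rows)
            if not is_allowlisted(r["CLIENT_IP"], cidrs)]


def mfa_gap_inventory(rows):
    """Accounts that have ever logged in with a password alone, with source IPs.

    Includes on-net users: an account without MFA is exposed as soon as its
    password appears in an infostealer log, regardless of where it normally logs
    in from. This is the list to force through MFA enrollment and rotation.
    """
    gaps = defaultdict(set)
    for r in single_factor_password_logins(rows):
        gaps[r["USER_NAME"]].add(r["CLIENT_IP"])
    return dict(gaps)


def failed_offnet_password_attempts(rows, cidrs=ALLOWED_CIDRS):
    """Per-user count of failed password logins from outside the allowlist.

    Bursts here are the background noise of credential stuffing and help rank
    which accounts are actively being tried.
    """
    counts = defaultdict(int)
    for r in rows:
        if (r["IS_SUCCESS"] == "NO"
                and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not is_allowlisted(r["CLIENT_IP"], cidrs)):
            counts[r["USER_NAME"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in offnet_single_factor(LOGIN_HISTORY):
        print("OFF-NET SINGLE-FACTOR:", r["EVENT_TIMESTAMP"], r["USER_NAME"],
              r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"])
    print("MFA gaps:", mfa_gap_inventory(LOGIN_HISTORY))
    print("Failed off-net attempts:", failed_offnet_password_attempts(LOGIN_HISTORY))
```

Run against a real LOGIN_HISTORY export, the off-net list is the incident-response queue (which sessions to review and which credentials to revoke first), while the MFA gap inventory is the remediation queue, and is non-empty even for users who only ever logged in from the office: the campaign above did not need to reach the victim network at all, only the victim's password.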
Industry Response
Snowflake has since moved to enforce MFA by default for its customers and to push network policies (IP allowlisting) as the recommended baseline, though both controls still need to be verified account by account rather than assumed. The incident has accelerated enterprise adoption of SSPM (SaaS Security Posture Management) tools, with Gartner reporting a 200% increase in SSPM inquiries. Class-action lawsuits against both Snowflake and affected companies are pending in multiple jurisdictions.