Integrator Breach Hits Snowflake Users

A SaaS integrator breach exposed customer data on Snowflake instances, highlighting how third‑party compromises can cascade through B2B cloud ecosystems. (x.com) The incident underlines the operational risk for vendors and customers when integrators have wide access to production data and CRM systems. (x.com)

More than a dozen companies were hit after attackers stole authentication tokens from a software integration provider and used them to pull data from customer cloud accounts, with many of the thefts centered on Snowflake environments. Snowflake said the activity was tied to “a specific third-party integration” and not to a breach of Snowflake’s own systems. (bleepingcomputer.com)

The suspected entry point was Anodot, a software company that connects into customer systems to watch for unusual business patterns like revenue spikes or usage drops. If a company like that holds live access into production databases, one break-in can turn one vendor into a master key for many customers at once. (bleepingcomputer.com)

An authentication token is the digital wristband a service gets after it has already proved who it is. If an attacker steals that wristband, they often do not need the password again, and they may not need a fresh multi-factor authentication check either. (obsidiansecurity.com) That is why these attacks spread sideways instead of straight down. The criminals did not have to crack Snowflake itself if they could replay trusted tokens that already had permission to read customer data. (bleepingcomputer.com)

This lands harder because Snowflake is where companies centralize huge piles of information for analytics, billing, customer support, and internal reporting. One working account inside a Snowflake instance can expose millions of records in minutes if its permissions are broad enough. (cloud.google.com)

Snowflake has been here before in a different form. In June 2024, Google-owned Mandiant said the group it tracks as UNC5537 used stolen customer credentials to access Snowflake customer instances, and Mandiant and Snowflake notified about 165 potentially exposed organizations. (cloud.google.com) That earlier wave pushed Snowflake to tighten sign-ins. Snowflake’s documentation says it began enforcing multi-factor authentication by default for human users in new accounts created in October 2024, and it laid out a phased plan to deprecate single-factor password sign-ins more broadly. (snowflake.com, docs.snowflake.com)

But token theft changes the shape of the problem. Multi-factor authentication helps at the front door, while stolen tokens let attackers walk around with a copied badge that the building already trusts. (obsidiansecurity.com)

The ugly part of business-to-business cloud software is that customers often do exactly what vendors ask them to do: connect tools, grant permissions, and automate data flows. Every extra connector saves labor on a normal day and creates another blast radius on a bad one. (rhisac.org)

So this story is not “Snowflake got hacked” so much as “trust got reused in the wrong place.” In modern software stacks, the company with the most dangerous access is often not the cloud platform storing the data, but the smaller partner quietly sitting between the platform and the customer. (bleepingcomputer.com, scworld.com)
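The defensive counterpart to the token-replay problem described above is to baseline each integration service account and alert when its sessions drift from that baseline. This is an added example, not code from the article or from Snowflake or any vendor named in it: the session records, the account name `INTEGRATOR_SVC`, the vendor egress ranges and the row-count baseline are all constructed here to mimic the shape of cloud data-warehouse login/query history.

```python
"""Flag suspicious sessions by a third-party integration service account.

Idea: a replayed token still carries the integrator's permissions, but the
session it opens tends to come from an unexpected source network and to pull
far more data than the integrator's normal monitoring queries ever did.
"""
from ipaddress import ip_address, ip_network

# Hypothetical per-account baseline: the vendor's published egress ranges and
# the typical number of rows a normal session reads. Values are constructed.
BASELINE = {
    "INTEGRATOR_SVC": {"cidrs": ["203.0.113.0/24"], "rows_per_session": 50_000},
}

# Constructed sample session records (documentation-range IPs, invented counts).
SESSIONS = [
    {"user": "INTEGRATOR_SVC", "ip": "203.0.113.7", "rows": 42_000},      # normal
    {"user": "INTEGRATOR_SVC", "ip": "198.51.100.9", "rows": 3_100_000},  # new net + bulk pull
    {"user": "INTEGRATOR_SVC", "ip": "203.0.113.8", "rows": 900_000},     # known net, bulk pull
    {"user": "jane", "ip": "192.0.2.4", "rows": 100},                     # human user, not profiled
]


def in_ranges(ip: str, cidrs: list[str]) -> bool:
    """True if the address falls inside any of the given CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def flag_sessions(sessions, baseline=BASELINE, volume_factor=10):
    """Return [(session_index, [reasons])] for sessions worth an analyst's look.

    Only accounts present in the baseline (the integration accounts) are
    evaluated; human users are handled by other controls such as MFA.
    """
    findings = []
    for i, s in enumerate(sessions):
        profile = baseline.get(s["user"])
        if profile is None:
            continue
        reasons = []
        if not in_ranges(s["ip"], profile["cidrs"]):
            reasons.append("source IP outside vendor's known egress ranges")
        if s["rows"] > volume_factor * profile["rows_per_session"]:
            reasons.append("rows read far above baseline (bulk pull)")
        if reasons:
            findings.append((i, reasons))
    return findings
```

In a real deployment the baseline would be derived from weeks of the account's own history rather than typed in, and a hit would trigger token revocation for that integration rather than just an alert.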
