
Snowflake Data Breach: What Businesses Need to Know

  • Writer: Neil Hare-Brown
  • Apr 28

In mid-2024, cybersecurity researchers uncovered a large-scale campaign against customer accounts on Snowflake, one of the most widely used cloud data platforms in the world.


Attackers stole large volumes of customer data, not by exploiting a vulnerability in Snowflake's own systems, but by logging in with compromised credentials. Public reporting indicates that most of the affected accounts had no multi-factor authentication enabled at all, and that the credentials were largely harvested by infostealer malware; where a session already existed, reusing a stolen session token meant no fresh login, and so no MFA prompt, was ever needed.

If your business uses Snowflake, or relies on third-party vendors who do, you need to understand the risks, what happened, and how to protect yourself quickly.





What Happened in the Snowflake Data Breach?


According to initial reports, threat actors accessed multiple customer accounts by:

  • Logging in with usernames and passwords stolen earlier, largely by infostealer malware on employee and contractor machines, and in some cases years old but never rotated (credential stuffing where the same passwords were reused)

  • Hijacking active browser sessions (token theft)

  • Taking advantage of weak tenant configuration: MFA left optional, no network policy restricting source IPs, and service accounts authenticating with plain passwords

Importantly, Snowflake's core platform was not breached at the infrastructure level. The compromise happened at the customer account level, where each customer manages its own authentication and security settings.


Some of the data reportedly exposed includes:

  • Personally identifiable information (PII)

  • Financial records

  • Internal business documents

  • Payment processing data


At least one extortion group is suspected of trying to monetise the stolen data.





How Attackers Are Bypassing MFA


Investigations suggest that attackers used stolen session cookies and tokens, very similar to the technique seen in Cookie-Bite-style attacks, to impersonate legitimate users without a fresh login. MFA is only checked when a session is created; a replayed session never reaches that check.

By hijacking an active session:

  • MFA challenges are never triggered

  • No new login event is recorded, so authentication logs look "normal"

  • No immediate alerts are raised


This method lets cybercriminals quietly access cloud environments, exfiltrate data and, where the environment allows it, establish further persistence or plant malware.
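Two hunts over Snowflake's own ACCOUNT_USAGE views for the credential and session abuse described above, added here as an example; this is not code from the original post or from Snowflake's own published guidance. Because a replayed session token does not create a new login event, the hunt works from what is recorded: the login that minted each session (authentication factors, source IP, client) and the sessions tied to it. The 7-day and 30-day windows, and the assumption that legitimate users log in from a stable set of IPs and client tools, are choices of the example, not findings from the incident.

```sql
-- Added example (not from the original post). Run as ACCOUNTADMIN or a role
-- granted the SNOWFLAKE database. ACCOUNT_USAGE views lag by up to ~2 hours,
-- so re-run the hunt rather than treating one result as complete.
USE ROLE ACCOUNTADMIN;

-- Hunt 1: successful password logins in the last 7 days with no second
-- factor, from a source IP that user had not logged in from in the 30 days
-- before that. Each hit is joined to the session(s) it created so the client
-- tool can be inspected too.
WITH baseline AS (
    -- assumed baseline: IPs each user normally logs in from
    SELECT DISTINCT user_name, client_ip
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD(day, -37, CURRENT_TIMESTAMP())
      AND event_timestamp <  DATEADD(day, -7,  CURRENT_TIMESTAMP())
),
recent AS (
    SELECT event_id, event_timestamp, user_name, client_ip,
           reported_client_type, first_authentication_factor,
           second_authentication_factor
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
      AND first_authentication_factor = 'PASSWORD'
      AND second_authentication_factor IS NULL      -- no MFA on this login
)
SELECT r.event_timestamp,
       r.user_name,
       r.client_ip,
       r.reported_client_type,
       s.session_id,
       s.client_application_id,
       s.client_application_version
FROM recent r
LEFT JOIN baseline b
       ON b.user_name = r.user_name
      AND b.client_ip = r.client_ip
LEFT JOIN snowflake.account_usage.sessions s
       ON s.login_event_id = r.event_id
WHERE b.user_name IS NULL                            -- IP never seen for this user
ORDER BY r.event_timestamp DESC;

-- Hunt 2: users whose sessions in the last 7 days came from more than one
-- client application. A stolen credential or token is typically driven from
-- a tooling stack (generic JDBC/ODBC clients, scripts) the real user never uses.
SELECT s.user_name,
       COUNT(DISTINCT s.client_application_id)          AS distinct_clients,
       LISTAGG(DISTINCT s.client_application_id, ', ')  AS clients,
       MIN(s.created_on)                                AS first_seen,
       MAX(s.created_on)                                AS last_seen
FROM snowflake.account_usage.sessions s
WHERE s.created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY s.user_name
HAVING COUNT(DISTINCT s.client_application_id) > 1
ORDER BY distinct_clients DESC;
```

Treat hits as leads, not verdicts: a travelling user or a new BI tool will also appear. What should not appear in a well-run tenant is a password login with `second_authentication_factor` NULL at all, which is why the hardening below removes that case rather than trying to alert on it.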






Who Is at Risk?


  • Direct Snowflake customers with poorly secured accounts

  • Vendors and suppliers storing client data in Snowflake instances

  • Businesses downstream relying on third parties who were compromised

  • Any organisation not enforcing modern session security and monitoring


Supply chain risks mean that even if your own systems aren’t directly connected to Snowflake, you may still be exposed through partners.

It's crucial to check your vendor and cloud security stance now — not after an incident.




What Businesses Should Do Now


✅ Check if Your Data Is Hosted in Snowflake

Review your vendors and partners — ask direct questions about their use of Snowflake.


✅ Enforce Strong Authentication

If you control any Snowflake accounts, enforce MFA through an account-level authentication policy rather than leaving enrolment to individual users, restrict logins to known source IP ranges with a network policy, move service accounts off passwords to key-pair or OAuth authentication, shorten session lifetimes, and monitor login and session activity for unfamiliar IPs and client tools.
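The Snowflake-side controls behind that checklist, added here as an example; it is not code from the original post and not Snowflake's own published script. It runs as ACCOUNTADMIN. The database and policy names, the CIDR 203.0.113.0/24 (a documentation range) and the user name `jdoe` are placeholders: substitute your real egress ranges before setting the network policy, or you will lock out your own users.

```sql
-- Added example (not from the original post). Placeholder names throughout.
USE ROLE ACCOUNTADMIN;

-- 1. Inventory: enabled users who can log in with a password but have no MFA
--    enrolled. SHOW USERS is real-time (no ACCOUNT_USAGE latency); the casts
--    make the filter work whether the columns come back as booleans or text.
SHOW USERS;
SELECT "name", "login_name", "email", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "disabled"::boolean      = FALSE
  AND "has_password"::boolean  = TRUE
  AND "ext_authn_duo"::boolean = FALSE
ORDER BY "last_success_login" DESC NULLS LAST;

-- 2. Require MFA for password logins account-wide. Authentication and session
--    policies are schema-level objects, so they need a home; network policies
--    are account-level. CLIENT_TYPES must include SNOWFLAKE_UI so users can
--    still reach the enrolment screen.
CREATE DATABASE IF NOT EXISTS sec_admin;                -- placeholder
CREATE SCHEMA   IF NOT EXISTS sec_admin.policies;       -- placeholder
CREATE AUTHENTICATION POLICY IF NOT EXISTS sec_admin.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES   = ('SNOWFLAKE_UI', 'DRIVERS')
  COMMENT        = 'Password logins must have MFA enrolled';
ALTER ACCOUNT SET AUTHENTICATION POLICY sec_admin.policies.require_mfa;

-- 3. Restrict where logins may come from. Replace the placeholder range with
--    your corporate egress / VPN addresses before running this line.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')                  -- placeholder CIDR
  COMMENT         = 'Corporate egress only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Shorten how long a stolen session token stays useful: idle sessions
--    expire after 30 minutes (15 in the web UI), and drivers may no longer
--    keep a session alive indefinitely.
CREATE SESSION POLICY IF NOT EXISTS sec_admin.policies.short_sessions
  SESSION_IDLE_TIMEOUT_MINS    = 30
  SESSION_UI_IDLE_TIMEOUT_MINS = 15
  COMMENT                      = 'Expire idle sessions quickly';
ALTER ACCOUNT SET SESSION POLICY sec_admin.policies.short_sessions;
ALTER ACCOUNT SET CLIENT_SESSION_KEEP_ALIVE = FALSE;

-- 5. Contain an account flagged by the hunt above (placeholder user): block
--    further logins now, then reset the password and force a change on the
--    next login once the investigation allows.
ALTER USER jdoe SET DISABLED = TRUE;
ALTER USER jdoe SET MUST_CHANGE_PASSWORD = TRUE;
```

Service accounts that cannot enrol in MFA should be moved to key-pair or OAuth authentication rather than exempted, since an authentication policy only governs the login methods it names. Apply the network policy last, after confirming the allow list from a test user, because a mistake there takes effect for every login including yours.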


✅ Hunt for Stolen Credentials

Use credential monitoring services to identify leaked or reused passwords associated with your domain.


✅ Monitor for Data Exposure

Consider setting up dark web and surface web monitoring to detect leaked client or internal data early.


✅ Strengthen Incident Response Plans

Prepare for potential breach notifications, client queries, or regulator involvement if you hold sensitive data. If you need support building or testing your incident response, we recommend a cyber incident exercising programme.





How STORM Guidance Can Help


✔ Threat intelligence monitoring for stolen credentials and data leaks

✔ Cyber incident response for suspected breaches

✔ Supply chain risk assessment and security reviews

✔ Threat actor engagement if extortion attempts occur

✔ Expert guidance on breach reporting and compliance





Stay Proactive to Limit the Fallout


Breaches like Snowflake show that even the biggest, best-secured platforms can't protect customer data if weak credentials, poor session management, and token theft are left unchecked.

Proactive security, layered defences, and clear incident response plans are critical for survival in today’s threat landscape.

For broader advice on cloud risk management and cyber resilience, explore STORM Guidance's full cybersecurity services.


