Personal credentials of the demo account of a former employee were obtained and used by the threat actors, specifically, because the account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems, according to Jones.

“The incident playing out at Snowflake is due to the same issue we’re seeing across the market, companies are not incorporating the security of their SaaS applications into their security architectures,” said Brian Soby, chief technology officer and co-founder at AppOmni. “In this case, an attacker simply bought stolen credentials and used them to log in directly to Snowflake’s ServiceNow instance, as it was misconfigured to allow Single Sign On (SSO) to be optional instead of mandatory.”

Threat group ShinyHunters, who recently claimed responsibility for Santander and Ticketmaster breaches, allegedly claimed they stole data from cloud storage company Snowflake after hacking into an employee’s account.