
**Snowflake is proud to be the Official Data Collaboration Provider for LA28 and Team USA.** Snowflake delivers the AI Data Cloud — a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the AI Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single and seamless experience across multiple public clouds. Snowflake’s platform is the engine that powers and provides access to the AI Data Cloud, creating a solution for data warehousing, data lakes, data engineering, data science, data application development, and data sharing. Join Snowflake customers, partners, and data providers already taking their businesses to new frontiers in the AI Data Cloud.

Snowflake A.I CyberSecurity Scoring

Snowflake

Company Details

LinkedIn ID: snowflake-computing
Number of Employees: 10,269
Number of Followers: 1,170,239
NAICS: 5112
Industry Type: Software Development
Homepage: snowflake.com
IP Addresses: 70
Company ID: SNO_3051677
Scan Status: Completed

Snowflake Risk Score (AI oriented): between 750 and 799

Snowflake Company CyberSecurity News & History

Past incidents: 3
Attack types: 2

Entity: Snowflake | Type: Breach | Severity: 100 | Impact: 4 | Seen: 11/2024
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: For much of the summer, Snowflake, a cloud data storage provider, was targeted by a series of data breaches affecting over 165 customers, exposing hundreds of millions of records. These customers included large corporations such as AT&T, Santander, and Live Nation Entertainment. Despite the breach's extensive reach, Snowflake has since implemented mandatory multifactor authentication. The disruptions caused by these incidents highlight the importance of robust cybersecurity practices.

Entity: Snowflake | Type: Breach | Severity: 100 | Impact: 4 | Seen: 6/2024
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: Snowflake faced a supply chain breach involving theft of customer credentials by ShinyHunters via a third-party contractor's employee. Affected clients like Ticketmaster and Santander lacked multifactor authentication, compromising over 160 companies' data.

Entity: Snowflake | Type: Cyber Attack | Severity: 100 | Impact: 5 | Seen: 6/2023
Rankiteo Explanation: Attack threatening the organization's existence

Description: Snowflake, a cloud-based data warehousing company, suffered a series of breaches in 2023 due to **browser-based credential phishing attacks** targeting its customers. Attackers exploited **Adversary-in-the-Middle (AiTM) phishing kits** to bypass multi-factor authentication (MFA) and harvest login credentials from employees of Snowflake’s client organizations. The stolen credentials were then used to access Snowflake customer accounts, exfiltrate sensitive data, and demand ransom payments under threat of public exposure. The breach impacted multiple high-profile Snowflake customers, including **ticketing platforms, financial institutions, and telecom companies**, leading to the theft of **millions of customer records**, such as personally identifiable information (PII), financial data, and proprietary business intelligence. While Snowflake’s core infrastructure remained uncompromised, the attack exposed critical gaps in **third-party identity security**, particularly around **session hijacking via stolen cookies** and **unmonitored OAuth integrations**. The incident underscored the rising threat of **browser-based attacks** as a primary vector for large-scale data exfiltration, with attackers leveraging **obfuscated phishing pages, malicious extensions, and social engineering** to bypass traditional email security controls. The financial and reputational fallout included **regulatory scrutiny, customer churn, and costly incident response efforts**, as affected organizations scrambled to contain the damage, rotate credentials, and implement stricter browser security measures. The breach also highlighted the broader industry challenge of securing **decentralized SaaS ecosystems**, where legacy authentication gaps and user behavior remain prime targets for cybercriminals.


Snowflake Company Scoring based on AI Models

Cyber Incidents Likelihood (3, 6 and 9 months): incident predictions locked; available with the Access Monitoring Plan.

A.I. Risk Score Likelihood (3, 6 and 9 months): risk score predictions locked; available with the Access Monitoring Plan.

Underwriter Stats for Snowflake

Incidents vs Software Development Industry Average (This Year): no incidents recorded for Snowflake in 2025.

Incidents vs All-Companies Average (This Year): no incidents recorded for Snowflake in 2025.

Incident Types Snowflake vs Software Development Industry Avg (This Year): no incidents recorded for Snowflake in 2025.

Incident History chart (X = Date, Y = Severity): Snowflake cyber incidents detection timeline including parent company and subsidiaries.

Snowflake Company Subsidiaries

No subsidiaries are listed for Snowflake.

Snowflake Similar Companies

Cadence, Synopsys Inc, Instacart, Thomson Reuters, Amazon, Lazada, Meta, NetSuite, Walmart Global Tech.


Snowflake CyberSecurity News

October 31, 2025 07:00 AM
LendingTree Barred From Arbitrating Snowflake Data Breach Claims

LendingTree LLC can't avoid a proposed class lawsuit over its customers' data being compromised in the Snowflake cybersecurity incident,...

October 30, 2025 07:00 AM
Snowflake, Clients Can't Escape MDL Over Cloud Data Breach

Cloud storage provider Snowflake, along with its clients Ticketmaster and LendingTree, will continue to face sprawling multidistrict...

October 28, 2025 07:00 AM
Snowflake, Ticketmaster must face US lawsuits over sprawling data breach

A federal judge in Montana has allowed consumers to move forward with lawsuits alleging that cybersecurity failures enabled a massive data...

October 03, 2025 07:00 AM
Cybersecurity firm Oneleet bags $33m Series A

Cybersecurity firm Oneleet secures $33m Series A led by Dawn Capital. Discover how it aims to end compliance theatre—read more now.

October 02, 2025 07:00 AM
Securonix Named Data Security Data Cloud Product Partner of the Year by Snowflake

Securonix, Inc., a five-time Leader in the Gartner® Magic Quadrant™ for SIEM, and leader in autonomous security operations, announced it has...

September 08, 2025 07:00 AM
Cisco (CSCO) Introduces Splunk Federated Search for Snowflake In

Cisco (CSCO) has announced the launch of Splunk Federated Search for Snowflake, a significant integration within the Splunk Platform.

September 03, 2025 07:00 AM
Siemens and Snowflake enable IT/OT convergence across edge and cloud for industrial customers

Siemens is collaborating with Snowflake, an AI data cloud company, to help manufacturers unlock new levels of operational efficiency, scale,...

August 29, 2025 07:00 AM
Snowflake completes Canadian Centre for Cyber Security Protected B assessment

Snowflake's Protected B assessment enables these organizations to protect sensitive data and collaborate securely while maintaining robust...

August 20, 2025 07:00 AM
DeepTempo Assembles Elite Advisory Council Featuring Security Leaders from Google Chronicle, Snowflake, Vectra.AI and SentinelOne

Leaders from Google Chronicle, Snowflake, Vectra.AI, SentinelOne, and Roblox unite to shape the next generation of cyber defense.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Snowflake CyberSecurity History Information

Official Website of Snowflake

The official website of Snowflake is http://www.snowflake.com.

Snowflake’s AI-Generated Cybersecurity Score

According to Rankiteo, Snowflake’s AI-generated cybersecurity score is 761, reflecting their Fair security posture.

How many security badges does Snowflake have?

According to Rankiteo, Snowflake currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Snowflake have SOC 2 Type 1 certification?

According to Rankiteo, Snowflake is not certified under SOC 2 Type 1.

Does Snowflake have SOC 2 Type 2 certification?

According to Rankiteo, Snowflake does not hold a SOC 2 Type 2 certification.

Does Snowflake comply with GDPR?

According to Rankiteo, Snowflake is not listed as GDPR compliant.

Does Snowflake have PCI DSS certification?

According to Rankiteo, Snowflake does not currently maintain PCI DSS compliance.

Does Snowflake comply with HIPAA?

According to Rankiteo, Snowflake is not compliant with HIPAA regulations.

Does Snowflake have ISO 27001 certification?

According to Rankiteo, Snowflake is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Snowflake

Snowflake operates primarily in the Software Development industry.

Number of Employees at Snowflake

Snowflake employs approximately 10,269 people worldwide.

Subsidiaries Owned by Snowflake

Snowflake presently has no subsidiaries across any sectors.

Snowflake’s LinkedIn Followers

Snowflake’s official LinkedIn profile has approximately 1,170,239 followers.

NAICS Classification of Snowflake

Snowflake is classified under the NAICS code 5112, which corresponds to Software Publishers.

Snowflake’s Presence on Crunchbase

No, Snowflake does not have a profile on Crunchbase.

Snowflake’s Presence on LinkedIn

Yes, Snowflake maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/snowflake-computing.

Cybersecurity Incidents Involving Snowflake

As of November 27, 2025, Rankiteo reports that Snowflake has experienced 3 cybersecurity incidents.

Number of Peer and Competitor Companies

Snowflake has an estimated 26,564 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Snowflake?

Incident Types: The types of cybersecurity incidents that have occurred include Breach and Cyber Attack.

How does Snowflake detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures (mandatory multifactor authentication); third-party assistance (Push Security, a browser security platform); containment measures (browser-based detection/response via Push Security, OAuth app permission audits for Salesforce, extension blacklisting/removal, and MFA enforcement eliminating ghost logins); further remediation measures (SSO/MFA coverage expansion, browser extension whitelisting, user training on phishing and ClickFix awareness, and endpoint monitoring for malicious file downloads); and enhanced monitoring (browser-level activity logging via Push Security).

Incident Details

Can you provide details on each incident?

Incident : Supply Chain Breach

Title: Supply Chain Breach at Snowflake

Description: Snowflake faced a supply chain breach involving theft of customer credentials by ShinyHunters via a third-party contractor's employee. Affected clients like Ticketmaster and Santander lacked multifactor authentication, compromising over 160 companies' data.

Type: Supply Chain Breach

Attack Vector: Third-party contractor's employee

Vulnerability Exploited: Lack of multifactor authentication

Threat Actor: ShinyHunters

Motivation: Theft of customer credentials

Incident : Data Breach

Title: Snowflake Data Breach

Description: Snowflake, a cloud data storage provider, was targeted by a series of data breaches affecting over 165 customers, exposing hundreds of millions of records. These customers included large corporations such as AT&T, Santander, and Live Nation Entertainment. Despite the breach's extensive reach, Snowflake has since implemented mandatory multifactor authentication. The disruptions caused by these incidents highlight the importance of robust cybersecurity practices.

Type: Data Breach

Incident : Browser-Based Attack

Title: Rise of Browser-Based Attacks: Phishing, ClickFix, OAuth Abuse, and Malicious Extensions

Description: Attacks targeting users via web browsers have surged in recent years, leveraging techniques like AITM (Adversary-in-The-Middle) phishing, ClickFix (malicious copy-paste), consent phishing (malicious OAuth integrations), malicious browser extensions, and malicious file delivery. These attacks exploit decentralized work environments, third-party SaaS services (e.g., Snowflake, Salesforce), and gaps in MFA to compromise business apps and data. Attackers use multi-channel delivery (email, SMS, social media, ads) and obfuscation techniques (dynamic code obfuscation, CAPTCHA bypasses, legitimate SaaS hosting) to evade detection. The browser has become the primary attack surface due to its role as the gateway to cloud/SaaS apps, yet it remains a blind spot for most security teams.

Type: Browser-Based Attack

Attack Vector: Multi-Channel Phishing (Email, SMS, Instant Messaging, Social Media, Malvertising); Malicious Links (Obfuscated, Hosted on Legitimate SaaS/Cloud Services); Fake CAPTCHA/Cloudflare Turnstile Lures (ClickFix); OAuth App Authorization Tricks (Device Code Flow, Salesforce Exploit); Malicious Browser Extensions (Takeover or New Installations); Malicious File Downloads (HTA, SVG, Executables); Stolen Credentials (From Phishing/Infostealers); MFA Gaps (Ghost Logins, SSO Misconfigurations)

Vulnerability Exploited: Lack of Browser-Specific Security Controls; Insufficient MFA Enforcement (Ghost Logins, SSO Gaps); Unmanaged OAuth App Permissions (Salesforce, Other SaaS); Unvetted Browser Extensions (Cyberhaven Hack, 35+ Extensions in 2024); User Trust in Browser Prompts (Copy-Paste Commands, Fake Error Messages); Decentralized App Ecosystem (Shadow IT, Unmanaged SaaS); Legacy Authentication Methods (Password-Only Logins)

Motivation: Data Theft (Extortion, Dark Web Sales); Financial Gain (Ransomware, Fraud); Account Takeover (Business Email Compromise, SaaS Abuse); Espionage (Corporate/Competitive Intelligence)

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The attack vectors identified in the company's incidents are: a third-party contractor's employee; phishing links (email, SMS, social media and ads); malicious OAuth apps (device code flow); compromised browser extensions; fake CAPTCHA/error pages (ClickFix); and malvertising (drive-by downloads).

Impact of the Incidents

What was the impact of each incident?

Incident : Supply Chain Breach SNO1019070724

Data Compromised: Customer credentials

Incident : Data Breach SNO000110624

Data Compromised: Hundreds of millions of records

Incident : Browser-Based Attack SNO3992739091525

Data Compromised: Credentials (usernames, passwords, session tokens); business app data (Snowflake, Salesforce, Jira); PII (from infostealers, browser cache); OAuth tokens (high-risk permissions)

Systems Affected: Web Browsers (Chrome, Edge, Firefox, Safari); SaaS/Cloud Apps (Salesforce, Snowflake, Jira, Others); Endpoints (Windows, macOS via Terminal Commands); Identity Providers (SSO, MFA Bypass)

Operational Impact: Disruption of Business Workflows (SaaS Access Loss); Incident Response Overhead (Detection, Containment); Reputation Damage (Customer/Partner Trust Erosion)

Brand Reputation Impact: High (Associated with Major Breaches Like Snowflake, Salesforce)

Identity Theft Risk: High (Stolen Credentials, PII from Infostealers)

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are customer credentials, credentials (Snowflake, Salesforce, Jira), session tokens (stolen via infostealers), OAuth tokens (high-risk permissions) and PII (from browser caches, extensions).

Which entities were affected by each incident?

Incident : Supply Chain Breach SNO1019070724

Entity Name: Snowflake

Entity Type: Corporation

Industry: Technology

Customers Affected: Over 160 companies

Incident : Supply Chain Breach SNO1019070724

Entity Name: Ticketmaster

Entity Type: Corporation

Industry: Entertainment

Incident : Supply Chain Breach SNO1019070724

Entity Name: Santander

Entity Type: Corporation

Industry: Financial Services

Incident : Data Breach SNO000110624

Entity Name: Snowflake

Entity Type: Cloud Data Storage Provider

Industry: Technology

Size: Large

Customers Affected: 165

Incident : Data Breach SNO000110624

Entity Name: AT&T

Entity Type: Telecommunications

Industry: Telecommunications

Size: Large

Incident : Data Breach SNO000110624

Entity Name: Santander

Entity Type: Banking

Industry: Finance

Size: Large

Incident : Data Breach SNO000110624

Entity Name: Live Nation Entertainment

Entity Type: Entertainment

Industry: Entertainment

Size: Large

Incident : Browser-Based Attack SNO3992739091525

Entity Name: Snowflake Customers

Entity Type: Enterprise

Industry: Data Cloud/Analytics

Location: Global

Incident : Browser-Based Attack SNO3992739091525

Entity Name: Salesforce Customers

Entity Type: Enterprise

Industry: CRM/Cloud Services

Location: Global

Incident : Browser-Based Attack SNO3992739091525

Entity Name: Jira Users (2024 Attacks)

Entity Type: Enterprise

Industry: Software Development/Project Management

Location: Global

Incident : Browser-Based Attack SNO3992739091525

Entity Name: Cyberhaven Extension Users (2024 Hack)

Entity Type: Enterprise/Individual

Industry: Cybersecurity

Location: Global

Incident : Browser-Based Attack SNO3992739091525

Entity Name: Organizations Using Unmanaged Browser Extensions

Entity Type: Enterprise/SMB

Industry: Cross-Industry

Location: Global

Customers Affected: Millions (Across 100s of Malicious Extensions)

Response to the Incidents

What measures were taken in response to each incident?

Incident : Data Breach SNO000110624

Remediation Measures: mandatory multifactor authentication

Incident : Browser-Based Attack SNO3992739091525

Third Party Assistance: Push Security (Browser Security Platform).

Containment Measures: Browser-Based Detection/Response (Push Security); OAuth App Permission Audits (Salesforce); Extension Blacklisting/Removal; MFA Enforcement (Eliminating Ghost Logins)

Remediation Measures: SSO/MFA Coverage Expansion; Browser Extension Whitelisting; User Training (Phishing, ClickFix Awareness); Endpoint Monitoring (Malicious File Downloads)

Enhanced Monitoring: Browser-Level Activity Logging (Push Security)

How does the company involve third-party assistance in incident response?

Third-Party Assistance: The company involves third-party assistance in incident response through Push Security (Browser Security Platform).

Data Breach Information

What type of data was compromised in each breach?

Incident : Supply Chain Breach SNO1019070724

Type of Data Compromised: Customer credentials

Sensitivity of Data: High

Incident : Data Breach SNO000110624

Number of Records Exposed: hundreds of millions

Incident : Browser-Based Attack SNO3992739091525

Type of Data Compromised: Credentials (Snowflake, Salesforce, Jira), session tokens (stolen via infostealers), OAuth tokens (high-risk permissions), PII (from browser caches, extensions)

Sensitivity of Data: High (Business-Critical SaaS Data, PII)

Data Exfiltration: Yes (Extortion, Dark Web Sales)

File Types Exposed: HTA, SVG, Executables (Malicious Files)

Personally Identifiable Information: Yes (Via Infostealers, Browser Extensions)

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: mandatory multifactor authentication, SSO/MFA coverage expansion, browser extension whitelisting, user training (phishing, ClickFix awareness) and endpoint monitoring (malicious file downloads).

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through browser-based detection/response (Push Security), OAuth app permission audits (Salesforce), extension blacklisting/removal and MFA enforcement (eliminating ghost logins).

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Browser-Based Attack SNO3992739091525

Lessons Learned:
- Browsers Are the New Attack Surface: Traditional email/endpoint security is insufficient for modern, decentralized work environments.
- Multi-Channel Threats Require Unified Visibility: Attacks span email, SMS, social media, and in-app messages, necessitating cross-channel detection.
- OAuth Abuse is a Blind Spot: Malicious app integrations bypass MFA and traditional authentication controls (e.g., Salesforce device code flow).
- Extensions Pose Significant Risk: Unvetted extensions can silently exfiltrate credentials and session data (e.g., Cyberhaven hack).
- MFA Gaps Persist: Ghost logins and unmanaged SaaS apps create backdoors for credential stuffing.
- Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.

What recommendations were made to prevent future incidents?

Incident : Browser-Based Attack SNO3992739091525

Recommendations:
Category: Vendor Collaboration
Actions: Pressure SaaS providers to:
- Improve OAuth security (e.g., Salesforce’s planned updates).
- Offer granular permission controls for integrations.
- Provide APIs for customer-side monitoring (e.g., login events).
Participate in Extension Vetting: Report malicious extensions to Chrome/Firefox web stores.

What are the key lessons learned from past incidents?

Key Lessons Learned: The key lessons learned from past incidents are:
- Browsers Are the New Attack Surface: Traditional email/endpoint security is insufficient for modern, decentralized work environments.
- Multi-Channel Threats Require Unified Visibility: Attacks span email, SMS, social media, and in-app messages, necessitating cross-channel detection.
- OAuth Abuse is a Blind Spot: Malicious app integrations bypass MFA and traditional authentication controls (e.g., Salesforce device code flow).
- Extensions Pose Significant Risk: Unvetted extensions can silently exfiltrate credentials and session data (e.g., Cyberhaven hack).
- MFA Gaps Persist: Ghost logins and unmanaged SaaS apps create backdoors for credential stuffing.
- Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.

What recommendations has the company implemented to improve cybersecurity?

Implemented Recommendations: The company has implemented recommendations in the following categories: Endpoint & Network; Vendor Collaboration; User Awareness; Detection & Prevention; Identity Hardening.

References

Where can I find more information about each incident ?

Incident : Browser-Based Attack SNO3992739091525

Source: Push Security - Browser-Based Attack Overview

URL: https://www.pushsecurity.com/product-overview

Incident : Browser-Based Attack SNO3992739091525

Source: Snowflake Customer Breaches (2023)

Incident : Browser-Based Attack SNO3992739091525

Source: Salesforce OAuth Attacks (2024)

Incident : Browser-Based Attack SNO3992739091525

Source: Cyberhaven Extension Hack (December 2024)

Incident : Browser-Based Attack SNO3992739091525

Source: Jira Credential Stuffing Attacks (2024)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the following sources:
- Push Security - Browser-Based Attack Overview (URL: https://www.pushsecurity.com/product-overview)
- Snowflake Customer Breaches (2023)
- Salesforce OAuth Attacks (2024)
- Cyberhaven Extension Hack (December 2024)
- Jira Credential Stuffing Attacks (2024)

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Browser-Based Attack SNO3992739091525

Investigation Status: Ongoing (Salesforce, Other SaaS Attacks)

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Browser-Based Attack SNO3992739091525

Customer Advisories: Users of Snowflake, Salesforce, Jira, and other SaaS platforms should:
- Reset passwords and revoke OAuth app permissions.
- Enable MFA (preferably phishing-resistant).
- Audit browser extensions and remove unrecognized ones.
- Monitor for unusual login activity (e.g., via SSO logs).

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident. Users of Snowflake, Salesforce, Jira, and other SaaS platforms should:
- Reset passwords and revoke OAuth app permissions.
- Enable MFA (preferably phishing-resistant).
- Audit browser extensions and remove unrecognized ones.
- Monitor for unusual login activity (e.g., via SSO logs).

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Supply Chain Breach SNO1019070724

Entry Point: Third-party contractor's employee

Incident : Browser-Based Attack SNO3992739091525

Entry Point: Phishing links (email, SMS, social media, ads), malicious OAuth apps (device code flow), compromised browser extensions, fake CAPTCHA/error pages (ClickFix), malvertising (drive-by downloads)

Backdoors Established: Stolen session cookies (infostealers), OAuth tokens (persistent access), browser extensions (continuous data exfiltration)

High Value Targets: SaaS admins (Snowflake, Salesforce), Finance/HR teams (access to sensitive data), developers (Jira, GitHub, CI/CD tools)

Data Sold on Dark Web: SaaS admins (Snowflake, Salesforce), Finance/HR teams (access to sensitive data), developers (Jira, GitHub, CI/CD tools)

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Supply Chain Breach SNO1019070724

Root Causes: Lack of multifactor authentication

Incident : Browser-Based Attack SNO3992739091525

Root Causes:
- Over-Reliance on Perimeter Security: Email/network controls fail to stop browser-based attacks.
- Lack of Browser Visibility: Security teams cannot detect in-browser threats (phishing, ClickFix, extensions).
- Decentralized Identity Management: Unmanaged SaaS apps and ghost logins create MFA gaps.
- User Trust Exploitation: Attackers abuse legitimate browser functions (OAuth, copy-paste, extensions).
- Obfuscation Techniques: Dynamic code, CAPTCHA bypasses, and SaaS hosting evade traditional defenses.

Corrective Actions:
- Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats.
- Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions.
- Enforce Extension Policies: Whitelist approved extensions and block side-loading.
- Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse.
- Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as:
- Push Security (browser security platform)
- Browser-level activity logging (Push Security)

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis:
- Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats.
- Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions.
- Enforce Extension Policies: Whitelist approved extensions and block side-loading.
- Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse.
- Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was ShinyHunters.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were:
- Customer credentials, hundreds of millions of records
- Credentials (usernames, passwords, session tokens)
- Business app data (Snowflake, Salesforce, Jira)
- PII (from infostealers, browser cache)
- OAuth tokens (high-risk permissions)

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were:
- Web browsers (Chrome, Edge, Firefox, Safari)
- SaaS/cloud apps (Salesforce, Snowflake, Jira, others)
- Endpoints (Windows, macOS via terminal commands)
- Identity providers (SSO, MFA bypass)

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Push Security (browser security platform).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were:
- Browser-based detection/response (Push Security)
- OAuth app permission audits (Salesforce)
- Extension blacklisting/removal
- MFA enforcement (eliminating ghost logins)

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were:
- OAuth tokens (high-risk permissions)
- Credentials (usernames, passwords, session tokens)
- Business app data (Snowflake, Salesforce, Jira)
- Customer credentials, hundreds of millions of records
- PII (from infostealers and browser cache)

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 0.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity fall into the following categories:
- Endpoint & Network
- Vendor Collaboration
- User Awareness
- Detection & Prevention
- Identity Hardening

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are:
- Cyberhaven Extension Hack (December 2024)
- Salesforce OAuth Attacks (2024)
- Jira Credential Stuffing Attacks (2024)
- Snowflake Customer Breaches (2023)
- Push Security - Browser-Based Attack Overview

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.pushsecurity.com/product-overview.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Salesforce, Other SaaS Attacks).

Stakeholder and Customer Advisories

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was that users of Snowflake, Salesforce, Jira, and other SaaS platforms should:
- Reset passwords and revoke OAuth app permissions.
- Enable MFA (preferably phishing-resistant).
- Audit browser extensions and remove unrecognized ones.
- Monitor for unusual login activity (e.g., via SSO logs).

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry point used by an initial access broker was a third-party contractor's employee.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were:
- Lack of multifactor authentication
- Over-Reliance on Perimeter Security: Email/network controls fail to stop browser-based attacks.
- Lack of Browser Visibility: Security teams cannot detect in-browser threats (phishing, ClickFix, extensions).
- Decentralized Identity Management: Unmanaged SaaS apps and ghost logins create MFA gaps.
- User Trust Exploitation: Attackers abuse legitimate browser functions (OAuth, copy-paste, extensions).
- Obfuscation Techniques: Dynamic code, CAPTCHA bypasses, and SaaS hosting evade traditional defenses.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were:
- Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats.
- Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions.
- Enforce Extension Policies: Whitelist approved extensions and block side-loading.
- Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse.
- Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.

CVE

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking whether a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or as fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=snowflake-computing' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

- Incident
- Finding
- Grade
- Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.