Company Details
snowflake-computing
10,269
1,170,239
5112
snowflake.com
70
SNO_3051677
Completed

Snowflake Company CyberSecurity Posture
snowflake.com
**Snowflake is proud to be the Official Data Collaboration Provider for LA28 and Team USA.** Snowflake delivers the AI Data Cloud — a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the AI Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single and seamless experience across multiple public clouds. Snowflake’s platform is the engine that powers and provides access to the AI Data Cloud, creating a solution for data warehousing, data lakes, data engineering, data science, data application development, and data sharing. Join Snowflake customers, partners, and data providers already taking their businesses to new frontiers in the AI Data Cloud.
Snowflake Global Score (TPRM): Between 750 and 799

Description: For much of the summer, Snowflake, a cloud data storage provider, was targeted by a series of data breaches affecting over 165 customers, exposing hundreds of millions of records. These customers included large corporations such as AT&T, Santander, and Live Nation Entertainment. Despite the breach's extensive reach, Snowflake has since implemented mandatory multifactor authentication. The disruptions caused by these incidents highlight the importance of robust cybersecurity practices.
Description: Snowflake faced a supply chain breach involving theft of customer credentials by ShinyHunters via a third-party contractor's employee. Affected clients like Ticketmaster and Santander lacked multifactor authentication, compromising over 160 companies' data.
Description: Snowflake, a cloud-based data warehousing company, suffered a series of breaches in 2023 due to **browser-based credential phishing attacks** targeting its customers. Attackers exploited **Adversary-in-The-Middle (AiTM) phishing kits** to bypass multi-factor authentication (MFA) and harvest login credentials from employees of Snowflake’s client organizations. The stolen credentials were then used to access Snowflake customer accounts, exfiltrate sensitive data, and demand ransom payments under threat of public exposure. The breach impacted multiple high-profile Snowflake customers, including **ticketing platforms, financial institutions, and telecom companies**, leading to the theft of **millions of customer records**—such as personal identifiable information (PII), financial data, and proprietary business intelligence. While Snowflake’s core infrastructure remained uncompromised, the attack exposed critical gaps in **third-party identity security**, particularly around **session hijacking via stolen cookies** and **unmonitored OAuth integrations**. The incident underscored the rising threat of **browser-based attacks** as a primary vector for large-scale data exfiltration, with attackers leveraging **obfuscated phishing pages, malicious extensions, and social engineering** to bypass traditional email security controls. The financial and reputational fallout included **regulatory scrutiny, customer churn, and costly incident response efforts**, as affected organizations scrambled to contain the damage, rotate credentials, and implement stricter browser security measures. The breach also highlighted the broader industry challenge of securing **decentralized SaaS ecosystems**, where legacy authentication gaps and user behavior remain prime targets for cybercriminals.


No incidents recorded for Snowflake in 2025.
Snowflake cyber incidents detection timeline including parent company and subsidiaries

LendingTree LLC can't avoid a proposed class lawsuit over its customers' data being compromised in the Snowflake cybersecurity incident,...
Social News: Snowflake's Chief Revenue Officer inadvertently shared unauthorized financial projections on Instagram, prompting an SEC filing...
A federal judge in Montana has allowed consumers to move forward with lawsuits alleging that cybersecurity failures enabled a massive data...
Explore Snowflake's latest security innovations, including MFA, malicious IP protection and private connectivity, designed to build a...
Securonix, Inc., a five-time Leader in the Gartner® Magic Quadrant™ for SIEM, and leader in autonomous security operations, announced it has...
Siemens is collaborating with Snowflake, an AI data cloud company, to help manufacturers unlock new levels of operational efficiency, scale,...
Snowflake's Protected B assessment enables these organizations to protect sensitive data and collaborate securely while maintaining robust...
Snowflake Completes Canadian Centre for Cyber Security Protected B Assessment, Empowering Canada's Public Sector to Securely Mobilize Data...

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Snowflake is http://www.snowflake.com.
According to Rankiteo, Snowflake’s AI-generated cybersecurity score is 758, reflecting their Fair security posture.
According to Rankiteo, Snowflake currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Snowflake is not certified under SOC 2 Type 1.
According to Rankiteo, Snowflake does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Snowflake is not listed as GDPR compliant.
According to Rankiteo, Snowflake does not currently maintain PCI DSS compliance.
According to Rankiteo, Snowflake is not compliant with HIPAA regulations.
According to Rankiteo, Snowflake is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Snowflake operates primarily in the Software Development industry.
Snowflake employs approximately 10,269 people worldwide.
Snowflake presently has no subsidiaries across any sectors.
Snowflake’s official LinkedIn profile has approximately 1,170,239 followers.
Snowflake is classified under the NAICS code 5112, which corresponds to Software Publishers.
No, Snowflake does not have a profile on Crunchbase.
Yes, Snowflake maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/snowflake-computing.
As of December 11, 2025, Rankiteo reports that Snowflake has experienced 3 cybersecurity incidents.
Snowflake has an estimated 27,532 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.
Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures (mandatory multifactor authentication), third-party assistance from Push Security (browser security platform), containment measures (browser-based detection/response via Push Security, OAuth app permission audits for Salesforce, extension blacklisting/removal, and MFA enforcement to eliminate ghost logins), further remediation measures (SSO/MFA coverage expansion, browser extension whitelisting, user training on phishing and ClickFix awareness, and endpoint monitoring for malicious file downloads), and enhanced monitoring through browser-level activity logging (Push Security).
Title: Supply Chain Breach at Snowflake
Description: Snowflake faced a supply chain breach involving theft of customer credentials by ShinyHunters via a third-party contractor's employee. Affected clients like Ticketmaster and Santander lacked multifactor authentication, compromising over 160 companies' data.
Type: Supply Chain Breach
Attack Vector: Third-party contractor's employee
Vulnerability Exploited: Lack of multifactor authentication
Threat Actor: ShinyHunters
Motivation: Theft of customer credentials
Title: Snowflake Data Breach
Description: Snowflake, a cloud data storage provider, was targeted by a series of data breaches affecting over 165 customers, exposing hundreds of millions of records. These customers included large corporations such as AT&T, Santander, and Live Nation Entertainment. Despite the breach's extensive reach, Snowflake has since implemented mandatory multifactor authentication. The disruptions caused by these incidents highlight the importance of robust cybersecurity practices.
Type: Data Breach
Title: Rise of Browser-Based Attacks: Phishing, ClickFix, OAuth Abuse, and Malicious Extensions
Description: Attacks targeting users via web browsers have surged in recent years, leveraging techniques like AITM (Adversary-in-The-Middle) phishing, ClickFix (malicious copy-paste), consent phishing (malicious OAuth integrations), malicious browser extensions, and malicious file delivery. These attacks exploit decentralized work environments, third-party SaaS services (e.g., Snowflake, Salesforce), and gaps in MFA to compromise business apps and data. Attackers use multi-channel delivery (email, SMS, social media, ads) and obfuscation techniques (dynamic code obfuscation, CAPTCHA bypasses, legitimate SaaS hosting) to evade detection. The browser has become the primary attack surface due to its role as the gateway to cloud/SaaS apps, yet it remains a blind spot for most security teams.
Type: Browser-Based Attack
Attack Vector: Multi-Channel Phishing (Email, SMS, Instant Messaging, Social Media, Malvertising); Malicious Links (Obfuscated, Hosted on Legitimate SaaS/Cloud Services); Fake CAPTCHA/Cloudflare Turnstile Lures (ClickFix); OAuth App Authorization Tricks (Device Code Flow, Salesforce Exploit); Malicious Browser Extensions (Takeover or New Installations); Malicious File Downloads (HTA, SVG, Executables); Stolen Credentials (From Phishing/Infostealers); MFA Gaps (Ghost Logins, SSO Misconfigurations)
Vulnerability Exploited: Lack of Browser-Specific Security Controls; Insufficient MFA Enforcement (Ghost Logins, SSO Gaps); Unmanaged OAuth App Permissions (Salesforce, Other SaaS); Unvetted Browser Extensions (Cyberhaven Hack, 35+ Extensions in 2024); User Trust in Browser Prompts (Copy-Paste Commands, Fake Error Messages); Decentralized App Ecosystem (Shadow IT, Unmanaged SaaS); Legacy Authentication Methods (Password-Only Logins)
Motivation: Data Theft (Extortion, Dark Web Sales); Financial Gain (Ransomware, Fraud); Account Takeover (Business Email Compromise, SaaS Abuse); Espionage (Corporate/Competitive Intelligence)
Common Attack Types: The most common type of attack the company has faced is Breach.
Identification of Attack Vectors: The company identifies the attack vectors used in incidents as: Third-party contractor's employee; Phishing Links (Email, SMS, Social Media and Ads); Malicious OAuth Apps (Device Code Flow); Compromised Browser Extensions; Fake CAPTCHA/Error Pages (ClickFix); Malvertising (Drive-by Downloads).

Data Compromised: Customer credentials

Data Compromised: Hundreds of millions of records

Data Compromised: Credentials (usernames, passwords, session tokens), Business app data (Snowflake, Salesforce, Jira), PII (from infostealers, browser cache), OAuth tokens (high-risk permissions)
Systems Affected: Web Browsers (Chrome, Edge, Firefox, Safari); SaaS/Cloud Apps (Salesforce, Snowflake, Jira, Others); Endpoints (Windows, macOS via Terminal Commands); Identity Providers (SSO, MFA Bypass)
Operational Impact: Disruption of Business Workflows (SaaS Access Loss); Incident Response Overhead (Detection, Containment); Reputation Damage (Customer/Partner Trust Erosion)
Brand Reputation Impact: High (Associated with Major Breaches Like Snowflake, Salesforce)
Identity Theft Risk: High (Stolen Credentials, PII from Infostealers)
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Customer credentials; Credentials (Snowflake, Salesforce, Jira); Session Tokens (Stolen via Infostealers); OAuth Tokens (High-Risk Permissions); and PII (From Browser Caches, Extensions).

Entity Name: Snowflake
Entity Type: Corporation
Industry: Technology
Customers Affected: Over 160 companies

Entity Name: Ticketmaster
Entity Type: Corporation
Industry: Entertainment

Entity Name: Santander
Entity Type: Corporation
Industry: Financial Services

Entity Name: Snowflake
Entity Type: Cloud Data Storage Provider
Industry: Technology
Size: Large
Customers Affected: 165

Entity Name: AT&T
Entity Type: Telecommunications
Industry: Telecommunications
Size: Large

Entity Name: Santander
Entity Type: Banking
Industry: Finance
Size: Large

Entity Name: Live Nation Entertainment
Entity Type: Entertainment
Industry: Entertainment
Size: Large

Entity Name: Snowflake Customers
Entity Type: Enterprise
Industry: Data Cloud/Analytics
Location: Global

Entity Name: Salesforce Customers
Entity Type: Enterprise
Industry: CRM/Cloud Services
Location: Global

Entity Name: Jira Users (2024 Attacks)
Entity Type: Enterprise
Industry: Software Development/Project Management
Location: Global

Entity Name: Cyberhaven Extension Users (2024 Hack)
Entity Type: Enterprise/Individual
Industry: Cybersecurity
Location: Global

Entity Name: Organizations Using Unmanaged Browser Extensions
Entity Type: Enterprise/SMB
Industry: Cross-Industry
Location: Global
Customers Affected: Millions (Across 100s of Malicious Extensions)

Remediation Measures: mandatory multifactor authentication

Third Party Assistance: Push Security (Browser Security Platform).
Containment Measures: Browser-Based Detection/Response (Push Security); OAuth App Permission Audits (Salesforce); Extension Blacklisting/Removal; MFA Enforcement (Eliminating Ghost Logins)
Remediation Measures: SSO/MFA Coverage Expansion; Browser Extension Whitelisting; User Training (Phishing, ClickFix Awareness); Endpoint Monitoring (Malicious File Downloads)
Enhanced Monitoring: Browser-Level Activity Logging (Push Security)
Third-Party Assistance: The company involves third-party assistance in incident response through Push Security (Browser Security Platform).

Type of Data Compromised: Customer credentials
Sensitivity of Data: High

Number of Records Exposed: hundreds of millions

Type of Data Compromised: Credentials (Snowflake, Salesforce, Jira), Session tokens (stolen via infostealers), OAuth tokens (high-risk permissions), PII (from browser caches, extensions)
Sensitivity of Data: High (Business-Critical SaaS Data, PII)
Data Exfiltration: Yes (Extortion, Dark Web Sales)
File Types Exposed: HTA, SVG, Executables (Malicious Files)
Personally Identifiable Information: Yes (Via Infostealers, Browser Extensions)
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: mandatory multifactor authentication, SSO/MFA coverage expansion, browser extension whitelisting, user training (phishing, ClickFix awareness), and endpoint monitoring (malicious file downloads).
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through browser-based detection/response (Push Security), OAuth app permission audits (Salesforce), extension blacklisting/removal, and MFA enforcement (eliminating ghost logins).

Lessons Learned: Browsers Are the New Attack Surface: Traditional email/endpoint security is insufficient for modern, decentralized work environments. Multi-Channel Threats Require Unified Visibility: Attacks span email, SMS, social media, and in-app messages, necessitating cross-channel detection. OAuth Abuse is a Blind Spot: Malicious app integrations bypass MFA and traditional authentication controls (e.g., Salesforce device code flow). Extensions Pose Significant Risk: Unvetted extensions can silently exfiltrate credentials and session data (e.g., Cyberhaven hack). MFA Gaps Persist: Ghost logins and unmanaged SaaS apps create backdoors for credential stuffing. Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.

Recommendations: Category: Vendor Collaboration. Actions: Pressure SaaS Providers to: improve OAuth security (e.g., Salesforce’s planned updates); offer granular permission controls for integrations; provide APIs for customer-side monitoring (e.g., login events). Participate in Extension Vetting: report malicious extensions to Chrome/Firefox web stores.
Key Lessons Learned: The key lessons learned from past incidents are: Browsers Are the New Attack Surface: Traditional email/endpoint security is insufficient for modern, decentralized work environments. Multi-Channel Threats Require Unified Visibility: Attacks span email, SMS, social media, and in-app messages, necessitating cross-channel detection. OAuth Abuse is a Blind Spot: Malicious app integrations bypass MFA and traditional authentication controls (e.g., Salesforce device code flow). Extensions Pose Significant Risk: Unvetted extensions can silently exfiltrate credentials and session data (e.g., Cyberhaven hack). MFA Gaps Persist: Ghost logins and unmanaged SaaS apps create backdoors for credential stuffing. Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.
Implemented Recommendations: The company has implemented recommendations in the following categories to improve cybersecurity: User Awareness, Endpoint & Network, Identity Hardening, Vendor Collaboration, and Detection & Prevention.

Source: Push Security - Browser-Based Attack Overview

Source: Snowflake Customer Breaches (2023)

Source: Salesforce OAuth Attacks (2024)

Source: Cyberhaven Extension Hack (December 2024)

Source: Jira Credential Stuffing Attacks (2024)
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Push Security - Browser-Based Attack Overview (https://www.pushsecurity.com/product-overview); Snowflake Customer Breaches (2023); Salesforce OAuth Attacks (2024); Cyberhaven Extension Hack (December 2024); and Jira Credential Stuffing Attacks (2024).

Investigation Status: Ongoing (Salesforce, Other SaaS Attacks)

Customer Advisories: Users of Snowflake, Salesforce, Jira, and other SaaS platforms should:
- Reset passwords and revoke OAuth app permissions.
- Enable MFA (preferably phishing-resistant).
- Audit browser extensions and remove unrecognized ones.
- Monitor for unusual login activity (e.g., via SSO logs).
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: users of Snowflake, Salesforce, Jira, and other SaaS platforms should reset passwords and revoke OAuth app permissions; enable MFA (preferably phishing-resistant); audit browser extensions and remove unrecognized ones; and monitor for unusual login activity (e.g., via SSO logs).

Entry Point: Third-party contractor's employee

Entry Point: Phishing Links (Email, SMS, Social Media, Ads), Malicious OAuth Apps (Device Code Flow), Compromised Browser Extensions, Fake CAPTCHA/Error Pages (ClickFix), Malvertising (Drive-By Downloads)
Backdoors Established: Stolen Session Cookies (Infostealers), OAuth Tokens (Persistent Access), Browser Extensions (Continuous Data Exfiltration)
High Value Targets: SaaS Admins (Snowflake, Salesforce), Finance/HR Teams (Access to Sensitive Data), Developers (Jira, GitHub, CI/CD Tools)
Data Sold on Dark Web: SaaS Admins (Snowflake, Salesforce), Finance/HR Teams (Access to Sensitive Data), Developers (Jira, GitHub, CI/CD Tools)

Root Causes: Lack of multifactor authentication

Root Causes: Over-Reliance on Perimeter Security: Email/network controls fail to stop browser-based attacks. Lack of Browser Visibility: Security teams cannot detect in-browser threats (phishing, ClickFix, extensions). Decentralized Identity Management: Unmanaged SaaS apps and ghost logins create MFA gaps. User Trust Exploitation: Attackers abuse legitimate browser functions (OAuth, copy-paste, extensions). Obfuscation Techniques: Dynamic code, CAPTCHA bypasses, and SaaS hosting evade traditional defenses.
Corrective Actions: Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats. Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions. Enforce Extension Policies: Whitelist approved extensions and block side-loading. Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse. Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Push Security (Browser Security Platform) and Browser-Level Activity Logging (Push Security).
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats. Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions. Enforce Extension Policies: Whitelist approved extensions and block side-loading. Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse. Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.
Last Attacking Group: The attacking group in the last incident was ShinyHunters.
Most Significant Data Compromised: The most significant data compromised in an incident were Customer credentials; hundreds of millions of records; Credentials (Usernames, Passwords, Session Tokens); Business App Data (Snowflake, Salesforce, Jira); PII (From Infostealers, Browser Cache); and OAuth Tokens (High-Risk Permissions).
Most Significant System Affected: The most significant systems affected in an incident were Web Browsers (Chrome, Edge, Firefox, Safari); SaaS/Cloud Apps (Salesforce, Snowflake, Jira, Others); Endpoints (Windows, macOS via Terminal Commands); and Identity Providers (SSO, MFA Bypass).
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Push Security (Browser Security Platform).
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Browser-Based Detection/Response (Push Security); OAuth App Permission Audits (Salesforce); Extension Blacklisting/Removal; and MFA Enforcement (Eliminating Ghost Logins).
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were OAuth Tokens (High-Risk Permissions), Credentials (Usernames, Passwords, Session Tokens), PII (From Infostealers, Browser Cache), hundreds of millions of records, Business App Data (Snowflake, Salesforce, Jira) and Customer credentials.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 0.
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Browser-Native Defenses Are Critical: Real-time monitoring of browser activity (logins, downloads, extensions) is essential for early detection.
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity fall under the categories User Awareness, Endpoint & Network, Identity Hardening, Vendor Collaboration, and Detection & Prevention.
Most Recent Source: The most recent sources of information about an incident are Push Security - Browser-Based Attack Overview, Jira Credential Stuffing Attacks (2024), Cyberhaven Extension Hack (December 2024), Salesforce OAuth Attacks (2024) and Snowflake Customer Breaches (2023).
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.pushsecurity.com/product-overview.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Salesforce, Other SaaS Attacks).
Most Recent Customer Advisory: The most recent customer advisory issued was that users of Snowflake, Salesforce, Jira, and other SaaS platforms should reset passwords and revoke OAuth app permissions; enable MFA (preferably phishing-resistant); audit browser extensions and remove unrecognized ones; and monitor for unusual login activity (e.g., via SSO logs).
Most Recent Entry Point: The most recent entry point used by an initial access broker was a third-party contractor's employee.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Lack of multifactor authentication; Over-Reliance on Perimeter Security: Email/network controls fail to stop browser-based attacks; Lack of Browser Visibility: Security teams cannot detect in-browser threats (phishing, ClickFix, extensions); Decentralized Identity Management: Unmanaged SaaS apps and ghost logins create MFA gaps; User Trust Exploitation: Attackers abuse legitimate browser functions (OAuth, copy-paste, extensions); and Obfuscation Techniques: Dynamic code, CAPTCHA bypasses, and SaaS hosting evade traditional defenses.
Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were Adopt Browser-Centric Security: Tools like Push Security to detect/block in-browser threats; Implement Zero Trust for SaaS: Continuous authentication and least-privilege OAuth permissions; Enforce Extension Policies: Whitelist approved extensions and block side-loading; Monitor for Anomalous Logins: Use browser/SSO logs to detect ghost logins and credential abuse; and Collaborate with SaaS Providers: Advocate for better OAuth controls and customer-side monitoring APIs.