SaaS Wake-Up Call: Why Every Organization Should Care About the Snowflake Data Breach

In June 2024, headlines broke about widespread SaaS breaches affecting dozens of enterprises—with Snowflake at the center of the storm. Attackers exploited gaps in customer SaaS security, often targeting environments where Multi-Factor Authentication (MFA) and Single Sign-On (SSO) were not enforced. As Snowflake noted, these breaches resulted not from vulnerabilities in the Snowflake platform itself, but from customer-side misconfigurations and weak access controls—proving once again that the security of your SaaS environment is a shared responsibility.

The Snowflake breach is only the latest reminder that SaaS apps are prime targets. Attackers move fast to exploit any misconfiguration, unused account, or over-permissive access. Proactive SaaS security posture management is no longer a nice-to-have—it’s a must.

Understanding the Snowflake data breach: What happened?

Attack Vector 1: Stolen credentials, SSO/MFA not enforced

  • Threat actors obtained credentials (passwords, tokens, session cookies) belonging to a Snowflake employee, then used them on login paths where SSO and MFA were not enforced, so there was no second factor to defeat.
  • They logged in to the company’s ServiceNow environment directly, taking advantage of a configuration that accepted local credentials instead of requiring SSO.
  • Once inside, the attackers generated new session tokens and exfiltrated customer data and support case information.
  • Key issue: ServiceNow SSO was not set to “mandatory,” leaving a “side door” open for direct logins with local credentials.
Snowflake Breach - First Attack Vector: Leveraged Stolen Credentials, MFA/SSO Not Enabled

Attack Vector 2: Credential stuffing against lax accounts

  • A second threat group used credential stuffing tools to find Snowflake environments with demo or orphaned accounts on which SSO and MFA were not enforced.
  • Many of these accounts, belonging to former employees or demo users, remained active and unmonitored despite having no business need.
  • The attempts targeted single-factor logins, and the access they produced fed ongoing data theft and extortion campaigns.
Snowflake Breach - Second Attack Vector: Credential Stuffing Attack Due to Lax Session Expiration Policies, MFA/SSO Not Enabled

Proactive SaaS security: Step-by-step guidance

Enforce SSO and MFA everywhere, and make sure they can’t be bypassed

SSO lets users authenticate with one set of credentials managed by a centralized identity provider (IdP), so password policy and multi-factor authentication are enforced in one place and phishing exposure shrinks. However, SaaS apps such as ServiceNow and Snowflake also keep a local authentication path (ServiceNow’s “side door” login page, Snowflake’s native username and password) that never touches the IdP. Unless that path is disabled or restricted, anyone holding a user’s local credentials can log in around SSO.

In other words, enabling SSO is not the same as enforcing it. If the local path stays open, SSO only protects the users who happen to use it, and a set of stolen local credentials is all an attacker needs.
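To make the point concrete, here is the equivalent check and fix in Snowflake SQL. This is an added example, not code from the original post or from AppOmni; it assumes the SNOWFLAKE.ACCOUNT_USAGE share is readable and the authentication-policy DDL Snowflake documents, and the policy and user names (humans_sso_only, service_keypair_only, break_glass_password_mfa, break_glass_admin, etl_loader) are placeholders chosen for the example.

```sql
-- Added example, not code from the original post or from AppOmni.
-- Snowflake SQL, run as SECURITYADMIN/ACCOUNTADMIN. Policy and user names
-- (humans_sso_only, service_keypair_only, break_glass_admin, etl_loader)
-- are placeholders.

-- 1. Inventory the local-password "side door": active users who can still
--    log in with a Snowflake password and have no MFA (Duo) enrolled on it.
SELECT name,
       login_name,
       has_password,
       ext_authn_duo AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login NULLS FIRST;

-- 2. The weak posture is "SAML configured, no authentication policy": SSO is
--    available but optional, so a stolen password still works. The fix is a
--    policy that drops PASSWORD from the allowed methods for people.
CREATE AUTHENTICATION POLICY IF NOT EXISTS humans_sso_only
  AUTHENTICATION_METHODS = ('SAML')            -- IdP only; MFA is enforced there
  CLIENT_TYPES           = ('SNOWFLAKE_UI', 'DRIVERS')
  COMMENT = 'Interactive users authenticate through the IdP only';

-- Service accounts that cannot do SAML get key pairs, never passwords.
CREATE AUTHENTICATION POLICY IF NOT EXISTS service_keypair_only
  AUTHENTICATION_METHODS = ('KEYPAIR')
  CLIENT_TYPES           = ('DRIVERS');

-- One break-glass admin keeps a password, but only with MFA, so an IdP
-- outage cannot lock the account out.
CREATE AUTHENTICATION POLICY IF NOT EXISTS break_glass_password_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI');

-- 3. Apply account-wide first, then the explicit, narrower exceptions
--    (a user-level policy takes precedence over the account-level one).
ALTER ACCOUNT SET AUTHENTICATION POLICY humans_sso_only;
ALTER USER etl_loader        SET AUTHENTICATION POLICY service_keypair_only;
ALTER USER break_glass_admin SET AUTHENTICATION POLICY break_glass_password_mfa;

-- 4. Verify, then re-run the query in step 1: anyone still listed either
--    needs a documented exception or should have the local password retired.
SHOW AUTHENTICATION POLICIES IN ACCOUNT;
```

The order matters: run the inventory query first and fix the break-glass and service identities before the account-wide ALTER, otherwise the policy cuts off whatever still depends on passwords. The inventory only sees Duo-based MFA (ext_authn_duo); MFA performed at the IdP is invisible to Snowflake, which is exactly why the SAML-only policy is the stronger control.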

A solution like AppOmni helps by providing continuous monitoring to identify and flag potential misconfigurations and hidden vulnerabilities, ensuring that security measures like SSO and MFA are correctly configured and enforced. This proactive monitoring prevents unauthorized access and secures your SaaS environment from threats.

Ensure IP restrictions are enabled and not overly permissive

Snowflake published investigative and hardening guidance that lists suspicious IP addresses and the characteristics (client application identifiers) of the malicious tooling seen in the attacks. AppOmni’s Threat Detection covers these with the rule “Indicator of Compromise (IoC) Detected from Snowflake Breach.”

In general, restricting the IP address ranges that may reach an instance is a key control at the network layer. Overly permissive ranges, or no restriction at all, let anyone on the internet present stolen credentials, which raises the likelihood of unauthorized access.

It’s best practice to restrict IP ranges as tightly as possible, locking down access to your Snowflake and ServiceNow instances to known corporate egress, VPN and automation addresses, without hindering legitimate user access.

AppOmni automatically detects and alerts on overly permissive ServiceNow IP ranges.
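For Snowflake, the same control is a network policy. The following is an added example, not code from the original post or from AppOmni: the CIDRs, the blocked address and the policy and user names (too_open, corp_only, etl_runner_only, etl_loader) are placeholders, and the blocked entry is a constructed stand-in for the IoC addresses in Snowflake’s guidance, not a value from that list.

```sql
-- Added example, not code from the original post or from AppOmni.
-- All addresses and names are placeholders.

-- Overly permissive: this policy allows the whole internet and is
-- equivalent to having none at all.
CREATE NETWORK POLICY IF NOT EXISTS too_open
  ALLOWED_IP_LIST = ('0.0.0.0/0');

-- Tightened: corporate egress, the VPN concentrator and the CI runners only.
-- BLOCKED_IP_LIST is where the IoC addresses from Snowflake's guidance go;
-- the value below is a constructed placeholder, not the published list.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24',       -- office egress (placeholder)
                     '198.51.100.10/32',     -- VPN concentrator (placeholder)
                     '192.0.2.0/28')         -- CI runners (placeholder)
  BLOCKED_IP_LIST = ('192.0.2.200/32')       -- example IoC entry (placeholder)
  COMMENT = 'Allowlist trusted egress; block published IoCs';

-- Before enforcing: which successful logins in the last 7 days came from
-- outside the allowlist? Those are the users you will cut off, so review
-- them now, not after the helpdesk calls. (LIKE-based check; adjust to the
-- real CIDRs in use.)
SELECT user_name, client_ip, COUNT(*) AS logins
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  client_ip NOT LIKE '203.0.113.%'
  AND  client_ip <> '198.51.100.10'
  AND  client_ip NOT LIKE '192.0.2.%'
GROUP  BY 1, 2
ORDER  BY logins DESC;

-- Also confirm the session you are in would survive the change.
SELECT CURRENT_IP_ADDRESS();

-- Enforce account-wide ...
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- ... and give an automation identity that runs elsewhere its own narrow
-- policy instead of widening the account policy to accommodate it.
CREATE OR REPLACE NETWORK POLICY etl_runner_only
  ALLOWED_IP_LIST = ('198.51.100.50/32');    -- placeholder
ALTER USER etl_loader SET NETWORK_POLICY = etl_runner_only;

-- Verify what is actually active, not what you think you configured.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY corp_only;
```

A user-level policy overrides the account-level one for that user, which is the right place for exceptions: the account policy stays tight and every exception is visible in SHOW NETWORK POLICIES. A blocked list on its own is only a stopgap, since the attacker simply moves to a new exit node; the allowlist is what actually closes the door.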

Avoid uploading sensitive data to unsecured demo or sandbox accounts

Demo, test, and legacy accounts are often overlooked—but frequently targeted by attackers. Never store production data in these environments, and review them regularly for risky data uploads or misconfigurations.

Monitor threat detection alerts in real-time

SaaS apps each speak their own log language, making it hard to see threats across your environment. Centralize and normalize alerts to avoid alert fatigue and ensure no threat is missed.

Each SaaS application produces audit logs in its own format, continuously ships new functionality, and carries unique business risks based on the data it stores and how it is implemented. As a result, many SOC teams lack visibility into SaaS activity across all platforms, spend countless hours on data engineering, do not have sufficient knowledge of the unique risks of each SaaS platform, or drown in noise from generic detections that leads to alert fatigue.

An AppOmni detection rule like “Impossible Time Travel” (two logins for the same user from places that could not be reached in the elapsed time) can alert you to stolen credentials being used against your SaaS tenants. Attackers increasingly route through exit nodes close to the victim’s usual region to evade this check, so treat it as one signal rather than a gate and keep monitoring it regardless. Other detections, such as Mass Download, Password Resets and Privilege Escalation occurring for the same user in a short window, are also indications of attacker behavior. AppOmni also ships threat detection rules and alerts for the Snowflake IoCs published for this attack.
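The detections discussed above (single-factor logins, credential stuffing, impossible travel, IoC matches and mass download), written as queries over Snowflake’s own audit views. This is an added example, not code from the original post or from AppOmni: the thresholds, the client identifier pattern and the IoC address are placeholders, and the IoC values are constructed stand-ins, not entries from Snowflake’s published list.

```sql
-- Added example, not code from the original post or from AppOmni.
-- Queries over SNOWFLAKE.ACCOUNT_USAGE; thresholds and IoC values are
-- placeholders.

-- A. Successful single-factor password logins in the last 24h: exactly the
--    traffic credential stuffing produces when it works.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(hour, -24, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- B. Stuffing signature: one IP fails against many distinct users, then
--    succeeds as any of them.
WITH fails AS (
  SELECT client_ip,
         COUNT(*)                  AS failures,
         COUNT(DISTINCT user_name) AS users_tried
  FROM   snowflake.account_usage.login_history
  WHERE  event_timestamp > DATEADD(hour, -24, CURRENT_TIMESTAMP())
    AND  is_success = 'NO'
  GROUP  BY client_ip
  HAVING failures >= 50 AND users_tried >= 10        -- placeholder thresholds
)
SELECT f.client_ip, f.failures, f.users_tried, l.user_name, l.event_timestamp
FROM   fails f
JOIN   snowflake.account_usage.login_history l
  ON   l.client_ip = f.client_ip AND l.is_success = 'YES'
WHERE  l.event_timestamp > DATEADD(hour, -24, CURRENT_TIMESTAMP());

-- C. Impossible-travel proxy without a GeoIP table: the same user succeeding
--    from two different IPs less than 30 minutes apart. Enrich with GeoIP in
--    the SIEM for the real distance/velocity check.
WITH logins AS (
  SELECT user_name, event_timestamp, client_ip,
         LAG(client_ip)       OVER (PARTITION BY user_name ORDER BY event_timestamp) AS prev_ip,
         LAG(event_timestamp) OVER (PARTITION BY user_name ORDER BY event_timestamp) AS prev_ts
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp > DATEADD(day, -1, CURRENT_TIMESTAMP())
)
SELECT user_name, prev_ts, prev_ip, event_timestamp, client_ip,
       DATEDIFF(minute, prev_ts, event_timestamp) AS minutes_apart
FROM   logins
WHERE  prev_ip IS NOT NULL
  AND  client_ip <> prev_ip
  AND  DATEDIFF(minute, prev_ts, event_timestamp) < 30;  -- placeholder window

-- D. Known-bad tooling and addresses: match the client application
--    identifier recorded in SESSIONS and the source IP of its login event.
--    Both literals are placeholders; substitute the published IoCs.
SELECT s.created_on, s.user_name, s.client_application_id, l.client_ip
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l ON l.event_id = s.login_event_id
WHERE  s.created_on > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  (s.client_application_id ILIKE 'suspicious-tool%'   -- placeholder
        OR l.client_ip IN ('192.0.2.200'));                -- placeholder IoC IP

-- E. Mass download: a user whose queries returned far more rows in one hour
--    than their own 30-day hourly baseline.
WITH hourly AS (
  SELECT user_name, DATE_TRUNC('HOUR', start_time) AS hr, SUM(rows_produced) AS rows_out
  FROM   snowflake.account_usage.query_history
  WHERE  start_time > DATEADD(day, -30, CURRENT_TIMESTAMP())
  GROUP  BY 1, 2
),
baseline AS (
  SELECT user_name, AVG(rows_out) AS avg_rows, STDDEV(rows_out) AS sd_rows
  FROM   hourly GROUP BY user_name
)
SELECT h.user_name, h.hr, h.rows_out, b.avg_rows
FROM   hourly h JOIN baseline b USING (user_name)
WHERE  h.hr > DATEADD(hour, -24, CURRENT_TIMESTAMP())
  AND  h.rows_out > b.avg_rows + 5 * COALESCE(b.sd_rows, 0)
  AND  h.rows_out > 1000000;                               -- placeholder floor
```

ACCOUNT_USAGE views lag by up to a couple of hours, so for near-real-time alerting schedule these against the lower-latency INFORMATION_SCHEMA table functions (for example LOGIN_HISTORY) or ship the raw views to the SIEM and run the same logic there. Query A is the one to watch while the authentication policy is being rolled out: once passwords are gone for interactive users, every hit is either a missed exception or an intrusion.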

Disable accounts that are no longer active

Inactive or orphaned accounts are low-hanging fruit for attackers. Regularly review and disable unused accounts, especially those with elevated privileges.

AppOmni provides comprehensive visibility into user identities and activities across all monitored services, enabling customers to identify inactive accounts, including those with elevated permissions, and promptly disable them to minimize security risks and protect sensitive data.
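The review described here, and the demo and sandbox account check from the earlier section, as a single Snowflake query. This is an added example, not code from the original post or from AppOmni; the 90-day threshold, the list of roles treated as elevated, the name pattern for demo accounts and the user name former_employee are placeholders.

```sql
-- Added example, not code from the original post or from AppOmni.
-- Thresholds, role list, name pattern and user names are placeholders.

-- Active users with no successful login in 90 days (or never, measured from
-- creation), plus any account that looks like a demo/test identity, with the
-- elevated roles they still hold so those get handled first.
WITH elevated AS (
  SELECT DISTINCT grantee_name AS user_name, role
  FROM   snowflake.account_usage.grants_to_users
  WHERE  deleted_on IS NULL
    AND  role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')  -- extend as needed
)
SELECT u.name,
       u.login_name,
       u.created_on,
       u.last_success_login,
       u.has_password,
       u.ext_authn_duo AS mfa_enrolled,
       LISTAGG(e.role, ',') WITHIN GROUP (ORDER BY e.role) AS elevated_roles
FROM   snowflake.account_usage.users u
LEFT   JOIN elevated e ON e.user_name = u.name
WHERE  u.deleted_on IS NULL
  AND  u.disabled = FALSE
  AND  (   COALESCE(u.last_success_login, u.created_on)
             < DATEADD(day, -90, CURRENT_TIMESTAMP())
        OR u.name ILIKE ANY ('DEMO%', 'TEST%', 'SANDBOX%'))    -- placeholder pattern
GROUP  BY 1, 2, 3, 4, 5, 6
ORDER  BY elevated_roles NULLS LAST, u.last_success_login NULLS FIRST;

-- Disable rather than drop: it blocks new logins, keeps object ownership and
-- the audit trail intact, and is reversible if the account turns out to be
-- needed. Then stop anything still running under it and retire its key pair.
ALTER USER former_employee SET DISABLED = TRUE;
ALTER USER former_employee ABORT ALL QUERIES;
ALTER USER former_employee UNSET RSA_PUBLIC_KEY;

-- Confirm nothing new has logged in as the account since it was disabled.
SELECT event_timestamp, client_ip, is_success
FROM   snowflake.account_usage.login_history
WHERE  user_name = 'FORMER_EMPLOYEE'
ORDER  BY event_timestamp DESC
LIMIT  5;
```

Run the query on a schedule and diff the results against the previous run; the interesting rows are the ones that appear with an elevated role, and the ones whose last_success_login is NULL, since an account that has never been used is pure attack surface.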

Bring Zero Trust to SaaS with continuous controls

The lesson from the Snowflake breach is simple: It’s not enough to secure “access to” SaaS—security teams need visibility and control over what’s happening inside their SaaS apps. Attackers will always find the path of least resistance, whether it’s a forgotten test account, optional SSO, or a misconfigured permission.

AppOmni’s platform combines SaaS Security Posture Management (SSPM), Identity Threat Detection and Response (ITDR), and Zero Trust Posture Management (ZTPM) to give you the proactive, automated coverage you need to prevent breaches, simplify operations, and prove compliance.

Ready to secure your SaaS environment? The AppOmni team is ready to help. Request a complimentary SaaS risk assessment or custom demo.

Additional commentary on the Snowflake data breach

CPO Magazine
Brian Soby, CTO and co-founder at AppOmni, sees the data breach and associated attacks as yet another incident that makes the case for zero trust architecture.

InformationWeek
Brian Soby, CTO and co-founder of SaaS security firm AppOmni, says the source of the breach likely extends beyond the single instance of the former Snowflake employee’s credentials being used.

CSO Online
“The incident playing out at Snowflake is due to the same issue we’re seeing across the market: companies are not incorporating the security of their SaaS applications into their security architectures,” said Brian Soby, chief technology officer and co-founder at AppOmni.

ChannelFutures
“… an attacker simply bought stolen credentials and used them to log in directly to Snowflake’s ServiceNow instance, as it was misconfigured to allow Single Sign On (SSO) to be optional instead of mandatory,” said Brian Soby, chief technology officer and co-founder at AppOmni.
