In recent conversations with prospective customers, one request keeps rising to the top: “Can you monitor Snowflake?” At first, it felt like a coincidence. But over multiple engagements, that urgency isn’t random – it reflects a deeper industry concern.
Security leaders are increasingly prioritizing Snowflake as a high-risk, high-value SaaS application. And they’re right to. The breach playbook has changed, and Snowflake has already served as a proving ground for modern identity-driven attacks.
Snowflake was breached last year by UNC5537, a financially motivated threat group. According to Google Mandiant, this campaign affected roughly 165 customer instances, with attackers leveraging stolen credentials to exfiltrate sensitive data and demand ransom.
Around the same time, the group known as Scattered Spider (also tracked as UNC3944) became notorious for socially engineered help‑desk intrusions: impersonating insiders, gaining access to valid credentials and multifactor reset paths. They then used those credentials to log into SaaS platforms like Okta and AWS, moving freely and quietly, and exfiltrating data undetected.
A couple of months ago, Scattered Spider attacked major retailers in the UK and US. And most recently, that same playbook has expanded into the U.S. insurance sector, indicating this isn’t an isolated tactic; it’s the new mainstream.
These are not brute-force breaches. These are post-login campaigns. Once inside, the attackers encounter little resistance. Logging is inconsistent, behavioral monitoring is absent, and access to sensitive data is rarely flagged. The result? Highly scalable, nearly invisible data theft enabled not by technical exploits, but by gaps in post-authentication identity and SaaS monitoring.
This shift is hard-hitting, and it’s validated in the Google M-Trends 2025 report:
- 35% of cloud compromises relied on stolen credentials as the initial intrusion vector.
- Stolen credentials surpassed phishing as an initial intrusion vector (for the first time).
- Median dwell time rose to 11 days – the first increase in over a decade.
These stats paint a stark reality: attackers aren’t rushing in with exploits; they’re walking through front doors.
Snowflake is a prime target because of the data it holds. It’s the engine behind analytics, finance, customer intelligence, and more. It’s federated through identity providers, widely accessible by technical teams, and often under-monitored once a user is authenticated. In other words, it’s an attacker’s dream, and a detection blind spot.
At Reveal Security, we’ve written extensively about this gap. In “Snowflake and the Continuing Identity Threat Detection Gap”, we laid out why perimeter-based defenses don’t work in SaaS, and why post-authentication behavior monitoring must become a security priority.
The reality is this: SaaS identity abuse is the new ransomware. It’s scalable, stealthy, and extremely difficult to detect using traditional tools. And as attackers increasingly use GenAI to impersonate users and automate social engineering, the problem will only get worse.
So what are top-tier security teams doing?
- Instrumenting Snowflake and key SaaS apps with post-login behavioral analytics.
- Treating identity as a continuous, observable activity and not just a one-time authentication event.
- Centralizing behavioral visibility across multi-SaaS and multi-cloud environments.
- Detecting anomalies that blend into normal user access but diverge in subtle, telltale ways.
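To make the “post-login behavioral analytics” point concrete, here is an added example (not Reveal Security’s product code) that runs a simple baseline check over constructed Snowflake-style login and query records. The field names are modelled on the columns Snowflake exposes in SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY; the rows, thresholds and the one-hour correlation window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. Keys mirror LOGIN_HISTORY / QUERY_HISTORY column names.
LOGINS = [
    {"user": "ANALYST1", "ts": "2025-06-01T09:00:00", "client_ip": "203.0.113.10",
     "second_factor": "DUO_PUSH", "is_success": "YES"},
    {"user": "ANALYST1", "ts": "2025-06-02T09:05:00", "client_ip": "203.0.113.10",
     "second_factor": "DUO_PUSH", "is_success": "YES"},
    # Valid credentials, no second factor, address never seen for this user:
    # the stolen-credential, post-login pattern the post describes.
    {"user": "ANALYST1", "ts": "2025-06-03T02:11:00", "client_ip": "198.51.100.7",
     "second_factor": None, "is_success": "YES"},
]
QUERIES = [
    {"user": "ANALYST1", "ts": "2025-06-01T09:10:00", "rows_produced": 1200,
     "query_text": "SELECT * FROM SALES.PUBLIC.ORDERS WHERE region = 'EU'"},
    {"user": "ANALYST1", "ts": "2025-06-03T02:20:00", "rows_produced": 4_800_000,
     "query_text": "COPY INTO @~/export FROM SALES.PUBLIC.CUSTOMERS"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def baseline_ips(logins, user, before):
    """Client IPs this user successfully logged in from before `before` (the baseline)."""
    return {l["client_ip"] for l in logins
            if l["user"] == user and l["is_success"] == "YES" and parse(l["ts"]) < before}

def post_login_alerts(logins, queries, window=timedelta(hours=1), bulk_rows=1_000_000):
    """Flag successful logins with no second factor from an IP outside the user's
    baseline, and attach any bulk read or stage-unload queries in the window after it.
    A login alone is weak signal; login plus unusual data movement is the telltale."""
    alerts = []
    for l in logins:
        if l["is_success"] != "YES" or l["second_factor"]:
            continue
        t = parse(l["ts"])
        if l["client_ip"] in baseline_ips(logins, l["user"], t):
            continue
        bulk = [q["query_text"] for q in queries
                if q["user"] == l["user"] and t <= parse(q["ts"]) <= t + window
                and (q["rows_produced"] >= bulk_rows
                     or q["query_text"].upper().startswith("COPY INTO @"))]
        alerts.append({"user": l["user"], "login_ts": l["ts"], "client_ip": l["client_ip"],
                       "reason": "password-only login from IP outside baseline",
                       "bulk_queries": bulk})
    return alerts
```

In practice the baseline would be built from weeks of history rather than two prior logins, and the same join can be extended to role changes, new network policies or unusual warehouses.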
Security leaders aren’t just worried about perimeter defenses anymore. They’re focused on identity-driven attacks in data-rich SaaS platforms, and Snowflake ranks high on their watch list.
At Reveal, we’re helping security teams close the gap in Snowflake and other critical SaaS applications. If this is a growing area of concern for your organization, let’s talk.
– Kevin