According to Mandiant, a financially motivated threat actor tracked as UNC5537 has compromised hundreds of Snowflake instances using customer credentials stolen via infostealer malware that infected systems not owned by Snowflake. The credentials used in the Snowflake campaign were stolen using malware such as Lumma, Meta, Raccoon Stealer, Redline, RisePro, and Vidar. In some instances, contractor systems that were also used for personal activities were infected with infostealers. In addition to lacking MFA and using long-exposed credentials that had not been rotated, the compromised Snowflake instances also lacked network allow lists. Approximately 80% of the accounts had prior credential exposure.
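The three gaps Mandiant names (no MFA, unrotated credentials, no network allow list) can be audited from login telemetry. The following is an added example, not code from Mandiant or Snowflake: the column names are assumed to mirror Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and USERS views, and the rows, the allowed network range and the 90-day rotation threshold are constructed here.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like Snowflake ACCOUNT_USAGE.LOGIN_HISTORY
# (column names assumed; values invented for this example).
LOGIN_HISTORY = [
    {"user_name": "ETL_SVC", "client_ip": "203.0.113.7", "is_success": "YES",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": None},
    {"user_name": "ANALYST1", "client_ip": "10.20.0.5", "is_success": "YES",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": "DUO_PUSH"},
    {"user_name": "CONTRACTOR_X", "client_ip": "198.51.100.44", "is_success": "YES",
     "first_authentication_factor": "PASSWORD", "second_authentication_factor": None},
]
# Constructed password_last_set_time per user, as in the USERS view (assumed column).
USERS = {
    "ETL_SVC": "2022-01-10T00:00:00+00:00",
    "ANALYST1": "2024-04-01T00:00:00+00:00",
    "CONTRACTOR_X": "2023-02-15T00:00:00+00:00",
}
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]  # assumed corporate egress range
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the sample


def audit_logins(logins, users, allowed, now, max_pw_age_days=90):
    """Return {user: [findings]} for successful password logins that exhibit
    the weaknesses in the campaign: no second factor, a source IP outside the
    allow list, or a credential older than max_pw_age_days."""
    findings = {}
    for row in logins:
        if row["is_success"] != "YES" or row["first_authentication_factor"] != "PASSWORD":
            continue  # failed logins and key-pair/SSO logins are out of scope here
        issues = []
        if not row["second_authentication_factor"]:
            issues.append("no_mfa")
        if not any(ip_address(row["client_ip"]) in net for net in allowed):
            issues.append("ip_outside_allowlist")
        set_at = datetime.fromisoformat(users[row["user_name"]])
        if now - set_at > timedelta(days=max_pw_age_days):
            issues.append("stale_credential")
        if issues:
            findings.setdefault(row["user_name"], []).extend(issues)
    return findings


if __name__ == "__main__":
    for user, issues in audit_logins(LOGIN_HISTORY, USERS, ALLOWED_NETWORKS, NOW).items():
        print(f"{user}: {', '.join(issues)}")
```

Against a real account the same logic would run as a query over the ACCOUNT_USAGE views, with the allow list then enforced through a Snowflake network policy rather than checked after the fact.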