Snowflake

Snowflake, a cloud-based data warehousing company, suffered a series of breaches in 2023 due to **browser-based credential phishing attacks** targeting its customers. Attackers used **Adversary-in-the-Middle (AiTM) phishing kits** to bypass multi-factor authentication (MFA) and harvest login credentials from employees of Snowflake’s client organizations. The stolen credentials were then used to access Snowflake customer accounts, exfiltrate sensitive data, and demand ransom payments under threat of public exposure. The breach impacted multiple high-profile Snowflake customers, including **ticketing platforms, financial institutions, and telecom companies**, leading to the theft of **millions of customer records**, including personally identifiable information (PII), financial data, and proprietary business intelligence. While Snowflake’s core infrastructure remained uncompromised, the attack exposed critical gaps in **third-party identity security**, particularly around **session hijacking via stolen cookies** and **unmonitored OAuth integrations**. The incident underscored the rising threat of **browser-based attacks** as a primary vector for large-scale data exfiltration, with attackers relying on **obfuscated phishing pages, malicious extensions, and social engineering** to bypass traditional email security controls. The financial and reputational fallout included **regulatory scrutiny, customer churn, and costly incident response efforts**, as affected organizations scrambled to contain the damage, rotate credentials, and implement stricter browser security measures. The breach also highlighted the broader industry challenge of securing **decentralized SaaS ecosystems**, where legacy authentication gaps and user behavior remain prime targets for cybercriminals.

Source: https://thehackernews.com/2025/09/6-browser-based-attacks-security-teams.html

TPRM report: https://www.rankiteo.com/company/snowflake-computing

"id": "sno3992739091525",
"linkid": "snowflake-computing",
"type": "Cyber Attack",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Data Cloud/Analytics',
                        'location': 'Global',
                        'name': 'Snowflake Customers',
                        'type': 'Enterprise'},
                       {'industry': 'CRM/Cloud Services',
                        'location': 'Global',
                        'name': 'Salesforce Customers',
                        'type': 'Enterprise'},
                       {'industry': 'Software Development/Project Management',
                        'location': 'Global',
                        'name': 'Jira Users (2024 Attacks)',
                        'type': 'Enterprise'},
                       {'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Cyberhaven Extension Users (2024 Hack)',
                        'type': 'Enterprise/Individual'},
                       {'customers_affected': 'Millions (Across 100s of '
                                              'Malicious Extensions)',
                        'industry': 'Cross-Industry',
                        'location': 'Global',
                        'name': 'Organizations Using Unmanaged Browser '
                                'Extensions',
                        'type': 'Enterprise/SMB'}],
 'attack_vector': ['Multi-Channel Phishing (Email, SMS, Instant Messaging, '
                   'Social Media, Malvertising)',
                   'Malicious Links (Obfuscated, Hosted on Legitimate '
                   'SaaS/Cloud Services)',
                   'Fake CAPTCHA/Cloudflare Turnstile Lures (ClickFix)',
                   'OAuth App Authorization Tricks (Device Code Flow, '
                   'Salesforce Exploit)',
                   'Malicious Browser Extensions (Takeover or New '
                   'Installations)',
                   'Malicious File Downloads (HTA, SVG, Executables)',
                   'Stolen Credentials (From Phishing/Infostealers)',
                   'MFA Gaps (Ghost Logins, SSO Misconfigurations)'],
 'customer_advisories': ['Users of Snowflake, Salesforce, Jira, and other SaaS '
                         'platforms should:',
                         '- Reset passwords and revoke OAuth app permissions.',
                         '- Enable MFA (preferably phishing-resistant).',
                         '- Audit browser extensions and remove unrecognized '
                         'ones.',
                         '- Monitor for unusual login activity (e.g., via SSO '
                         'logs).'],
 'data_breach': {'data_exfiltration': 'Yes (Extortion, Dark Web Sales)',
                 'file_types_exposed': ['HTA, SVG, Executables (Malicious '
                                        'Files)'],
                 'personally_identifiable_information': 'Yes (Via '
                                                        'Infostealers, Browser '
                                                        'Extensions)',
                 'sensitivity_of_data': 'High (Business-Critical SaaS Data, '
                                        'PII)',
                 'type_of_data_compromised': ['Credentials (Snowflake, '
                                              'Salesforce, Jira)',
                                              'Session Tokens (Stolen via '
                                              'Infostealers)',
                                              'OAuth Tokens (High-Risk '
                                              'Permissions)',
                                              'PII (From Browser Caches, '
                                              'Extensions)']},
 'description': 'Attacks targeting users via web browsers have surged in '
                'recent years, leveraging techniques like AITM '
                '(Adversary-in-The-Middle) phishing, ClickFix (malicious '
                'copy-paste), consent phishing (malicious OAuth integrations), '
                'malicious browser extensions, and malicious file delivery. '
                'These attacks exploit decentralized work environments, '
                'third-party SaaS services (e.g., Snowflake, Salesforce), and '
                'gaps in MFA to compromise business apps and data. Attackers '
                'use multi-channel delivery (email, SMS, social media, ads) '
                'and obfuscation techniques (dynamic code obfuscation, CAPTCHA '
                'bypasses, legitimate SaaS hosting) to evade detection. The '
                'browser has become the primary attack surface due to its role '
                'as the gateway to cloud/SaaS apps, yet it remains a blind '
                'spot for most security teams.',
 'impact': {'brand_reputation_impact': 'High (Associated with Major Breaches '
                                       'Like Snowflake, Salesforce)',
            'data_compromised': ['Credentials (Usernames, Passwords, Session '
                                 'Tokens)',
                                 'Business App Data (Snowflake, Salesforce, '
                                 'Jira)',
                                 'PII (From Infostealers, Browser Cache)',
                                 'OAuth Tokens (High-Risk Permissions)'],
            'identity_theft_risk': 'High (Stolen Credentials, PII from '
                                   'Infostealers)',
            'operational_impact': ['Disruption of Business Workflows (SaaS '
                                   'Access Loss)',
                                   'Incident Response Overhead (Detection, '
                                   'Containment)',
                                   'Reputation Damage (Customer/Partner Trust '
                                   'Erosion)'],
            'systems_affected': ['Web Browsers (Chrome, Edge, Firefox, Safari)',
                                 'SaaS/Cloud Apps (Salesforce, Snowflake, '
                                 'Jira, Others)',
                                 'Endpoints (Windows, macOS via Terminal '
                                 'Commands)',
                                 'Identity Providers (SSO, MFA Bypass)']},
 'initial_access_broker': {'backdoors_established': ['Stolen Session Cookies '
                                                     '(Infostealers)',
                                                     'OAuth Tokens (Persistent '
                                                     'Access)',
                                                     'Browser Extensions '
                                                     '(Continuous Data '
                                                     'Exfiltration)'],
                           'data_sold_on_dark_web': 'Yes (Credentials, PII, '
                                                    'Corporate Data)',
                           'entry_point': ['Phishing Links (Email, SMS, Social '
                                           'Media, Ads)',
                                           'Malicious OAuth Apps (Device Code '
                                           'Flow)',
                                           'Compromised Browser Extensions',
                                           'Fake CAPTCHA/Error Pages '
                                           '(ClickFix)',
                                           'Malvertising (Drive-by Downloads)'],
                           'high_value_targets': ['SaaS Admins (Snowflake, '
                                                  'Salesforce)',
                                                  'Finance/HR Teams (Access to '
                                                  'Sensitive Data)',
                                                  'Developers (Jira, GitHub, '
                                                  'CI/CD Tools)']},
 'investigation_status': 'Ongoing (Salesforce, Other SaaS Attacks)',
 'lessons_learned': ['Browsers Are the New Attack Surface: Traditional '
                     'email/endpoint security is insufficient for modern, '
                     'decentralized work environments.',
                     'Multi-Channel Threats Require Unified Visibility: '
                     'Attacks span email, SMS, social media, and in-app '
                     'messages, necessitating cross-channel detection.',
                     'OAuth Abuse is a Blind Spot: Malicious app integrations '
                     'bypass MFA and traditional authentication controls '
                     '(e.g., Salesforce device code flow).',
                     'Extensions Pose Significant Risk: Unvetted extensions '
                     'can silently exfiltrate credentials and session data '
                     '(e.g., Cyberhaven hack).',
                     'MFA Gaps Persist: Ghost logins and unmanaged SaaS apps '
                     'create backdoors for credential stuffing.',
                     'Browser-Native Defenses Are Critical: Real-time '
                     'monitoring of browser activity (logins, downloads, '
                     'extensions) is essential for early detection.'],
 'motivation': ['Data Theft (Extortion, Dark Web Sales)',
                'Financial Gain (Ransomware, Fraud)',
                'Account Takeover (Business Email Compromise, SaaS Abuse)',
                'Espionage (Corporate/Competitive Intelligence)'],
 'post_incident_analysis': {'corrective_actions': ['Adopt Browser-Centric '
                                                   'Security: Tools like Push '
                                                   'Security to detect/block '
                                                   'in-browser threats.',
                                                   'Implement Zero Trust for '
                                                   'SaaS: Continuous '
                                                   'authentication and '
                                                   'least-privilege OAuth '
                                                   'permissions.',
                                                   'Enforce Extension '
                                                   'Policies: Whitelist '
                                                   'approved extensions and '
                                                   'block side-loading.',
                                                   'Monitor for Anomalous '
                                                   'Logins: Use browser/SSO '
                                                   'logs to detect ghost '
                                                   'logins and credential '
                                                   'abuse.',
                                                   'Collaborate with SaaS '
                                                   'Providers: Advocate for '
                                                   'better OAuth controls and '
                                                   'customer-side monitoring '
                                                   'APIs.'],
                            'root_causes': ['Over-Reliance on Perimeter '
                                            'Security: Email/network controls '
                                            'fail to stop browser-based '
                                            'attacks.',
                                            'Lack of Browser Visibility: '
                                            'Security teams cannot detect '
                                            'in-browser threats (phishing, '
                                            'ClickFix, extensions).',
                                            'Decentralized Identity '
                                            'Management: Unmanaged SaaS apps '
                                            'and ghost logins create MFA gaps.',
                                            'User Trust Exploitation: '
                                            'Attackers abuse legitimate '
                                            'browser functions (OAuth, '
                                            'copy-paste, extensions).',
                                            'Obfuscation Techniques: Dynamic '
                                            'code, CAPTCHA bypasses, and SaaS '
                                            'hosting evade traditional '
                                            'defenses.']},
 'recommendations': [{'actions': ['Deploy Browser-Specific Security Tools '
                                  '(e.g., Push Security) to monitor/log:',
                                  '- Phishing/ClickFix lures (AITM, fake '
                                  'CAPTCHA)',
                                  '- OAuth app authorizations (risky '
                                  'permissions)',
                                  '- Extension installations/updates',
                                  '- File downloads (HTA, SVG, executables)',
                                  '- Login anomalies (MFA gaps, ghost logins)'],
                      'category': 'Detection & Prevention'},
                     {'actions': ['Enforce MFA Across All Apps: Eliminate '
                                  'password-only logins and ghost accounts.',
                                  'Audit OAuth Integrations: Restrict app '
                                  'permissions and use Salesforce’s updated '
                                  'authorization controls.',
                                  'Centralize SaaS Management: Discover and '
                                  'secure shadow IT (unmanaged apps).',
                                  'Implement Phishing-Resistant MFA: '
                                  'Prioritize passkeys/FIDO2 over SMS/OTP.'],
                      'category': 'Identity Hardening'},
                     {'actions': ['Train Employees on:',
                                  '- Modern phishing tactics (multi-channel, '
                                  'AITM, ClickFix)',
                                  '- Risks of browser extensions (only install '
                                  'approved ones)',
                                  '- Safe file handling (HTA/SVG dangers, '
                                  'endpoint scanning)',
                                  '- OAuth consent prompts (verify app '
                                  'legitimacy)'],
                      'category': 'User Awareness'},
                     {'actions': ['Block Known Malicious Domains/IPs: Use '
                                  'threat intelligence feeds for '
                                  'phishing/ClickFix pages.',
                                  'Sandbox Suspicious Downloads: Inspect '
                                  'HTA/SVG files before execution.',
                                  'Restrict PowerShell/Terminal Commands: '
                                  'Limit execution of pasted commands '
                                  '(ClickFix mitigation).',
                                  'Segment High-Risk Apps: Isolate SaaS '
                                  'platforms (e.g., Snowflake) from general '
                                  'browsing.'],
                      'category': 'Endpoint & Network'},
                     {'actions': ['Pressure SaaS Providers to:',
                                  '- Improve OAuth security (e.g., '
                                  'Salesforce’s planned updates)',
                                  '- Offer granular permission controls for '
                                  'integrations.',
                                  '- Provide APIs for customer-side monitoring '
                                  '(e.g., login events).',
                                  'Participate in Extension Vetting: Report '
                                  'malicious extensions to Chrome/Firefox web '
                                  'stores.'],
                      'category': 'Vendor Collaboration'}],
 'references': [{'source': 'Push Security - Browser-Based Attack Overview',
                 'url': 'https://www.pushsecurity.com/product-overview'},
                {'source': 'Snowflake Customer Breaches (2023)'},
                {'source': 'Salesforce OAuth Attacks (2024)'},
                {'source': 'Cyberhaven Extension Hack (December 2024)'},
                {'source': 'Jira Credential Stuffing Attacks (2024)'}],
 'response': {'containment_measures': ['Browser-Based Detection/Response (Push '
                                       'Security)',
                                       'OAuth App Permission Audits '
                                       '(Salesforce)',
                                       'Extension Blacklisting/Removal',
                                       'MFA Enforcement (Eliminating Ghost '
                                       'Logins)'],
              'enhanced_monitoring': ['Browser-Level Activity Logging (Push '
                                      'Security)'],
              'remediation_measures': ['SSO/MFA Coverage Expansion',
                                       'Browser Extension Whitelisting',
                                       'User Training (Phishing, ClickFix '
                                       'Awareness)',
                                       'Endpoint Monitoring (Malicious File '
                                       'Downloads)'],
              'third_party_assistance': ['Push Security (Browser Security '
                                         'Platform)']},
 'title': 'Rise of Browser-Based Attacks: Phishing, ClickFix, OAuth Abuse, and '
          'Malicious Extensions',
 'type': ['Browser-Based Attack',
          'Phishing (AITM, Credential, Session)',
          'Social Engineering (ClickFix, FileFix)',
          'Malicious OAuth Integration (Consent Phishing)',
          'Malware Delivery (Infostealers, HTA, SVG)',
          'Browser Extension Hijacking',
          'Credential Stuffing',
          'Session Hijacking'],
 'vulnerability_exploited': ['Lack of Browser-Specific Security Controls',
                             'Insufficient MFA Enforcement (Ghost Logins, SSO '
                             'Gaps)',
                             'Unmanaged OAuth App Permissions (Salesforce, '
                             'Other SaaS)',
                             'Unvetted Browser Extensions (Cyberhaven Hack, '
                             '35+ Extensions in 2024)',
                             'User Trust in Browser Prompts (Copy-Paste '
                             'Commands, Fake Error Messages)',
                             'Decentralized App Ecosystem (Shadow IT, '
                             'Unmanaged SaaS)',
                             'Legacy Authentication Methods (Password-Only '
                             'Logins)']}