Ticketmaster, Snowflake, and the Third-Party Credential Problem

In May and June 2024, a wave of breaches hit major companies with a common thread: all of them traced back to stolen credentials for Snowflake, the cloud data platform. Ticketmaster lost data on approximately 560 million customers. Santander Bank was breached. Advance Auto Parts, LendingTree, and dozens of other companies reported incidents linked to the same campaign.

The attackers did not break into Snowflake itself. They obtained valid login credentials for individual customer accounts — credentials harvested by infostealer malware from employee devices — and logged in. The Snowflake accounts at issue did not have multi-factor authentication enabled.

This is a category of attack that is increasingly common and increasingly effective. Cloud platforms are designed to be accessible from anywhere with valid credentials. When those credentials are stolen and there is no second factor to stop an unauthorized login, the platform’s openness becomes its vulnerability.

Snowflake subsequently made MFA enforcement easier and more prominent for customers. But the incident raises a harder question: in a world where employees install software on work devices that can silently exfiltrate browser-stored passwords, how confident can any organization be in the integrity of its cloud authentication?

The answer, for now, is that MFA is not optional. It is the minimum viable control.