Cloud Data Breaches: What the Snowflake Incident Reveals About the Third-Party Risk Gap Most SMBs Are Carrying
The Snowflake-related breaches of 2024 did not make headlines because a cloud platform failed. They made headlines because hundreds of millions of records walked out the door through unlocked accounts that customers – not the platform – were responsible for securing. If your business stores sensitive data in any cloud service, the same gap exists in your environment right now. Here is what it looks like, why it persists, and what it takes to close it.
- What Actually Happened with Snowflake
- The Shared-Responsibility Model Most SMBs Misunderstand
- Why SMBs Are Disproportionately Exposed
- What Attackers Are Actually Doing in 2025
- What a Well-Run IT Environment Has in Place
- Questions Every Business Owner Should Ask Right Now
- The Quiet Reality of Cloud Security Done Right
What Actually Happened with Snowflake
Snowflake is a cloud-based data warehousing platform used by thousands of companies worldwide to store, analyze, and share large volumes of business data. In mid-2024, a series of high-profile cloud data breaches hit Snowflake customers including Ticketmaster, Santander Bank, and others. The combined impact affected hundreds of millions of records.
Here is the critical detail: Snowflake itself was not hacked. The platform’s infrastructure was not compromised. Attackers used stolen login credentials to access individual customer accounts that had no multi-factor authentication enabled. The door was unlocked because the customers had not turned the deadbolt – and the platform had no obligation to turn it for them.
Mandiant, the cybersecurity firm that investigated the incident, confirmed that the credentials had been harvested through information-stealing malware running on employees’ devices. The attackers then simply logged in. No sophisticated exploit. No nation-state intrusion technique. A username, a password, and an open door.
You can read more about the credential-theft tactics involved in the CISA advisory on credential-based cloud intrusions.
The Shared-Responsibility Model Most SMBs Misunderstand

Every major cloud platform operates on the same foundational principle: the platform provider secures the underlying infrastructure; the customer secures everything above that line – accounts, access controls, data configurations, and user behavior.
This is not fine print. Microsoft publishes it for Azure. Amazon publishes it for AWS. Google publishes it for Google Cloud. Snowflake publishes it for its platform. The contract you signed almost certainly reflects this division. What the platform will never do is stop someone from logging in with a valid username and password – even if that credential was stolen.
The gap that causes cloud data breaches is not a platform flaw. It is a widespread assumption that “the cloud is secure” – which is partially true and dangerously incomplete. The cloud provider secures the building. You are responsible for who holds keys to your apartment inside it.
Understanding this is the prerequisite for doing anything useful about it.
Why SMBs Are Disproportionately Exposed to Cloud Data Breaches
Large enterprises have dedicated security teams whose entire job is to manage cloud access policies, monitor for unusual login activity, and enforce authentication standards across every platform in use. Most small and mid-sized businesses do not have that. They have a general IT vendor, an internal person wearing multiple hats, or nothing at all.
The result is a predictable set of vulnerabilities that show up repeatedly across SMB cloud environments:
- Accounts with no multi-factor authentication – particularly on platforms treated as secondary or low-priority
- Shared login credentials used by multiple employees, making it impossible to trace which device was the source of a compromise
- Former employees whose accounts were never deprovisioned, leaving open access points no one monitors
- Cloud platform configurations left at default settings, which are built for ease of use, not security
- No visibility into login activity or alerts when accounts are accessed from unfamiliar locations or at unusual hours
None of these are exotic problems. They are the ordinary gaps that develop when cloud usage grows faster than security practices. The Snowflake customer list included companies with significant IT budgets. Size alone does not close these gaps.
What Attackers Are Actually Doing in 2025
The attack pattern behind the Snowflake cloud data breaches is not a one-off. It is a mature, repeatable criminal business model – and it is still running.
Attackers deploy information-stealing software through phishing emails, malicious downloads, or compromised websites. That software quietly harvests stored usernames and passwords from infected devices and transmits them to the attacker. The credentials are then used directly or sold in bulk on criminal marketplaces.
Buyers run automated scripts that test credential sets against hundreds of cloud platforms simultaneously. When a login works, they are in. If multi-factor authentication is not enabled, nothing stops them. The entire process is automated, scalable, and inexpensive to operate.
The CISA resource on information-stealing malware explains why this category has become the dominant entry point for cloud data breaches across industries. The business implication is direct: your data’s safety inside any cloud platform is only as strong as the weakest credential that has access to it.
What a Well-Run IT Environment Has in Place
The organizations that came through the Snowflake credential-theft wave without incident were not lucky. They had specific controls in place – none of them exotic, all of them consistent. A well-managed IT environment built for cloud security looks like this:
- Multi-factor authentication enforced on every cloud platform, without exception – including the ones that feel like low-priority tools
- A documented inventory of every cloud service in use, who holds access, and what permission level each user has
- An offboarding process that revokes access to every platform the day an employee leaves – not days or weeks later
- Endpoint protection on every device accessing company cloud accounts, specifically designed to detect and block information-stealing software before credentials can be transmitted
- Login monitoring and alerting configured to flag access from new devices, unfamiliar locations, or outside normal business hours
- Periodic reviews of cloud platform security settings – because defaults change and platform features evolve in ways that can silently introduce new exposure
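The login-monitoring control in the list above, and the automated credential-testing pattern described in the previous section, both come down to looking at sign-in events for a few specific signals. The script below is an added example written for this post, not code from Xact IT, Snowflake, or any vendor product. It runs over a small set of constructed sign-in events (no real accounts or addresses) and assumes a simple per-user baseline of known devices and countries plus a fixed 08:00–18:00 UTC business window; a real deployment would build the baseline from history and use each user's local time zone.

```python
"""Flag anomalous cloud sign-ins and credential-testing bursts over sample log events.

Added illustration; the event format, baseline shape and thresholds are assumptions,
not the schema of any particular cloud platform's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline: devices and countries each user has signed in from before.
BASELINE = {
    "alice": {"devices": {"LAPTOP-A1"}, "countries": {"US"}},
    "bob": {"devices": {"LAPTOP-B2"}, "countries": {"US"}},
    "carol": {"devices": {"LAPTOP-C3"}, "countries": {"US"}},
}

# Constructed burst: one source address testing six different accounts in 75 seconds,
# the shape of automated credential testing against a platform.
STUFFING_BURST = [
    {"ts": f"2025-03-04T03:0{i // 4}:{(i % 4) * 15:02d}Z", "user": user, "device": "",
     "country": "NL", "src_ip": "192.0.2.5", "result": "failure"}
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]

# Constructed sign-in events (documentation IP ranges, invented users and devices).
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T14:02:11Z", "user": "alice", "device": "LAPTOP-A1", "country": "US",
     "src_ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-03-03T15:09:40Z", "user": "bob", "device": "LAPTOP-B2", "country": "US",
     "src_ip": "203.0.113.11", "result": "failure"},   # a mistyped password, benign
    {"ts": "2025-03-03T15:10:00Z", "user": "bob", "device": "LAPTOP-B2", "country": "US",
     "src_ip": "203.0.113.11", "result": "success"},
    {"ts": "2025-03-03T23:40:05Z", "user": "alice", "device": "UNKNOWN-7F", "country": "BR",
     "src_ip": "198.51.100.77", "result": "success"},  # stolen-credential login pattern
    {"ts": "2025-03-04T06:30:00Z", "user": "carol", "device": "LAPTOP-C3", "country": "US",
     "src_ip": "203.0.113.12", "result": "success"},   # known device, but early
] + STUFFING_BURST


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_account_anomalies(events, baseline, business_hours=(8, 18)):
    """Return one alert per successful sign-in that deviates from the user's baseline.

    Reasons are reported in a fixed order: new_device, unfamiliar_country, off_hours.
    A user with no baseline entry is treated as having no known devices or countries.
    """
    alerts = []
    for event in events:
        if event["result"] != "success":
            continue
        profile = baseline.get(event["user"], {"devices": set(), "countries": set()})
        reasons = []
        if event["device"] not in profile["devices"]:
            reasons.append("new_device")
        if event["country"] not in profile["countries"]:
            reasons.append("unfamiliar_country")
        hour = parse_ts(event["ts"]).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": event["user"], "ts": event["ts"], "reasons": reasons})
    return alerts


def flag_credential_stuffing(events, window_minutes=10, min_accounts=5):
    """Return one alert per source address whose failed logins hit many distinct accounts.

    Uses a sliding time window over each address's failures and reports the peak number
    of distinct accounts seen inside any window that reaches the threshold.
    """
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["result"] == "failure":
            failures_by_ip[event["src_ip"]].append((parse_ts(event["ts"]), event["user"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src_ip, attempts in failures_by_ip.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({user for _, user in attempts[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_accounts:
            alerts.append({"src_ip": src_ip, "distinct_accounts": peak})
    return alerts


if __name__ == "__main__":
    for alert in flag_account_anomalies(SAMPLE_EVENTS, BASELINE):
        print("ACCOUNT", alert)
    for alert in flag_credential_stuffing(SAMPLE_EVENTS):
        print("STUFFING", alert)
```

On the sample data the first detector flags alice's late-night login from an unknown device in an unfamiliar country on all three grounds and carol's early login on timing alone, while bob's single mistyped password produces nothing; the second detector flags only the address that failed against six accounts in under two minutes. The thresholds are the tuning knobs: a per-user baseline that is too thin produces noise, and a stuffing threshold that is too high misses low-and-slow testing, so both should be set from the organization's own login history.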
This is not a heroic security posture. It is the baseline that any organization entrusting sensitive data to a cloud platform should maintain. The companies caught in the Snowflake incident were not operating at an unusually low security tier – they were missing these specific controls for specific platforms.
At Xact IT, our approach to cybersecurity is built around exactly this kind of systematic control coverage – across every platform a client uses, not just the obvious ones. Attackers do not distinguish between your “important” cloud tools and your “secondary” ones. They use whatever door is open.
We have maintained a zero-breach record across every client we have served since 2004. That is not an accident. It is the result of treating controls like multi-factor authentication and access monitoring as non-negotiable – on every platform, every time. Learn more about how our managed IT services keep your cloud environment protected end-to-end.
Understanding Your Full Cloud Exposure
One of the most underappreciated dimensions of cloud data breaches is sprawl. Most organizations significantly underestimate how many cloud services they actually use. A marketing team adopts an analytics tool. A finance team signs up for a cloud-based reporting platform. An operations manager starts using a project management service. Each of these accounts is an access point – and each one is subject to the same shared-responsibility rules as the company’s primary cloud infrastructure.
Informal cloud tool adoption without IT oversight is not a new challenge. But its security implications have grown sharply as credential-based attacks have become industrialized. Every unmanaged account is a potential entry point. Every unreviewed configuration is a potential gap. The inventory problem is not a technicality – it is one of the most direct drivers of cloud data breach exposure for businesses that have grown their cloud footprint organically over the past several years.
According to NIST’s Cybersecurity Framework, the “Identify” function – knowing what assets and access points exist – is the foundation on which every other security control depends. You cannot protect what you cannot see. For SMBs, a structured cloud access audit is often the single highest-value activity available before any other security investment is made.
Questions Every Business Owner Should Ask Right Now
You do not need to understand the technical mechanics of credential-based attacks to ask the right questions about your own environment. These are the ones worth raising with whoever manages your IT today:
- Do we have multi-factor authentication enabled on every cloud platform we use – including the ones we consider minor?
- Do we have a current list of every cloud service our company has accounts with, and does someone review that list regularly?
- When an employee leaves, what is the documented process for revoking their access to every platform, and how quickly does it happen?
- Are we receiving alerts when someone logs into our cloud accounts from an unusual location or device?
- Has anyone reviewed the security configuration settings on our cloud platforms in the past six months?
If the answers are unclear, incomplete, or uncomfortable, that is useful information. It tells you exactly where the work needs to happen – before a cloud data breach makes the decision for you.
If you want a direct conversation about where your environment stands, Book a Free Cybersecurity Strategy Call. No pressure, no obligation – just a clear look at what you have and what needs attention.
The Quiet Reality of Cloud Security Done Right
The Snowflake incident is not a story about a cloud platform failing its customers. It is a story about the shared-responsibility gap that every organization using cloud services carries – and what happens when that gap goes unmanaged. The attackers were not sophisticated. They were organized, automated, and patient. They found doors that were left unlocked and walked through them.
For most SMBs, the goal is not to build a security program sized for a Fortune 500 company. It is to make sure the well-understood controls are actually in place across every platform where your data lives. That is a manageable problem. It requires consistency, a complete inventory, and someone whose job it is to stay on top of it – not heroics.
The businesses that operate without drama, without breach disclosures, and without board-level surprises are not the ones with the largest IT budgets. They are the ones where the basics are done right, on every platform, without exception. That is the standard worth holding yourself to – and the one that makes cloud data breaches an avoidable outcome rather than an inevitable one.
Let’s Talk About Your IT Strategy
If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.