NHI Forum
Read full article here: https://www.token.security/blog/the-hidden-threats-of-non-human-identities-lessons-from-snowflakes-attack/?utm_source=nhimg
In May 2024, Snowflake faced a large-scale incident that became a case study in non-human identity (NHI) exposure. Threat actors used stolen service account credentials, originally compromised by infostealer malware, to infiltrate Snowflake environments. This was not the result of a direct vulnerability or platform misconfiguration; rather, it revealed how unmonitored NHIs and long-lived credentials can silently undermine even the most secure infrastructures.
The attack impacted over 165 organizations, including Santander Bank, Ticketmaster, AT&T, and Neiman Marcus Group, compromising the data of millions of users. What makes this incident alarming is that the victims did not commit classic security mistakes like leaking tokens in public repositories or leaving endpoints open. Instead, they fell victim to the invisible risks inherent in NHI mismanagement — stale credentials, lack of MFA enforcement, and poor lifecycle governance.
Key Lessons from the Snowflake Incident
- Credential Rotation and Lifecycle Management Are Non-Negotiable - One of the most striking findings was that some compromised credentials were over four years old. Rotating access keys, tokens, and service account credentials at least every six months is crucial to reduce the blast radius of potential attacks.
- MFA and Centralized Authentication Are Critical for All Access - Following the attack, Snowflake introduced MFA enforcement for all users and recommended IDP-based authentication. Centralizing authentication through an Identity Provider ensures better control, monitoring, and deprovisioning across both human and non-human identities.
- Network Policies Minimize Exposure - Restricting platform access to specific IP ranges or corporate networks adds a vital layer of defense. For NHIs, network segmentation ensures service accounts can only operate within defined zones, reducing lateral movement opportunities for attackers.
- Contractor and External Access Need Stronger Oversight - External contractors often operate under weaker policies than internal users. Quarterly audits, identity correlation, and policy alignment can close these blind spots before they become exploitable attack vectors.
The New Frontier: Service Accounts in Snowflake
Snowflake’s update introducing the “SERVICE” identity type was a step toward distinguishing between human and machine users. However, because existing users defaulted to NULL and adoption is optional, visibility gaps persist. Many organizations still run thousands of password-based service accounts without MFA, ownership, or context—each one a potential entry point for attackers.
Moreover, Snowflake’s recursive role-based permission structure adds another layer of complexity. Determining the full privilege chain for any identity, especially those nested within multiple role hierarchies, requires deep analysis to understand true exposure.
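The following audit query turns the rotation and MFA lessons above, and the NULL identity-type gap described in this section, into a single check against Snowflake's own account metadata. It is an added example, not code from the original post or from Token Security; it assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE.USERS, the current column names of that view, and the 180-day rotation and 90-day dormancy thresholds, which are assumptions.

```sql
-- Added example (not from the original post or Token Security): flag Snowflake
-- users whose configuration matches the risks the post describes. Requires a
-- role granted access to the SNOWFLAKE database (e.g. ACCOUNTADMIN).
-- Assumed: column set of SNOWFLAKE.ACCOUNT_USAGE.USERS; 180/90-day thresholds.
WITH active_users AS (
    SELECT
        name,
        type,                        -- 'PERSON', 'SERVICE', 'LEGACY_SERVICE', or NULL
        has_password,
        has_rsa_public_key,
        has_mfa,
        password_last_set_time,
        created_on,
        last_success_login
    FROM snowflake.account_usage.users
    WHERE deleted_on IS NULL
      AND NOT COALESCE(disabled::boolean, FALSE)
),
risk_flags AS (
    SELECT
        name,
        COALESCE(type, 'NULL (unclassified)') AS identity_type,
        -- Lesson 1: password older than the six-month rotation window
        (has_password AND password_last_set_time < DATEADD(day, -180, CURRENT_TIMESTAMP())) AS stale_password,
        -- Lesson 2: password login possible with neither MFA nor an RSA key pair
        (has_password AND NOT has_mfa AND NOT has_rsa_public_key) AS password_only_no_mfa,
        -- Service accounts section: TYPE never set, so human vs. machine is unknown
        (type IS NULL) AS unclassified_type,
        -- Lifecycle: still enabled but no successful login in 90 days (or never)
        (COALESCE(last_success_login, created_on) < DATEADD(day, -90, CURRENT_TIMESTAMP())) AS dormant,
        DATEDIFF(day, password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
    FROM active_users
)
SELECT
    name,
    identity_type,
    password_age_days,
    stale_password,
    password_only_no_mfa,
    unclassified_type,
    dormant,
    -- crude prioritisation: one point per finding
    (stale_password::int + password_only_no_mfa::int
     + unclassified_type::int + dormant::int) AS risk_score
FROM risk_flags
WHERE stale_password OR password_only_no_mfa OR unclassified_type OR dormant
ORDER BY risk_score DESC, password_age_days DESC NULLS LAST;
```

Rows with a NULL identity type and a password-only login are the service-account candidates to classify first; ACCOUNT_USAGE views lag live state by up to a few hours, so confirm a finding with SHOW USERS before acting on it.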
The Broader NHI Security Challenge
The Snowflake incident underscores the global identity management crisis around NHIs. As enterprises scale cloud usage, thousands of machine identities are created—API keys, bots, integrations, and service accounts—each with permissions, dependencies, and lifecycle issues that humans rarely track.
Key ongoing challenges include:
- Cross-system correlation — mapping NHIs across different platforms and identity stores.
- Offboarding failures — credentials created by former employees that remain active after they leave.
- Misconfigured integrations — SAML and API-based connections spawning unmanaged accounts.
- Weak authentication — service accounts still using passwords instead of cryptographic keys.
- Ownership ambiguity — unclear accountability for maintenance or revocation of NHIs.
These problems collectively create an environment where attackers don’t need to exploit code; they exploit forgotten identities.
Moving Forward: Building an NHI Security Framework
To prevent future Snowflake-like attacks, organizations must adopt dedicated NHI security solutions that offer end-to-end visibility, governance, and automation.
Modern platforms such as Token Security enable organizations to:
- Discover and classify all human and non-human identities across environments.
- Differentiate service accounts from users, mapping ownership and authentication methods.
- Highlight risky configurations, such as accounts that lack MFA, RSA key-pair authentication, or network restrictions.
- Automate lifecycle tasks, including credential rotation, orphaned identity deactivation, and permissions right-sizing.
By aligning NHI security with established identity best practices, organizations can eliminate shadow accounts, minimize lateral movement, and ensure continuous compliance.
Conclusion
The Snowflake breach serves as a wake-up call for identity security leaders: traditional IAM tools and human-focused controls aren’t enough. As NHIs continue to outnumber human identities across cloud ecosystems, visibility, classification, and lifecycle governance are the cornerstones of defense.
Organizations that fail to modernize their NHI posture risk being blindsided, not by complex exploits, but by simple, forgotten service accounts holding the keys to their kingdom.