
Attackers who used stolen credentials to purloin the data of companies using the services of storage firm Snowflake are demanding between US$300,000 (A$454,040) and US$5 million from about 10 of the 165 companies compromised, a security firm says.
The Bloomberg news service quoted Mandiant senior threat analyst Austin Larsen as saying the attackers were expected to continue trying to extort the victims.
On 10 June, Mandiant published a blog post in which it said it had received the first indications of data theft from Snowflake in April.
It said it "received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance".
Snowflake has not updated its blog post about the incident, beyond a 10 June update which iTWire reported on 11 June.
Mandiant, which is owned by Google, has attributed the attack to a group it identifies as UNC5537, which it says has members based in the US and Turkey.
Three companies have come forward to acknowledge that they may have been breached as a result of the Snowflake credential theft, the Bloomberg report said.
Ticketmaster owner Live Nation Entertainment was one, saying it had found "unauthorised access" to a third-party cloud database which is claimed to have been hosted on Snowflake.
A second company that has reportedly been affected is Pure Storage, which has said it found a Snowflake workspace breached.
And the third is Advance Auto Parts, which the report said was looking into reports that it had experienced Snowflake-related issues.
Mandiant has released threat hunting guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances.