Snowflake detected unusual activity and cut off affected environments, indicating active data exfiltration. This mirrors a broader pattern: attackers targeting SaaS and data-layer providers (e.g., Snowflake, Salesforce ecosystems) to achieve multi-tenant access at scale. ShinyHunters has repeatedly used social engineering to gain initial footholds, then pivot via tokens and session access.