Security researchers are reporting that a “significant volume of data” has been stolen from hundreds of Snowflake cloud storage customers via compromised login credentials, with the incident being linked to massive data breaches at Ticketmaster and Santander Bank.

Mandiant, a security firm investigating the data theft alongside Snowflake, announced on Monday that it had tracked the activity to a “financially motivated threat actor” it identified as UNC5537. The two companies have notified at least 165 Snowflake customer organizations that may have been compromised since the ongoing threat activity was discovered in April, with Mandiant saying its investigation hasn’t found “any evidence to suggest” that Snowflake’s enterprise environment was breached.

Recent data breaches at Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard have been linked to Snowflake cloud storage accounts used by the companies. Official details regarding how the accounts were compromised have been slim until this point, with an earlier third-party report being taken offline after Snowflake issued a statement claiming the platform itself isn’t at fault.

Following its investigation, Mandiant says the yet unidentified UNC5537 group is “systematically compromising” Snowflake customers using login credentials stolen via historical infostealer malware infections on non-Snowflake-owned systems. Some of these credentials date back as far as 2020 and enabled UNC5537 to steal data from Snowflake customer instances in an attempt to sell it on cybercriminal forums and extort the victims.

Mandiant says the UNC5537 campaign has resulted in “numerous successful compromises” because of poor security practices on impacted accounts, which did not update stolen login credentials or utilize multi-factor authentication (MFA) or network allow lists. The list of victims, while largely unidentified, is also expected to grow, according to Mandiant, having assessed that UNC5337 will likely target additional platforms “in the near future.”