The number of known Snowflake customer data breaches is rising

LendingTree subsidiary QuoteWizard and automotive parts provider Advance Auto Parts have been revealed as victims of attackers who are trying to sell data stolen from Snowflake-hosted cloud databases.

Snowflake says that their investigation is still ongoing, but continues to stand by the preliminary results: the attackers accessed customer accounts secured with single-factor authentication by leveraging credentials “previously purchased or obtained through infostealing malware.”

Snowflake customers suffering data breaches

US-based Snowflake is a cloud data storage and analytics company with 9,800+ global customers, including Mastercard, Honeywell, Pfizer, Wolt, Adobe, and others.

Ten days ago, it was revealed that a threat actor has been stealing data from organizations that use the Snowflake cloud-based platform, and that the attacks began in April 2024.

According to Snowflake, a “limited” number of customers have been affected, due to compromised account credentials and lack of multi-factor authentication. (They did not say the exact number nor, understandably, name the affected customers.)

The names of some of the victims were revealed when attackers posted offers to sell the stolen data:

  • Santander Group (compromise confirmed by the company, without mentioning Snowflake)
  • Live Nation Entertainment subsidiary Ticketmaster (confirmed by the company via SEC 8-K report, Snowflake identified as the third party in question by a Ticketmaster spokesperson)
  • LendingTree confirmed that they’ve been notified by Snowflake that QuoteWizard “may have had data impacted by this incident”
  • Advance Auto Parts (data theft not officially confirmed by the company, but the dark web listing claims that a massive amount of customer and employee info has been stolen)

In the meantime, TechCrunch has found over 500 login credentials and web addresses of login pages for Snowflake environments on “a website where would-be attackers can search through lists of credentials that have been stolen from various sources”.

They confirmed that the login pages are active and say that “several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.”

Snowflake to compel customers to use advanced security controls

On Friday, Snowflake CISO Brad Jones reiterated their (and Mandiant’s and CrowdStrike’s) preliminary findings and said that they “have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” nor “by compromised credentials of current or former Snowflake personnel”.

“We continue to work closely with our customers as they harden their security measures to reduce cyber threats to their business,” Jones said.

“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts.”

Hopefully, the company is also working on minimizing the apparent friction present in their MFA enrollment process.

The shared responsibility model makes MFA enforcement a responsibility of the customers, but it is unfortunate that the implementation of additional security controls wasn’t a prerequisite from the get-go, given that companies house massive amounts of sensitive data in their Snowflake cloud environments, and given how widespread info-stealer use is.

UPDATE (June 10, 2024, 09:30 a.m. ET):

Mandiant has published a rundown of its involvement in the investigation, and has confirmed that there is no evidence pointing to a breach of Snowflake’s enterprise environment.

They also said that they have notified approximately 165 potentially exposed organizations and that most of the credentials used by the threat actor were available from historical infostealer infections.

“UNC5537 was likely able to aggregate credentials for Snowflake victim instances by accessing a variety of different sources of infostealer logs. The underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web,” the analysts noted.

“The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.”
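
The three gaps named in the quote above (no MFA, long-unrotated credentials, no network allow list) can be checked against a user inventory. The following is an added example, not code from the article, Mandiant or Snowflake; the CSV layout, column names and 90-day rotation threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are hypothetical, not a Snowflake schema.
SAMPLE_EXPORT = """\
user,role,mfa_enrolled,password_last_set,network_policy
alice@example.com,ACCOUNTADMIN,false,2020-05-01,
bob@example.com,ANALYST,true,2024-03-15,corp_vpn_only
svc_etl,SYSADMIN,false,2023-11-20,etl_egress
carol@example.com,ANALYST,false,2024-05-30,
"""

PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN"}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy, not a vendor default


def audit(export_text, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return accounts with at least one gap, highest exposure first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        age = (today - date.fromisoformat(row["password_last_set"])).days
        gaps = []
        if row["mfa_enrolled"].strip().lower() != "true":
            gaps.append("no-mfa")
        if age > max_age_days:
            gaps.append("stale-password")
        if not row["network_policy"].strip():
            gaps.append("no-network-policy")
        if not gaps:
            continue
        findings.append({
            "user": row["user"],
            "gaps": gaps,
            "password_age_days": age,
            "privileged": row["role"].strip().upper() in PRIVILEGED_ROLES,
            # Single factor and reachable from any network: a password
            # lifted by an infostealer is enough to log in.
            "exposed": "no-mfa" in gaps and "no-network-policy" in gaps,
        })
    findings.sort(key=lambda f: (not f["exposed"], not f["privileged"],
                                 -f["password_age_days"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, today=date(2024, 6, 10)):
        print(f["user"], f["gaps"], f"{f['password_age_days']}d",
              "PRIVILEGED" if f["privileged"] else "")
```

Accounts that are both single-factor and unrestricted by network sort first, then privileged roles, then oldest password.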

UPDATE (June 11, 2024, 10:05 a.m. ET):

US-based Pure Storage has confirmed that they are among the victims of the attackers, who got ahold of telemetry information – company names, LDAP usernames, email addresses, Purity software release version number – that the company uses to provide customer support services.

“The [Snowflake] workspace did not include compromising information such as passwords for array access, or any of the data that is stored on the customer systems. Telemetry information cannot be used to gain unauthorized access to customer systems,” the company added.

“Pure Storage took immediate action to block any further unauthorized access to the workspace. Additionally, we see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems.”