Info of 2.3+ million individuals stolen in Advance Auto Parts data breach
Personal information of over 2.3 million individuals has been stolen by attackers as part of the massive data grab via compromised Snowflake accounts without MFA protection, Advance Auto Parts has confirmed by filing notices with the attorney general offices in several US states.
In May, the company notified the US Securities and Exchange Commission of the compromise without naming Snowflake (a US-based cloud data storage and analytics company) as the third party hosting the data.
What kind of data was compromised?
The data breach notices sent out to affected Advance Auto Parts customers say that the threat actor exfiltrated their personal information: name, Social Security number, driver’s license or other government-issued identification number, and date of birth.
“This information was collected as part of the Advance Auto Parts job application process,” they explained, and offered affected persons credit monitoring and identity restoration services free of charge.
160+ organizations breached via Snowflake accounts without MFA protection
From the very beginning, Snowflake had maintained that customers’ accounts were compromised and their databases pilfered by leveraging compromised credentials for accounts that did not have multi-factor authentication (MFA) implemented.
Subsequent investigations by Mandiant and CrowdStrike have confirmed that the company’s systems were not breached or accessed by exploiting a vulnerability or misconfiguration, and that “most of the credentials used by the threat actor were available from historical infostealer infections.”
“The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations,” Mandiant’s analysts said.
Approximately 165 Snowflake customers have been affected in this attack, including TicketMaster, Santander Group, LendingTree, and Advance Auto Parts.
Lessons learned
While it was the customers’ duty to properly secure their accounts, security researcher Kevin Beaumont has pointed out that the company has not made it very easy to enable MFA (organization-wide), and that there is no policy to block users without MFA.
This incident has finally forced Snowflake to do something about it: Snowflake CISO Brad Jones and principal product manager Anoosh Saboori announced on Tuesday that the company has introduced:
- A new authentication policy that allows enterprise admins to require MFA for all users in a Snowflake account
- Snowsight (the Snowflake web interface) prompting users to set up MFA on their accounts. “This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user.”
- The capability for admins to monitor adherence to MFA policies via the Snowflake Trust Center
The Snowsight MFA prompt (Source: Snowflake)
“Soon, Snowflake will require MFA for all human users in newly created Snowflake accounts. We recommend that all customers start using MFA authentication policies and Trust Center now to prepare their environments, and watch for additional features in the coming months,” they added.
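The three gaps Mandiant's analysts named (no MFA requirement, credentials unrotated for years, no network allow list) map directly onto the controls described above. The following Snowflake SQL is an added example, not Snowflake's or the article's own code: it creates an account-level authentication policy that requires MFA enrollment, adds a network policy as an allow list, and then audits for the conditions the investigators found. The database, schema and policy names, the 203.0.113.0/24 range and the 90-day rotation threshold are assumed placeholders; the ACCOUNT_USAGE column names are as documented by Snowflake.

```sql
-- Assumed: a dedicated database/schema owned by the security team holds policy objects.
USE SCHEMA security_db.policies;

-- 1. Require MFA for every user in the account (the "authentication policy"
--    capability referred to above). MFA_ENROLLMENT = REQUIRED makes Snowsight
--    force enrollment instead of showing the dismissible three-day prompt.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Require MFA for all human users (constructed example policy)';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2. Limit access to trusted locations, the "network allow list" Mandiant noted
--    was missing. 203.0.113.0/24 is a documentation range standing in for the
--    organisation's own egress addresses.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress may reach this account (constructed example)';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Audit for the exact exposure described in the article: active password
--    users with no MFA, or whose password has not been rotated in 90 days
--    (assumed threshold; the breached accounts went up to four years).
SELECT name,
       has_mfa,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  (has_mfa = FALSE
        OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY password_last_set_time;

-- 4. Detection: successful logins in the last 7 days that completed with only
--    one factor. Each row is a user the policy has not yet caught, with the
--    source IP to compare against the allow list.
SELECT event_timestamp,
       user_name,
       client_ip,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

ACCOUNT_USAGE views lag live state by up to a couple of hours, so treat the audit queries as a periodic report rather than a real-time gate; the policies themselves take effect at the next login.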