Cloud data analytics platform Snowflake announced that it will enforce multi-factor authentication following what might be one of the largest data breaches on record.
This decision was prompted by a breach noticed last month by Hudson Rock analysts, involving a massive data theft from Ticketmaster, Spanish bank Santander, and potentially hundreds of millions of files from Advance Auto Parts—all of whom are Snowflake clients.
Snowflake, a platform that hosts massive datasets for corporations, revealed that hackers had been using stolen credentials to try to infiltrate its customer accounts.
Despite Snowflake launching legal actions against Hudson Rock, forcing them to withdraw their report, the company acknowledged that it was investigating “a targeted threat campaign against some Snowflake customer accounts.” At the same time, TechCrunch reported the discovery of a trove of Snowflake customer passwords online, available to hackers. Snowflake had at first signaled that only a “limited” number of customer accounts were compromised.
However, the news outlet reported that LendingTree’s subsidiary, QuoteWizard, also suffered a data breach at Snowflake. “We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident,” a spokesperson stated.
Data breach reported on BreachForums
Much of the drama involving Snowflake has unfolded on BreachForums, a well-known cybercrime marketplace. This site was shut down by the FBI in mid-May, only to be replaced by a new version. This iteration is allegedly managed by the hacker group ShinyHunters, who claim they are trading 560 million records from Ticketmaster and 30 million from Santander.
Both organizations have acknowledged these data breaches. Ticketmaster has specifically attributed its breach to Snowflake, whereas Santander has reported unauthorized access to a database managed by a third-party provider, without confirming the extent of the breach.
Recently, a BreachForums member posting under the username Sp1d3r has named two additional companies affected by the Snowflake incident. According to Sp1d3r, they hold 3TB of data covering 380 million customers of Advance Auto Parts, along with information on 190 million customers of financial services firm LendingTree and its subsidiary QuoteWizard. BleepingComputer has verified the customer data related to Advance Auto Parts.
🚨UPDATE: Sp1d3r claims to have stolen 3TB of data from @AdvanceAutoParts via Snowflake breach. Allegedly includes 380M customer profiles, 140M order records, and more. Data is up for sale for $1.5M. https://t.co/asHVxtHFyZ #DataBreach #CyberSecurity #Snowflake
— SOCRadar® (@socradar) June 6, 2024
The LendingTree spokesperson said, “We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation.” They added, “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree.”
Snowflake reveals details about threat actors
After acknowledging that accounts had been targeted, Snowflake provided further information about the incident. Brad Jones, the chief information security officer at Snowflake, explained in a post that threat actors used login details that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. He described the incident as a “targeted campaign directed at users with single-factor authentication.”
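The campaign Jones describes, password-only logins with credentials lifted from infected endpoints, leaves a recognisable trace in a Snowflake account's login history. The following is an added example (not code from the article, Snowflake or Mandiant) showing how a defender would triage exported login records for exactly that pattern; the row shape and column names are assumed to match Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, and every row value is constructed.

```python
from collections import defaultdict

# Constructed sample rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view
# (column names are assumed to match that view; every value below is made up).
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-20 08:01", "USER_NAME": "ANALYST_A", "CLIENT_IP": "198.51.100.10",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20 09:15", "USER_NAME": "SVC_LOADER", "CLIENT_IP": "198.51.100.20",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 02:40", "USER_NAME": "SVC_LOADER", "CLIENT_IP": "203.0.113.77",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 02:41", "USER_NAME": "ANALYST_B", "CLIENT_IP": "203.0.113.77",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-21 03:05", "USER_NAME": "ANALYST_C", "CLIENT_IP": "198.51.100.30",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def single_factor_logins(rows):
    """Successful logins that presented only a password and no second factor."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def password_only_users(rows):
    """Users who log in with a password and have never presented a second factor.

    SSO users (SAML first factor) are left out: their MFA is enforced at the IdP.
    """
    seen = defaultdict(set)
    for r in rows:
        if r["IS_SUCCESS"] == "YES" and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD":
            seen[r["USER_NAME"]].add(r["SECOND_AUTHENTICATION_FACTOR"])
    return sorted(u for u, factors in seen.items() if factors == {None})


def shared_source_ips(rows):
    """Source IPs that attempted more than one account, successful or not."""
    users = defaultdict(set)
    for r in rows:
        users[r["CLIENT_IP"]].add(r["USER_NAME"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}
```

On the constructed rows, the service account is the only password-only user, and one source address tried two different accounts within a minute, which is the combination worth escalating before enforced MFA closes the gap.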
In the same post, Jones mentioned that Snowflake, with the help of cybersecurity firms CrowdStrike and Mandiant, found no evidence that the attack was “caused by compromised credentials of current or former Snowflake personnel.” However, he noted that a former employee’s demo accounts were accessed but maintained that they “did not contain sensitive data.”
In a separate blog post, Mandiant reiterated: “Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment.” However, it added that every incident it had responded to in connection with the campaign “was traced back to compromised customer credentials.” ReadWrite reached out to Snowflake; however, the company directed us to Jones’ post for more information.
In addition, the US Cybersecurity and Infrastructure Security Agency has issued an alert concerning the Snowflake incident. Similarly, Australia’s Cyber Security Center has said it is “aware of successful compromises of several companies utilizing Snowflake environments.”
ReadWrite has reached out to Snowflake and Live Nation for comment.
Featured image: Ideogram