Data Theft Scandal Hits Cloud Analysis Company Snowflake as Customers Face Compromised Cloud Data

Snowflake, a cloud data analysis company based in Boston, has recently been at the center of alleged data theft incidents. The company’s corporate customers, including banks, healthcare providers, and tech companies, are scrambling to determine if their cloud data has been compromised.

Last week, Australian authorities issued a warning about successful compromises of several companies using Snowflake environments. Hackers claimed on a cybercrime forum that they had stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two major Snowflake customers. Santander confirmed a breach of a database hosted by a third-party provider, which was later revealed to be Snowflake. Live Nation also confirmed that its Ticketmaster subsidiary was hacked, with the stolen database hosted on Snowflake.

Snowflake acknowledged the potentially unauthorized access to a limited number of customer accounts. It attributed the breach to a targeted campaign directed at users with single-factor authentication. Hackers used previously purchased or obtained infostealing malware to scrape users’ saved passwords from their computers.

One critical issue highlighted by these breaches is that Snowflake does not enforce the use of multi-factor authentication (MFA) for its customers. Each customer manages the security of their environments. Some customers set up their environments without enabling MFA, making it easier for cybercriminals to obtain large amounts of data.

TechCrunch discovered hundreds of alleged Snowflake customer credentials available online for cybercriminals to exploit. These credentials were stolen by infostealing malware that infected employees’ computers with access to Snowflake environments. Some of these credentials belong to employees at well-known Snowflake customers, including Ticketmaster and Santander.

In response, Snowflake urged its customers to immediately enable MFA for their accounts. Accounts not enforcing MFA are at risk of compromise through password theft and reuse.

TechCrunch verified the authenticity of more than 500 exposed credentials linked to Snowflake environments belonging to various companies. These include Santander, Ticketmaster, pharmaceutical giants, a food delivery service, and a public freshwater supplier. TechCrunch also found exposed usernames and passwords allegedly belonging to a former Snowflake employee.

The credentials were checked by examining the listed Snowflake customer login pages. These pages were publicly accessible, even if not searchable online. Snowflake environments that relied on Okta for single sign-on redirected to Live Nation and Santander sign-in pages. Other environments allowed users to log in with just their Snowflake username and password, depending on whether MFA was enforced.

There is evidence to suggest that several employees with Snowflake access had their computers compromised by infostealing malware. Many corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords.
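The two weaknesses described above (MFA left to each customer's discretion, and corporate usernames showing up in credential dumps) are things an account owner can audit from their own login records. The following is an added example, not code from the article or from Snowflake. Its record layout mirrors the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, CLIENT_IP, REPORTED_CLIENT_TYPE, IS_SUCCESS), which is an assumption about the export; every row, username, IP address and the leaked-username list are constructed. It flags users with successful password-only logins, escalates them when the username also appears in a dump, and keeps SSO-federated logins in a separate bucket because their second factor is enforced at the identity provider rather than recorded by Snowflake.

```python
"""Triage of Snowflake-style login records for password-only access.

Added example, not the article's or Snowflake's code. Field names mirror the
ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption); all data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    client_ip: str
    reported_client_type: str
    first_factor: str               # e.g. "PASSWORD" or "SAML2"
    second_factor: Optional[str]    # None when no second factor was presented
    is_success: bool


# Constructed sample rows, shaped like an export of the login-history view.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("alice@example.com", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("bob@example.com", "203.0.113.11", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent("bob@example.com", "198.51.100.7", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent("carol@example.com", "203.0.113.12", "SNOWFLAKE_UI", "SAML2", None, True),
    LoginEvent("svc_etl", "192.0.2.44", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent("dave@example.com", "198.51.100.9", "SNOWFLAKE_UI", "PASSWORD", None, False),
]

# Constructed: usernames that a credential-dump check returned for this tenant.
LEAKED_USERNAMES: Set[str] = {"bob@example.com", "dave@example.com"}

# Lower number sorts first in the triage output.
SEVERITY = {"critical": 0, "high": 1, "watch": 2, "sso_review": 3, "ok": 4}


def password_only_users(events: Iterable[LoginEvent]) -> Set[str]:
    """Users with at least one successful login that used a password and nothing else."""
    return {
        e.user_name for e in events
        if e.is_success and e.first_factor == "PASSWORD" and e.second_factor is None
    }


def classify(user: str, user_events: List[LoginEvent], leaked: Set[str]) -> str:
    """Assign one risk label to a user from their own login events."""
    successes = [e for e in user_events if e.is_success]
    pw_only = any(e.first_factor == "PASSWORD" and e.second_factor is None for e in successes)
    if pw_only and user in leaked:
        return "critical"      # single-factor access AND the credential is known to be exposed
    if pw_only:
        return "high"          # single-factor access; enable MFA before anything else
    if user in leaked:
        return "watch"         # exposed credential but no successful password-only login seen yet
    # Federated (non-password) first factor: MFA is the identity provider's job, so a
    # missing second factor here is not by itself a finding. Confirm it at the IdP.
    if any(e.first_factor != "PASSWORD" and e.second_factor is None for e in successes):
        return "sso_review"
    return "ok"


def triage(events: Iterable[LoginEvent], leaked: Set[str]) -> List[Dict[str, object]]:
    """Group events per user, classify, and return rows sorted worst-first."""
    by_user: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user_name].append(e)
    rows: List[Dict[str, object]] = []
    for user, evs in by_user.items():
        rows.append({
            "user": user,
            "risk": classify(user, evs, leaked),
            # Source IPs and client types of successful logins: a new driver or a
            # new network for a password-only user is what an analyst looks at next.
            "client_ips": sorted({e.client_ip for e in evs if e.is_success}),
            "client_types": sorted({e.reported_client_type for e in evs if e.is_success}),
        })
    rows.sort(key=lambda r: (SEVERITY[str(r["risk"])], str(r["user"])))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, LEAKED_USERNAMES):
        print(f'{row["risk"]:<10} {row["user"]:<20} ips={row["client_ips"]} clients={row["client_types"]}')
```

Run as-is to see the constructed cases ranked; in practice the list is built from an export of the login-history view for the audit window, and the `LEAKED_USERNAMES` set comes from whatever breach-monitoring feed the organisation already uses. The `sso_review` bucket exists so that federated users are not mistaken for unprotected ones, and so that the audit does not stop at Snowflake when the real MFA control lives in the identity provider.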

Snowflake’s response to the data breaches has left many questions unanswered. The company is partially responsible for not requiring its users to enable MFA, and it is now facing the consequences, along with its customers.

The Ticketmaster breach, allegedly involving over 560 million customer records, would be the largest data breach in the US this year if proven true. Snowflake joins a list of companies that have experienced significant security incidents and data breaches due to the lack of MFA. For example, genetic testing company 23andMe suffered a data breach last year, prompting them and their competitors to require users to enable MFA by default.

In another incident earlier this year, hackers broke into the systems of Change Healthcare, a health tech giant owned by UnitedHealth. The hackers stole large amounts of sensitive health data from a system without MFA. The company has not disclosed the exact number of individuals affected but stated that it is likely to impact a substantial proportion of people in America.

The recent breaches involving Snowflake highlight the importance of implementing robust security measures like MFA to protect sensitive data. It’s crucial for both Snowflake and its customers to prioritize security to prevent intrusions resulting from employee credential theft.