Snowflake, a cloud data company, is facing a growing security problem as more customer data thefts are being linked to the company. Ticketmaster was the first to attribute its data breach to Snowflake, and now loan comparison site LendingTree has confirmed that its subsidiary, QuoteWizard, had data stolen from Snowflake. While LendingTree stated that consumer financial account information and information of the parent entity were not impacted, the company launched an internal investigation.
Snowflake’s response to the incidents has been somewhat limited. The company maintains that there was no breach of its own systems but acknowledges that customers were not using multi-factor authentication (MFA), a security measure that Snowflake does not enforce or require. Snowflake itself was caught off guard when a former employee’s “demo” account was compromised because it only had a username and password for protection.
TechCrunch discovered that hundreds of Snowflake customer credentials were stolen by password-stealing malware, indicating that there is a risk to customers who have not changed their passwords or enabled MFA. When TechCrunch reached out to Snowflake for more information, the company declined to answer questions on multiple occasions.
The number of affected Snowflake customers is still unknown, and Snowflake has only notified a limited number of customers so far. The company has over 9,800 customers, including tech companies, telcos, and healthcare providers. It is likely that the full extent of the incident is not yet understood.
It remains unclear how soon Snowflake became aware of the intrusions into customer accounts and why the company did not detect the exfiltration of large amounts of customer data until later in May. Incident response firm Mandiant has been helping affected organizations for several weeks, indicating that Snowflake may have known about the issue earlier.
The role of a former employee’s demo account in the customer data breaches is also uncertain. Snowflake claims that the demo account did not contain sensitive data, but the company has not provided a definition of what it considers sensitive data. Snowflake has not proactively reset passwords or required and enforced the use of MFA on its customers’ accounts, which is unusual given the circumstances.
Snowflake is now reportedly moving towards implementing MFA by default and requiring customers to implement advanced security controls. However, no specific timeframe has been provided for this plan.
