Snowflake: The Center of a Spate of Alleged Data Thefts
The world of cloud data analysis has been shaken by the recent revelations of alleged data thefts targeting customers of Snowflake, a Boston-based data giant. As corporate clients scramble to understand the implications of this security breach, Snowflake’s reputation is facing intense scrutiny.
Snowflake prides itself on providing its extensive list of corporate clients with sophisticated storage and data analysis solutions. Among its impressive clientele are banks, healthcare providers, and tech companies. These behemoths entrust their valuable data, including sensitive customer records, to Snowflake’s cloud-based systems.
Last week, the Australian government issued a warning in response to the discovery of “successful compromises” of several companies that rely on Snowflake’s services, although the companies themselves have not been named. Cybercriminals on a well-known forum have claimed responsibility for stealing hundreds of millions of customer records from two of Snowflake’s most prominent clients: Santander Bank and Ticketmaster.
Santander has acknowledged that the breached database was hosted by a third-party provider, but has declined to name that provider. However, on Friday, Live Nation, the parent company of Ticketmaster, confirmed that their subsidiary had been hacked and that the stolen database was hosted on Snowflake.
In response, Snowflake released a brief statement admitting that they are aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which ones. However, they maintain that there is no evidence of a direct breach in their systems. Instead, Snowflake claims that the breach was a “targeted campaign directed at users with single-factor authentication.” Hackers used credentials that were “previously purchased or obtained through infostealing malware,” which extracts saved passwords from a user’s computer.
Interestingly, despite the sensitivity of the data that Snowflake holds, they do not enforce the use of multi-factor authentication (MFA) for their customers. This responsibility falls on the individual clients to manage the security of their environments. Some experts believe that this lack of MFA played a significant role in the successful breaches of Snowflake’s clients, as some of them did not implement additional security measures.
In another startling revelation, Snowflake admitted that one of their “demo” accounts was compromised due to a weak security setup. However, they were quick to assure that this account did not contain any sensitive data. It is unclear if this compromised demo account has any involvement in the recent data thefts.
Investigations by TechCrunch this week have uncovered hundreds of allegedly stolen Snowflake customer credentials that are readily available on the web. This discovery suggests that the scope of the breach is far more extensive than initially thought.
These credentials were obtained by infostealing malware, which infected the devices of employees who had access to their company’s Snowflake environment. These employees work as database engineers and data analysts, and references to Snowflake are visible on their LinkedIn profiles.
Snowflake has advised its customers to immediately enable MFA on their accounts to prevent any further data breaches. Until then, accounts that do not have MFA enabled are at risk of compromise through simple password theft and reuse.
How the Data Was Checked
A source with insider knowledge of cybercriminal operations directed TechCrunch to a website that offers access to lists of stolen credentials from various sources. These include infostealing malware and data breaches. (As a precaution, TechCrunch has not included the link to this site to prevent aiding malicious actors.)
TechCrunch has seen more than 500 credentials that include employee usernames, passwords, and the unique web address for their company’s Snowflake environment. These credentials appear to belong to Snowflake’s clients, including Ticketmaster and Santander, among others. Additionally, a former Snowflake employee’s login credentials have also been compromised.
(TechCrunch is not identifying the former employee as there is no evidence of any wrongdoing on their part. Ultimately, the responsibility for implementing and enforcing security policies lies with both Snowflake and its clients.)
TechCrunch has not tested the stolen credentials as doing so would violate the law. It is currently unknown if these credentials are actively in use or if they have led to further breaches. Instead, alternative methods were used to verify the authenticity of the stolen data. This includes checking the login pages of the affected Snowflake environments, which were found to be active at the time of writing.
Each login page has two options for signing in – one with Okta, a single sign-on provider, and the other with a Snowflake username and password. Snowflake’s customer documentation reveals that Okta passwords are used to log in with MFA enabled, while Snowflake passwords are used for accounts without MFA. It is the latter set of credentials that was compromised by the infostealing malware.
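The two-path login described above (Okta with MFA, or a bare Snowflake password without it) is something each customer can audit from inside their own account. The following Snowflake SQL is an added example, not part of the original article and not Snowflake's own published guidance: it lists successful logins that used only a Snowflake password with no second factor, then lists users who still hold a password but are not enrolled in MFA, and finally requires MFA enrollment account-wide, which is the advice Snowflake gave its customers. It assumes a role with access to the SNOWFLAKE database (ACCOUNTADMIN or one granted IMPORTED PRIVILEGES), uses the documented ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.USERS views, and the 30-day window and the policy name REQUIRE_MFA are choices made here; the MFA_ENROLLMENT parameter is assumed to be available on the account.

```sql
-- 1. Successful logins in the last 30 days that used only a Snowflake
--    password: first factor PASSWORD and no second factor. SSO logins via
--    Okta show a different first factor (a SAML assertion), and MFA logins
--    populate second_authentication_factor, so these rows are exactly the
--    single-factor sessions a stolen password would have opened.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Active users who hold a Snowflake password but have not enrolled in
--    MFA (ext_authn_duo = false). Each of these is an account protected by
--    nothing more than a password that infostealer malware could harvest.
SELECT name,
       login_name,
       email,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = false
  AND  has_password = true
  AND  ext_authn_duo::boolean = false
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Require MFA enrollment for all human users at the account level.
--    Assumption: the account supports the MFA_ENROLLMENT parameter of
--    authentication policies; REQUIRE_MFA is a name chosen for this example.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Queries 1 and 2 are the ones to run first: any recent password-only login from an unfamiliar client IP or client type for a user in the second list is worth treating as a suspected compromise (rotate the password, review that user's query history) rather than waiting for the MFA rollout to complete. ACCOUNT_USAGE views lag live activity by up to a few hours, so a time-critical check should also look at the INFORMATION_SCHEMA.LOGIN_HISTORY table function.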
The compromised credentials appear to belong to multiple companies, including Santander, Ticketmaster, pharmaceutical giants, a food delivery service, and a public freshwater supplier. TechCrunch also discovered email addresses and associated usernames and passwords of a former Snowflake employee.
Further evidence suggests that multiple employees who had access to their company’s Snowflake environments had previously had their devices infected with infostealing malware. A check on the breach notification service Have I Been Pwned revealed several corporate email addresses linked to a recent data leak of millions of stolen passwords from various Telegram channels.
Danica Stanczak, a spokesperson for Snowflake, declined to answer specific questions from TechCrunch. She also did not confirm if any of their clients’ data was present in the compromised demo account. In a statement, Snowflake stated that they are “suspending certain user accounts” that show signs of malicious activity.
The company added that, according to their “shared responsibility model,” customers are responsible for implementing MFA for their users. However, they also stated that they are considering all options for MFA enablement, although no plans have been finalized.
Kaitlyn Henrich, a spokesperson for Live Nation, did not provide any further comments on the matter via email.
Santander has not responded to requests for comments.
The Risk of Not Enforcing MFA
The response from Snowflake so far leaves several questions unanswered, but it has already revealed a startling number of companies that never adopted MFA.
However, what is clear is that Snowflake must take some responsibility for not enforcing MFA for its users, which has resulted in the current crisis. Ultimately, Snowflake and their clients are both paying the price for this oversight.
Ticketmaster’s data breach allegedly involves more than 560 million customer records, according to statements from the cybercriminals responsible. (Live Nation has not confirmed the number of compromised records.) If this number is accurate, it would make this breach the biggest in the U.S. so far this year and one of the most significant in recent times.
Unfortunately, Snowflake is not the only company guilty of not prioritizing MFA. Last year, cybercriminals stole about 6.9 million 23andMe customer records by exploiting the lack of MFA on their accounts. As a result, not only did 23andMe require users to enable MFA, but other genetic testing companies followed suit.
Earlier this year, medical tech giant Change Healthcare, owned by UnitedHealth, revealed that their systems had been breached, and vast amounts of sensitive health data were stolen from a system that did not have MFA enabled. The company has not disclosed how many individuals were affected, but it is likely to be a “substantial proportion of people in America.”
If you have any information related to the Snowflake account intrusions, do not hesitate to contact us. You can reach out via Signal, WhatsApp at +1 646-755-8849, or email. You can also send files and documents using SecureDrop.