Snowflake Breach

Not a Breach but an Incident Due to Compromised Passwords

Snowflakes has become the latest corporate victim in a successful cyberattack but how it is playing out is a little different than many breaches. It appears that Snowflake itself was not breached, but some of their customer accounts were breached because they were using compromised passwords and were not using MFA.

Every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.- Mandiant.

The incidents were first detected on April 14th, with Snowflake publicly acknowledging the incident on June 2nd through a statement issued in collaboration with two third-party cybersecurity firms. According to Snowflake, attackers exploited stolen username and password pairs, known as compromised credentials, to gain unauthorized access to Snowflake’s customer accounts.

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware,” Snowflake said

Based in Bozeman, Montana, USA, Snowflake Inc. is a prominent cloud computing-based data cloud company established in July 2012. It offers global services in cloud-based data storage and analytics, widely used across various industries under the model of “data-as-a-service.”

Mandiant, Google’s incident response team, assisted Snowflake in investigating the breach, revealing that the criminal group responsible is utilizing stolen customer data for extortion and attempting to sell it on illicit online platforms. The breach has affected approximately 165 customer accounts.

“…systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims…” Mandiant

The attackers reportedly gained entry through SnowSight, Snowflake’s web-based user interface, gaining entry by simply using passwords that were already exposed, collected and traded online.

“Mandiant said it knows of up to 10 Snowflake customers who have received ransom demands of $300,000 to $5 million each from the attackers, a group it’s been tracking under the codename UNC5537, since first detecting the campaign in April.” reported Bloomberg.

Among the known impacted Snowflake customers are Advance Auto Parts, Santander, TicketMaster, Jollibee, and potentially Lending Tree.

Snowflake’s other customers include Adobe, Albertsons Companies, AT&T, Be The Match, Citi, Capital One, Deliveroo, Dropbox, Doordash, Exxon Mobil Adobe, HP, Instacart, JetBlue, KFC, Kraft Heinz, Mastercard, McKesson, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Pitney Bowes, Santander, Siemens, TicketMaster, University of Notre Dame, US Foods, Western Union, Yamaha, and many more.  It is unclear at this time which customers were using the SnowSight tool and which ones will be impacted.

As of January 31, 2024, Snowflake boasted over 9,400 customers, including 691 from the Forbes Global 2000 and nearly 30% of Fortune 500 companies. Notably, Adobe, Albertsons Companies, AT&T, and others are prominent clients, although the specific impact on each remains unclear.

When a B2B company that offers, manages, or secures IT systems or infrastructure for other organizations experiences a successful account takeover attack, it can have dire consequences in the security of the customer account.

So, what do you do as a business to protect your organization? 

It is imperative for businesses to implement multi-factor authentication (MFA) and regularly screen for compromised passwords to enhance the first factor of MFA. Failure to address compromised passwords exposes companies to heightened vulnerability, with 77% of web app compromises being executed through the use of stolen credentials according to Verizon DBIR. Therefore, proactive measures such as MFA paired with compromised password screening are essential safeguards for protecting sensitive systems and data.

It’s crucial not to overlook something as fundamental as compromised passwords, which can serve as an entry point for attackers into your systems. Tech, software, and cybersecurity firms must regularly screen all accounts—including those of users, administrators, employees, and anyone accessing sensitive systems—for compromised credentials. Implementing these straightforward measures can significantly reduce the risk of breaches.

By neglecting to address compromised passwords, your company becomes more vulnerable to potential attacks. Take proactive steps to enhance security and protect against unauthorized access.

AUTHOR

Kristen RH Wilson

Kristen is the co-founder and CEO of Enzoic. She is passionate about helping organizations protect their customers and employees from account takeover. She also works as an advisor to numerous startups. In her free time, she enjoys hiking, skiing, traveling, scuba diving, paddle boarding, and cooking. She lives in Boulder Colorado with her husband and pets.

*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/snowflake-breach/