Hundreds of Snowflake customer passwords found online linked to information-stealing malware

Cloud data analytics company Snowflake is at the center of a recent surge in data theft allegations as enterprise customers scramble to determine if their cloud data stores have been compromised.

Snowflake helps some of the largest global enterprises, including banks, healthcare providers, and technology companies, store and analyze massive amounts of data, such as customer data, in the cloud.

Last week, Australian authorities warned that they were aware of “successful compromises by multiple companies leveraging the Snowflake environment,” without naming the companies. Hackers claimed on known cybercrime forums that they had stolen hundreds of millions of customer records from two of Snowflake's biggest customers, Santander Bank and Ticketmaster. Santander confirmed the breach of a database “hosted by a third-party provider” but did not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary had been hacked and that the stolen database was hosted on Snowflake.

Snowflake acknowledged in a brief statement that it was aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which accounts, but said it had found no evidence of a direct breach of its own systems. Rather, Snowflake called it a “targeted campaign targeting users using single-factor authentication,” in which hackers used credentials that were “previously purchased or obtained through information-stealing malware” designed to scrape passwords stored on users' computers.

Despite the sensitive data Snowflake holds for its customers, Snowflake leaves each customer to manage the security of its own environment and does not automatically enroll customers in, or require them to use, multi-factor authentication (MFA), according to Snowflake's customer documentation. Not enforcing MFA appears to have allowed cybercriminals to acquire massive amounts of data from some Snowflake customers, some of whom set up their environments without any additional security measures in place.

Snowflake acknowledged that one of its “demo” accounts was compromised because it was not protected beyond a username and password, but claimed the account “did not contain sensitive data.” It's unclear what role stolen demo accounts played in the recent breach.

TechCrunch this week identified hundreds of Snowflake customer credentials that cybercriminals could have used as part of a hacking campaign, suggesting the risk of Snowflake customer account compromises may be much more widespread than first realized.

The credentials were stolen by information-stealing malware that infected the computers of employees who access their employer's Snowflake environment.

Some of the credentials seen by TechCrunch appear to belong to employees of companies known to be Snowflake customers, including Ticketmaster and Santander. Employees with Snowflake access include database engineers and data analysts, some of whom mention their experience using Snowflake on their LinkedIn pages.

Snowflake has instructed customers to enable MFA on their accounts immediately. Until they do, Snowflake accounts that do not log in using MFA are at risk of having their stored data compromised by simple attacks such as password theft and password reuse.

How the data was verified

A source with knowledge of cybercrime activity pointed TechCrunch to a website where would-be attackers can search lists of stolen credentials gathered from a variety of sources, including information-stealing malware on other people's computers and previous data breaches. (To avoid assisting malicious actors, TechCrunch is not linking to sites that may host stolen credentials.)

In total, TechCrunch identified more than 500 credentials that included employee usernames and passwords, along with the web address of the login page for that Snowflake environment.

The exposed credentials appear to be associated with Snowflake environments belonging to Santander, Ticketmaster, at least two large pharmaceutical companies, a food delivery service, a publicly operated fresh water provider, and others. We also confirmed that a username and password believed to belong to a former Snowflake employee were exposed.

TechCrunch is not naming the former employee because there is no evidence he did anything wrong. (It is ultimately the responsibility of both Snowflake and its customers to implement and enforce security policies that prevent breaches resulting from employee credential theft.)

TechCrunch did not test the stolen usernames and passwords, as doing so would be illegal. It is therefore unknown whether the credentials are currently in active use or have directly led to account compromises or data theft. Instead, we tried to verify the authenticity of the exposed credentials in other ways, including by identifying the individual Snowflake environment login pages that the information-stealing malware had exposed. Those pages were still active and online at the time of writing.

The credentials we saw include employees' email addresses (or usernames), passwords, and the unique web address for logging into the company's Snowflake environment. We checked the web addresses of the Snowflake environments (which often consist of random letters and numbers) and found that the listed Snowflake customer login pages were publicly accessible, even though they could not be found through search engines.

TechCrunch was able to confirm which company each Snowflake environment belonged to, and thus whose employee logins had been compromised, because every login page we checked offered two separate ways to log in.

One way to sign in is through Okta, a single sign-on provider that lets Snowflake users log in with their company's corporate credentials, protected by MFA. Our checks showed that these Snowflake login pages redirected to Live Nation (for Ticketmaster) and Santander login pages. We also found that the Okta login option for the set of Snowflake employee credentials still redirected to an internal Snowflake login page that no longer exists.

The other login option lets a user sign in with only their Snowflake username and password, unless the enterprise customer enforces MFA on the account, as detailed in Snowflake's own support documentation. It is these username-and-password credentials that appear to have been stolen by the information-stealing malware on employees' computers.
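As an added example that is not part of the TechCrunch article and not Snowflake's own guidance, the following SQL shows how a Snowflake account administrator could check for the exposure described above (users who can still log in with a password alone, and recent single-factor logins that a replayed stolen password would look like) and contain a user whose credentials have turned up in a stealer dump. The view and column names are from Snowflake's documented ACCOUNT_USAGE schema; the user name and IP range are placeholders.

```sql
-- Added example (not from the article or from Snowflake): defender-side checks an
-- account administrator can run in a Snowflake worksheet with the ACCOUNTADMIN role.
-- The ACCOUNT_USAGE views exist in every Snowflake account but lag live activity
-- (Snowflake documents a latency of up to about two hours for these views).

-- 1. Users who can still log in with a password alone: they have a password,
--    are enabled, and have not enrolled in Snowflake's built-in (Duo) MFA.
SELECT name, login_name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days where a password was the only factor.
--    A stolen password replayed by someone else produces exactly such a row, so the
--    client IP and client type are what distinguish the employee from an intruder.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Per-user count of source addresses for those single-factor logins: a user
--    whose password suddenly logs in from many new addresses deserves a closer look.
SELECT user_name,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY user_name
HAVING COUNT(DISTINCT client_ip) > 3
ORDER BY distinct_ips DESC;

-- 4. Containment for a user whose credentials appeared in a stealer dump: disable the
--    user, rotate the password with a forced change on next login, and restrict the
--    whole account to known corporate addresses. SUSPECT_USER, the password and the
--    IP range are placeholders.
ALTER USER SUSPECT_USER SET DISABLED = TRUE;
ALTER USER SUSPECT_USER SET PASSWORD = '<new-random-password>' MUST_CHANGE_PASSWORD = TRUE;
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');  -- placeholder range
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Queries 1 and 2 together answer the two questions the article raises for any Snowflake customer: which accounts are still reachable with nothing more than a password, and whether any of those passwords have already been used. The network policy in step 4 is a compensating control while MFA enrollment is rolled out; it does not replace it, because an attacker running a stealer on an employee's laptop is already inside the corporate address range.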

It is unclear when the employees' credentials were stolen or how long they had been online.

There is some evidence to suggest that the computers of several employees with access to their company's Snowflake environment had previously been compromised by information-stealing malware. A check against breach notification service Have I Been Pwned showed that several of the corporate email addresses used as usernames to access Snowflake environments appear in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used to share stolen credentials.

Snowflake spokeswoman Danica Stanczak declined to answer specific questions from TechCrunch, including whether customer data was found in the Snowflake employee's demo account. “We are suspending certain user accounts where there are strong indications of malicious activity,” Snowflake said in a statement.

Snowflake added: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA along with their users.” A spokesperson said Snowflake is “considering all options for enabling MFA, but has not confirmed any plans at this time.”

When contacted by email, Live Nation spokeswoman Kaitlyn Henrich had no comment by press time.

Santander did not respond to a request for comment.

Missing MFA leads to massive breaches

Snowflake's response so far has left many questions unanswered and has left exposed countless companies that are not benefiting from the protection MFA provides.

What is clear is that Snowflake bears at least some responsibility for not requiring users to turn on security features, and it is now sharing that responsibility with its customers.

Ticketmaster's data breach reportedly involved more than 560 million customer records, according to the cybercriminals who advertised the data online. (Live Nation did not say how many customers were affected by the breach.) If confirmed, the Ticketmaster breach would be the largest U.S. data breach of the year and one of the largest in recent history.

Snowflake is the latest company in a string of high-profile security incidents and large-scale data breaches attributed to a lack of MFA.

Last year, cybercriminals scraped the records of about 6.9 million customers from 23andMe accounts that were not protected by MFA, prompting the genetic testing company and its competitors to require users to enable MFA by default to prevent repeat attacks.

And earlier this year, Change Healthcare, a health technology giant owned by UnitedHealth, admitted that hackers had broken into its systems and stolen massive amounts of sensitive health data from systems that were not protected by MFA. The healthcare giant has not yet revealed how many individuals' information has been compromised, but said it likely affects “a significant percentage of people in the United States.”
