What Snowflake isn't telling you about customer data breaches

Snowflake's security troubles are, to put it plainly, snowballing amid a surge in customer data theft.

After Ticketmaster was the first company to link its recent data breach to cloud data company Snowflake, loan comparison site LendingTree has now confirmed that its QuoteWizard subsidiary had data stolen from Snowflake.

“We use Snowflake to run our business and can confirm that our subsidiary QuoteWizard has been notified that their data may have been impacted by this incident,” Megan Greuling, a spokesperson for LendingTree, told TechCrunch.

“We take this matter seriously and began an internal investigation as soon as we heard from (Snowflake),” the spokesperson said. “At this time, it does not appear that consumer financial account information or information from our parent company, LendingTree, has been affected,” the spokesperson added, declining further comment, citing the ongoing investigation.

As more affected customers came forward, Snowflake issued a brief statement on its website saying there had been no breach of its own systems, but rather that its customers had not used multi-factor authentication (MFA). Snowflake does not enforce or require MFA on customer accounts by default. Snowflake itself was caught up in the incident: it said a former employee's “demo” account was compromised because it was protected only by a username and password.

In a statement Friday, Snowflake stood by its position, saying “nothing has changed” so far. Brad Jones, Snowflake's chief information security officer, cited an earlier statement on Sunday that said this was a “targeted campaign targeting users who use single-factor authentication” and that the credentials used had either been stolen by information-stealing malware or obtained from previous data breaches.

The lack of MFA appears to be how cybercriminals were able to download massive amounts of data from Snowflake customer environments that were not protected by an additional layer of security.

Earlier this week, TechCrunch found hundreds of Snowflake customer credentials circulating online after being stolen by password-stealing malware that infected the computers of employees with access to their employer's Snowflake environment. The sheer number of credentials indicates that there is still risk for Snowflake customers who have not yet changed their passwords or enabled MFA.

Throughout the week, TechCrunch sent more than a dozen questions to Snowflake about the ongoing events affecting its customers as we continued to report on the story. Snowflake declined to answer our questions on at least six occasions.

Here are the questions we asked, and why.

It's not yet known how many Snowflake customers are affected or if Snowflake even knows yet.

Snowflake said it has so far notified a “limited number of Snowflake customers” that the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including technology companies, telecommunications companies and healthcare providers.

Snowflake spokeswoman Danica Stanczak declined to say whether the number of affected customers was in the dozens, the hundreds or more.

Although only a handful of customer breaches were reported this week, we are probably only in the early stages of understanding the scale of this incident.

It may not even be clear to Snowflake how many customers are affected, since the company must either rely on its own data, such as logs, or hear directly from affected customers.

It is not known how quickly Snowflake learned of the breaches of customer accounts. A statement from Snowflake said it became aware on May 23 of “threat activity” involving access to customer accounts and downloads of their contents, but later found evidence of intrusions dating back to an unspecified period in mid-April. Snowflake has its own data to go on.

But this leaves open questions about why Snowflake failed to detect large amounts of customer data being exfiltrated from its servers until late May, and if it did detect it, why Snowflake didn't publicly warn customers sooner.

Mandiant, the incident response company that Snowflake brought in to help its customers, told Bleeping Computer in late May that it had already been helping affected organizations for “several weeks.”

We don't yet know what was in the former Snowflake employee's demo account or whether it had anything to do with the customer data breach.

The relevant part of Snowflake's statement reads: “We found evidence that threat actors obtained personal credentials and accessed demo accounts of former Snowflake employees. No sensitive data was included.”

According to a review by TechCrunch, the stolen customer credentials linked to the information-stealing malware also included credentials of people who were Snowflake employees at the time.

As previously mentioned, TechCrunch is not naming the employee because it is unclear whether the employee did anything wrong. The fact that Snowflake did not enforce MFA, allowing cybercriminals to download data from a then-employee's “demo” account using only a username and password, highlights a fundamental problem with Snowflake's security model.

However, it is still unclear what role these demo accounts played in the customer data thefts, because we don't yet know what data was stored in them, or whether that included data belonging to Snowflake's other customers.

Snowflake declined to reveal what role the demo accounts of then-Snowflake employees played in the recent customer breaches. Snowflake has reiterated that the demo account “does not contain any sensitive data,” but has repeatedly declined to specify how the company defines “sensitive data.”

We asked whether Snowflake considers individuals' personally identifiable information to be sensitive data. Snowflake declined to comment.

It's unclear why Snowflake didn't proactively reset passwords or require and enforce the use of MFA on customer accounts.

It is not uncommon for businesses to force customers to reset their passwords after a data breach. But if you ask Snowflake, there was no breach. While this may be true in the sense that Snowflake's central infrastructure was not visibly compromised, Snowflake's customers are experiencing a wave of breaches.

What Snowflake advises customers to do is reset and replace their Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that the security of customer accounts is the customers' own responsibility: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA along with their users.”
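One way a Snowflake customer could audit for the password-only logins described here and contain a suspect account, as an added example that is not from the article or from Snowflake's own guidance. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share (e.g. ACCOUNTADMIN); the 45-day window, the user name and the IP range are placeholders.

```sql
-- Added example; not part of the article or of Snowflake's guidance.
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE. Note that these views
-- lag live activity by up to a few hours, so re-run for the most recent window.

-- 1. Users who recently authenticated with a password and no second factor,
--    i.e. the population exposed to replay of credentials stolen by infostealers.
--    The 45-day window is a placeholder chosen to reach back to mid-April.
SELECT user_name,
       COUNT(*)                  AS single_factor_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -45, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY single_factor_logins DESC;

-- 2. Among those logins, flag (user, source IP) pairs never seen before the window.
--    A replayed credential usually arrives from a host the user never used.
SELECT lh.user_name,
       lh.client_ip,
       lh.reported_client_type,
       MIN(lh.event_timestamp) AS first_seen
FROM snowflake.account_usage.login_history AS lh
WHERE lh.is_success = 'YES'
  AND lh.second_authentication_factor IS NULL
  AND lh.event_timestamp >= DATEADD('day', -45, CURRENT_TIMESTAMP())
  AND NOT EXISTS (
        SELECT 1
        FROM snowflake.account_usage.login_history AS prior
        WHERE prior.user_name = lh.user_name
          AND prior.client_ip = lh.client_ip
          AND prior.event_timestamp < DATEADD('day', -45, CURRENT_TIMESTAMP()))
GROUP BY lh.user_name, lh.client_ip, lh.reported_client_type
ORDER BY first_seen;

-- 3. Containment for a user whose credential is suspected stolen
--    (SUSPECT_USER and the CIDR are placeholders):
ALTER USER suspect_user ABORT ALL QUERIES;      -- stop in-flight exfiltration
ALTER USER suspect_user RESET PASSWORD;         -- invalidates the stolen password
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');         -- placeholder corporate egress range
ALTER USER suspect_user SET NETWORK_POLICY = corp_only;
```

Step 3 restricts one account; applying the network policy at the account level (ALTER ACCOUNT SET NETWORK_POLICY) and requiring MFA enrollment for every human user is the broader fix the article says Snowflake is now planning.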

However, since these thefts of Snowflake customer data have been linked to the use of stolen usernames and passwords on accounts that are not MFA-protected, it is unusual that Snowflake has not intervened on behalf of its customers to secure their accounts through password resets or forced MFA.

There is precedent. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that were not MFA-protected. 23andMe reset user passwords as a precaution to prevent further scraping attacks and required all user accounts to use MFA thereafter.

We asked Snowflake if the company plans to reset passwords for customer accounts to prevent further intrusions. Snowflake declined to comment.

According to tech news site Runtime, which interviewed Snowflake CEO Sridhar Ramaswamy this week, Snowflake appears to be moving toward enabling MFA by default. Snowflake's CISO Jones confirmed this in an update on Friday.

“We are developing plans to require customers to implement advanced security controls, such as multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” Jones said.

No time frame was given for the plans.
