LendingTree subsidiary QuoteWizard and automotive parts provider Advance Auto Parts have been revealed as victims of attackers who are trying to sell data stolen from Snowflake-hosted cloud databases.
Snowflake says that their investigation is still ongoing, but continues to stand by the preliminary results: the attackers accessed customer accounts secured with single-factor authentication by leveraging credentials “previously purchased or obtained through infostealing malware.”
Snowflake customers suffering data breaches
US-based Snowflake is a cloud data storage and analytics company with 9,800+ global customers, including Mastercard, Honeywell, Pfizer, Wolt, Adobe, and others.
Ten days ago, it was revealed that a threat actor has been stealing data from organizations that use the Snowflake cloud-based platform, and that the attacks began in April 2024.
According to Snowflake, a “limited” number of customers have been affected, due to compromised account credentials and lack of multi-factor authentication. (They did not say the exact number nor, understandably, name the affected customers.)
The names of some of the victims have been revealed when attackers posted offers to sell the stolen data:
- Santander Group (compromise confirmed by the company, without mentioning Snowflake)
- Live Nation Entertainment subsidiary TicketMaster (confirmed by the company via SEC 8-K report, Snowflake identified as the third party in question by a Ticketmaster spokesperson)
- LendingTree confirmed that they’ve been notified by Snowflake that QuoteWizard “may have had data impacted by this incident”
- Advance Auto Parts (data theft not officially confirmed by the company, but the dark web listing claims that a massive amount of customer and employee info has been stolen)
In the meantime, Tech Crunch has found over 500 login credentials and web addresses of login pages for Snowflake environments on “a website where would-be attackers can search through lists of credentials that have been stolen from various sources”.
They confirmed that the login pages are active and say that “several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.”
It seems that we’ll soon be hearing about many other companies that have had their data stolen from their Snowflake databases.
Snowflake to compel customers to use advanced security controls
On Friday, Snowflake CISO Brad Jones reiterated their (and Mandiant’s and Crowdstrike’s) preliminary findings and said that they “have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” nor “by compromised credentials of current or former Snowflake personnel”.
“We continue to work closely with our customers as they harden their security measures to reduce cyber threats to their business,” Jones said.
“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts.”
Hopefully, the company is also working on minimizing the apparent friction present in their MFA enrollment process.
The shared responsibility model makes MFA enforcement a responsibility of the customers, but it is unfortunate that the implementation of additional security controls wasn’t a prerequisite from the get-go, given that companies house massive amounts of sensitive data in their Snowflake cloud environments, and given how widespread info-stealer use is.