Snowflake’s security problems are, for want of a better phrase, snowballing in the wake of a recent spate of customer data thefts.
After Ticketmaster became the first company to link a recent data breach to cloud data company Snowflake, loan comparison site LendingTree has now confirmed that data from its subsidiary QuoteWizard was stolen from Snowflake.
“We can confirm that we use Snowflake for business operations and they notified us that data from our subsidiary QuoteWizard may have been impacted by the incident,” LendingTree spokesperson Megan Greuling told TechCrunch.
“We take these matters seriously and, [following Snowflake’s notification], have promptly launched an internal investigation,” the spokesperson said. “As of now, consumer financial account information and data from parent company LendingTree do not appear to have been affected,” the spokesperson added. The spokesperson declined to comment further, citing the ongoing investigation.
As more affected customers came forward, Snowflake said little beyond a brief statement on its website, reiterating that no data breach occurred on its own systems but rather that its customers were not using multi-factor authentication (MFA), a security measure that Snowflake does not force or require its customers to enable by default. Snowflake itself was affected by the incident, saying that a former employee’s “demo” account was compromised because the account was protected only by a username and password.
In a statement on Friday, Snowflake stood by its tough response so far, saying its position “remains unchanged.” Citing its earlier statement on Sunday, Snowflake Chief Information Security Officer Brad Jones said it was a “targeted campaign directed at users with single-factor authentication” that used credentials stolen by information-stealing malware or obtained from earlier data breaches.
The lack of MFA appears to be the reason cybercriminals were able to download large amounts of data from Snowflake customer environments that were not protected by an additional layer of security.
TechCrunch found earlier this week that hundreds of Snowflake customer credentials had been stolen and posted online by password-stealing malware that infected the computers of employees with access to their employer’s Snowflake environment. The number of credentials indicates that Snowflake customers who have not changed their passwords or enabled MFA are still at risk.
Throughout the week, as we continued to report on the incident, TechCrunch sent Snowflake more than a dozen questions about the ongoing incident affecting its customers. Snowflake declined to answer our questions at least six times.
These are some of the questions we asked, and why.
It is unclear how many Snowflake customers were affected, or whether Snowflake knows.
Snowflake said it has so far notified a “limited number of Snowflake customers” that the company believes may have been affected. Snowflake says on its website that it has more than 9,800 customers, including technology companies, telecommunications companies and health care providers.
Snowflake spokesperson Danica Stanczak declined to say whether the number of affected customers was in the dozens, hundreds or more.
While some customer breaches were reported this week, we are likely only in the early stages of understanding the scale of this incident.
Even Snowflake may not know how many customers were affected, since the company would either have to rely on its own sources, such as logs, or hear directly from affected customers.
It is unclear how long it took Snowflake to learn that its customers’ accounts had been compromised. Snowflake’s statement said it became aware of “threat activity” (accessing customer accounts and downloading their contents) on May 23, but later found evidence of intrusions dating back to mid-April, a more specific timeframe, which suggests the company does have some data to rely on.
But that also leaves open the question of why Snowflake did not discover until late May that large amounts of customer data had been taken from its servers, or, if it did know, why it did not publicly alert customers sooner.
Snowflake hired incident response firm Mandiant to help its customers, and the company told Bleeping Computer in late May that it had been assisting affected organizations for “several weeks.”
We still do not know what was in the former Snowflake employee’s demo account, or whether it was related to the customer data thefts.
A key line from Snowflake’s statement is: “We did find evidence that a threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee. It did not contain sensitive data.”
According to TechCrunch’s review, some of the stolen customer credentials associated with the infostealing malware included those of then-Snowflake employees.
As we noted before, TechCrunch is not naming the employee because it is unclear whether they did anything wrong. The fact that Snowflake was tripped up by the same lack of MFA enforcement that let cybercriminals download data from a then-employee’s “demo” account using only a username and password highlights a fundamental problem in Snowflake’s security model.
But it is unclear what role, if any, the demo account played in the customer data thefts, because it is not clear what data was stored in it or whether it contained data from other Snowflake customers.
Snowflake declined to say what role, if any, the then-employee’s demo account played in the recent customer breaches. Snowflake reiterated that demo accounts “contain no sensitive data,” but repeatedly declined to say how the company defines “sensitive data.”
We asked Snowflake whether it considers a person’s personally identifiable information to be sensitive data. Snowflake declined to comment.
It is unclear why Snowflake did not proactively reset passwords or require and enforce MFA on its customers’ accounts.
It is not unusual for companies to force customer password resets after a data breach. But if you ask Snowflake, you will find that no breach occurred. While that may be true in the sense that its core infrastructure was not visibly compromised, Snowflake’s customers were severely affected.
Snowflake’s advice to customers is to reset and rotate their Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers must take responsibility for their own security: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.”
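For a Snowflake account administrator acting on that advice, the queries below show how to find password-only logins and users without MFA, then invalidate a possibly stolen password. This is an added example, not code from the article or from Snowflake; it assumes the ACCOUNTADMIN role and the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY and USERS with the column names used here, which should be checked against your own account.

```sql
-- Added example (not from the article). Assumes the ACCOUNTADMIN role and the
-- SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY / USERS views with these column names;
-- confirm them in your account before acting on the results.

-- 1. Successful logins in the last 30 days that presented only a password and
--    no second factor. These are exactly the sessions a credential harvested by
--    infostealer malware would produce, so review the source IPs and clients.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY logins DESC;

-- 2. Live, password-capable users that have not enrolled in MFA
--    (ext_authn_duo is FALSE for users without Duo-based MFA).
SELECT name, login_name, email, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  COALESCE(disabled::BOOLEAN, FALSE) = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 3. Remediation for a user surfaced above: invalidate the current password so
--    any stolen copy stops working, and require a new one at next login.
--    "<user_name>" is a placeholder for the affected user.
ALTER USER "<user_name>" RESET PASSWORD;
ALTER USER "<user_name>" SET MUST_CHANGE_PASSWORD = TRUE;
```

ACCOUNT_USAGE views are populated with a delay of up to a couple of hours, so the most recent logins may not appear yet; the password reset does not terminate sessions that are already open.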
But because these Snowflake customer data thefts were tied to the use of stolen usernames and passwords for accounts not protected by MFA, it is unfortunate, and odd, that Snowflake did not intervene on customers’ behalf to protect their accounts through password resets or by forcing MFA.
This would not be unprecedented. Last year, cybercriminals stole 6.9 million users’ personal and genetic records from 23andMe accounts that were not protected by MFA. 23andMe reset user passwords out of an abundance of caution to prevent further scraping attacks, and it now requires MFA for all of its user accounts.
We asked Snowflake whether the company plans to reset passwords on customer accounts to prevent any potential further breaches. Snowflake declined to comment.
Snowflake appears to be moving toward MFA by default, according to an interview this week with technology news site Runtime, which quoted Snowflake CEO Sridhar Ramaswamy to that effect. Snowflake’s CISO Jones later confirmed this in an update on Friday.
“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” Jones said.
No timetable was given for the plan.
Do you know more about the Snowflake account compromises? Get in touch. To contact this reporter, reach out on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.