What Snowflake isn’t saying about its customer data breaches | TechCrunch

Snowflake’s security problems are, for lack of a better word, growing after recent customer data theft incidents.

Ticketmaster was the first company to link its recent data breach to cloud data company Snowflake. Loan comparison site LendingTree has now confirmed that data from its QuoteWizard subsidiary was stolen from Snowflake.

“We can confirm that we use Snowflake for our business operations, and we were notified by them that data from our subsidiary, QuoteWizard, may have been impacted by this incident,” LendingTree spokesperson Megan Gruling told TechCrunch.

“We take these matters seriously, and we did so immediately upon hearing of the [Snowflake] incident,” the spokesperson said. “As of this time, it does not appear that consumer financial account information or parent entity LendingTree’s information has been impacted.” The spokesperson declined to comment further, citing the ongoing investigation.

As more affected customers emerge, Snowflake has said little beyond a brief statement on its website, in which it reiterated that the breaches did not occur in its own systems, but rather that its customers were not using multi-factor authentication, or MFA, a security measure that Snowflake does not enforce or require its customers to enable by default. Snowflake itself was also caught up in the incident, saying that a former employee’s “demo” account was compromised because it was protected only by a username and password.

In a statement Friday, Snowflake stood firm on its response so far, saying its position “remains unchanged.” Referring to its earlier statement on Sunday, Snowflake Chief Information Security Officer Brad Jones said it was a “targeted campaign that targeted users with single-factor authentication” and used credentials stolen from information-stealing malware or credentials obtained from previous data breaches.

It appears that the lack of MFA allowed cybercriminals to download massive amounts of data from Snowflake customers’ environments, which were not protected by any additional security layer.

Earlier this week, TechCrunch found online hundreds of Snowflake customer credentials stolen by password-stealing malware that had infected the computers of employees with access to their employer’s Snowflake environment. The number of compromised credentials suggests that the risk remains for Snowflake customers who have not yet changed their passwords or enabled MFA.

Throughout the week, TechCrunch has sent Snowflake more than a dozen questions about the ongoing incident affecting its customers while we continue to report on this story. Snowflake declined to answer our questions on at least six occasions.

These are some of the questions we’re asking, and why.

It’s not yet known how many of Snowflake’s customers are affected, or whether Snowflake itself knows yet.

Snowflake said it has so far notified a “limited number of Snowflake customers” who the company believes may be affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telecom companies and healthcare providers.

Snowflake spokeswoman Danica Stanczak declined to say whether the number of affected customers was in the tens, dozens, hundreds or more.

It’s likely that, despite several customers reporting breaches this week, we’re still in the early stages of understanding the scale of the incident.

It’s also unclear whether Snowflake knows how many of its customers are affected, as the company must either rely on its own data, such as logs, or obtain information directly from affected customers.

It is not known how soon Snowflake could have learned about the intrusions into its customers’ accounts. Snowflake’s statement said it became aware of the “threat activity” on May 23 – the accessing of customer accounts and downloading of their contents – but has since found evidence of intrusions dating back to mid-April, which suggests the company has some data to rely on.

But it also raises questions about why Snowflake didn’t discover the massive theft of customer data from its servers until much later in May, or, if it did, why Snowflake didn’t publicly alert its customers sooner.

Incident response firm Mandiant, which Snowflake called in to help reach its customers, told Bleeping Computer in late May that it had already been helping affected organisations for “several weeks.”

We still don’t know what was in the former Snowflake employee’s demo account, or whether it’s related to customer data breaches.

A key line in Snowflake’s statement says: “We found evidence that a threat actor obtained the personal credentials of a former Snowflake employee and accessed a demo account. It did not contain sensitive data.”

According to a TechCrunch review, some of the stolen customer credentials associated with the information-stealing malware also included credentials belonging to a then-Snowflake employee.

As we have previously mentioned, TechCrunch is not naming the employee because it’s not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, which allowed cybercriminals to download data from a then-employee’s “demo” account using only a username and password, highlights a fundamental problem in Snowflake’s security model.

But it’s still unclear what role, if any, this demo account played in the customer data theft, as it’s not yet known what data was stored on it, or whether it contained data from other Snowflake customers.

Snowflake declined to say what role, if any, Snowflake’s then-employee’s demo account played in the recent customer breaches. Snowflake reiterated that the demo account “did not contain sensitive data,” but repeatedly declined to explain how the company defines “sensitive data.”

We asked whether Snowflake believes individuals’ personally identifiable information is sensitive data. Snowflake declined to comment.

It’s unclear why Snowflake hasn’t proactively reset passwords, or mandated and enforced the use of MFA on its customers’ accounts.

It is not uncommon for companies to force-reset their customers’ passwords after a data breach. But if you ask Snowflake, there has been no breach. And while that may be true in the sense that there has been no apparent compromise of its central infrastructure, a great deal of breaching has been happening to Snowflake’s customers.

Snowflake’s advice to its customers is to reset and rotate credentials and to enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are responsible for their own security: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.”

But because the Snowflake customer data thefts involved the use of stolen usernames and passwords for accounts that were not protected with MFA, it is unusual that Snowflake has not intervened on its customers’ behalf to secure their accounts with password resets or enforced MFA.
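The advice above (rotate credentials, enforce MFA) and the network policies mentioned later in Snowflake's own update map onto a handful of account-level steps an administrator would run in Snowflake SQL. The following is an added example, not code from this article or from Snowflake: the policy names `require_mfa` and `corp_egress_only`, the user `example_user` and the IP range are placeholders; the `ACCOUNT_USAGE.LOGIN_HISTORY` columns are the documented ones, and `MFA_ENROLLMENT = REQUIRED` is assumed to be the authentication-policy property for mandatory enrollment.

```sql
-- Added example (not from the article or Snowflake). Placeholder names throughout.
USE ROLE ACCOUNTADMIN;

-- 1. Audit: which users have signed in successfully with a password and no
--    second factor in the last 30 days? This is the population the article
--    describes as exposed. ACCOUNT_USAGE views lag live events by up to ~2 hours.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       MAX(event_timestamp)      AS last_seen,
       COUNT(DISTINCT client_ip) AS distinct_source_ips
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Contain: for any account flagged above, rotate the password and force a
--    change at next login (placeholder user; run once per flagged account).
ALTER USER example_user
  SET PASSWORD = '<new-random-password>' MUST_CHANGE_PASSWORD = TRUE;

-- 3. Enforce: require MFA enrollment account-wide via an authentication policy
--    (assumed property name; check the current Snowflake documentation).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Restrict: a network policy so that a stolen username/password is useless
--    from outside the organisation's egress range (placeholder range).
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Order matters: run the audit first so the rotation list is evidence-based, and make sure the administrator's own source address is in `ALLOWED_IP_LIST` before setting the network policy at account level, or the final statement locks the administrator out along with everyone else.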

This is not an unprecedented event. Last year, cybercriminals stole 6.9 million user and genetic records from 23andMe accounts that were not protected by MFA. 23andMe reset user passwords as a precaution to prevent further scraping attacks, and later mandated the use of MFA on all its users’ accounts.

We asked Snowflake if the company plans to reset passwords on its customers’ accounts to prevent any potential intrusions. Snowflake declined to comment.

Snowflake appears to be moving towards rolling out MFA by default. Snowflake CEO Sridhar Ramaswamy said as much in an interview with tech news site Runtime this week, and Snowflake CISO Jones confirmed it in a Friday update.

“We are also developing a plan to require our customers to implement advanced security controls such as multi-factor authentication (MFA) or network policies, particularly for privileged Snowflake customer accounts,” Jones said.

No timeframe was given for the plan.

Do you know more about the Snowflake account intrusions? Contact us. To reach this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.