Snowflake's security problems following a recent spate of customer data thefts are, for want of a better phrase, snowballing.
After Ticketmaster became the first company to link its recent data breach to the cloud data company Snowflake, loan comparison site LendingTree has now confirmed that its QuoteWizard subsidiary had data stolen from Snowflake.
"We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident," Megan Greuling, a spokesperson for LendingTree, told TechCrunch.
"We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation," the spokesperson said. "As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree," the spokesperson added, declining to comment further, citing its ongoing investigation.
As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there was no data breach of its own systems; rather, its customers were not using multi-factor authentication, or MFA, a security measure that Snowflake does not enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee's "demo" account was compromised because it was protected only by a username and password.
In a statement Friday, Snowflake held firm on its response so far, stating that its position "remains unchanged." Citing its earlier statement on Sunday, Snowflake chief information security officer Brad Jones said this was a "targeted campaign directed at users with single-factor authentication" using credentials stolen by info-stealing malware or obtained from previous data breaches.
The lack of MFA appears to be how cybercriminals downloaded huge amounts of data from Snowflake customers' environments, which were not protected by that additional security layer.
Earlier this week TechCrunch found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees with access to their employer's Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.
Throughout the week, TechCrunch has sent more than a dozen questions to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions.
These are some of the questions we are asking, and why.
It is not yet known how many Snowflake customers are affected, or whether Snowflake itself knows yet.
Snowflake said it has so far notified a "limited number of Snowflake customers" who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos, and healthcare providers.
Snowflake spokesperson Danica Stanczak declined to say whether the number of affected customers was in the tens, dozens, hundreds, or more.
It is likely that, despite the handful of reported customer breaches this week, we are only in the early days of understanding the scale of this incident.
It may not be clear even to Snowflake how many of its customers are affected, since the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.
It is not known how soon Snowflake could have known about the intrusions into its customers' accounts. Snowflake's statement said it became aware of the "threat activity" (the accessing of customer accounts and downloading of their contents) on May 23, but subsequently found evidence of intrusions dating back to a timeframe no more specific than mid-April, suggesting the company does have some data to rely on.
But that also leaves open the question of why Snowflake did not detect the exfiltration of large amounts of customers' data from its servers at the time, rather than much later in May, or, if it did, why Snowflake did not publicly alert its customers sooner.
Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for "several weeks."
We still do not know what was in the former Snowflake employee's demo account, or whether it is relevant to the customer data breaches.
A key line from Snowflake's statement says: "We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data."
Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by TechCrunch.
As we previously noted, TechCrunch is not naming the employee, as it is not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, which allowed cybercriminals to download data from a then-employee's "demo" account using only their username and password, highlights a fundamental problem in Snowflake's security model.
But it remains unclear what role, if any, this demo account played in the customer data thefts, because it is not yet known what data was stored inside, or whether it contained data from Snowflake's other customers.
Snowflake declined to say what role, if any, the then-employee's demo account played in the recent customer breaches. Snowflake reiterated that the demo account "did not contain sensitive data," but repeatedly declined to say how the company defines what it considers "sensitive data."
We asked whether Snowflake considers individuals' personally identifiable information to be sensitive data. Snowflake declined to comment.
It is unclear why Snowflake has not proactively reset passwords, or required and enforced the use of MFA on its customers' accounts.
It is common for companies to force-reset their customers' passwords following a data breach. But if you ask Snowflake, there was no breach. And while that may be true in the sense that there was no apparent compromise of its central infrastructure, Snowflake's customers are very much getting breached.
Snowflake's advice to its customers is to reset and rotate Snowflake credentials and to enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are on the hook for their own security: "Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA with their users."
But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords for accounts that are not protected with MFA, it is unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.
It would not be unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that were not protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users' accounts.
We asked Snowflake whether the company planned to reset the passwords of its customers' accounts to prevent any possible further intrusions. Snowflake declined to comment.
Snowflake appears to be moving towards rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake's CISO Jones in the Friday update.
"We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts," said Jones.
A timeframe for the plan was not given.
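As an added example (not code from the article, and not Snowflake's own published guidance), here is what the customer-side advice described above looks like in practice: finding the accounts that were exposed (successful logins with only a single factor, and enabled users who have never enrolled in MFA), rotating or disabling credentials that turned up in infostealer logs, and applying the controls Jones mentions, a network policy and required MFA. It assumes a role with ACCOUNTADMIN; the user names, policy names and IP ranges are placeholders, and the authentication policy step assumes the account has that feature available.

```sql
-- Added example, not Snowflake's guidance or the article's own code.
-- Assumes ACCOUNTADMIN; user names, policy names and IP ranges are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Who has logged in recently with only a single factor? LOGIN_HISTORY in the
--    ACCOUNT_USAGE schema records both factors for every attempt (it lags by
--    up to a couple of hours, so it is a hunt, not a live view).
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*) AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -60, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY logins DESC;

-- 2. Enabled password-bearing users who have never enrolled in MFA
--    (EXT_AUTHN_DUO is the built-in Duo MFA enrollment flag; cast because
--    some of these columns are exposed as VARIANT in the view).
SELECT name, has_password, has_rsa_public_key, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password = TRUE
  AND ext_authn_duo::boolean = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Rotate: force a password change at next login for a user found above
--    (ALTER USER ... RESET PASSWORD issues a one-time reset link instead).
ALTER USER example_user SET MUST_CHANGE_PASSWORD = TRUE;

-- 4. Contain: disable an account whose credentials are known to be in an
--    infostealer log until it has been rotated and enrolled in MFA.
ALTER USER compromised_user SET DISABLED = TRUE;

-- 5. Restrict where logins may come from with an account-level network policy
--    (placeholder ranges standing in for the customer's own egress addresses).
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 6. Require MFA enrollment account-wide through an authentication policy
--    (assumes the account has authentication policies available).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run steps 1 and 2 before changing anything, because the first query is also the evidence that matters for this incident: a password-only login from an unfamiliar client IP or client type for a user who never enrolled in MFA is exactly the pattern the stolen credentials described above would produce. Note that a network policy only helps once a stolen credential is used from outside the allowed ranges, so it complements rather than replaces rotation and MFA.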
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.