Snowflake’s security issues following a recent spate of customer data thefts are, for want of a better phrase, snowballing.
After Ticketmaster was the first company to link its recent data breach to the cloud data company Snowflake, loan comparison site LendingTree has now confirmed its QuoteWizard subsidiary had data stolen from Snowflake.
“We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident,” Megan Greuling, a spokesperson for LendingTree, told TechCrunch.
“We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation,” the spokesperson said. “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree,” the spokesperson added, declining to comment further, citing its ongoing investigation.
As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there was not a data breach of its own systems, rather that its customers were not using multi-factor authentication, or MFA — a security measure that Snowflake does not enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee’s “demo” account was compromised because it was only protected with a username and password.
In a statement Friday, Snowflake held firm on its response so far, stating its position “remains unchanged.” Citing its earlier statement on Sunday, Snowflake chief information security officer Brad Jones said that this was a “targeted campaign directed at users with single-factor authentication” using credentials stolen by info-stealing malware or obtained from previous data breaches.
The lack of MFA appears to be how cybercriminals downloaded vast amounts of data from Snowflake customers’ environments, which were not protected by the additional security layer.
TechCrunch earlier this week found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees who have access to their employer’s Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.
Throughout the week, TechCrunch has sent more than a dozen questions to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions.
These are some of the questions we’re asking, and why.
It’s not yet known how many Snowflake customers are affected, or if Snowflake knows yet.
Snowflake said it has so far notified a “limited number of Snowflake customers” who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos, and healthcare providers.
Snowflake spokesperson Danica Stanczak declined to say if the number of affected customers was in the tens, dozens, hundreds, or more.
It’s likely that, despite the handful of reported customer breaches this week, we’re only in the early days of understanding the scale of this incident.
It may not be clear even to Snowflake how many of its customers are affected yet, since the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.
It’s not known how soon Snowflake could have known about the intrusions into its customers’ accounts. Snowflake’s statement said it became aware on May 23 of the “threat activity” — the accessing of customer accounts and downloading of their contents — but subsequently found evidence of intrusions dating back to a no-more-specific timeframe than mid-April, suggesting the company does have some data to rely on.
But that also leaves open the question of why Snowflake didn’t detect the exfiltration of large amounts of customers’ data from its servers at the time rather than much later in May, or, if it did, why Snowflake didn’t publicly alert its customers sooner.
Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for “several weeks.”
We still don’t know what was in the former Snowflake employee’s demo account, or if it is relevant to the customer data breaches.
A key line from Snowflake’s statement says: “We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data.”
Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by TechCrunch.
As we previously noted, TechCrunch is not naming the employee as it’s not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, allowing cybercriminals to download data from a then-employee’s “demo” account using only their username and password, highlights a fundamental problem in Snowflake’s security model.
But it remains unclear what role, if any, this demo account has in the customer data thefts, because it’s not yet known what data was stored inside, or if it contained data from Snowflake’s other customers.
Snowflake declined to say what role, if any, the then-Snowflake employee’s demo account has in the recent customer breaches. Snowflake reiterated that the demo account “did not contain sensitive data,” but repeatedly declined to say how the company defines what it considers “sensitive data.”
We asked if Snowflake believes that individuals’ personally identifiable information is sensitive data. Snowflake declined to comment.
It’s unclear why Snowflake hasn’t proactively reset passwords, or required and enforced the use of MFA on its customers’ accounts.
It’s common for companies to force-reset their customers’ passwords following a data breach. But if you ask Snowflake, there was no breach. And while that may be true in the sense that there was no apparent compromise of its central infrastructure, Snowflake’s customers are very much getting breached.
Snowflake’s advice to its customers is to reset and rotate Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are on the hook for their own security: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.”
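For a Snowflake administrator acting on that advice, the following is an added example written for this article (it is not Snowflake’s or Mandiant’s published guidance, nor code from the story): it lists accounts that recently logged in with a password and no second factor, then rotates and locks a placeholder user and adds a network policy. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the user name and IP ranges are constructed placeholders.

```sql
-- Added example: find users whose recent successful logins were password-only,
-- i.e. the single-factor accounts the campaign described above targeted.
-- Requires ACCOUNTADMIN or a role with IMPORTED PRIVILEGES on the SNOWFLAKE database.
SELECT
    user_name,
    COUNT(*)                  AS password_only_logins,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,   -- many IPs is a useful triage signal
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -60, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY distinct_source_ips DESC, password_only_logins DESC;

-- Rotate the credential and force a change at next login for a user found above.
-- SUSPECT_USER and the password value are placeholders, not names from the article.
ALTER USER SUSPECT_USER SET PASSWORD = '<new-random-value>' MUST_CHANGE_PASSWORD = TRUE;

-- Lock the account until its owner has rotated credentials and enrolled in MFA.
ALTER USER SUSPECT_USER SET DISABLED = TRUE;

-- Network policies are the other control Snowflake's CISO names alongside MFA:
-- restrict the account to known ranges (constructed placeholder CIDRs below).
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

The first query is a detection step, not proof of compromise: compare its results against known-good source addresses before locking anyone out.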
But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords for accounts that aren’t protected with MFA, it’s unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.
It’s not unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that weren’t protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users’ accounts.
We asked Snowflake if the company planned to reset the passwords of its customers’ accounts to prevent any possible further intrusions. Snowflake declined to comment.
Snowflake appears to be moving towards rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake’s CISO Jones in the Friday update.
“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” said Jones.
A timeframe for the plan was not given.