TechCrunch reports that Snowflake may be the main way threat actors targeted its corporate customers, including banks, healthcare providers, and tech companies, possibly compromising their cloud data. Letting clients manage their environments’ security without enforcing multi-factor authentication (MFA) may have been how cybercriminals allegedly breached these enterprise accounts.
Snowflake seems to be the latest company involved in a string of serious security incidents and massive data breaches caused by the lack of mandatory MFA. Hackers have claimed to have stolen a sizable number of customer records from two of Snowflake’s biggest clients, Santander Bank and Ticketmaster.
TechCrunch says credentials were stolen by info-stealing malware on employee computers with access to their employer’s Snowflake environment. Searching a cybercrime website with lists of stolen credentials from various sources, the publication found over 500 sets of usernames and passwords and the addresses of their Snowflake environment login pages.
Santander said a supply chain attack left a database with sensitive customer details exposed to an unnamed unauthorized third party. On Friday, Live Nation confirmed that its stolen Ticketmaster database was hosted on Snowflake. Cybersecurity firm Hudson Rock recently reported that a threat actor may have used the stolen credentials of a Snowflake employee for these two breaches to bypass the single sign-on authentication service Okta.
TechCrunch verified the authenticity of the exposed credentials by checking the individual login pages of the exposed Snowflake environments, which turned out to correspond to the companies whose employees’ logins were compromised. The first Snowflake login option asks for a Snowflake username and password and does not require MFA; TechCrunch says some evidence suggests these credentials were exfiltrated by info-stealing malware previously present on the employees’ computers.
When verifying logins via Okta, TechCrunch found that some MFA-protected Snowflake sign-in pages redirected to Ticketmaster’s and Santander’s login pages, and to an internal Snowflake login page that no longer existed.
Breach notification service Have I Been Pwned reveals that several of the enterprise email addresses used for accessing Snowflake environments were found in a recent data dump containing over 360 million stolen accounts scraped from several Telegram cybercrime channels.
Snowflake called it a “targeted campaign directed at users with single-factor authentication” and said the hackers used credentials “previously purchased or obtained through info-stealing malware,” acknowledging “potentially unauthorized access” to a “limited number” of customer accounts and no evidence of a direct breach of its systems.