A whole bunch of Snowflake buyer passwords discovered on-line are linked to info-stealing malware


Cloud knowledge evaluation firm Snowflake is on the heart of a latest spate of alleged knowledge thefts, as its company prospects scramble to grasp if their shops of cloud knowledge have been compromised. 

The Boston-based knowledge large helps a few of the largest world companies — together with banks, healthcare suppliers and tech firms — retailer and analyze their huge quantities of information, equivalent to buyer knowledge, within the cloud.

Final week, Australian authorities sounded the alarm saying they had turn into conscious of “profitable compromises of a number of firms utilising Snowflake environments,” with out naming the businesses. Hackers had claimed on a identified cybercrime discussion board that they’d stolen lots of of hundreds of thousands of buyer data from Santander Financial institution and Ticketmaster, two of Snowflake’s greatest prospects. Santander confirmed a breach of a database “hosted by a third-party supplier,” however wouldn’t identify the supplier in query. On Friday, Dwell Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake

Snowflake acknowledged in a brief statement that it was conscious of “probably unauthorized entry” to a “restricted quantity” of buyer accounts, with out specifying which of them, however that it has discovered no proof there was a direct breach of its techniques. Relatively, Snowflake referred to as it a “focused marketing campaign directed at customers with single-factor authentication” and that the hackers used “beforehand bought or obtained by means of infostealing malware,” which is designed to scrape a consumer’s saved passwords from their laptop.

Regardless of the delicate knowledge that Snowflake holds for its prospects, Snowflake lets every buyer handle the safety of their environments, and doesn’t routinely enroll or require its prospects to make use of multi-factor authentication, or MFA, according to Snowflake’s customer documentation. Not implementing the usage of MFA seems to be how cybercriminals allegedly obtained big quantities of information from a few of Snowflake’s prospects, a few of which arrange their environments with out the extra safety measure. 

Snowflake conceded that one in all its personal “demo” accounts was compromised as a result of it wasn’t protected past a username and password, however claimed the account “didn’t comprise delicate knowledge.” It’s unclear if this stolen demo account has any position within the latest breaches. 

TechCrunch has this week seen lots of of alleged Snowflake buyer credentials which can be obtainable on-line for cybercriminals to make use of as a part of hacking campaigns, suggesting that the danger of Snowflake buyer account compromises could also be far wider than first identified. 

The credentials have been stolen by infostealing malware that contaminated the computer systems of staff who’ve entry to their employer’s Snowflake setting.

A number of the credentials seen by TechCrunch seem to belong to staff at firms identified to be Snowflake prospects, together with Ticketmaster and Santander, amongst others. The staff with Snowflake entry embody database engineers and knowledge analysts, a few of whom reference their expertise utilizing Snowflake on their LinkedIn pages.

For its half, Snowflake has advised prospects to instantly change on MFA for his or her accounts. Till then, Snowflake accounts that aren’t implementing the usage of MFA to log in are placing their saved knowledge prone to compromise from easy assaults like password theft and reuse. 

How we checked the info

A supply with information of cybercriminal operations pointed TechCrunch to a web site the place would-be attackers can search by means of lists of credentials which have been stolen from numerous sources, equivalent to infostealing malware on somebody’s laptop or collated from earlier knowledge breaches. (TechCrunch isn’t linking to the location the place stolen credentials can be found in order to not help dangerous actors.)

In all, TechCrunch has seen greater than 500 credentials containing worker usernames and passwords, together with the net addresses of the login pages for the corresponding Snowflake environments. 

The uncovered credentials seem to pertain to Snowflake environments belonging to Santander, Ticketmaster, at the least two pharmaceutical giants, a meals supply service, a public-run freshwater provider, and others. We’ve got additionally seen uncovered usernames and passwords allegedly belonging to a former Snowflake worker. 

TechCrunch isn’t naming the previous worker as a result of there’s no proof they did something improper. (It’s finally each the accountability of Snowflake and its prospects to implement and implement safety insurance policies that stop intrusions that consequence from the theft of worker credentials.) 

We didn’t take a look at the stolen usernames and passwords as doing so would break the legislation. As such, it’s unknown if the credentials are presently in lively use or in the event that they immediately led to account compromises or knowledge thefts. As a substitute, we labored to confirm the authenticity of the uncovered credentials in different methods. This contains checking the person login pages of the Snowflake environments that have been uncovered by the infostealing malware, which have been nonetheless lively and on-line on the time of writing.

The credentials we’ve seen embody the worker’s e mail handle (or username), their password, and the distinctive internet handle for logging in to their firm’s Snowflake setting. Once we checked the net addresses of the Snowflake environments — typically made up of random letters and numbers — we discovered the listed Snowflake buyer login pages are publicly accessible, even when not searchable on-line.

TechCrunch confirmed that the Snowflake environments correspond to the businesses whose staff’ logins have been compromised. We have been ready to do that as a result of every login web page we checked had two separate choices to register.

One technique to login depends on Okta, a single sign-on supplier that enables Snowflake customers to register with their very own firm’s company credentials utilizing MFA. In our checks, we discovered that these Snowflake login pages redirected to Dwell Nation (for Ticketmaster) and Santander sign-in pages. We additionally discovered a set of credentials belonging to a Snowflake worker, whose Okta login web page nonetheless redirects to an inner Snowflake login web page that now not exists.

Snowflake’s different login choice permits the consumer to make use of solely their Snowflake username and password, relying on whether or not the company buyer enforces MFA on the account, as detailed by Snowflake’s own support documentation. It’s these credentials that seem to have been stolen by the infostealing malware from the staff’ computer systems.

It’s not clear precisely when the staff’ credentials have been stolen or for the way lengthy they’ve been on-line. 

There may be some proof to recommend that a number of staff with entry to their firm’s Snowflake environments had their computer systems beforehand compromised by infostealing malware. In line with a examine on breach notification service Have I Been Pwned, a number of of the company e mail addresses used as usernames for accessing Snowflake environments have been present in a recent data dump containing millions of stolen passwords scraped from numerous Telegram channels used for sharing stolen passwords.

Snowflake spokesperson Danica Stanczak declined to reply particular questions from TechCrunch, together with whether or not any of its prospects’ knowledge was discovered within the Snowflake worker’s demo account. In an announcement, Snowflake mentioned it’s “suspending sure consumer accounts the place there are robust indicators of malicious exercise.”

Snowflake added: “Beneath Snowflake’s shared accountability mannequin, prospects are liable for implementing MFA with their customers.” The spokesperson mentioned Snowflake was “contemplating all choices for MFA enablement, however we have now not finalized any plans right now.”

When reached by e mail, Dwell Nation spokesperson Kaitlyn Henrich didn’t remark by press time.

Santander didn’t reply to a request for remark.

Lacking MFA resulted in big breaches

Snowflake’s response to date leaves quite a lot of questions unanswered, and lays naked a raft of firms that aren’t reaping the advantages that MFA safety gives. 

What is evident is that Snowflake bears at the least some accountability for not requiring its customers to modify on the safety characteristic, and is now bearing the brunt of that — together with its prospects.

The information breach at Ticketmaster allegedly entails upwards of 560 million buyer data, in keeping with the cybercriminals promoting the info on-line. (Dwell Nation wouldn’t touch upon what number of prospects are affected by the breach.) If confirmed, Ticketmaster could be the biggest U.S. knowledge breach of the yr to date, and one of many greatest in latest historical past.

Snowflake is the newest firm in a string of high-profile safety incidents and sizable knowledge breaches attributable to the shortage of MFA. 

Final yr, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that weren’t protected with out MFA, prompting the genetic testing firm — and its competitors — to require customers enable MFA by default to forestall a repeat assault.

And earlier this yr, the UnitedHealth-owned well being tech large Change Healthcare admitted hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected with MFA. The healthcare large hasn’t but mentioned what number of people had their data compromised however mentioned it’s more likely to have an effect on a “substantial proportion of individuals in America.”


Have you learnt extra in regards to the Snowflake account intrusions? Get in contact. To contact this reporter, get in contact on Sign and WhatsApp at +1 646-755-8849, or by email. You can even ship information and paperwork by way of SecureDrop.

Leave a Reply

Your email address will not be published. Required fields are marked *