Snowflake’s security problems following a recent spate of customer data thefts are, for want of a better phrase, snowballing.
After Ticketmaster became the first company to link its recent data breach to the cloud data company Snowflake, loan comparison site LendingTree has now confirmed that its QuoteWizard subsidiary had data stolen from Snowflake.
“We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident,” Megan Greuling, a spokesperson for LendingTree, told information.killnetswitch.
“We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation,” the spokesperson said. “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree,” the spokesperson added, declining to comment further, citing its ongoing investigation.
As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there was no data breach of its own systems; rather, its customers were not using multi-factor authentication, or MFA, a security measure that Snowflake does not enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee’s “demo” account was compromised because it was protected only with a username and password.
In a statement Friday, Snowflake held firm on its response so far, stating that its position “remains unchanged.” Citing its earlier statement on Sunday, Snowflake chief information security officer Brad Jones said that this was a “targeted campaign directed at users with single-factor authentication” using credentials stolen by info-stealing malware or obtained from earlier data breaches.
The lack of MFA appears to be how cybercriminals downloaded huge amounts of data from Snowflake customers’ environments, which were not protected by the additional security layer.
information.killnetswitch earlier this week found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees who have access to their employer’s Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.
Throughout the week, information.killnetswitch has sent more than a dozen questions to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions.
These are some of the questions we’re asking, and why.
It’s not yet known how many Snowflake customers are affected, or whether Snowflake itself knows yet.
Snowflake said it has so far notified a “limited number of Snowflake customers” who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos, and healthcare providers.
Snowflake spokesperson Danica Stanczak declined to say whether the number of affected customers was in the tens, dozens, hundreds, or more.
It’s likely that, despite the handful of reported customer breaches this week, we’re only in the early days of understanding the scale of this incident.
It may not be clear even to Snowflake how many of its customers are affected, since the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.
It’s not known how soon Snowflake could have known about the intrusions into its customers’ accounts. Snowflake’s statement said it became aware on May 23 of the “threat activity” (the accessing of customer accounts and the downloading of their contents), but subsequently found evidence of intrusions dating back to a timeframe no more specific than mid-April, which suggests the company does have some data to rely on.
But that also leaves open the question of why Snowflake did not detect the exfiltration of large amounts of customers’ data from its servers at the time, rather than much later in May, or, if it did, why Snowflake did not publicly alert its customers sooner.
Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for “several weeks.”
We still don’t know what was in the former Snowflake employee’s demo account, or whether it is relevant to the customer data breaches.
A key line from Snowflake’s statement says: “We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data.”
Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by information.killnetswitch.
As we previously noted, information.killnetswitch is not naming the employee, as it’s not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, which allowed cybercriminals to download data from a then-employee’s “demo” account using only their username and password, highlights a fundamental problem in Snowflake’s security model.
But it remains unclear what role, if any, this demo account has in the customer data thefts, because it’s not yet known what data was stored inside, or whether it contained data from Snowflake’s other customers.
Snowflake declined to say what role, if any, the then-Snowflake employee’s demo account has in the recent customer breaches. Snowflake reiterated that the demo account “did not contain sensitive data,” but repeatedly declined to say how the company defines what it considers “sensitive data.”
We asked whether Snowflake believes that individuals’ personally identifiable information is sensitive data. Snowflake declined to comment.
It’s unclear why Snowflake hasn’t proactively reset passwords, or required and enforced the use of MFA on its customers’ accounts.
It’s commonplace for companies to force-reset their customers’ passwords following a data breach. But if you ask Snowflake, there was no breach. And while that may be true in the sense that there was no apparent compromise of its central infrastructure, Snowflake’s customers are very much getting breached.
Snowflake’s advice to its customers is to reset and rotate Snowflake credentials and to enforce MFA on all accounts. Snowflake previously told information.killnetswitch that its customers are on the hook for their own security: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.”
But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords for accounts that are not protected with MFA, it’s unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.
It’s not unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that were not protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users’ accounts.
We asked Snowflake whether the company planned to reset the passwords of its customers’ accounts to prevent any potential further intrusions. Snowflake declined to comment.
Snowflake appears to be moving toward rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake’s CISO Jones in the Friday update.
“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” said Jones.
A timeframe for the plan was not given.
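Until Snowflake ships that plan, the advice it has given so far (rotate credentials, enforce MFA, restrict access with network policies) is something each customer’s account administrator has to carry out by hand. The SQL below is an added example of that audit-and-harden pass, written by the editor; it is not from the article, from Snowflake, or from any affected customer. It assumes an ACCOUNTADMIN session with access to the SNOWFLAKE.ACCOUNT_USAGE share, and the user name jdoe and the address range 203.0.113.0/24 are placeholders.

```sql
-- Added example (editor's own, not Snowflake's or the article's): an ACCOUNTADMIN
-- pass against the attack pattern described above, i.e. stolen single-factor passwords.
-- Assumes the SNOWFLAKE.ACCOUNT_USAGE share; jdoe and 203.0.113.0/24 are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Active users who authenticate with a password and have never enrolled in
--    Snowflake's built-in (Duo) MFA. These are the accounts an infostealer log can
--    open with nothing more than the username and password it captured.
SELECT name, login_name, has_password, ext_authn_duo AS mfa_enrolled, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins since mid-April (the earliest activity the
--    article reports), with the source IP and client. A login with no second
--    factor from an unfamiliar IP or client type for a user returned by (1) is
--    the indicator to chase in this account's own data, rather than waiting on
--    a notification from Snowflake.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= '2024-04-15'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Contain a user surfaced by (1) or (2): invalidate the current password
--    (RESET PASSWORD returns a one-time URL for the user to set a new one), and
--    disable the user outright if the login history cannot be explained.
ALTER USER jdoe RESET PASSWORD;
ALTER USER jdoe SET DISABLED = TRUE;

-- 4. Limit where the account can be reached from while MFA enrollment is
--    rolled out to every user: only the corporate egress range may log in.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Added example: corporate egress only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Two caveats a practitioner will hit immediately. ACCOUNT_USAGE views are not real time; login history can lag by up to a couple of hours, so an attacker who logged in minutes ago may not yet appear in query 2. And Snowflake’s built-in MFA is enrolled by each user from their own profile, which is why query 1 is an audit rather than a fix: the administrator can find the unenrolled users and lock them out with a network policy, but cannot enroll them in MFA on their behalf.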
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.