Did Unsecured Accounts Lead to Snowflake Customer Password Breach?

Snowflake, a US cloud data company, has found itself at the centre of a data theft storm. Computer Weekly suggests a connection between the data breaches at Ticketmaster and Santander and the compromise of Snowflake customers' passwords.

Ticketmaster is a digital ticketing platform and Santander is a consumer bank; both are among Snowflake's largest customers. Since the password compromise came to light, many corporate clients have been worried that their own cloud data could have been stolen as well.

Snowflake serves large global organizations, including hospitals, banks and tech firms, storing and analyzing huge volumes of data, much of it their customers' data, in the cloud.

Confirmed Breach

Live Nation, Ticketmaster's parent company, reported that hackers stole personal details belonging to more than 550 million customers, including names, phone numbers, addresses and credit card details. Santander has also had client data stolen.

According to the bank, the data belongs to customers in Spain and Latin America. The bank also lost personal details of 200,000 current and former employees, 20,000 of them in the UK. ShinyHunters, a cybercriminal group, has claimed responsibility for the Snowflake customer data leaks.

The group is demanding a $2 million ransom from Santander and $500,000 from Ticketmaster. Neither company has named Snowflake. Snowflake, for its part, says it is aware of unauthorized access to some of its customers' accounts, but has found no evidence of a direct breach of its own systems.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” Snowflake said in a statement.

Unsecured Accounts

Snowflake attributed the activity not to a flaw in its platform but to credentials harvested by info-stealing malware running on its customers' own machines. Infostealers copy usernames and passwords saved in browsers and other software on an infected computer, and the stolen credentials are then sold or reused by other criminals.

“This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware,” Snowflake added.

Snowflake stores sensitive data on behalf of its customers, but it leaves each customer to manage the security of its own environment. At the time, Snowflake did not enforce multi-factor authentication by default; enabling it was a per-user choice. Any account that had not enabled it could be opened with nothing more than a stolen username and password, which is exactly what infostealer logs provide.

Customers that set up their environments with password-only logins and no network restrictions were therefore the easiest targets.

Compromise on Snowflake Accounts

Snowflake did confirm one compromise touching its own accounts: a threat actor obtained the personal credentials of a former Snowflake employee and used them to log in to a demo account that belonged to that employee.

According to the company, its demo accounts were not protected by multi-factor authentication, and they were not connected to Snowflake's corporate or production systems. Snowflake has asked all of its customers to enable multi-factor authentication immediately.

Customers should also set network policies that limit logins to trusted IP ranges, reset any credentials that may have been exposed, and rotate credentials on a regular schedule. Snowflake is working with Mandiant and CrowdStrike to investigate the threat.
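The three recommendations above (enable MFA, restrict networks, rotate credentials), together with the single-factor logins described in the "Unsecured Accounts" section, translate into a short Snowflake SQL checklist. The following is an added example written for this article; it is not code from Snowflake's advisory or from the companies named here. It assumes the ACCOUNTADMIN role (or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database), the standard SNOWFLAKE.ACCOUNT_USAGE views, and placeholder names (the network policy, authentication policy, schema, user name and the 203.0.113.0/24 range, which is a documentation prefix standing in for a real corporate egress range).

```sql
-- Added example, not from the article or from Snowflake's own guidance.
-- Assumes ACCOUNTADMIN (or IMPORTED PRIVILEGES on the SNOWFLAKE database).

-- 1. Which active human users can still log in with only a password?
--    EXT_AUTHN_DUO is Snowflake's per-user MFA enrolment flag.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, by user and source IP.
--    A password harvested by an infostealer and replayed by someone else shows
--    up as a CLIENT_IP (and often a REPORTED_CLIENT_TYPE) the user never used before.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY user_name, first_seen;

-- 3. Restrict logins to trusted networks. 203.0.113.0/24 is a placeholder
--    documentation range; replace it with your real egress CIDRs before applying.
CREATE OR REPLACE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Placeholder range - replace with real corporate egress CIDRs';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Require MFA enrolment account-wide. Authentication policies are schema-level
--    objects and a newer Snowflake feature than the incident described in the
--    article; confirm your account supports MFA_ENROLLMENT before relying on it.
--    secops.policies is a placeholder schema.
CREATE OR REPLACE AUTHENTICATION POLICY secops.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY secops.policies.require_mfa;

-- 5. For a user surfaced by queries 1-2 (placeholder name): lock the account
--    while you investigate, then invalidate the old password once cleared.
ALTER USER analyst_jdoe SET DISABLED = TRUE;
ALTER USER analyst_jdoe RESET PASSWORD;
```

Run queries 1 and 2 first and keep their output; ACCOUNT_USAGE views lag live activity by up to a couple of hours, so re-run them after applying the network and authentication policies to confirm that password-only logins from unknown addresses have stopped. Apply the network policy only after confirming the allowed list includes the address you are connecting from, or you will lock yourself out along with the attacker.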

Julie Butler