Image Credits: Bryce Durbin / TechCrunch
Cloud data analysis company Snowflake is at the center of a recent spate of alleged data thefts, as its corporate customers scramble to understand if their stores of cloud data have been compromised.
Snowflake helps some of the largest global corporations, including banks, healthcare providers and tech companies, store and analyze their vast amounts of data, such as customer data, in the cloud.
Last week, Australian authorities sounded the alarm saying they had become aware of “successful compromises of several companies utilising Snowflake environments,” without naming the companies. Hackers had claimed on a known cybercrime forum that they had stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two of Snowflake’s biggest customers. Santander confirmed a breach of a database “hosted by a third-party provider” but would not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake.
Snowflake acknowledged in a brief statement that it was aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which ones, but that it has found no evidence there was a direct breach of its systems. Rather, Snowflake called it a “targeted campaign directed at users with single-factor authentication” and said that the hackers used credentials “previously purchased or obtained through infostealing malware,” which is designed to scrape a user’s saved passwords from their computer.
Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake’s customer documentation. Not enforcing the use of MFA appears to be how cybercriminals allegedly obtained huge amounts of data from some of Snowflake’s customers, some of which set up their environments without the additional security measure.
Snowflake conceded that one of its own “demo” accounts was compromised because it wasn’t protected beyond a username and password, but claimed the account “did not contain sensitive data.” It’s unclear if this stolen demo account has any role in the recent breaches.
TechCrunch has this week seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.
The credentials were stolen by infostealing malware that infected the computers of employees who have access to their employer’s Snowflake environment.
Some of the credentials seen by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander, among others. The employees with Snowflake access include database engineers and data analysts, some of whom cite their experience using Snowflake on their LinkedIn pages.
For its part, Snowflake has told customers to immediately switch on MFA for their accounts. Until then, Snowflake accounts that aren’t enforcing the use of MFA to log in are putting their stored data at risk of compromise from simple attacks like password theft and reuse.
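The practical question for a Snowflake customer reading this is which of its own users can still log in with a password alone, and whether any of those usernames already appear in a stealer-log dump. The following audit is an added example written for this article, not code from TechCrunch or Snowflake. It assumes the rows come from Snowflake’s `SHOW USERS` command and that the columns `name`, `email`, `disabled`, `has_password` and `ext_authn_duo` carry the meaning used in the comments; the sample rows and the exposed-username list are constructed, and the `ALTER USER` properties it emits (`MUST_CHANGE_PASSWORD`, `DISABLED`) should be checked against Snowflake’s current documentation before use.

```python
"""Audit Snowflake users for password-only login and exposed credentials.

Added example (not the article's or Snowflake's code). Assumes `SHOW USERS`
rows with the columns below; all sample data is constructed.
"""
from dataclasses import dataclass, field

NO_MFA = "password login without MFA"
EXPOSED_HIT = "username/email present in exposed-credential list"

# Constructed stand-in for a `SHOW USERS` result (column names are an assumption).
SAMPLE_USERS = [
    {"name": "ALICE_ANALYST", "email": "alice@example.com", "disabled": "false",
     "has_password": "true", "ext_authn_duo": "false"},
    {"name": "BOB_DBA", "email": "bob@example.com", "disabled": "false",
     "has_password": "true", "ext_authn_duo": "true"},          # MFA enrolled
    {"name": "CAROL_ENG", "email": "carol@example.com", "disabled": "false",
     "has_password": "true", "ext_authn_duo": "false"},         # no MFA, not exposed
    {"name": "SVC_ETL", "email": "", "disabled": "false",
     "has_password": "false", "ext_authn_duo": "false"},        # key-pair auth only
    {"name": "OLD_CONTRACTOR", "email": "old@example.com", "disabled": "true",
     "has_password": "true", "ext_authn_duo": "false"},         # already disabled
]

# Constructed list of identities seen in a stealer-log dump (e.g. a breach
# notification service match). Real lists come from your own monitoring.
EXPOSED_IDENTITIES = {"alice@example.com", "nobody@example.com"}


def _truthy(value) -> bool:
    """SHOW USERS returns booleans as strings; normalise them."""
    return str(value).strip().lower() in {"true", "t", "1", "yes"}


@dataclass
class Finding:
    user: str
    email: str
    reasons: list = field(default_factory=list)


def audit_users(rows, exposed) -> list:
    """Return one Finding per active user who is at risk.

    A user is at risk if they can authenticate with a password and either
    have no MFA enrolled or their username/email is in the exposed list.
    Disabled users and password-less (key-pair/SSO-only) users are skipped
    because a stolen password alone cannot be used to log in as them.
    """
    exposed_lower = {e.lower() for e in exposed}
    findings = []
    for row in rows:
        if _truthy(row.get("disabled")):
            continue
        if not _truthy(row.get("has_password")):
            continue
        reasons = []
        if not _truthy(row.get("ext_authn_duo")):
            reasons.append(NO_MFA)
        identities = {row.get("name", "").lower(), row.get("email", "").lower()}
        if identities & exposed_lower:
            reasons.append(EXPOSED_HIT)
        if reasons:
            findings.append(Finding(row["name"], row.get("email", ""), reasons))
    return findings


def remediation_sql(findings) -> list:
    """Emit statements for users whose credentials are known to be exposed.

    Forcing a password change invalidates the stolen secret; MFA enrollment
    itself is per-user in Snowflake, so that step is a user action plus a
    policy decision, not a statement this helper can generate.
    """
    statements = []
    for f in findings:
        if EXPOSED_HIT in f.reasons:
            statements.append(f'ALTER USER "{f.user}" SET MUST_CHANGE_PASSWORD = TRUE;')
    return statements


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS, EXPOSED_IDENTITIES):
        print(f"{f.user:<16} {f.email:<20} {'; '.join(f.reasons)}")
    print("\n".join(remediation_sql(audit_users(SAMPLE_USERS, EXPOSED_IDENTITIES))))
```

Run against a real export, the two interesting buckets are users flagged only for `NO_MFA` (the population to push toward enrollment) and users flagged for the exposed-credential hit (the ones to rotate immediately and review in login history).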
How we checked the data
A source with knowledge of cybercriminal operations pointed TechCrunch to a website where would-be attackers can search through lists of credentials that have been stolen from various sources, such as infostealing malware on someone’s computer or collated from previous data breaches. (TechCrunch is not linking to the website where stolen credentials are available so as not to aid bad actors.)
In all, TechCrunch has seen more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for the corresponding Snowflake environments.
The exposed credentials appear to pertain to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others. We have also seen exposed usernames and passwords allegedly belonging to a former Snowflake employee.
TechCrunch is not naming the former employee because there’s no evidence they did anything wrong. (It’s ultimately both the responsibility of Snowflake and its customers to implement and enforce security policies that prevent intrusions that result from the theft of employee credentials.)
We did not test the stolen usernames and passwords, as doing so would break the law. As such, it’s unknown if the credentials are currently in active use or if they directly led to account compromises or data thefts. Instead, we worked to verify the authenticity of the exposed credentials in other ways. This includes checking the individual login pages of the Snowflake environments that were exposed by the infostealing malware, which were still active and online at the time of writing.
The credentials we’ve seen include the employee’s email address (or username), their password, and the unique web address for logging in to their company’s Snowflake environment. When we checked the web addresses of the Snowflake environments, often made up of random letters and numbers, we found the listed Snowflake customer login pages are publicly accessible, even if not searchable online.
TechCrunch confirmed that the Snowflake environments correspond to the companies whose employees’ logins were compromised. We were able to do this because each login page we checked had two separate options to sign in.
Snowflake’s other login option allows the user to use only their Snowflake username and password, depending on whether the corporate customer enforces MFA on the account, as detailed by Snowflake’s own documentation. It’s these credentials that appear to have been stolen by the infostealing malware from the employees’ computers.
It’s not clear exactly when the employees’ credentials were stolen or for how long they have been online.
There is some evidence to suggest that several employees with access to their company’s Snowflake environments had their computers previously compromised by infostealing malware. According to a check on breach notification service Have I Been Pwned, several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.
Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether any of its customers’ data was found in the Snowflake employee’s demo account. In a statement, Snowflake said it is “suspending certain user accounts where there are strong indicators of malicious activity.”
Snowflake added: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.” The spokesperson said Snowflake was “considering all options for MFA enablement, but we have not finalized any plans at this time.”
When reached by email, Live Nation spokesperson Kaitlyn Henrich did not comment by press time.
Santander did not reply to a request for comment.
Missing MFA resulted in huge breaches
Snowflake’s response so far leaves a lot of questions unanswered and lays bare a slew of companies that are not reaping the benefits that MFA security provides.
What is clear is that Snowflake bears at least some responsibility for not requiring its users to switch on the security feature and is now bearing the brunt of that, along with its customers.
The data breach at Ticketmaster allegedly involves upwards of 560 million customer records, according to the cybercriminals advertising the data online. (Live Nation would not comment on how many customers are affected by the breach.) If proven, Ticketmaster would be the largest U.S. data breach of the year so far, and one of the biggest in recent history.
Snowflake is the latest company in a string of high-profile security incidents and sizable data breaches caused by the lack of MFA.
Last year, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that weren’t protected with MFA, prompting the genetic testing company, and its competitors, to require users to enable MFA by default to prevent a repeat attack.
And earlier this year, the UnitedHealth-owned health tech giant Change Healthcare admitted hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected with MFA. The healthcare giant hasn’t yet said how many individuals had their information compromised but said it is likely to affect a “substantial proportion of people in America.”
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.