Wednesday, October 2, 2024

What Snowflake is not saying about its customer data breaches

Snowflake's security problems following a recent spate of customer data thefts are, for want of a better phrase, snowballing.

After Ticketmaster was the first company to link its recent data breach to the cloud data company Snowflake, loan comparison site LendingTree has now confirmed its QuoteWizard subsidiary had data stolen from Snowflake.

"We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident," Megan Greuling, a spokesperson for LendingTree, told TechCrunch.

"We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation," the spokesperson said. "As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree," the spokesperson added, declining to comment further, citing its ongoing investigation.

As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there wasn't a data breach of its own systems, rather that its customers weren't using multi-factor authentication, or MFA — a security measure that Snowflake doesn't enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee's "demo" account was compromised because it was only protected with a username and password.

In a statement Friday, Snowflake held firm on its response so far, stating its position "remains unchanged." Citing its earlier statement on Sunday, Snowflake chief information security officer Brad Jones said that this was a "targeted campaign directed at users with single-factor authentication" using credentials stolen by info-stealing malware or obtained from previous data breaches.

The lack of MFA appears to be how cybercriminals downloaded huge amounts of data from Snowflake customers' environments, which weren't protected by the additional security layer.

TechCrunch earlier this week found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees who have access to their employer's Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.

Throughout the week, TechCrunch has sent more than a dozen inquiries to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions.

These are some of the questions we're asking, and why.

It's not yet known how many Snowflake customers are affected, or whether Snowflake knows yet.

Snowflake said it has so far notified a "limited number of Snowflake customers" who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos, and healthcare providers.

Snowflake spokesperson Danica Stanczak declined to say whether the number of affected customers was in the tens, dozens, hundreds, or more.

It's likely that, despite the handful of reported customer breaches this week, we're only in the early days of understanding the scale of this incident.

It may not be clear even to Snowflake how many of its customers are affected yet, as the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.

It's not known how soon Snowflake may have known about the intrusions into its customers' accounts. Snowflake's statement said it became aware on May 23 of the "threat activity" — the accessing of customer accounts and downloading of their contents — but subsequently found evidence of intrusions dating back to a no-more-specific timeframe than mid-April, suggesting the company does have some data to rely on.

But that also leaves open the question of why Snowflake didn't detect at the time the exfiltration of large amounts of customers' data from its servers until much later in May, or, if it did, why Snowflake didn't publicly alert its customers sooner.

Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for "several weeks."

We still don't know what was in the former Snowflake employee's demo account, or whether it is relevant to the customer data breaches.

A key line from Snowflake's statement says: "We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data."

Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by TechCrunch.

As we previously noted, TechCrunch is not naming the employee, as it's not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, allowing cybercriminals to download data from a then-employee's "demo" account using only their username and password, highlights a fundamental problem in Snowflake's security model.

But it remains unclear what role, if any, this demo account has in the customer data thefts, because it's not yet known what data was stored inside, or whether it contained data from Snowflake's other customers.

Snowflake declined to say what role, if any, the then-Snowflake employee's demo account has in the recent customer breaches. Snowflake reiterated that the demo account "did not contain sensitive data," but repeatedly declined to say how the company defines what it considers "sensitive data."

We asked whether Snowflake believes that individuals' personally identifiable information is sensitive data. Snowflake declined to comment.

It's unclear why Snowflake hasn't proactively reset passwords, or required and enforced the use of MFA on its customers' accounts.

It's common for companies to force-reset their customers' passwords following a data breach. But if you ask Snowflake, there was no breach. And while that may be true in the sense that there was no apparent compromise of its central infrastructure, Snowflake's customers are very much getting breached.

Snowflake's advice to its customers is to reset and rotate Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are on the hook for their own security: "Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA with their users."

But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords for accounts that aren't protected with MFA, it's unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.
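For a Snowflake customer following the advice above (rotate credentials, enforce MFA, and, as Snowflake's CISO mentions later in the piece, add network policies), the following is an added example of how that looks in Snowflake SQL. It is not code from TechCrunch or from Snowflake; the policy names `require_mfa` and `corp_egress_only`, the user name `<flagged_user>` and the IP ranges are assumptions or placeholders, and it assumes the `ACCOUNTADMIN` role (or one with equivalent grants). The `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view and its `FIRST_AUTHENTICATION_FACTOR` / `SECOND_AUTHENTICATION_FACTOR` columns are Snowflake's own; the exact parameter names for authentication policies should be checked against current Snowflake documentation.

```sql
-- Added example (not TechCrunch's or Snowflake's code). Object names and IP
-- ranges are placeholders. Run with ACCOUNTADMIN or an equivalently granted role.

-- 1. Audit: which users logged in successfully with ONLY a password in the
--    last 60 days, and from how many source IPs? SECOND_AUTHENTICATION_FACTOR
--    is NULL when no MFA was used. ACCOUNT_USAGE views can lag by a few hours,
--    so a very recent login may not appear yet.
SELECT user_name,
       COUNT(*)                                     AS password_only_logins,
       COUNT(DISTINCT client_ip)                    AS distinct_source_ips,
       MIN(event_timestamp)                         AS first_seen,
       MAX(event_timestamp)                         AS last_seen,
       LISTAGG(DISTINCT reported_client_type, ', ') AS client_types
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -60, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Contain: for each account flagged above, rotate the password and force a
--    change at next login ...
ALTER USER "<flagged_user>"
  SET PASSWORD = '<new random password>'
      MUST_CHANGE_PASSWORD = TRUE;
--    ... or disable the account outright until its owner is reachable.
ALTER USER "<flagged_user>" SET DISABLED = TRUE;

-- 3. Enforce MFA enrollment account-wide via an authentication policy
--    (assumed parameter name; verify against current Snowflake docs).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Every user must enroll in MFA before continuing to use the account';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Restrict where logins may originate from (placeholder CIDRs). Include the
--    address you are currently connecting from, or the ALTER ACCOUNT will be
--    rejected / you will lock yourself out.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

The audit query is the detection half: a user with many password-only logins from many distinct IPs, or from an unfamiliar client type, is exactly the pattern described in the article, where stolen credentials from infostealer logs are replayed against accounts that never had a second factor. Steps 2 to 4 are the mitigation half, and are what the article notes Snowflake has so far left to each customer under its shared responsibility model.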

It's not unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that weren't protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users' accounts.

We asked Snowflake if the company planned to reset the passwords of its customers' accounts to prevent any potential further intrusions. Snowflake declined to comment.

Snowflake appears to be moving towards rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake's CISO Jones in the Friday update.

"We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts," said Jones.

A timeframe for the plan was not given.

Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
