
Cybersecurity wake-up call: Lessons from Snowflake’s massive data breach

interestingengineering.com 2024/10/6

The breach, while not confirmed as the largest in history, has certainly raised alarms across the tech industry.


Snowflake, a leading cloud data platform, recently became the center of attention due to one of the most significant data breaches in recent history. This incident has potentially damaging consequences for businesses and consumers alike.

On May 23, 2024, Snowflake identified unauthorized access to certain customer accounts. What initially looked like a limited incident soon proved far broader: cybercriminals allegedly accessed and sold data belonging to high-profile customers such as Santander, Ticketmaster, LendingTree, and Advance Auto Parts.

A BreachForums account using the handle Sp1d3r claimed to hold 380 million customer records from Advance Auto Parts, along with data linked to 190 million people from LendingTree and its subsidiary QuoteWizard.

TechCrunch reported seeing hundreds of Snowflake customer credentials circulating online, harvested by info-stealing malware.

Chris Morgan, a senior cyber-threat intelligence analyst at ReliaQuest, suggested a possible connection between the self-identified culprit, Sp1d3r, and the teenage hacking group Scattered Spider.

The rise of infostealer malware has coincided with the shift to remote work during the COVID-19 pandemic, and the credential logs it harvests are sold for as little as $10 per infected device.

Web of intrusion

The Snowflake breach was not the result of a single vulnerability but of a multi-pronged credential-theft campaign.

Brad Jones, Snowflake’s Chief Information Security Officer, explained that the breach was orchestrated through a combination of phishing, malware, and info-stealing tools. The attackers utilized login credentials from compromised devices, specifically targeting accounts protected only by single-factor authentication.

A critical factor in the breach was Snowflake’s policy on multifactor authentication (MFA). According to the company’s customer documentation, Snowflake does not automatically enroll or require customers to use MFA, instead allowing each customer to manage the security of their environments.

This decision drew criticism, as it left many accounts vulnerable to attack.

The consequences of this policy were significant. For instance, the Ticketmaster breach allegedly involved over 560 million customer records, potentially making it one of the largest US data breaches in recent history.

Similar incidents have occurred at other companies. Last year, cybercriminals accessed 6.9 million consumer records from 23andMe accounts that had no multifactor authentication. Earlier this year, Change Healthcare, a major health IT company owned by UnitedHealth Group, suffered a breach affecting a “substantial proportion of people in America” through a system that was not protected by MFA.

The immediate fallout from the breach was substantial. Snowflake’s stock price has fallen by more than 20 percent since the breach was first made public, reflecting both financial losses and damage to the company’s reputation.

International agencies took notice, with the Australian Cyber Security Centre confirming successful compromises of multiple businesses using Snowflake, and the U.S. Cybersecurity and Infrastructure Security Agency issuing a warning.

The Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) in the United States initiated investigations to determine the impact of the breach and Snowflake’s compliance with cybersecurity regulations.

Snowflake has maintained transparency throughout the investigation, collaborating with cybersecurity experts from CrowdStrike and Mandiant. Here’s a timeline of key updates:

May 30, 2024: Snowflake addressed rumors of a breach in its production environment, emphasizing no evidence of platform vulnerabilities or misconfiguration. The company confirmed that personal login credentials for demo accounts were compromised, with these accounts lacking MFA protection.

June 2, 2024: Initial findings, supported by Mandiant and CrowdStrike, indicated that the incident was not caused by Snowflake’s platform vulnerabilities or misconfiguration. The attackers primarily targeted accounts without multifactor authentication using stolen credentials.

June 7, 2024: Further investigation confirmed earlier reports that the hack specifically compromised single-factor authentication accounts. The breach was carried out using credentials stolen by info-stealing software.

June 10, 2024: Mandiant and Snowflake released comprehensive findings from their examination. The company continued to work closely with affected clients to strengthen security controls and to develop a plan to enforce strict network rules and MFA to prevent similar incidents in the future.

Breach resulted from the use of stolen credentials

The investigation revealed no vulnerabilities or misconfigurations in Snowflake’s core platform. The breach resulted from the use of stolen customer credentials, not from flaws in the company’s infrastructure.

Attackers employed info-stealing malware in a targeted campaign to obtain login credentials from infected machines. These credentials were then used to access Snowflake accounts lacking multifactor authentication.

The incident directly impacted demo accounts without Okta or MFA protection, which did not contain sensitive information and were not connected to Snowflake’s primary infrastructure. However, the breach extended to customer accounts that also lacked proper security measures.

Moving forward

In response to the attacks, Snowflake has urged its customers to implement several security measures: activate MFA on all accounts, restrict access to traffic from authorized users and locations only, and, for affected businesses, rotate Snowflake login credentials. Together these measures significantly reduce the likelihood that a stolen credential alone can be used to take over an account.
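The stolen-credential findings above and the measures Snowflake urged map onto a handful of Snowflake SQL statements. The following is an added example written for this page, not Snowflake’s, Mandiant’s or CrowdStrike’s own guidance: it first inventories password-only accounts and recent single-factor logins from outside expected address ranges (the pattern the stolen-credential findings describe), then applies the network restriction, MFA requirement and credential rotation. The IP ranges, the policy names corp_only and require_mfa, and the user name compromised_user are placeholders; the AUTHENTICATION POLICY object with MFA_ENROLLMENT = REQUIRED is assumed to be available on the account, and the statements assume ACCOUNTADMIN or an equivalently privileged role.

```sql
-- Added example for this page (not Snowflake's own scripts). Run as ACCOUNTADMIN
-- or a role granted the relevant privileges. All names and IP ranges are placeholders.

-- 1. Inventory: active users who can authenticate with a password and have no MFA (Duo)
--    enrolled. These are the accounts an infostealer log alone is sufficient to take over.
SELECT name,
       last_success_login,
       has_rsa_public_key
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Hunt: successful password-only logins in the last 30 days from outside the ranges the
--    organisation expects (203.0.113.0/24 and 198.51.100.0/24 are placeholder ranges).
--    ACCOUNT_USAGE views lag real time by up to a few hours, so re-run for fresh activity.
--    IPv6 clients have no ipv4 field and drop out of this filter; review them separately.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  NOT (
         PARSE_IP(client_ip, 'INET'):ipv4::NUMBER
           BETWEEN PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_start::NUMBER
               AND PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_end::NUMBER
      OR PARSE_IP(client_ip, 'INET'):ipv4::NUMBER
           BETWEEN PARSE_IP('198.51.100.0/24', 'INET'):ipv4_range_start::NUMBER
               AND PARSE_IP('198.51.100.0/24', 'INET'):ipv4_range_end::NUMBER
       )
ORDER BY event_timestamp DESC;

-- 3. Contain: restrict the account to the expected ranges. Test on one user first
--    (ALTER USER <name> SET NETWORK_POLICY = corp_only), and make sure the session that
--    runs this comes from inside the allow list, or you will lock yourself out.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Prevent recurrence: password logins must carry MFA and every user must enrol.
--    Assumes the AUTHENTICATION POLICY object and MFA_ENROLLMENT property are available on
--    this account; SSO users keep authenticating through SAML.
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa
  AUTHENTICATION_METHODS     = ('SAML', 'PASSWORD')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 5. Respond: for a user whose credentials appeared in a stealer log, rotate the password
--    (the old one is already in someone else's hands) and stop any in-flight work.
ALTER USER compromised_user SET PASSWORD = '<new-random-password>' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER compromised_user ABORT ALL QUERIES;
-- Or, until the host that leaked the credential has been rebuilt:
ALTER USER compromised_user SET DISABLED = TRUE;
```

Step 2 only finds logins that matter if the allow list reflects where users and pipelines really connect from, so build it from the login history itself before applying step 3. Service accounts that cannot complete an MFA prompt should be moved to key-pair authentication (has_rsa_public_key in step 1) rather than exempted from the policy, otherwise they become the next single-factor target.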

Snowflake has also offered assistance to customers, including guidance on securing their data and monitoring for any signs of misuse.

The Snowflake breach has exposed how much exposure remains in even the most sophisticated cloud data platforms when customer accounts are left protected by a password alone.

However, it has also provided valuable lessons about the necessity of continuous improvement and the importance of robust security procedures.

One of the key takeaways from this incident is the critical importance of multifactor authentication. The breach primarily affected accounts without MFA, highlighting its crucial role in cybersecurity. This incident also underscores the concept of shared responsibility in data protection: the platform provider secures the infrastructure, but the customer is responsible for how its own accounts are protected.

The financial and reputational consequences of data breaches cannot be overstated. Snowflake’s significant stock price drop underscores the severe impact such incidents can have on a company’s value and reputation, serving as a reminder of the high stakes involved in data security.

Snowflake’s response, combined with industry-leading expertise from CrowdStrike and Mandiant, also sets a precedent for how businesses can effectively handle and mitigate the impact of large-scale attacks.

The Snowflake breach reminds us that in the realm of cybersecurity, complacency is not an option. Continuous improvement, proactive measures, and a culture of security awareness are essential for safeguarding sensitive data in today’s world.
