Cloud data analytics company Snowflake has been at the center of a recent spate of data thefts that have left its corporate customers scrambling to understand whether their cloud data stores have been breached.
The Boston-based data giant helps some of the world's largest companies, including banks, healthcare organizations and technology companies, store and analyze vast amounts of data, including customer data, in the cloud.
Australian authorities warned last week that they had learned of “successful intrusions into multiple companies using Snowflake environments,” but did not name the companies. Hackers claimed on a popular cybercrime forum that they had stolen hundreds of millions of customer records from two of Snowflake's biggest clients, Santander Bank and Ticketmaster. Santander acknowledged the intrusion into databases “hosted by a third-party provider,” but did not name the provider in question. Live Nation confirmed on Friday that its Ticketmaster subsidiary had been hacked and that the stolen databases were hosted on Snowflake.
In a brief statement, Snowflake acknowledged that it was aware of “potential unauthorized access” to a “limited number” of customer accounts, though it did not say how many, and said it had found no evidence of a direct intrusion into its own systems. Rather, Snowflake called it a “targeted attack against single-factor authentication users” and said the hackers used credentials that were “previously purchased or obtained through information-stealing malware,” a type of malware designed to steal saved passwords from users' computers.
According to Snowflake's customer documentation, despite the sensitive data it holds, Snowflake allows each customer to manage the security of their environment and does not automatically enroll or require customers to use multi-factor authentication (MFA). Not enforcing MFA usage is likely how cybercriminals obtained large amounts of data from some Snowflake customers, some of whom had set up their environments without additional security measures.
Snowflake acknowledged that one of its “demo” accounts was compromised because it was not protected by anything other than a username and password, but claimed that the account “contained no sensitive data.” It is unclear if this stolen demo account has any connection to the recent breach.
TechCrunch found this week that there are hundreds of Snowflake customer credentials available online that cybercriminals could use in their hacking operations, suggesting that the risk of Snowflake customer account compromise may be much more widespread than initially thought.
The credentials were stolen by information-stealing malware that infected an employee's computer with access to the employer's Snowflake environment.
Some of the credentials reviewed by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander. Employees with access to Snowflake include database engineers and data analysts, some of whom have mentioned their experience using Snowflake on their LinkedIn pages.
Meanwhile, Snowflake is telling customers to enable MFA on their accounts immediately. Until then, Snowflake accounts that don't enforce MFA for logins are at risk of having their stored data compromised through simple attacks like stolen and reused passwords.
How to check your data
A source familiar with cybercrime activity pointed TechCrunch to a website where attackers can search for lists of stolen credentials from a variety of sources, including information-stealing malware on someone's computer and information gleaned from previous data breaches. (TechCrunch is not linking to the site where the stolen credentials are listed, to avoid aiding bad actors.)
In total, TechCrunch identified more than 500 credentials, including employee usernames and passwords, as well as web addresses for the corresponding login pages for Snowflake environments.
The exposed credentials appear to relate to Snowflake environments including Santander, Ticketmaster, at least two major pharmaceutical companies, a food delivery service and a public fresh water supplier, as well as usernames and passwords believed to belong to former Snowflake employees.
TechCrunch is not publishing the names of the former employees because there is no evidence they committed any wrongdoing (it is ultimately the responsibility of both Snowflake and its customers to implement and enforce security policies that prevent intrusions via stolen employee credentials).
We did not test the stolen usernames and passwords as this would be against the law, so it is unclear if the credentials are currently in use or if they have directly led to account compromise or data theft. Instead, we verified the authenticity of the exposed credentials through other means, including reviewing the individual login pages for the Snowflake environments exposed by the information stealing malware, which were still active and online at the time of writing.
The credentials we reviewed included the employee's email address (or username), password, and a unique web address to log into the company's Snowflake environment. When we reviewed the web addresses for the Snowflake environments (which often consist of random letters and numbers), we found that the Snowflake customer login pages listed were publicly available, although they were not searchable online.
TechCrunch confirmed which company each exposed Snowflake environment belonged to, and therefore which companies' employee login details were compromised. We could tell because each login page had two options for signing in.
One of the login methods relies on Okta, a single sign-on provider, which allows Snowflake users to sign in with their corporate credentials using MFA. During our checks, we found that these Snowflake login pages redirect to Live Nation (for Ticketmaster) and Santander sign-in pages. We also found a set of credentials for Snowflake employees whose Okta login page redirected to a now-defunct internal Snowflake login page.
Snowflake's other login option lets users sign in with just their Snowflake username and password, unless the enterprise customer has enforced MFA on its accounts, as detailed in Snowflake's support documentation. It is these username-and-password credentials that were likely stolen by information-stealing malware from employee computers.
It's unclear exactly when the employee credentials were stolen or how long they remained online.
There is some evidence that the computers of several employees with access to their company's Snowflake environment had previously been compromised with information-stealing malware. According to research by breach notification service Have I Been Pwned, several of the corporate email addresses used as usernames to access the Snowflake environments were found in a recent data dump containing millions of stolen passwords gleaned from various Telegram channels used to share stolen passwords.
Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether the company found any customer data in the Snowflake employee demo accounts. In a statement, Snowflake said it was “suspending certain user accounts where there are strong indications of malicious activity.”
Snowflake added: “Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA for their users.” A spokesperson said Snowflake is “considering all options for enabling MFA but has not finalized plans at this time.”
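The two login paths described above (SSO through Okta, or a bare Snowflake username and password unless the customer has enforced MFA) and Snowflake's statement that enforcing MFA is the customer's responsibility translate into a concrete audit-and-fix job for the customer's Snowflake administrator. The SQL below is an added example written for this page; it is not code from the article, from Snowflake or from any of the companies named. It uses Snowflake's built-in `SNOWFLAKE.ACCOUNT_USAGE.USERS` and `LOGIN_HISTORY` views and the authentication policy object; it assumes the ACCOUNTADMIN role, a Snowflake release recent enough to support `MFA_ENROLLMENT` in authentication policies, and that the policy name `require_mfa` and its comment are placeholders of my choosing.

```sql
-- Added example, not from the article: find Snowflake users that a stolen
-- password alone would unlock, look for single-factor logins in the audit
-- trail, then require MFA account-wide.
-- Assumes ACCOUNTADMIN and a current Snowflake release; run from a worksheet
-- in a schema you control (authentication policies are schema-level objects).

-- 1. Active users who have a password set but no MFA device enrolled.
--    Each row is an account that an infostealer dump could open directly.
SELECT name,
       login_name,
       email,
       has_password,
       has_mfa,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and client. A replayed stolen credential shows up here as a
--    familiar user arriving from an unfamiliar IP or client type.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'                      -- column holds 'YES' / 'NO'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL    -- no Duo/MFA step recorded
GROUP  BY 1, 2, 3
ORDER  BY last_seen DESC;

-- 3. Close the gap: require MFA enrolment for every password login on the
--    account. Users without a device are prompted to enrol at next sign-in;
--    SSO (Okta/SAML) users are unaffected because the IdP supplies the
--    second factor. Policy name and comment are placeholders.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Example policy: block single-factor password logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. After a grace period, re-run query 1. Anything still listed is a stale
--    or unattended account and should be disabled rather than left with a
--    password-only login.
```

The ACCOUNT_USAGE views lag live activity by up to a couple of hours, so query 2 is a retrospective check rather than a real-time alert; for continuous detection, schedule it as a task or feed `LOGIN_HISTORY` into the SIEM. Query 1 is the one to run first, because it answers the question the article leaves open for each customer: how many of our users could be logged into with nothing but a leaked password.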
Live Nation spokeswoman Kaitlyn Henrich, reached via email, had no comment at press time.
Santander did not respond to a request for comment.
Lack of MFA led to massive breach
Snowflake's response so far has left many questions unanswered and made it clear that many businesses are not enjoying the benefits that MFA security provides.
What's clear is that Snowflake bears at least some responsibility for failing to require its users to turn on security features such as MFA, and it now shoulders that responsibility along with its customers.
The Ticketmaster data breach involves more than 560 million customer records, according to cybercriminals advertising the data online. (Live Nation declined to comment on how many customers were affected by the breach.) If proven true, it would mark Ticketmaster's largest data breach in the U.S. so far this year and one of the largest in recent history.
Snowflake is the latest in a series of high-profile security incidents and massive data breaches caused by a lack of MFA.
Last year, cybercriminals stole approximately 6.9 million customer records from 23andMe accounts that were unsecured without MFA, prompting the genetic testing company and its competitors to require users to enable MFA by default to prevent it from happening again.
And earlier this year, Change Healthcare, a health technology giant owned by UnitedHealth, acknowledged that hackers had broken into its systems and stolen large amounts of sensitive medical data from systems that weren't protected by MFA. The health care giant has not yet disclosed how many people's personal information was exposed, but said it likely affects “a significant proportion of Americans.”
Do you know more about the Snowflake account breach? Let us know. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.