Snowflake's security issues, following a recent spate of customer data thefts, are, for lack of a better word, snowballing.
After Ticketmaster first linked its recent data breach to cloud data company Snowflake, loan comparison site LendingTree confirmed that its subsidiary QuoteWizard had data stolen from Snowflake.
“We use Snowflake in our business operations and can confirm that Snowflake notified us that data for our subsidiary, QuoteWizard, may have been affected by this incident,” LendingTree spokesperson Megan Greuling told TechCrunch.
“We take these matters seriously. [Snowflake] “We have launched an internal investigation,” the spokesperson said. “At this time, it does not appear that consumers' financial account information or that of our parent company, LendingTree, has been impacted,” the spokesperson added, declining to comment further because the investigation is ongoing.
As affected customers come forward, Snowflake has said little beyond a short statement on its website reiterating that there was no data breach on its systems, but rather that customers simply did not use multi-factor authentication (MFA), a security measure that Snowflake does not enforce on customers or require them to enable by default. Snowflake itself was caught out in the incident, saying that a former employee's “demo” account was compromised because it was protected only by username and password.
Snowflake said in a statement on Friday that it stood by its previous response and that its position “remains unchanged.”Citing an earlier statement on Sunday, Snowflake's Chief Information Security Officer Brad Jones said this was a “targeted attack against users who use single-factor authentication,” using credentials stolen from information-stealing malware or obtained in previous data breaches.
The lack of MFA appears to have allowed cybercriminals to download large amounts of data from Snowflake customer environments that were not protected by additional layers of security.
TechCrunch found earlier this week that hundreds of Snowflake customer credentials had been stolen online by password-stealing malware that infected the computers of employees with access to their employers' Snowflake environments. The number of credentials suggests that Snowflake customers who have not yet changed their passwords or enabled MFA are still at risk.
As TechCrunch continued to cover this story this week, we sent Snowflake more than a dozen questions about the ongoing incident affecting its customers, and Snowflake declined to answer our questions at least six times.
These are some of the questions we are asking and why.
It's not yet clear how many Snowflake customers are affected or whether Snowflake already knows about it.
Snowflake said it had notified a “limited number of Snowflake customers” who it believed may have been affected. Snowflake claims more than 9,800 customers, including technology companies, telecommunications companies and healthcare organizations, according to its website.
Snowflake spokeswoman Danica Stanczak declined to comment on whether the number of affected customers was in the dozens, dozens, hundreds or more.
Despite several reports of customer data breaches this week, we're likely only just beginning to grasp the scale of this incident.
It may not even be clear to Snowflake how many customers are still affected, because the company must rely on its own data, such as logs, or get information directly from affected customers.
It's unclear how quickly Snowflake learned about the intrusion into customer accounts. According to a Snowflake statement, the company became aware of “threat activity” (access to customer accounts and the downloading of their contents) on May 23, but later discovered evidence of the intrusion dating back to mid-April, without specifying a specific time frame, which suggests the company has some reliable data.
But that also leaves open the question of why Snowflake didn't realize that so much customer data had been leaked from its servers until well into May, and, if it did, why it didn't publicly warn customers sooner.
Mandiant, the incident response firm Snowflake brought in to help with customer outreach, told Bleeping Computer in late May that it had already been helping affected organizations for “several weeks.”
It is not yet known what was in the former Snowflake employee's demo account or whether it is related to the customer data breach.
The key line from Snowflake's statement is, “We found evidence that threat actors obtained personal credentials of a former Snowflake employee and accessed their demo account, which did not contain any sensitive data.”
According to a TechCrunch investigation, some of the customer credentials stolen in connection with the information-stealing malware belonged to Snowflake employees at the time.
As we've said before, TechCrunch is not publishing the names of the employees because it's not clear whether they did anything wrong, but the fact that Snowflake failed to enforce MFA, allowing cybercriminals to download data from the then-employee's “demo” accounts using only their usernames and passwords, highlights fundamental problems with Snowflake's security model.
However, it remains unclear what role this demo account played in the theft of customer data, as it is not yet known what data was stored there or whether it included data of other Snowflake customers.
Snowflake declined to comment on what, if any, role the then-Snowflake employee's demo account played in the recent breach of customer information. Snowflake reiterated that the demo account “did not contain any sensitive data,” but repeatedly declined to comment on how the company defines what it considers “sensitive data.”
When asked whether Snowflake considers individuals' personal information to be sensitive data, Snowflake declined to comment.
It's unclear why Snowflake didn't proactively reset passwords or require and enforce the use of MFA on customers' accounts.
It's not uncommon for companies to force reset customers' passwords after a data breach, but when we asked Snowflake, they said no breach had occurred. That may be true in the sense that there was no obvious breach of their central infrastructure, but Snowflake's customers have been compromised.
Snowflake is advising customers to reset and rotate their Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that customers are responsible for their own security: “Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA for their users.”
However, because these thefts of Snowflake customer data involve the use of stolen usernames and passwords for accounts that were not protected by MFA, it is unusual that Snowflake has not stepped in on behalf of its customers to secure their accounts by resetting passwords or enforcing MFA.
This is not unprecedented: last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that weren't protected by MFA. 23andMe took the precaution of resetting user passwords to prevent further scraping attacks, and has since mandated the use of MFA on all user accounts.
When asked whether it plans to reset passwords on customer accounts to prevent further intrusions, Snowflake declined to comment.
Snowflake is moving toward MFA by default, according to Snowflake CEO Sridhar Ramaswamy in an interview this week with tech news site Runtime, which Snowflake CISO Jones later confirmed in an update on Friday.
“We are also developing plans to require customers to implement advanced security controls, such as multi-factor authentication (MFA) and network policies, for particularly privileged Snowflake customer accounts,” Jones said.
No deadline was given for the plan.
Do you know more about the Snowflake account breach? Let us know. You can contact this reporter on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.