Hundreds of Snowflake customer passwords found online are linked to info-stealing malware
Cloud data analysis company Snowflake is at the center of a recent spate of alleged data thefts, as its corporate customers scramble to understand if their stores of cloud data have been compromised.Â
The Boston-based data giant helps some of the largest global corporations â including banks, healthcare providers and tech companies â store and analyze their vast amounts of data, such as customer data, in the cloud.
Last week, Australian authorities sounded the alarm saying they had become aware of âsuccessful compromises of several companies utilising Snowflake environments,â without naming the companies. Hackers had claimed on a known cybercrime forum that they had stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two of Snowflakeâs biggest customers. Santander confirmed a breach of a database âhosted by a third-party provider,â but would not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake.Â
Snowflake acknowledged in a brief statement that it was aware of âpotentially unauthorized accessâ to a âlimited numberâ of customer accounts, without specifying which ones, but that it has found no evidence there was a direct breach of its systems. Rather, Snowflake called it a âtargeted campaign directed at users with single-factor authenticationâ and that the hackers used âpreviously purchased or obtained through infostealing malware,â which is designed to scrape a userâs saved passwords from their computer.
Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments, and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflakeâs customer documentation. Not enforcing the use of MFA appears to be how cybercriminals allegedly obtained huge amounts of data from some of Snowflakeâs customers, some of which set up their environments without the additional security measure.Â
Snowflake conceded that one of its own âdemoâ accounts was compromised because it wasnât protected beyond a username and password, but claimed the account âdid not contain sensitive data.â Itâs unclear if this stolen demo account has any role in the recent breaches.Â
TechCrunch has this week seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.Â
The credentials were stolen by infostealing malware that infected the computers of employees who have access to their employerâs Snowflake environment.
Some of the credentials seen by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander, among others. The employees with Snowflake access include database engineers and data analysts, some of whom reference their experience using Snowflake on their LinkedIn pages.
For its part, Snowflake has told customers to immediately switch on MFA for their accounts. Until then, Snowflake accounts that arenât enforcing the use of MFA to log in are putting their stored data at risk of compromise from simple attacks like password theft and reuse.Â
How we checked the data
A source with knowledge of cybercriminal operations pointed TechCrunch to a website where would-be attackers can search through lists of credentials that have been stolen from various sources, such as infostealing malware on someoneâs computer or collated from previous data breaches. (TechCrunch is not linking to the site where stolen credentials are available so as not to aid bad actors.)
In all, TechCrunch has seen more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for the corresponding Snowflake environments.Â
The exposed credentials appear to pertain to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others. We have also seen exposed usernames and passwords allegedly belonging to a former Snowflake employee.Â
TechCrunch is not naming the former employee because thereâs no evidence they did anything wrong. (Itâs ultimately both the responsibility of Snowflake and its customers to implement and enforce security policies that prevent intrusions that result from the theft of employee credentials.)Â
We did not test the stolen usernames and passwords as doing so would break the law. As such, itâs unknown if the credentials are currently in active use or if they directly led to account compromises or data thefts. Instead, we worked to verify the authenticity of the exposed credentials in other ways. This includes checking the individual login pages of the Snowflake environments that were exposed by the infostealing malware, which were still active and online at the time of writing.
The credentials weâve seen include the employeeâs email address (or username), their password, and the unique web address for logging in to their companyâs Snowflake environment. When we checked the web addresses of the Snowflake environments â often made up of random letters and numbers â we found the listed Snowflake customer login pages are publicly accessible, even if not searchable online.
TechCrunch confirmed that the Snowflake environments correspond to the companies whose employeesâ logins were compromised. We were able to do this because each login page we checked had two separate options to sign in.
One way to login relies on Okta, a single sign-on provider that allows Snowflake users to sign in with their own companyâs corporate credentials using MFA. In our checks, we found that these Snowflake login pages redirected to Live Nation (for Ticketmaster) and Santander sign-in pages. We also found a set of credentials belonging to a Snowflake employee, whose Okta login page still redirects to an internal Snowflake login page that no longer exists.
Snowflakeâs other login option allows the user to use only their Snowflake username and password, depending on whether the corporate customer enforces MFA on the account, as detailed by Snowflakeâs own support documentation. Itâs these credentials that appear to have been stolen by the infostealing malware from the employeesâ computers.
Itâs not clear exactly when the employeesâ credentials were stolen or for how long they have been online.Â
There is some evidence to suggest that several employees with access to their companyâs Snowflake environments had their computers previously compromised by infostealing malware. According to a check on breach notification service Have I Been Pwned, several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.
Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether any of its customersâ data was found in the Snowflake employeeâs demo account. In a statement, Snowflake said it is âsuspending certain user accounts where there are strong indicators of malicious activity.â
Snowflake added: âUnder Snowflakeâs shared responsibility model, customers are responsible for enforcing MFA with their users.â The spokesperson said Snowflake was âconsidering all options for MFA enablement, but we have not finalized any plans at this time.â
When reached by email, Live Nation spokesperson Kaitlyn Henrich did not comment by press time.
Santander did not respond to a request for comment.
Missing MFA resulted in huge breaches
Snowflakeâs response so far leaves a lot of questions unanswered, and lays bare a raft of companies that are not reaping the benefits that MFA security provides.Â
What is clear is that Snowflake bears at least some responsibility for not requiring its users to switch on the security feature, and is now bearing the brunt of that â along with its customers.
The data breach at Ticketmaster allegedly involves upwards of 560 million customer records, according to the cybercriminals advertising the data online. (Live Nation would not comment on how many customers are affected by the breach.) If proven, Ticketmaster would be the largest U.S. data breach of the year so far, and one of the biggest in recent history.
Snowflake is the latest company in a string of high-profile security incidents and sizable data breaches caused by the lack of MFA.Â
Last year, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that werenât protected without MFA, prompting the genetic testing company â and its competitors â to require users enable MFA by default to prevent a repeat attack.
And earlier this year, the UnitedHealth-owned health tech giant Change Healthcare admitted hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected with MFA. The healthcare giant hasnât yet said how many individuals had their information compromised but said it is likely to affect a âsubstantial proportion of people in America.â
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.