Stolen Credentials Fuel Snowflake Data Breaches: Lessons Learned
Snowflake, a cloud-based data storage and analytics platform, has been at the centre of a number of data breaches affecting organisations including Ticketmaster and AT&T.
It was first reported in June 2024 that a cyber threat actor was suspected of having stolen a significant volume of customer data from the Snowflake platform.
Since then Ticketmaster parent company Live Nation has confirmed that internal data was exposed in a cyber-attack relating to their use of third-party provider Snowflake.
Telecommunications giant AT&T has also said that Snowflake was at the centre of a data breach that exposed customer data, including records of the calls and texts of nearly all of its cellular customers.
This recent breach brings a number of security concerns into focus, including the use of stolen credentials, multi-factor authentication (or the lack of it), software-as-a-service providers and third-party security, which we explore in this blog.
Snowflake Issues Explained
Threat intelligence researchers at Mandiant highlighted that a financially motivated threat actor, UNC5537, was systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.
These breaches did not stem from a breach of Snowflake’s enterprise environment; instead, every incident Mandiant responded to in connection with this campaign was traced back to compromised customer credentials.
Snowflake became aware of potentially unauthorised access to certain customer accounts on May 23, 2024.
A joint investigation by Mandiant and Snowflake found that the majority of the credentials used by UNC5537 were available from historical infostealer infections dating back as far as 2020.
MFA in the Spotlight
The issues stemmed from customers not using multi-factor authentication (MFA), a security measure that Snowflake offered but did not enforce on its customers.
In an update published in June 2024, Brad Jones, CISO at Snowflake, said that the company is developing a plan to require its customers to implement advanced security controls, MFA or network policies.
Generally, anyone using a third-party service, not just Snowflake, via an authenticated session, should be using a credential stronger than just username and password.
Some may argue that the data breaches that followed from organisations not having MFA implemented are the fault of Snowflake, as the firm should have enforced this security measure.
However, Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, said: “I personally have a hard time with all the blame Snowflake is getting.
“They had to balance customer adoption with ease of use and didn't force users to employ stronger security settings. But those more secure configuration options were available. This is akin to a car in the 80s that had seat belts but no alarm for unbuckling. If the manufacturer provided a safety option you chose not to use and you get hurt, whose fault is it?”
As well as the lack of MFA, two other factors contributed to the successful compromise of Snowflake data:
- Credentials stolen from past infostealer infections had not been rotated or updated
- The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations
Recommended Mitigation Steps
Snowflake recommended organisations immediately take the following steps:
- Enforce MFA on all accounts
- Set up Network Policy Rules to only allow authorised users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.)
- Impacted organisations should reset and rotate Snowflake credentials
Williams added to this list and urged organisations to build an inventory of any data they have in Snowflake.
They should also be aggressively rotating/invalidating authentication material, including API keys and access tokens, that may have found its way into a Snowflake instance, especially ones managed by a third party.
Williams further advised that whether your business is a Snowflake customer or not, vendor management teams need to be reaching out to service providers to make sure they are aware of this issue.
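The contributing factors above (unrotated credentials, no network allow list) and the recommended mitigation steps are all things a Snowflake administrator can act on from a worksheet. The following Snowflake SQL is an added example written for this post, not code from Snowflake, Mandiant or the article's sources. It assumes a role with ACCOUNTADMIN (or imported privileges on the SNOWFLAKE database for the ACCOUNT_USAGE views) and an account where authentication policies are available; the policy names, the IP ranges and the user name JDOE are hypothetical placeholders.

```sql
-- Added example, not Snowflake's own or the article's code. Run as ACCOUNTADMIN.
-- Policy names, IP ranges and the user JDOE are hypothetical placeholders.

-- 1. Audit: which live users can still log in with only a password and have
--    not enrolled in MFA? These are the accounts an infostealer log unlocks.
SELECT name, has_password, has_mfa, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Network allow list: only the corporate VPN egress range and the cloud
--    workload NAT address (both hypothetical) may reach the account.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')
  COMMENT = 'VPN egress and cloud workload NAT only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 3. Enforce MFA: require enrollment for password logins through the web UI,
--    rather than leaving it as an option each user may ignore.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Rotate credentials for an impacted user: a fresh password that must be
--    changed at next login, and removal of any key-pair material that may
--    also have leaked with the stolen credentials.
ALTER USER JDOE SET PASSWORD = '<new-random-password>' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER JDOE UNSET RSA_PUBLIC_KEY;
ALTER USER JDOE UNSET RSA_PUBLIC_KEY_2;

-- 5. Inventory: what data actually lives in the account, largest tables first,
--    so the scope of any exfiltration can be assessed.
SELECT table_catalog, table_schema, table_name, row_count, bytes
FROM snowflake.account_usage.tables
WHERE deleted IS NULL
ORDER BY bytes DESC;

-- 6. Review: successful password-only logins in the last 90 days. Compare
--    client_ip against the allow list above; anything outside it is suspect.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp > DATEADD(day, -90, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

Two caveats a practitioner will want: the ACCOUNT_USAGE views lag live activity by up to a couple of hours, so use SHOW USERS or the INFORMATION_SCHEMA table function for an up-to-the-minute view during an incident; and an account-level network policy must include the address you are administering from, or you lock yourself out (Snowflake refuses to activate a policy that would block the current session's IP, but service accounts behind other addresses will simply start failing).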
Conclusion
Snowflake itself remains a secure platform. The breaches are not believed to have been caused by any vulnerability, misconfiguration or malicious activity within the Snowflake product.
However, these incidents serve as a reminder that all organisations using cloud services need to prioritise robust security practices to protect their data.
No matter how strong an organisation’s security is, cybercriminals can seek to exploit data via partners or vendors.