The Snowflake Attack: Unraveling One of the Potentially Largest Data Breaches in History

Matt Burgess

A hack against customers of the cloud storage company Snowflake looks like it may turn into one of the biggest-ever data breaches. Last week, Snowflake, which allows companies to store huge datasets on its servers, revealed that criminal hackers had been attempting to access its customers’ accounts using stolen login details. Data breaches targeting Ticketmaster and Santander have been linked to the attacks.

In the days since Snowflake first said a “limited number” of customer accounts had been accessed, however, cybercriminals have publicly claimed to be selling stolen data from two other major firms and alleged the information was taken from Snowflake accounts. At the same time, TechCrunch has reported that hundreds of Snowflake customer passwords have been found online and are accessible to cybercriminals.

Amid the claims, there remains uncertainty about the scope and scale of the attempted attack against Snowflake customers, who the attackers may be, and how an attack tool callously named “rapeflake” operates. It also highlights the growth in the use of infostealer malware in recent years and underscores the need for third-party software providers and companies to turn on multifactor authentication to reduce the chances of accounts being compromised.

A significant part of the Snowflake incident has unfolded on BreachForums, a well-known hub for cybercriminal activities. The FBI seized the forum in May, yet a new version emerged shortly after, operated by the hacker collective ShinyHunters. This new forum features claims of possessing massive amounts of stolen data, specifically 560 million records from Ticketmaster and 30 million from Santander. Both Ticketmaster and Santander confirmed breaches, with Ticketmaster associating their incident directly with Snowflake, while Santander noted unauthorized access via a third-party provider.

Recently, a BreachForums user identified as Sp1d3r has disclosed potential breaches at two additional companies tied to the Snowflake case. Sp1d3r alleges possession of data from 380 million customers of Advance Auto Parts, and 190 million individuals connected to LendingTree and its affiliate QuoteWizard.

Verification efforts for some of the posted email addresses from Advance Auto Parts indicate that they are genuine; messages sent by WIRED to these addresses were neither returned nor rejected. BleepingComputer confirms some of the leaked customer details pertain to Advance Auto Parts.

According to Darryl Carr, spokesperson for Advance Auto Parts, the company is aware of the potential involvement in a security incident connected to Snowflake. “We are investigating the matter and cannot provide more details at this moment. There has been no noted impact on our operations or systems,” he stated to WIRED.

LendingTree has not responded to multiple requests from WIRED about the alleged breaches sent in the past few days. Neither LendingTree nor Advance Auto Parts has filed breach notifications with the Securities and Exchange Commission at the time of writing. Both companies have been listed by Snowflake as customers previously.


Since Snowflake acknowledged that accounts had been targeted, it has provided some more information about the incident. Brad Jones, Snowflake’s chief information security officer, said in a blog post that threat actors used login details to accounts that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. The incident appears to be a “targeted campaign directed at users with single-factor authentication,” Jones added.

Jones’ post said Snowflake, alongside cybersecurity firms CrowdStrike and Mandiant, which it employed to investigate the incident, did not find evidence showing the attack was “caused by compromised credentials of current or former Snowflake personnel.” However, it has found one former employee’s demo accounts were accessed, claiming they did not contain sensitive data.

When asked about potential breaches of specific companies’ data, a Snowflake representative referred to Jones’ statement: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.” The company did not elaborate further on what was meant by a “breach.” (Security company Hudson Rock removed a research post including various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake).

The US Cybersecurity and Infrastructure Security Agency has released an alert regarding the Snowflake incident, while the Australian Cyber Security Centre reported that “several companies using Snowflake environments have been compromised.”

Details remain unclear regarding the Sp1d3r account, which advertised data on BreachForums. It is uncertain if ShinyHunters sourced their data directly from compromised Snowflake accounts or elsewhere — details on breaches involving Ticketmaster and Santander were initially shared in another cybercrime forum by a newcomer called SpidermanData.

The Sp1d3r account indicated on BreachForums that 2 terabytes of supposed LendingTree and QuoteWizard data were being sold for $2 million; meanwhile, 3 TB of purported data from Advance Auto Parts were priced at $1.5 million. Chris Morgan, a senior cyber-threat intelligence analyst at ReliaQuest, commented that “the pricing by the threat actor is unusually high for typical listings on BreachForums.”

Morgan noted the ambiguous legitimacy of Sp1d3r but highlighted a potential reference to the teenage hacking group Scattered Spider. “Interestingly, the threat actor’s profile picture originates from an article about Scattered Spider, though it’s uncertain if this implies an intentional connection with the group,” he stated.

While the origins of the reported data breaches remain uncertain, the event underscores the risk that comes with relying on third-party providers for company products and services. “Many companies are now realizing how reliant they are on interconnected services and the complexity in managing third-party security,” security expert Troy Hunt told WIRED when the incidents first emerged.

In response to the security breaches, Snowflake has advised its customers to enforce multifactor authentication for all user accounts and to restrict network traffic so that only approved users or locations can reach their Snowflake environment. Affected companies are further urged to reset their Snowflake user credentials, since a rotated password is worthless to whoever bought the infostealer log it came from. As TechCrunch reported, enabling multifactor authentication significantly diminishes the likelihood of an account being taken over with a stolen password alone. TechCrunch also disclosed that it has observed numerous purported Snowflake user credentials leaked through infostealing malware on computers used to access Snowflake accounts.
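The three recommendations above, together with the “single-factor authentication” detail Snowflake’s CISO gave earlier, translate into a short set of Snowflake SQL statements. The block below is an added example, not code from the article or from Snowflake’s advisory; it assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share and ACCOUNTADMIN rights for the policy and user changes. The policy name corp_only, the user alice, the IP ranges and the 30-day window are placeholders, and the “rapeflake” client string is an assumption based on the tool name reported above, not a confirmed indicator; substitute the indicators from an advisory you trust.

```sql
-- Added example (not from the article or from Snowflake's advisory).
-- Run in a Snowflake worksheet as a role that can read SNOWFLAKE.ACCOUNT_USAGE.
-- Placeholder names: corp_only, alice, the CIDRs, the 30-day lookback.
-- Note: ACCOUNT_USAGE views lag live activity by up to a few hours.

-- 1. Audit: successful logins that used only a password (no second factor),
--    grouped per user, with how many distinct source IPs were seen.
--    Users near the top of this list are the population the campaign targeted.
SELECT user_name,
       COUNT(*)                  AS logins,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_ips DESC, logins DESC;

-- 2. Audit: live, enabled users who have never enrolled an MFA device.
SELECT name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Hunt: sessions whose client identifies itself with an unexpected application
--    string. 'rapeflake' here is an ASSUMED indicator taken from the tool name in
--    the article; add or replace it with indicators from an advisory you trust.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.client_environment:APPLICATION::string AS reported_app,
       l.client_ip
FROM snowflake.account_usage.sessions s
LEFT JOIN snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id
WHERE s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (s.client_environment:APPLICATION::string ILIKE '%rapeflake%'
       OR s.client_application_id ILIKE '%rapeflake%')
ORDER BY s.created_on;

-- 4. Harden: refuse logins from anywhere except approved egress addresses.
--    Placeholder CIDRs from the documentation ranges; replace with your own.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Office egress and the ETL host; all other sources are refused at login';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 5. Harden: require MFA enrollment for password logins account-wide
--    (authentication policies with MFA_ENROLLMENT are a newer Snowflake feature;
--    confirm the current syntax in the documentation for your account edition).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Password users must enrol an MFA device before continuing';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 6. Rotate: invalidate a password that appeared in an infostealer log and
--    stop whatever that user is currently running. RESET PASSWORD returns a
--    one-time URL that the legitimate user uses to set a fresh password.
ALTER USER alice RESET PASSWORD;
ALTER USER alice ABORT ALL QUERIES;
```

Query 1 is the quickest way to size the exposure: every row is a session that a stolen password alone could have opened. Apply the network policy before the credential resets, otherwise an attacker holding a still-valid password can simply log in again from their own infrastructure between the reset and the user’s next login.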

Amid the shift to remote work following the Covid-19 pandemic, there has been an escalation in infostealer malware usage. “The demand for these types of malware is high and they are relatively straightforward to develop,” noted Ian Gray, Vice President of Intelligence at Flashpoint. Cybercriminals are known to replicate or modify pre-existing infostealers, and the resulting “logs” are offered in underground markets for as little as $10 each, with every log bundling the login credentials, cookies, files, and other data lifted from one compromised computer.

“These malware variants can infiltrate in various manners and target critical data such as browser information (cookies and login details), credit card numbers, and cryptocurrency wallets,” explained Gray. “Attackers commonly sift through these stolen data batches for enterprise login credentials to unlawfully access company accounts.”
