A hack against customers of the cloud storage company Snowflake looks like it may turn into one of the biggest-ever data breaches. Last week, Snowflake, which allows companies to store huge datasets on its servers, revealed that criminal hackers had been attempting to access its customers’ accounts using stolen login details. Data breaches targeting Ticketmaster and Santander have been linked to the attacks.
In the days since Snowflake first said a “limited number” of customer accounts had been accessed, however, cybercriminals have publicly claimed to be selling stolen data from two other major firms and alleged the information was taken from Snowflake accounts. At the same time, TechCrunch has reported that hundreds of Snowflake customer passwords have been found online and are accessible to cybercriminals.
Amid the claims, there remains uncertainty about the scope and scale of the attempted attack against Snowflake customers, who the attackers may be, and how an attack tool callously named “rapeflake” operates. The incident also highlights the growth in the use of infostealer malware in recent years and underscores the need for third-party software providers and companies to turn on multifactor authentication to reduce the chances of accounts being compromised.
Snowballing
A large proportion of the Snowflake drama has, so far, played out on the notorious cybercrime marketplace BreachForums. The FBI seized the forum in mid-May, but another version quickly appeared, and its owners, hacker group ShinyHunters, claimed to be selling 560 million records from Ticketmaster and 30 million from Santander. Both companies have said they have suffered from data breaches, with Ticketmaster directly linking the incident to Snowflake while Santander said it had seen unauthorized access to one of its databases “hosted by a third-party provider.” Neither company has confirmed the size of the breaches.
In recent days, a BreachForums account going by the handle Sp1d3r has posted two more companies whose data it claims is related to the Snowflake incident: automotive giant Advance Auto Parts, which Sp1d3r claims to have 380 million customer details from, and financial services company LendingTree and subsidiary QuoteWizard, from which it claims to have data linked to 190 million people.
Some Advance Auto Parts staff and customer email addresses listed in sample data by the hacker appear to be legitimate accounts; emails WIRED sent to those addresses did not bounce nor were they otherwise rejected. BleepingComputer reports it has verified customer data from Advance Auto Parts.
“We are aware of reports that Advance may be involved in a security incident related to Snowflake,” Darryl Carr, a spokesperson from the company, tells WIRED. “We are investigating the matter and do not have further information to share at this time. We have not experienced any impact to our operations or systems.”
Neither LendingTree nor Advance Auto Parts has filed breach notifications with the Securities and Exchange Commission at the time of writing. Both companies have been listed by Snowflake as customers previously.
A LendingTree spokesperson confirmed in a statement to WIRED that the company uses Snowflake “for our business operations” and that the company was notified that its QuoteWizard subsidiary “may have had data impacted by this incident.” LendingTree's spokesperson says an internal investigation is ongoing. “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree,” the spokesperson says.
Since Snowflake acknowledged that accounts had been targeted, it has provided some more information about the incident. Brad Jones, Snowflake’s chief information security officer, said in a blog post that threat actors used login details to accounts that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. The incident appears to be a “targeted campaign directed at users with single-factor authentication,” Jones added.
Jones’ post said Snowflake, alongside cybersecurity companies CrowdStrike and Mandiant, which it employed to investigate the incident, did not find evidence showing the attack was “caused by compromised credentials of current or former Snowflake personnel.” However, it has found one former employee's demo accounts were accessed, claiming they did not contain sensitive data.
When asked about potential breaches of specific companies’ data, a Snowflake spokesperson pointed to Jones’ statement: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.” In a follow-up statement, the company clarified what it meant by “breach”: “Any of our customer's accounts that were accessed as the result of leaked credentials are not caused by … Snowflake,” a spokesperson said. (Security company Hudson Rock said it removed a research post including various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake.)
The US Cybersecurity and Infrastructure Security Agency has issued an alert about the Snowflake incident, while Australia's Cyber Security Center said it is “aware of successful compromises of several companies utilizing Snowflake environments.”
Unclear Origins
Little is known about the Sp1d3r account advertising data on BreachForums, and it is not clear whether ShinyHunters obtained the data it was selling from another source or directly from victims’ Snowflake accounts—information about a Ticketmaster and Santander breach was originally posted on another cybercrime forum by a new user called SpidermanData.
The Sp1d3r account posted on BreachForums that the 2 terabytes of alleged LendingTree and QuoteWizard data was for sale for $2 million, while 3 TB of data allegedly from Advance Auto Parts would cost someone $1.5 million. “The price set by the threat actor appears extremely high for a typical listing posted to BreachForums,” says Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest.
Morgan says the legitimacy of Sp1d3r is not clear; however, he points out there is a nod to teenage hacking group Scattered Spider. “Interestingly, the threat actor's profile picture is taken from an article referencing the threat group Scattered Spider, although it is unclear whether this is to make an intentional association with the threat group.”
While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when relying on products and services from third-party providers. “I think a lot of this is just a recognition of how interdependent these services now are and how hard it is to control the security posture of third parties,” security researcher Troy Hunt told WIRED when the incidents first emerged.
As part of its response to the attacks, Snowflake has told all customers to make sure they enforce multifactor authentication on all accounts and allow traffic only from authorized users or locations. Companies that have been impacted should also reset their Snowflake login credentials. Enabling multifactor authentication vastly reduces the chances that online accounts will be compromised. As mentioned, TechCrunch reported this week that it has seen “hundreds of alleged Snowflake customer credentials” taken by infostealing malware from computers of people who have accessed Snowflake accounts.
In recent years, coinciding with more people working from home since the Covid-19 pandemic, there has been a rise in the use of infostealer malware. “Infostealers have become more popular because they’re in high demand and pretty easy to create,” says Ian Gray, the vice president of intelligence at security company Flashpoint. Hackers have been seen to be copying or modifying existing infostealers and selling them on for as little as $10 for all the login details, cookies, files, and more from one infected device.
“This malware can be delivered in different ways and targets sensitive info like browser data (cookies and credentials), credit cards, and crypto wallets,” Gray says. “Hackers might comb through the logs for enterprise credentials to break into accounts without permission.”
Updated 1:25 pm ET, June 7, 2024: Added an additional statement from Snowflake.
Updated 5:25 pm ET, June 7, 2024: Added comment from LendingTree confirming that the company is investigating a potential breach of QuoteWizard data.