An investigation into the theft of customer information from clients of data storage company Snowflake has underscored why cloud-based service providers aren’t solely responsible for preventing a breach. The user organizations that employ the service, and any partner company it contracts with to help run and optimize the service, must take it upon themselves to exercise due diligence and practice proper cyber hygiene.
Citing findings from external investigators, Snowflake has claimed in a recent series of blog posts that the ongoing threat campaign against its corporate customers – which began in April – is not the result of a Snowflake platform vulnerability or misconfiguration, or a Snowflake employee’s compromised credentials. Rather, “this appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake alleged, adding that the threat actors also leveraged older credentials “previously purchased or obtained through info-stealing malware.”
This statement implies that Snowflake’s approximately 165 affected business clients – which include such notable companies as Advance Auto Parts, AT&T, Neiman Marcus, Santander Bank and Ticketmaster (Live Nation) – may have been victimized through substandard user practices. Employees within user organizations may not have secured their Snowflake instances with multi-factor authentication, or they may not have changed an older password that had previously been exfiltrated by infostealer malware. As a result, bad actors were able to illegally obtain information on millions of these user organizations’ customers as part of a major extortion scheme.
In addition, a report from one of the firms investigating the malicious campaign noted that certain third-party contractors that provide Snowflake-based services may have also inadvertently played a role, after being compromised by an infostealer. Not long after, a member of the hacking collective ShinyHunters (one of the groups tied to recent malicious Snowflake activity – although the primary one has been identified as UNC5537) claimed to Wired that the cybercriminal outfit gained access to certain Snowflake accounts using data found on an employee system belonging to EPAM, a third-party contractor that some companies use to help manage their Snowflake accounts. EPAM, for its part, has denied this and claims the hacker was fabricating a story.
Regardless of where the truth lies and who is primarily accountable, this large-scale data theft and extortion campaign serves as an important reminder. Don’t assume your third-party data services provider bears the full responsibility for securing your assets. You as the customer must still follow basic principles like enforcing MFA, regularly changing passwords (especially if they have been compromised), and limiting and securing third-party contractors’ access to your data instances.
Snowflake, for its part, likely could have also prevented some of this nefarious activity had it promoted MFA among its user base. This now appears to be the direction the company is heading, as Snowflake has announced that it will now allow admins of existing accounts to enforce mandatory MFA practices.
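The three customer-side controls named above (MFA, rotating credentials after a known compromise, and constraining contractor access) can be audited from login history. The following is an added example, not code from Snowflake, from the article, or from any investigating firm. It assumes a login-history export whose columns mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, CLIENT_IP, IS_SUCCESS); all rows, user names, IP addresses, password-set dates and the compromise date are constructed sample data.

```python
"""Audit login-history rows for the weaknesses the Snowflake campaign relied on:
successful single-factor password logins, password logins by users who never
rotated after credentials were known to be circulating, and contractor accounts
connecting from outside an agreed IP allowlist.

Added example; the row shape is an assumption modelled on Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY columns, and every record below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    """One login-history row (constructed shape, see module docstring)."""
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str             # e.g. PASSWORD, RSA_KEYPAIR, SAML2_ASSERTION
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH, DUO_PASSCODE, or None
    is_success: bool


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample rows: a mix of password-only, MFA-backed and key-pair logins.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent(_ts("2024-05-30T09:00"), "ALICE", "203.0.113.10", "PASSWORD", None, True),
    LoginEvent(_ts("2024-05-30T09:05"), "BOB", "203.0.113.11", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(_ts("2024-05-31T02:00"), "CAROL", "198.51.100.7", "PASSWORD", None, False),
    LoginEvent(_ts("2024-05-31T03:00"), "CAROL", "198.51.100.7", "PASSWORD", None, True),
    LoginEvent(_ts("2024-05-31T04:00"), "ETL_SVC", "192.0.2.5", "RSA_KEYPAIR", None, True),
    LoginEvent(_ts("2024-05-31T05:00"), "CONTRACTOR_SVC", "203.0.113.200", "PASSWORD", None, True),
    LoginEvent(_ts("2024-05-31T06:00"), "CONTRACTOR_SVC", "192.0.2.50", "PASSWORD", "DUO_PUSH", True),
]

# Constructed: when each user's password was last set (would come from the identity system).
PASSWORD_SET_AT: Dict[str, datetime] = {
    "ALICE": _ts("2023-11-01T00:00"),
    "BOB": _ts("2024-05-20T00:00"),
    "CAROL": _ts("2024-01-15T00:00"),
    "CONTRACTOR_SVC": _ts("2023-08-01T00:00"),
}

# Constructed: accounts belonging to a third-party contractor and the IPs they may use.
CONTRACTOR_USERS: Set[str] = {"CONTRACTOR_SVC"}
CONTRACTOR_ALLOWED_IPS: Set[str] = {"192.0.2.50"}

# Constructed: the date the organisation learned its credentials might be in infostealer logs.
COMPROMISE_KNOWN_AT = _ts("2024-04-01T00:00")


def single_factor_password_logins(events: Iterable[LoginEvent]) -> List[LoginEvent]:
    """Successful logins that used a password and no second factor at all."""
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    ]


def stale_credential_logins(
    events: Iterable[LoginEvent],
    password_set_at: Dict[str, datetime],
    compromise_known_at: datetime,
) -> List[LoginEvent]:
    """Successful password logins by users whose password predates the compromise
    notice, i.e. credentials that were never rotated after they may have leaked.
    Users with no recorded password-set date are flagged too (unknown is unsafe)."""
    flagged = []
    for e in events:
        if not e.is_success or e.first_authentication_factor != "PASSWORD":
            continue
        set_at = password_set_at.get(e.user_name)
        if set_at is None or set_at < compromise_known_at:
            flagged.append(e)
    return flagged


def contractor_logins_off_allowlist(
    events: Iterable[LoginEvent], contractor_users: Set[str], allowed_ips: Set[str]
) -> List[LoginEvent]:
    """Successful contractor logins from an IP the contract does not permit."""
    return [
        e for e in events
        if e.is_success and e.user_name in contractor_users and e.client_ip not in allowed_ips
    ]


def audit(events: Iterable[LoginEvent]) -> Dict[str, Set[str]]:
    """Summarise the three findings as sets of user names for follow-up."""
    events = list(events)
    return {
        "single_factor_users": {e.user_name for e in single_factor_password_logins(events)},
        "stale_credential_users": {
            e.user_name for e in stale_credential_logins(events, PASSWORD_SET_AT, COMPROMISE_KNOWN_AT)
        },
        "contractor_off_allowlist_users": {
            e.user_name for e in contractor_logins_off_allowlist(events, CONTRACTOR_USERS, CONTRACTOR_ALLOWED_IPS)
        },
    }


if __name__ == "__main__":
    for finding, users in audit(SAMPLE_EVENTS).items():
        print(f"{finding}: {sorted(users)}")
```

Failed attempts are deliberately excluded so the report lists accounts an attacker could actually have used; key-pair and SSO logins are not counted as single-factor password use because the risk the article describes is a reused or stolen password with nothing behind it.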
Snowflake also acknowledged that a threat actor “obtained personal credentials to and accessed a demo account owned by a former Snowflake employee.” Snowflake maintains that this account did not lead to any customer data breach, as it did not, according to the company, contain sensitive data, nor was it connected to Snowflake’s production or corporate systems.