Snowflake’s Lack of MFA Control Leaves Companies Vulnerable, Experts Say
Multi-factor authentication is a gold standard for cybersecurity that organizations can use to better shield users from threats. Cybersecurity experts say Snowflake's lack of MFA enforcement leaves a gap.
Snowflake -- the largest cloud-data warehousing firm in the world by market share -- does not let companies enforce multi-factor authentication (MFA) for users. Experts say this leaves a gaping security hole threat actors can exploit.
Hacker group ShinyHunters claimed it used Snowflake user accounts to pull off breaches at Ticketmaster and Santander Bank that exposed half a billion customers’ data (and claims to have more data from several other prominent companies). While Snowflake said its systems were not compromised and that it was not the company responsible for the breaches, it acknowledged that a former employee’s credentials were used by threat actors.
Snowflake, unlike some competitors, leaves the option to add multi-factor authentication solely in the hands of individual users, according to the company’s own FAQ page. Companies cannot enforce MFA on users in the Snowflake environment and cannot enable a user’s MFA. The user is responsible for enrolling in MFA.
“MFA is a critical component in protecting against identity theft, and specifically against attacks related to the successful theft of passwords through phishing, malware (infostealers), or leakage of reused passwords from compromised sites,” says Ofer Maor, CTO and co-founder at cloud and SaaS incident response firm Mitiga, in an email interview.
No MFA ‘On-Switch’ for Admins
“While Snowflake offers users the ability to turn on MFA, this is a feature that is not enabled on users by default and … it cannot be enforced on users by the admin of the tenant,” Maor says. “This means Snowflake leaves it up to every user to decide whether they want to enroll with MFA or not. This naturally leads to many Snowflake users not having MFA turned on.”
He adds, “It appears that the current [ShinyHunters] campaign is leveraging this weakness and is targeting users which do not have MFA turned on.”
Competing data warehousing cloud firms do offer the ability to start service without MFA, but usually during a trial or “freemium” software-as-a-service (SaaS) offering, Maor says. “Most SaaS vendors, once deployed as an enterprise solution, allow administrators to enforce MFA … they require every user to enroll in MFA when they first login and make it no longer possible for users to work without it.”
Jon Sternstein of Stern Security says Snowflake does let administrators see whether staff have MFA enabled -- and large enterprises often use Single Sign-On (SSO) to apply the company’s own password and MFA policies.
“It is surprising that the built-in account management within Snowflake doesn’t have more robust capabilities like the ability to enforce MFA … While it’s odd that MFA cannot be enforced on Snowflake, the companies should also understand how their teams are using applications and ensure that it’s done securely,” he tells InformationWeek.
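Because administrators can see who has enrolled in MFA but cannot force enrollment, the practical control left to a Snowflake customer is to audit. The script below is an added example, not Snowflake’s code or any code from the people quoted here; it assumes rows shaped like the columns Snowflake documents for its ACCOUNT_USAGE.USERS and ACCOUNT_USAGE.LOGIN_HISTORY views (EXT_AUTHN_DUO, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS) and uses constructed sample rows in place of a live query, so it runs offline. It reports users who have not enrolled in MFA, successful password logins that carried no second factor, and enabled accounts with no recent login at all (the stale former-employee case this article describes). Key-pair and SAML/SSO logins are not counted as password-only, since those are the compensating controls Snowflake points to.

```python
"""Audit Snowflake identity gaps: MFA enrollment, password-only logins, stale users.

Added example, not Snowflake's code. Column names follow Snowflake's
ACCOUNT_USAGE.USERS and ACCOUNT_USAGE.LOGIN_HISTORY views; the rows are
constructed sample data, not output from a real account.
"""
from collections import defaultdict

# Constructed sample rows shaped like ACCOUNT_USAGE.USERS
USERS = [
    {"NAME": "ALICE",      "DISABLED": False, "EXT_AUTHN_DUO": True},
    {"NAME": "BOB",        "DISABLED": False, "EXT_AUTHN_DUO": False},
    {"NAME": "SVC_ETL",    "DISABLED": False, "EXT_AUTHN_DUO": False},
    {"NAME": "FORMER_EMP", "DISABLED": False, "EXT_AUTHN_DUO": False},
    {"NAME": "OLD_ADMIN",  "DISABLED": True,  "EXT_AUTHN_DUO": False},
]

# Constructed sample rows shaped like ACCOUNT_USAGE.LOGIN_HISTORY
# (assume the query was already limited to the review window, e.g. 30 days)
LOGIN_HISTORY = [
    {"USER_NAME": "ALICE",   "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES",
     "CLIENT_IP": "203.0.113.10"},
    {"USER_NAME": "ALICE",   "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES",
     "CLIENT_IP": "203.0.113.10"},
    {"USER_NAME": "BOB",     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES",
     "CLIENT_IP": "203.0.113.11"},
    {"USER_NAME": "BOB",     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO",
     "CLIENT_IP": "198.51.100.77"},
    {"USER_NAME": "SVC_ETL", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES",
     "CLIENT_IP": "198.51.100.5"},
]


def users_without_mfa(users):
    """Enabled users who have not enrolled in MFA (EXT_AUTHN_DUO is false)."""
    return sorted(u["NAME"] for u in users
                  if not u["DISABLED"] and not u["EXT_AUTHN_DUO"])


def password_only_logins(history):
    """Successful logins whose only factor was a password.

    Key-pair and SAML/SSO logins are excluded: they are the alternative
    controls an admin can rely on when MFA cannot be enforced.
    """
    return [(row["USER_NAME"], row["CLIENT_IP"]) for row in history
            if row["IS_SUCCESS"] == "YES"
            and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"]]


def risk_report(users, history):
    """Per enabled user: MFA enrollment, count of password-only logins,
    and whether the account saw no login at all in the review window."""
    pw_only = defaultdict(int)
    for name, _ip in password_only_logins(history):
        pw_only[name] += 1
    seen = {row["USER_NAME"] for row in history}
    report = {}
    for u in users:
        if u["DISABLED"]:
            continue  # already locked out; nothing to review
        report[u["NAME"]] = {
            "mfa_enrolled": bool(u["EXT_AUTHN_DUO"]),
            "password_only_logins": pw_only[u["NAME"]],
            "never_logged_in": u["NAME"] not in seen,
        }
    return report


if __name__ == "__main__":
    print("No MFA:", users_without_mfa(USERS))
    print("Password-only logins:", password_only_logins(LOGIN_HISTORY))
    for name, facts in risk_report(USERS, LOGIN_HISTORY).items():
        print(name, facts)
```

In practice the two row sets would come from `SELECT ... FROM SNOWFLAKE.ACCOUNT_USAGE.USERS` and `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` run by an account administrator on a schedule; the output gives a concrete list to act on with the controls Snowflake does expose: chasing enrollment, disabling stale accounts, and moving remaining password-only logins behind SSO, key-pair authentication, or a network policy.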
Burden at User Level
Snowflake over the weekend took to its blog to defend itself after security firm Hudson Rock posted an alleged conversation with ShinyHunters where the attackers said they used Snowflake users exclusively to gain access to the stolen data. Hudson Rock took the blog post down after receiving a letter from Snowflake attorneys, according to the company’s LinkedIn page.
While asserting that its platform was not targeted and that the breach was not the result of any misconfiguration, Snowflake’s statement says the “targeted campaign” focused on accounts without multifactor authentication.
John Pironti, president of IP Architects, tells InformationWeek that Snowflake’s MFA capabilities put the onus on individual users. “The lack of governance capabilities for administrative roles like the ability to enforce MFA is concerning, in my opinion,” he says. “I am not sure the lack of governance capability creates the vulnerability. The option to use MFA is available; it is just up to the user to both enable and continue to use it.”
He said an organization can make it their policy that all users do set up MFA, “but they have limited enforcement capabilities without the option to enforce at an administrative level. They would instead be trusting their users to follow the policy but not verifying that it is being followed.”
While Snowflake declined to comment on the lack of MFA enforcement availability, a spokesperson tells InformationWeek: “Snowflake does allow MFA as well as allow for other granular controls like user level network ACLs [access control lists], public/private key pair authentication. We also allow customers to integrate with their IDP [identity provider] such as [Microsoft] or Okta.”
For some security professionals, that approach is not enough.
“The threat actors claim to have signed into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing Okta,” John Paul Cunningham, CISO at Silverfort, says in an email. “This is akin to someone picking the lock on your front door and giving them full access to everything in your house. By not using multifactor authentication (MFA) on their demo environment, and failing to disable the former employee’s access, the Snowflake incident highlights a major gap in identity that companies continue to face.”
According to 6sense, Snowflake has 14,623 customers and a 21.5% market share in the data warehousing segment.