Snowflake Scrambles to Enforce MFA as Breaches Pile Up
Advance Auto Parts, Lending Tree, and Pure Storage were added to the growing number of Snowflake-related victims as hackers sell data stolen from millions of customers.
Data breaches related to stolen Snowflake credentials continue to mount this week as CEO Sridhar Ramaswamy says the company will begin enforcing multi-factor authentication (MFA).
So far this month, Snowflake-related data breaches have been reported at Ticketmaster (with hacker group ShinyHunters claiming to have stolen data from 560 million customers); Santander Bank (another 30 million customers impacted); Advance Auto Parts (with 380 million customers and 358,000 current and former employees impacted, according to Bleeping Computer); and Pure Storage (which has confirmed a breach but not specified the number of customers impacted). Lending Tree’s Quote Wizard also confirmed a related breach.
Snowflake in a blog post denied direct fault for the recent breaches by ShinyHunters and others, foisting blame on user accounts not enabled with MFA.
InformationWeek reported on Snowflake’s lack of an enforcement mechanism requiring companies to enable MFA, which experts believe increased vulnerability. Snowflake said the stolen credentials were linked to accounts without MFA enabled (Mandiant later said 165 instances were found).
In an interview with Runtime at last week’s Snowflake Data Cloud Summit in the UK, Ramaswamy signaled that Snowflake would add an enforcement mechanism to its MFA policy. It has encouraged all users to enable MFA in the meantime.
"It's clear that we have to do something about this … I think making this programmatic is the next logical step we do need to take," Ramaswamy told Runtime.
Both Advance Auto Parts and Pure Storage immediately pointed out the Snowflake connection. A spokesperson for Advance Auto Parts said in an email to InformationWeek, “We are aware of reports that Advance may be involved in a security incident related to Snowflake. We are investigating the matter and do not have further information to share at this time. We have not experienced any impact to our operations or systems.”
Kris Lahiri, co-founder and chief security officer at Egnyte, in an email says sound authentication is crucial to cybersecurity. “Even sophisticated breaches are all coming down to user authentication compromise,” Lahiri says. “This should be a wakeup call to all organizations to revisit basic security hygiene like ensuring MFA setup (the primary reason for this Snowflake compromise) and reviewing every company’s supply chain of critical data vendors.”
A blog post from social risk management firm ZeroFox warns that similar attacks are likely in the future as threat actors try new extortion tactics -- with threat actors working in concert. “The alleged Snowflake breach was most likely conducted by a single, coordinated threat collective identical to -- or associated with -- ShinyHunters. The implication of multiple aliases in a single data breach would likely be an attempt to minimize the chances of exacerbating ongoing [law enforcement] scrutiny.”