\n
![](\"https:\/\/readwrite.com\/wp-content\/uploads\/2024\/06\/Snowflake-enforces-MFA-as-data-breach-probe-continues-900x600.png\")
<\/p>\n [ad_1]
\n<\/p>\n
Cloud data analytics platform Snowflake<\/a> announced that it will enforce multi-factor authentication following what might be one of the largest data breaches<\/a> on record.<\/p>\n This decision was prompted by a breach noticed last month by Hudson Rock analysts, involving a massive data theft<\/a> from Ticketmaster, Spanish bank Santander, and potentially hundreds of millions of files from Advance Auto Parts\u2014all of whom are Snowflake clients.<\/p>\n Snowflake, a platform that hosts massive datasets for corporations, revealed that hackers had been using stolen credentials to try to infiltrate its customer accounts.<\/p>\n Despite Snowflake launching legal actions against Hudson Rock, forcing them to withdraw<\/a> their report, the company acknowledged that it was investigating \u201ca targeted threat campaign against some Snowflake customer accounts.\u201d At the same time, TechCrunch<\/a> reported the discovery of a trove of Snowflake customer passwords online, available to hackers. Snowflake had at first signaled that only a \u201climited\u201d number of customer accounts were compromised.<\/p>\n However, the news outlet reported that LendingTree\u2019s subsidiary, QuoteWizard, also suffered a data breach at Snowflake. \u201cWe can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident,\u201d a spokesperson stated.<\/p>\n Much of the drama involving Snowflake has unfolded on BreachForums, a well-known cybercrime marketplace. This site was shut down by the FBI in mid-May, only to be replaced by a new version. This iteration is allegedly managed by the hacker group ShinyHunters, who claim they are trading 560 million records from Ticketmaster and 30 million from Santander.<\/p>\n Both organizations have acknowledged these data breaches. Ticketmaster<\/a> has specifically attributed its breach to Snowflake, whereas Santander<\/a> has reported unauthorized access to a database managed by a third-party provider, without confirming the extent of the breach.<\/p>\n Recently, a BreachForums group with the username Sp1d3r has spotted two additional companies affected by the Snowflake incident. According to Sp1d3r, they have 3TB worth of data for 380 million customers from Advance Auto Parts and information in regards to 190 million customers from financial services firm LendingTree and its subsidiary QuoteWizard. BleepingComputer<\/a> has verified the customer data related to Advance Auto Parts.<\/p>\n \ud83d\udea8UPDATE: Sp1d3r claims to have stolen 3TB of data from @ AdvanceAutoParts via Snowflake breach. Allegedly includes 380M customer profiles, 140M order records, and more. Data is up for sale for $1.5M.https:\/\/t.co\/asHVxtHFyZ<\/a> #DataBreach<\/a> #CyberSecurity<\/a> #Snowflake<\/a> pic.twitter.com\/DeSqRPnBTP<\/a><\/p>\n \u2014 SOCRadar\u00ae (@socradar) June 6, 2024<\/a><\/p>\n<\/blockquote>\n The LendingTree spokesperson said, \u201cWe take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation.\u201d They added, \u201cAs of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree.\u201d<\/p>\n After acknowledging that accounts had been targeted, Snowflake provided further information about the incident. Brad Jones, the chief information security officer at Snowflake, explained in a post<\/a> that threat actors used login details that had been \u201cpurchased or obtained through infostealing malware,\u201d which is designed to pull usernames and passwords from devices that have been compromised. He described the incident as a \u201ctargeted campaign directed at users with single-factor authentication.\u201d<\/p>\n In the same post, Jones mentioned that Snowflake, with the help of cybersecurity firms CrowdStrike and Mandiant, found no evidence that the attack was \u201ccaused by compromised credentials of current or former Snowflake personnel.\u201d However, he noted that a former employee\u2019s demo accounts were accessed but maintained that they \u201cdid not contain sensitive data.\u201d<\/p>\n In a separate blog post<\/a> by Mandiant, the company reiterated: \u201cMandiant\u2019s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake\u2019s enterprise environment.\u201d However, it added that every incident it had responded to associated with the campaign \u201cwas traced back to compromised customer credentials.\u201d ReadWrite reached out to Snowflake, however, the company directed us to Jones\u2019 post for more information.<\/p>\n In addition, the US Cybersecurity and Infrastructure Security Agency has issued an alert<\/a> concerning the Snowflake incident. Similarly, Australia\u2019s Cyber Security Center has admitted<\/a> being \u201caware of successful compromises of several companies utilizing Snowflake environments.\u201d<\/p>\n ReadWrite has reached out to Snowflake and Live Nation for comment.<\/p>\n Featured image: Ideogram<\/em><\/p>\n<\/p><\/div>\nData breach reported on BreachForums<\/h2>\n
\n
Snowflake reveals details about threat actors<\/h2>\n