Passwords are Dead. Long Live Passkeys & MFA.

As you’re likely aware by now, Snowflake Inc. (NYSE: SNOW) has been making headlines over the last week on the back of an 8-K filing by Live Nation Entertainment (Ticketmaster) on 31 May 2024 regarding unauthorized activity in a 3rd party cloud database, which was reported to be Snowflake. To kick off this post, Edgio was not impacted by this attack. However, considering the breadth of impact of this attack, it’s important to be aware, as some are reporting this as the “world’s largest data breach.”

Who is Snowflake?

Let’s start from the beginning, who is Snowflake Inc? Snowflake is a data platform that enables storage, processing, and analytics, all in the cloud. They have been on the rise over the last year with customers in all industries, from Capital One to Ticketmaster to DoorDash, leveraging its platform.

“A single, global platform that powers the AI Data Cloud. Snowflake is uniquely designed to connect businesses globally, across any type or scale of data and many different workloads and unlock seamless data collaboration.” ~ https://www.snowflake.com/en/data-cloud/platform/

What do we know?

This breach really hit mainstream when Ticketmaster made an 8-K filing that outlined the discovery of unauthorized access and leakage of database records stored with a 3rd party cloud database provider. That provider was Snowflake, and the compromised database consisted of more than 560 million records. Snowflake has assured their customers, in a joint statement with CrowdStrike and Mandiant, that this is not the result of a breach of their platform, but rather the result of customers not using Multi-Factor Authentication (MFA) to protect their users, coupled with an ongoing offensive campaign targeting Snowflake customers. This attack also impacted Santander Bank, which reported unauthorized access to its third-party database on May 14, 2024. Going further, there have been concerns that this attack has impacted several other companies which have yet to be named publicly.

During Snowflake’s investigation they did discover that credentials of a prior employee were compromised, but that the account only had access to demo data. It’s worth noting this account was not protected with MFA.

Timeline:

  • 14 May 2024 – Santander Bank releases a statement noting compromise of a 3rd party database.
  • 20 May 2024 – Ticketmaster detects unauthorized access to their 3rd party database.
  • 23 May 2024 – Santander Bank data posted on dark web for $2 Million.
  • 27 May 2024 – Ticketmaster data posted on dark web for $500,000.
  • 31 May 2024 – Ticketmaster files its 8-K.

Why should I care if I’m not a Snowflake customer?

First, your data might have been a part of the dataset stolen. If that’s the case, resetting passwords, canceling credit cards, and taking precautions to protect yourself and your family should be first order of business.

Second, if you’re a SaaS provider it might be time to start taking a hard look at how you’re protecting your customers. Responsibility of 3rd party vendors has also been a topic of conversation and this breach will further fuel that discussion. Snowflake was not breached; however, they are having to defend themselves because their customers’ data was compromised on their watch. Let’s look at how the market has responded to this event.

First, Snowflake’s stock has dropped 18.6% over the last two weeks. One might be able to pick out when word of Ticketmaster’s breach became mainstream news.

[Chart: Snowflake (SNOW) stock price over the two weeks around the breach news]

Looking at Live Nation Entertainment, we do see an impact, but not one nearly as dramatic as with Snowflake.

[Chart: Live Nation Entertainment stock price over the same period]

It is our responsibility as SaaS providers to protect our customers. There are also limitations to our ability to protect customers. Often, it comes down to the end-user to properly configure the solution in such a way that prevents compromise, but sometimes SaaS providers make that difficult or allow users to too easily shoot themselves in the foot.

A SaaS provider’s job is to ensure it is building products with security top of mind: “Secure by Design” and “Secure by Default.” If we ask ourselves this basic question:

“What would have prevented this attack from being so widely successful?”

The answer we find is simple: Multi-Factor Authentication (MFA).

It’s time that we get more aggressive in protecting our customers. Access brokers have become a more pivotal part of the tech ecosystem since 2020 and breaches like this one continue to keep them in the spotlight. However, there is a basic precaution that everyone should take to lower their risk of breach, and that is to make MFA mandatory.

Just as a password is never optional, MFA should no longer be optional either.

Vendors should take this seriously, as Snowflake is catching heat because their users are able to access their solution without MFA. At Edgio, we’ll be working toward no longer allowing new users to be created without Multi-Factor Authentication. This move is to protect our customers and to live by the “Secure by Default” mantra.
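As an added illustration of what “no new users without MFA” looks like in code (this is an example written for this post, not Edgio’s or Snowflake’s own provisioning code), the snippet below creates every account disabled, issues it a TOTP secret (RFC 6238, the same algorithm authenticator apps use), and only activates the account once the user has proven possession of the second factor. The `User` model and `UserStore` are hypothetical; the TOTP arithmetic is the standard one.

```python
"""Secure-by-default user provisioning: an account cannot log in until a
second factor (TOTP, RFC 6238) has been enrolled and verified.
Added example; UserStore/User are hypothetical, not a real product API."""
import hashlib
import hmac
import secrets
import struct
import time
from base64 import b32encode
from dataclasses import dataclass
from typing import Dict, Optional

TOTP_STEP = 30    # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over a time-based counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus +/- `window` steps of clock drift,
    comparing in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


@dataclass
class User:
    name: str
    password_hash: str               # placeholder; use a real password hasher
    totp_secret: Optional[bytes] = None
    mfa_verified: bool = False
    active: bool = False             # stays False until MFA is proven


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def create_user(self, name: str, password_hash: str) -> str:
        """Create the account *disabled* with a fresh 160-bit TOTP secret.
        Returns the base32 secret to hand to the enrolment app (e.g. as a QR
        code); nothing about the account works until confirm_mfa succeeds."""
        secret = secrets.token_bytes(20)
        self.users[name] = User(name, password_hash, totp_secret=secret)
        return b32encode(secret).decode()

    def confirm_mfa(self, name: str, code: str, now: Optional[int] = None) -> bool:
        """Activate the account only after a valid TOTP code proves the
        second factor was enrolled correctly."""
        user = self.users[name]
        now = int(time.time()) if now is None else now
        if user.totp_secret and verify_totp(user.totp_secret, code, now):
            user.mfa_verified = True
            user.active = True
            return True
        return False

    def can_login(self, name: str) -> bool:
        """Login gate: a password alone never unlocks an unverified account."""
        user = self.users.get(name)
        return user is not None and user.active and user.mfa_verified
```

The design point is that the default state is “locked”: an administrator who forgets to enrol a second factor gets an account that cannot authenticate, rather than one that silently accepts a password-only login. The RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`) are a quick way to confirm the TOTP routine matches a real authenticator app.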

Key takeaways from this breach:

  • It was discovered through the incident response process that a Snowflake Solution Engineer’s credentials were stolen.
    • Snowflake claims the account only had access to demo data, no access to production data.
    • The stolen user account was not protected with MFA (Multi-Factor Authentication).
    • The credentials were stolen through info-stealer malware.
  • An ongoing attack campaign targeting Snowflake customers/users is finding unfortunate success due to end-users not having MFA enabled.

What should businesses be doing in the light of this breach? What questions should they ask?

  1. Do you know if any of your employees have been compromised with info-stealing malware, or any malware that could have resulted in keylogging?
    1. If yes, have you forced password resets since that compromise?
  2. Do any of your departments have over-privileged users? How are you protecting those user accounts? How are you protecting those users?
  3. Are you forcing MFA on all your internal and third-party applications? This means even those that aren’t behind your SSO.
  4. Review and understand Snowflake IOCs: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
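To make question 3 (and the IOC review in question 4) concrete, the following added example, not code from Edgio, Snowflake, or the linked article, audits login records for successful password-only sessions, i.e. the exact condition this campaign exploited. The rows are constructed for the example and shaped like Snowflake’s `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view (`USER_NAME`, `CLIENT_IP`, `REPORTED_CLIENT_TYPE`, `FIRST_AUTHENTICATION_FACTOR`, `SECOND_AUTHENTICATION_FACTOR`, `IS_SUCCESS`); the factor values shown are illustrative.

```python
"""Audit login history for successful single-factor (password-only) sessions.
Added example; SAMPLE_LOGINS is constructed data shaped like Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY view, not real telemetry."""
from collections import defaultdict
from typing import Any, Dict, List

Row = Dict[str, Any]

# Constructed sample rows (IPs are documentation ranges, not real addresses).
SAMPLE_LOGINS: List[Row] = [
    {"EVENT_TIMESTAMP": "2024-05-20T02:11:08", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "203.0.113.7", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T03:40:51", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.22", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T09:02:13", "USER_NAME": "ADMIN1",
     "CLIENT_IP": "192.0.2.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T09:05:00", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "192.0.2.44", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T11:17:45", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "203.0.113.99", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]


def is_single_factor_success(row: Row) -> bool:
    """True for a successful login that used only a password. Key-pair and
    SSO/OAuth first factors are not password-only and are left out here."""
    return (row.get("IS_SUCCESS") == "YES"
            and row.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD"
            and row.get("SECOND_AUTHENTICATION_FACTOR") is None)


def audit_logins(rows: List[Row]) -> Dict[str, Dict[str, Any]]:
    """Per user: how many password-only sessions succeeded, and from which
    source IPs and client types. Empty dict means nothing to chase."""
    report: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"single_factor_logins": 0, "ips": set(), "client_types": set()})
    for row in rows:
        if not is_single_factor_success(row):
            continue
        entry = report[row["USER_NAME"]]
        entry["single_factor_logins"] += 1
        entry["ips"].add(row["CLIENT_IP"])
        entry["client_types"].add(row["REPORTED_CLIENT_TYPE"])
    return dict(report)


def users_needing_mfa(rows: List[Row]) -> List[str]:
    """Sorted list of users who successfully logged in without a second factor."""
    return sorted(audit_logins(rows))


if __name__ == "__main__":
    for user, info in sorted(audit_logins(SAMPLE_LOGINS).items()):
        print(f"{user}: {info['single_factor_logins']} password-only login(s) "
              f"from {sorted(info['ips'])} via {sorted(info['client_types'])}")
```

Run against the constructed rows, only `ANALYST1` is reported: the admin had a second factor, the service account authenticated with a key pair rather than a password, and the failed attempt is ignored. In a live account the same filter would be applied to the real `LOGIN_HISTORY` rows, and the resulting IP and client-type sets are what you would compare against the published IOC list before forcing resets and MFA enrolment.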

In conclusion, the recent data breach affecting Snowflake underscores the critical importance of robust security measures, particularly the implementation of Multi-Factor Authentication (MFA). As cyber threats continue to evolve, relying solely on passwords is no longer sufficient. At Edgio, we recognize the necessity of adopting a “Secure by Default” approach to safeguard our clients’ digital assets. By making MFA mandatory and continuously enhancing our security protocols, we aim to protect against unauthorized access and reduce the risk of breaches. Our security experts are here to help you fortify your defenses and ensure your organization remains resilient in the face of emerging threats.