Snowflake’s customer breaches make 2024 the year of the identity siege (2024)

Identities are best-sellers on the dark web, proving to be the fuel that drives billions of dollars of fraud every year. Breaches on Santander, TicketMaster, Snowflake, and most recently, Advanced Auto Parts, LendingTree, and its subsidiary QuoteWizard show how quickly attackers refine their tradecraft to prey on organizations’ security weaknesses. TechCrunch has verified that hundreds of Snowflake customer passwords found online are linked to information-stealing malware. Snowflake’s decision to make multi-factor authentication (MFA) optional instead of required contributed in part to the siege of identities their breached customers are experiencing today.

Cybercrime gangs, organizations and nation-states are so confident in their ability to execute identity breaches that they’re allegedly interacting with cybercrime intelligence providers over Telegram to share the details. The latest incident that reflects this growing trend involves cybercrime intelligence provider Hudson Rock publishing a detailed blog post on May 31 detailing how threat actors successfully breached Snowflake, claiming to have had a Telegram conversation with the threat actor who also breached Santander Bank and TicketMaster.

Their blog post, since taken down, explained how the threat actor was able to sign into a Snowflake employee’s ServiceNow account using stolen credentials to bypass OKTA. Once inside Snowflake’s systems, the blog post alleges attackers generated session tokens that enabled them to move through Snowflake’s systems undetected and exfiltrate massive amounts of data.

Single-factor authentication is an attack magnet

Snowflake configures its platform with single-factor authentication by default. Their documentation states that “by default, MFA is not enabled for individual Snowflake users. If you wish to use MFA for a more secure login, you must enroll using the Snowflake web interface.” CrowdStrike, Mandiant and Snowflake found evidence of a targeted campaign directed at users who have single-factor authentication enabled. According to a June 2nd community forum update, threat actors are “leveraging credentials previously purchased or obtained through infostealing malware.” CISA has also issued an alert for all Snowflake customers.

Snowflake, CrowdStrike and Mandiant found that the attackers had obtained a former Snowflake employee’s personal credentials to access demo accounts. The demo accounts didn’t contain sensitive data and weren’t connected to Snowflake’s production or corporate systems. Access happened because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems. Snowflake’s latest community forum update claims there’s no evidence suggesting the customer breaches are caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.

Tens of millions are facing an identity security nightmare

Up to 30 million Santander banking customers’ credit card and personal data were exfiltrated in one of the largest breaches in the bank’s history. Five hundred sixty million TicketMaster customers also had their data exfiltrated during a separate breach targeting the entertainment conglomerate. The stolen data set includes customer names, addresses, emails, phone numbers, and credit card details. Threat actors ShinyHunters took to the revived BreachForums hacking forum the FBI had previously shut down, offering 560 million TicketMaster customers’ data for $500,000.

ShinyHunters advertising the 560 million TicketMaster customer records for sale on BreachForums. Source: Malwarebytes Labs, Ticketmaster confirms customer data breach, June 1, 2024.

Wired reports that another BreachForums account using the handle Sp1d3r has posted data from two more companies it claims are related to the Snowflake incident. These include automotive giant Advance Auto Parts, which Sp1d3r says has 380 million customer details, and financial services company LendingTree and its subsidiary QuoteWizard, which Sp1d3r claims include 190 million customer profiles and identity data.

Santander and TicketMaster’s damage control plan: Go all-in on transparency

Reflecting how high a priority CISOs and security leaders place on disclosing any event that could be interpreted as having a material impact on business operations, Santander and TicketMaster were quick to disclose unauthorized access to their third-party cloud database environments.

TicketMaster owner Live Nation filed an 8-K with the Securities and Exchange Commission (SEC) on Friday, writing that they first identified unauthorized activity in their third-party cloud database environment on May 20 and launched an investigation with industry-leading forensic investigators. The Live Nation 8-K goes on to say that on May 27, “a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

LiveNation continued in their 8-K, writing, “We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

Santander’s statement begins, “We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider,” consistent with what Live Nation included in the 8-K filing on Friday, May 31.

Too much trust is allowing identity attacks to soar

When attackers are so confident in their ability to extract nearly 600 million customer records containing valuable identity data in two breaches, it’s time to improve how identities are authenticated and protected. The greater the assumed trust in any authentication and identity and access management (IAM) system, the greater the potential for a breach.

One of the cornerstones of zero trust is assuming a breach has already occurred and that the attacker is moving laterally through an organization’s networks. Seventy-eight percent of enterprises say identity-based breaches have directly impacted their business operations this year. Of those companies breached, 96% now believe they could have avoided a breach if they had adopted identity-based zero-trust safeguards earlier. IAM is considered integral to zero trust and is part of the National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust framework. Identity security and management are central to President Biden’s Executive Order 14028

VentureBeat has learned more IT and security teams are evaluating advanced user authentication methods corporate-wide and more thoroughly handling standard and nonstandard application enablement. Interest and proofs of concept evaluating passwordless authentication growing. “Despite the advent of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration,” wrote Ant Allan, VP analyst, and James Hoover, principal analyst, in the Gartner IAM Leaders’ Guide to User Authentication.

CISOs tell VentureBeat that their goals for hardening authentication and strengthening IAM include the following:

• Achieving and scaling continuous authentication of every identity as quickly as possible.
• Making credential hygiene and rotation policies more frequent drives the adoption of the latest generation of cloud-based IAM, PAM and IGA platforms.
• Regardless of industry, tightening which apps users can load independently, opting only for a verified, tested list of apps and publishers.
• Relying increasingly on AM systems and platforms to monitor all activity on every identity, access credential, and endpoint.
• Improving user self-service, bring-your-own-identity (BYOI) and nonstandard application enablement with more external use cases.

CISOs need passwordless authentication systems that are intuitively designed to avoid frustrating users while ensuring adaptive authentication on any device. Leading vendors providing passwordless authentication solutions include Microsoft Authenticator, Okta, Duo Security, Auth0, Yubico and Ivanti’s Zero Sign-On (ZSO).