Featured Article

What Snowflake isn’t saying about its customer data breaches

Another Snowflake customer, LendingTree, confirms a data breach. Snowflake says its position “remains unchanged.”

Comment

an illustrated laptop on a red darkened background, with blue flakes of data spilling out of the laptop's screen — indicating a data spill/leak.
Image Credits: Bryce Durbin / TechCrunch

Snowflake’s security problems following a recent spate of customer data thefts are, for want of a better word, snowballing.

Ticketmaster was the first company to link its recent data breach to the cloud data company Snowflake, and loan comparison site LendingTree has now confirmed its QuoteWizard subsidiary had data stolen from Snowflake.

“We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident,” Megan Greuling, a spokesperson for LendingTree, told TechCrunch.

“We take these matters seriously, and immediately after hearing from [Snowflake] launched an internal investigation,” Greuling said. “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree.”

Greuling declined to comment further, citing the company’s ongoing investigation.

As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there wasn’t a data breach of its own systems. Instead, it says customers were not using multifactor authentication, or MFA — a security measure that Snowflake doesn’t enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee’s “demo” account was compromised because it was only protected with a username and password.

In a statement Friday, Snowflake said its position “remains unchanged.” It cited an earlier statement in which Snowflake’s chief information security officer, Brad Jones, said this was a “targeted campaign directed at users with single-factor authentication” and using credentials stolen from info-stealing malware or obtained from previous data breaches.

The lack of MFA appears to be how cybercriminals downloaded huge amounts of data from Snowflake customers’ environments, which weren’t protected by the additional security layer.

TechCrunch earlier this week found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees who have access to their employer’s Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.

Throughout the week, TechCrunch has sent more than a dozen questions to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions. 

These are some of the questions we’re asking, and why.

It’s not yet known how many Snowflake customers are affected, or if Snowflake knows yet

Snowflake said it has currently notified a “limited number of Snowflake customers” who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos, and healthcare providers.

Snowflake spokesperson Danica Stanczak declined to say if the number of affected customers was in the tens, dozens, hundreds, or more.

It’s likely that, despite the handful of reported customer breaches this week, we are only in the early days of understanding the scale of this incident.

It may not be clear even to Snowflake how many of its customers are yet affected, since the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.

It’s not known how soon Snowflake could have known about the intrusions into its customers’ accounts. Snowflake’s statement said it became aware on May 23 of the “threat activity” — the accessing of customer accounts and downloading their contents — but subsequently found evidence of intrusions dating back to a no-more-specific timeframe than mid-April, suggesting the company does have some data to rely on. 

But that also leaves open the question why Snowflake did not detect at the time the exfiltration of large amounts of customers’ data from its servers until much later in May, or if it did, why Snowflake didn’t publicly alert its customers sooner.

Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for “several weeks.”

We still don’t know what was in the former Snowflake employee’s demo account, or if it is relevant to the customer data breaches

A key line from Snowflake’s statement says: “We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data.”

Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by TechCrunch.

As we previously noted, TechCrunch is not naming the employee, as it’s not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement allowing cybercriminals to download data from a then-employee’s “demo” account using only their username and password highlights a fundamental problem in Snowflake’s security model. 

But it remains unclear what role, if any, that this demo account has on the customer data thefts because it’s not yet known what data was stored within, or if it contained data from Snowflake’s other customers.

Snowflake declined to say what role, if any, the then-Snowflake employee’s demo account has on the recent customer breaches. Snowflake reiterated that the demo account “did not contain sensitive data,” but repeatedly declined to say how the company defines what it considers “sensitive data.” 

We asked if Snowflake believes that individuals’ personally identifiable information is sensitive data. Snowflake declined to comment. 

It’s unclear why Snowflake hasn’t proactively reset passwords, or required and enforced the use of MFA on its customers’ accounts

It’s not unusual for companies to force-reset their customers’ passwords following a data breach. But if you ask Snowflake, there has been no breach. And while that may be true in the sense that there has been no apparent compromise of its central infrastructure, Snowflake’s customers are very much getting breached.

Snowflake’s advice to its customers is to reset and rotate Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are on the hook for their own security: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.”

But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords of accounts that aren’t protected with MFA, it’s unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.

It’s not unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that weren’t protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users’ accounts

We asked Snowflake if the company planned to reset the passwords of its customers’ accounts to prevent any possible further intrusions. Snowflake declined to comment.

Snowflake appears to be moving toward rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake’s CISO Jones in the Friday update.

“We are also developing a plan to require our customers to implement advanced security controls, like multifactor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” said Jones. 

A timeframe for the plan was not given.


Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

More TechCrunch

Fisker is just a few days into its Chapter 11 bankruptcy, and the fight over its assets is already charged, with one lawyer claiming the startup has been liquidating assets…

The fight over Fisker’s assets is already heating up

A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale…

Hacker claims to have 30 million customer records from Australian ticket seller giant TEG

Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Elon…

Tesla makes Musk best-paid CEO of all time and Fisker bites the dust

Dot is a new AI companion and chatbot that thrives on getting to know your innermost thoughts and feelings.

Dot’s AI really, really wants to get to know you

The e-fuels startup is working on producing fuel for aviation and maritime shipping using carbon dioxide and other waste carbon streams.

E-fuels startup Aether Fuels is raising $34.3 million, per filing

Fisker was facing “potential financial distress” as early as last August, according to a new filing in its Chapter 11 bankruptcy proceeding, which the EV startup initiated earlier this week.…

Fisker faced financial distress as early as last August

Cruise, the self-driving subsidiary of General Motors, has agreed to pay a $112,500 fine for failing to provide full information about an accident involving one of its robotaxis last year.…

Cruise clears key hurdle to getting robotaxis back on roads in California

Feel Therapeutics has a pretty original deck, with some twists we rarely see; the company did a great job telling the overall story.

Pitch Deck Teardown: Feel Therapeutics’ $3.5M seed deck

The Rockset buy fits into OpenAI’s broader recent strategy of investing heavily in its enterprise sales and tech orgs.

OpenAI buys Rockset to bolster its enterprise AI

The U.S. government announced sanctions against 12 executives and senior leaders of the Russia-based cybersecurity giant Kaspersky. In a press release, the Department of the Treasury’s Office of Foreign Assets…

US government sanctions Kaspersky executives

Style DNA, an AI-powered fashion stylist app, creates a personalized style profile from a single selfie. The app is particularly useful for people interested in seasonal color analysis, a process…

Style DNA gets a generative AI chatbot that suggests outfit ideas based on your color type

Rates of depression, anxiety and suicidal thoughts are surging among U.S. teens. A recent report from the Center of Disease Control found that nearly one in three girls have seriously…

Khosla-backed Marble, built by former Headway founders, offers affordable group therapy for teens

Cover says what sets it apart is the underlying technology it employs, which has been exclusively licensed from NASA’s Jet Propulsion Laboratory.

A new startup from Figure’s founder is licensing NASA tech in a bid to curb school shootings

Spotify is introducing a new “Basic” streaming plan in the United States, the company announced on Friday. The new plan costs $10.99 per month and includes all of the benefits…

Spotify launches a new Basic streaming plan in the US

Photographers say the social media giant is applying a ‘Made with AI’ label to photos they took, causing confusion for users.

Meta is tagging real photos as ‘Made with AI,’ say photographers

Website building platform Squarespace is selling Tock, its restaurant reservation service, to American Express in a deal worth $400 million — the exact figure that Squarespace paid for the service…

Squarespace sells restaurant reservation system Tock to American Express for $400M

Featured Article

Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

The February ransomware attack on UHG-owned Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records.

19 hours ago
Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

Google said today that it globally paused its experiment that aimed to allow new kinds of real-money games on the Play Store, citing the challenges that come with the lack…

Google pauses its experiment to expand real-money games on the Play Store

Venture firms raised $9.3 billion in Q1 according to PitchBook data, which means this year likely won’t match or surpass 2023’s $81.8 billion total. While emerging managers are feeling the…

Kevin Hartz’s A* raises its second oversubscribed fund in three years

Google is making reviews of all your movies, TV shows, books, albums and games visible under one profile page starting June 24, according to an email sent to users last…

Google is making your movie and TV reviews visible under a new profile page

Zepto, an Indian quick commerce startup, has more than doubled its valuation to $3.6 billion in a new funding round of $665 million.

Zepto, a 10-minute delivery app, raises $665M at $3.6B valuation

Speak, the AI-powered language learning app, has raised new money from investors at double its previous valuation.

Language learning app Speak nets $20M, doubles valuation

SpaceX unveiled Starlink Mini, a more portable version of its satellite internet product that is small enough to fit inside a backpack.  Early Starlink customers were invited to purchase the…

SpaceX debuts portable Starlink Mini for $599

Ali Rathod-Papier has stepped down from her role as global head of compliance at corporate card expense management startup Brex to join venture firm Andreessen Horowitz (a16z) as a partner…

Brex’s compliance head has left the fintech startup to join Andreessen Horowitz as a partner

U.S. officials imposed the “first of its kind” ban arguing that Kaspersky threatens U.S. national security because of its links to Russia.

US bans sale of Kaspersky software citing security risk from Russia 

Apple has released Final Cut Pro for iPad 2 and Final Cut Camera, the company announced on Thursday. Both apps were previously announced during the company’s iPad event in May.…

Apple releases Final Cut Pro for iPad 2 and Final Cut Camera

Paris has quickly established itself as a major European center for AI startups, and now another big deal is in the works.

Poolside is raising $400M+ at a $2B valuation to build a supercharged coding co-pilot

The space industry is all abuzz about how SpaceX’s Starship, Blue Origin’s New Glenn, and other heavy-lift rockets will change just about everything. One likely consequence is that spacecraft will…

Gravitics prepares a testing gauntlet for a new generation of giant spacecraft

LTK (formerly LiketoKnow.it and RewardStyle), the influencer shopping app with 40 million monthly users, announced on Thursday the launch of a free direct message tool for creators to instantly share…

Influencer shopping app LTK gets an automatic direct message tool

YouTube appears to be taking a firm stance against Premium subscribers who attempt to use a VPN (virtual private network) to access cheaper subscription prices in other countries. This week,…

YouTube confirms crackdown on VPN users accessing cheaper Premium plans