Security

Hundreds of Snowflake customer passwords found online are linked to info-stealing malware

Comment

a series of illustrated colorful laptops featuring red, glitchy and matrix-like text symbolizing malware
Image Credits: Bryce Durbin / TechCrunch

Cloud data analysis company Snowflake is at the center of a recent spate of alleged data thefts, as its corporate customers scramble to understand if their stores of cloud data have been compromised. 

Snowflake helps some of the largest global corporations — including banks, healthcare providers and tech companies — store and analyze their vast amounts of data, such as customer data, in the cloud.

Last week, Australian authorities sounded the alarm saying they had become aware of “successful compromises of several companies utilising Snowflake environments,” without naming the companies. Hackers had claimed on a known cybercrime forum that they had stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two of Snowflake’s biggest customers. Santander confirmed a breach of a database “hosted by a third-party provider” but would not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake

Snowflake acknowledged in a brief statement that it was aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which ones, but that it has found no evidence there was a direct breach of its systems. Rather, Snowflake called it a “targeted campaign directed at users with single-factor authentication” and that the hackers used “previously purchased or obtained through infostealing malware,” which is designed to scrape a user’s saved passwords from their computer.

Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake’s customer documentation. Not enforcing the use of MFA appears to be how cybercriminals allegedly obtained huge amounts of data from some of Snowflake’s customers, some of which set up their environments without the additional security measure. 

Snowflake conceded that one of its own “demo” accounts was compromised because it wasn’t protected beyond a username and password, but claimed the account “did not contain sensitive data.” It’s unclear if this stolen demo account has any role in the recent breaches. 

TechCrunch has this week seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known. 

The credentials were stolen by infostealing malware that infected the computers of employees who have access to their employer’s Snowflake environment.

Some of the credentials seen by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander, among others. The employees with Snowflake access include database engineers and data analysts, some of whom reference their experience using Snowflake on their LinkedIn pages.

For its part, Snowflake has told customers to immediately switch on MFA for their accounts. Until then, Snowflake accounts that aren’t enforcing the use of MFA to log in are putting their stored data at risk of compromise from simple attacks like password theft and reuse. 

How we checked the data

A source with knowledge of cybercriminal operations pointed TechCrunch to a website where would-be attackers can search through lists of credentials that have been stolen from various sources, such as infostealing malware on someone’s computer or collated from previous data breaches. (TechCrunch is not linking to the site where stolen credentials are available so as not to aid bad actors.)

In all, TechCrunch has seen more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for the corresponding Snowflake environments. 

The exposed credentials appear to pertain to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others. We have also seen exposed usernames and passwords allegedly belonging to a former Snowflake employee. 

TechCrunch is not naming the former employee because there’s no evidence they did anything wrong. (It’s ultimately both the responsibility of Snowflake and its customers to implement and enforce security policies that prevent intrusions that result from the theft of employee credentials.) 

We did not test the stolen usernames and passwords, as doing so would break the law. As such, it’s unknown if the credentials are currently in active use or if they directly led to account compromises or data thefts. Instead, we worked to verify the authenticity of the exposed credentials in other ways. This includes checking the individual login pages of the Snowflake environments that were exposed by the infostealing malware, which were still active and online at the time of writing.

The credentials we’ve seen include the employee’s email address (or username), their password, and the unique web address for logging in to their company’s Snowflake environment. When we checked the web addresses of the Snowflake environments — often made up of random letters and numbers — we found the listed Snowflake customer login pages are publicly accessible, even if not searchable online.

TechCrunch confirmed that the Snowflake environments correspond to the companies whose employees’ logins were compromised. We were able to do this because each login page we checked had two separate options to sign in.

One way to log in relies on Okta, a single sign-on provider that allows Snowflake users to sign in with their own company’s corporate credentials using MFA. In our checks, we found that these Snowflake login pages redirected to Live Nation (for Ticketmaster) and Santander sign-in pages. We also found a set of credentials belonging to a Snowflake employee, whose Okta login page still redirects to an internal Snowflake login page that no longer exists.

Snowflake’s other login option allows the user to use only their Snowflake username and password, depending on whether the corporate customer enforces MFA on the account, as detailed by Snowflake’s own support documentation. It’s these credentials that appear to have been stolen by the infostealing malware from the employees’ computers.

It’s not clear exactly when the employees’ credentials were stolen or for how long they have been online. 

There is some evidence to suggest that several employees with access to their company’s Snowflake environments had their computers previously compromised by infostealing malware. According to a check on breach notification service Have I Been Pwned, several of the corporate email addresses used as usernames for accessing Snowflake environments were found in a recent data dump containing millions of stolen passwords scraped from various Telegram channels used for sharing stolen passwords.

Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether any of its customers’ data was found in the Snowflake employee’s demo account. In a statement, Snowflake said it is “suspending certain user accounts where there are strong indicators of malicious activity.”

Snowflake added: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.” The spokesperson said Snowflake was “considering all options for MFA enablement, but we have not finalized any plans at this time.”

When reached by email, Live Nation spokesperson Kaitlyn Henrich did not comment by press time.

Santander did not respond to a request for comment.

Missing MFA resulted in huge breaches

Snowflake’s response so far leaves a lot of questions unanswered and lays bare a raft of companies that are not reaping the benefits that MFA security provides. 

What is clear is that Snowflake bears at least some responsibility for not requiring its users to switch on the security feature and is now bearing the brunt of that — along with its customers.

The data breach at Ticketmaster allegedly involves upward of 560 million customer records, according to the cybercriminals advertising the data online. (Live Nation would not comment on how many customers are affected by the breach.) If proven, Ticketmaster would be the largest U.S. data breach of the year so far, and one of the biggest in recent history.

Snowflake is the latest company in a string of high-profile security incidents and sizable data breaches caused by the lack of MFA. 

Last year, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that weren’t protected with MFA, prompting the genetic testing company — and its competitors — to require users to enable MFA by default to prevent a repeat attack.

And earlier this year, the UnitedHealth-owned health tech giant Change Healthcare admitted hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected with MFA. The healthcare giant hasn’t yet said how many individuals had their information compromised but said it is likely to affect a “substantial proportion of people in America.”


Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.

More TechCrunch

Fisker is just a few days into its Chapter 11 bankruptcy, and the fight over its assets is already charged, with one lawyer claiming the startup has been liquidating assets…

The fight over Fisker’s assets is already heating up

A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale…

Hacker claims to have 30 million customer records from Australian ticket seller giant TEG

Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Elon…

Tesla makes Musk best-paid CEO of all time and Fisker bites the dust

Dot is a new AI companion and chatbot that thrives on getting to know your innermost thoughts and feelings.

Dot’s AI really, really wants to get to know you

The e-fuels startup is working on producing fuel for aviation and maritime shipping using carbon dioxide and other waste carbon streams.

E-fuels startup Aether Fuels is raising $34.3 million, per filing

Fisker was facing “potential financial distress” as early as last August, according to a new filing in its Chapter 11 bankruptcy proceeding, which the EV startup initiated earlier this week.…

Fisker faced financial distress as early as last August

Cruise, the self-driving subsidiary of General Motors, has agreed to pay a $112,500 fine for failing to provide full information about an accident involving one of its robotaxis last year.…

Cruise clears key hurdle to getting robotaxis back on roads in California

Feel Therapeutics has a pretty original deck, with some twists we rarely see; the company did a great job telling the overall story.

Pitch Deck Teardown: Feel Therapeutics’ $3.5M seed deck

The Rockset buy fits into OpenAI’s broader recent strategy of investing heavily in its enterprise sales and tech orgs.

OpenAI buys Rockset to bolster its enterprise AI

The U.S. government announced sanctions against 12 executives and senior leaders of the Russia-based cybersecurity giant Kaspersky. In a press release, the Department of the Treasury’s Office of Foreign Assets…

US government sanctions Kaspersky executives

Style DNA, an AI-powered fashion stylist app, creates a personalized style profile from a single selfie. The app is particularly useful for people interested in seasonal color analysis, a process…

Style DNA gets a generative AI chatbot that suggests outfit ideas based on your color type

Rates of depression, anxiety and suicidal thoughts are surging among U.S. teens. A recent report from the Center of Disease Control found that nearly one in three girls have seriously…

Khosla-backed Marble, built by former Headway founders, offers affordable group therapy for teens

Cover says what sets it apart is the underlying technology it employs, which has been exclusively licensed from NASA’s Jet Propulsion Laboratory.

A new startup from Figure’s founder is licensing NASA tech in a bid to curb school shootings

Spotify is introducing a new “Basic” streaming plan in the United States, the company announced on Friday. The new plan costs $10.99 per month and includes all of the benefits…

Spotify launches a new Basic streaming plan in the US

Photographers say the social media giant is applying a ‘Made with AI’ label to photos they took, causing confusion for users.

Meta is tagging real photos as ‘Made with AI,’ say photographers

Website building platform Squarespace is selling Tock, its restaurant reservation service, to American Express in a deal worth $400 million — the exact figure that Squarespace paid for the service…

Squarespace sells restaurant reservation system Tock to American Express for $400M

Featured Article

Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

The February ransomware attack on UHG-owned Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records.

19 hours ago
Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

Google said today that it globally paused its experiment that aimed to allow new kinds of real-money games on the Play Store, citing the challenges that come with the lack…

Google pauses its experiment to expand real-money games on the Play Store

Venture firms raised $9.3 billion in Q1 according to PitchBook data, which means this year likely won’t match or surpass 2023’s $81.8 billion total. While emerging managers are feeling the…

Kevin Hartz’s A* raises its second oversubscribed fund in three years

Google is making reviews of all your movies, TV shows, books, albums and games visible under one profile page starting June 24, according to an email sent to users last…

Google is making your movie and TV reviews visible under a new profile page

Zepto, an Indian quick commerce startup, has more than doubled its valuation to $3.6 billion in a new funding round of $665 million.

Zepto, a 10-minute delivery app, raises $665M at $3.6B valuation

Speak, the AI-powered language learning app, has raised new money from investors at double its previous valuation.

Language learning app Speak nets $20M, doubles valuation

SpaceX unveiled Starlink Mini, a more portable version of its satellite internet product that is small enough to fit inside a backpack.  Early Starlink customers were invited to purchase the…

SpaceX debuts portable Starlink Mini for $599

Ali Rathod-Papier has stepped down from her role as global head of compliance at corporate card expense management startup Brex to join venture firm Andreessen Horowitz (a16z) as a partner…

Brex’s compliance head has left the fintech startup to join Andreessen Horowitz as a partner

U.S. officials imposed the “first of its kind” ban arguing that Kaspersky threatens U.S. national security because of its links to Russia.

US bans sale of Kaspersky software citing security risk from Russia 

Apple has released Final Cut Pro for iPad 2 and Final Cut Camera, the company announced on Thursday. Both apps were previously announced during the company’s iPad event in May.…

Apple releases Final Cut Pro for iPad 2 and Final Cut Camera

Paris has quickly established itself as a major European center for AI startups, and now another big deal is in the works.

Poolside is raising $400M+ at a $2B valuation to build a supercharged coding co-pilot

The space industry is all abuzz about how SpaceX’s Starship, Blue Origin’s New Glenn, and other heavy-lift rockets will change just about everything. One likely consequence is that spacecraft will…

Gravitics prepares a testing gauntlet for a new generation of giant spacecraft

LTK (formerly LiketoKnow.it and RewardStyle), the influencer shopping app with 40 million monthly users, announced on Thursday the launch of a free direct message tool for creators to instantly share…

Influencer shopping app LTK gets an automatic direct message tool

YouTube appears to be taking a firm stance against Premium subscribers who attempt to use a VPN (virtual private network) to access cheaper subscription prices in other countries. This week,…

YouTube confirms crackdown on VPN users accessing cheaper Premium plans