Anyone operating a Snowflake environment that contains customer data should read the security bulletin “Detecting and Preventing Unauthorized User Access.” It describes a Snowflake sales engineer's credentials being stolen, affecting over 150 customer environments, including TicketMaster and Santander bank. If your teams or customers use Snowflake, we highly suggest reading this bulletin, as it contains instructions on how to look for indicators of compromise for this specific breach.
The data breach, instigated by the hacker group ShinyHunters, targeted Snowflake’s production environment and further illustrates that keeping your data secure has never been more critical.
According to Snowflake, on May 23, 2024 its security team detected increased threat activity from a subset of IP addresses and “suspicious clients” related to unauthorized access attempts at Santander bank and TicketMaster.
Below are 5 assertions Snowflake is making regarding the intrusion:
1. Snowflake’s products are not at fault: No evidence suggests that this activity was caused by any underlying vulnerability or breach of Snowflake's network or product.
2. Snowflake’s security procedures are not at fault: Snowflake does not believe it was the source of any leaked customer credentials.
3. Snowflake customers are not at fault: Snowflake is built with security at its core, so no "master API" pathway exists for customers' credentials to be accessed and exfiltrated from its production environment.
4. Former Snowflake employee’s credentials accessed for demo account: There is evidence that ShinyHunters obtained personal credentials to access a demo account owned by a former Snowflake employee. The account did not contain sensitive data and is unconnected to Snowflake's production or corporate systems.
5. You can count on Snowflake: Snowflake remains committed to providing secure and reliable cloud data solutions for its customers.
Snowflake continues to assert there is no evidence linking the TicketMaster/Santander breaches to any vulnerability, misconfiguration, or breach of its underlying product. The former employee’s account (a demo account) that was accessed didn’t contain sensitive data and wasn’t connected to Snowflake’s production or corporate networks.
For its part, Snowflake has:
At Concord, we’ve partnered with Immuta, a data security company, to protect your cloud data and provide secure access to ensure data is policy compliant. If you have a Snowflake account and believe it could be compromised, please follow Concord’s steps to mitigate potential intrusions:
1. Assess your security posture: Check out the Snowflake IoCs and investigative queries, and take preventive actions published on the Snowflake Community Security Bulletin, "Identifying Non-MFA Users and Enabling MFA."
(However, a security expert has indicated in a LinkedIn community that this bulletin does not provide a comprehensive enough approach to identifying non-MFA users, and he offers his own suggestion. But as we always say, “buyer beware!”)
2. Implement MFA for all privileged users (and identify non-MFA users): Enable Snowflake’s built-in Duo MFA (multi-factor authentication) for privileged human users to ensure they are accessing their accounts securely.
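As an added example (these queries are ours, not the Snowflake bulletin’s or Concord’s), the following two queries against Snowflake’s SNOWFLAKE.ACCOUNT_USAGE views show one way to identify users who could still log in with a password alone. They assume a role that can read the SNOWFLAKE database (for example ACCOUNTADMIN) and that the account uses Duo for MFA.

```sql
-- Added example, not from the Snowflake bulletin: run with a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE. These views lag real time by up to a few hours, so the
-- user table is paired with a recent-login check rather than used on its own.

-- 1. Active, non-deleted users that have a password set but no Duo MFA enrolled.
--    The boolean-ish columns are cast explicitly because some are stored as VARIANT.
--    Service users are excluded: they cannot enrol in Duo and should use key pairs.
SELECT
    name,
    login_name,
    has_password,
    has_rsa_public_key,
    ext_authn_duo::boolean   AS duo_mfa_enrolled,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND COALESCE(disabled::boolean, FALSE) = FALSE
  AND has_password = TRUE
  AND COALESCE(ext_authn_duo::boolean, FALSE) = FALSE
  AND COALESCE(type, 'PERSON') NOT IN ('SERVICE', 'LEGACY_SERVICE')
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used a password with no second
--    factor. This catches users who were never enrolled as well as any whose MFA
--    was bypassed, and lists the client types and source IPs so they can be
--    compared against the IoCs published in the bulletin.
SELECT
    user_name,
    COUNT(*)                                 AS password_only_logins,
    MIN(event_timestamp)                     AS first_seen,
    MAX(event_timestamp)                     AS last_seen,
    ARRAY_AGG(DISTINCT reported_client_type) AS client_types,
    ARRAY_AGG(DISTINCT client_ip)            AS source_ips
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;
```

Any user appearing in both result sets is a priority for MFA enrolment, and any unfamiliar client type or source IP in the second result set warrants the IoC checks described in the bulletin.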
While no concrete evidence has been found linking the breach directly to a Snowflake product, it’s smart to be vigilant and to secure accounts against unauthorized access. By following the recommended actions and staying informed about the latest developments, you help safeguard your data and maintain trust in Snowflake as a reliable cloud solution provider.
However, if you’re concerned about your data security and would like to take proactive measures following the recent Snowflake breach, Concord, in conjunction with our partner Immuta, offers a comprehensive Data Risk Assessment service to improve your security posture:
1. Visit Concord’s website and complete the form.
2. Briefly describe your concerns related to the Snowflake breach and indicate that you would like a data risk assessment or environment review based on the IoCs.
3. Click Submit to send your request. A Concord team member will reach out to you within 24 hours to discuss your needs and schedule a consultation.
During the consultation, we will assess your current data protection measures and work with you to develop a comprehensive plan to address potential vulnerabilities related to the Snowflake breach.
It is critical to safeguard your sensitive data and maintain customer trust by investing in proactive security measures. By taking advantage of our data risk assessment and environment review services, you ensure your organization remains secure in the face of evolving cyber threats.
Not sure on your next step? We'd love to hear about your business challenges. No pitch. No strings attached.