US cloud-computing and AI data cloud firm Snowflake has revealed that a number of its clients have suffered from cyber attacks.
In a joint statement with CrowdStrike and Mandiant, Snowflake revealed that the attacks appear to be part of a targeted campaign.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” said Snowflake.
“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel. This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware. We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee.
“It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or multifactor authentication (MFA), unlike Snowflake’s corporate and production systems.”
At least four major companies that are customers of Snowflake have been targeted in cyber attacks, including international automotive aftermarket retailer Advance Auto Parts, which has 4,777 stores and 320 WorldPac branches throughout the US, the Virgin Islands, Mexico, Canada, Puerto Rico and several Caribbean islands.
The threat actor, who goes by Sp1d3r, claimed to have a massive amount of data: the personal data of 380 million customers (name, email, mobile, phone, address and more), 140 million customer orders, transaction tender details, sales history, auto parts and part numbers, details of employment candidates (including social security numbers and driver’s licenses), and 44 million loyalty card numbers and customer details.
It is unclear if the same threat actor targeted the other victims.
While media reports suggest that Snowflake originally blamed the incident on those victims that did not have multifactor authentication enabled, it has since deleted those statements.
It now says it has been advising its customers on how to stay safe.
“We have been communicating with our customers about how to best protect themselves, including enabling multifactor authentication and network access policies,” Snowflake chief information security officer Brad Jones told Cybersecurity Dive.
“Snowflake is also suspending certain user accounts where there are strong indicators of malicious activity. We have also been incrementally blocking IP addresses that we have identified and have a high confidence level that are associated with the cyber threat.”
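The two controls Snowflake names above, multifactor authentication and network access policies, map directly onto the attack pattern described earlier in the article: stolen passwords replayed against accounts that accept a single factor. The following is an added example, not taken from the article or from Snowflake’s statement, showing how an account administrator can first measure exposure and then apply a network policy. It assumes Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and its network policy DDL; the policy name, the IP ranges and the 30-day window are placeholders.

```sql
-- Added example (not from the article or Snowflake's statement).
-- Assumes the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and Snowflake's
-- network policy DDL. Policy name, CIDR ranges and the time window are
-- placeholders to be replaced with the organisation's own values.

-- 1. Measure exposure: successful logins in the last 30 days that completed
--    with a password alone (no second factor recorded). Every user listed
--    here could be reached with nothing more than a stolen credential,
--    which is the population the campaign described above went after.
SELECT user_name,
       COUNT(*)                  AS single_factor_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name
ORDER  BY single_factor_logins DESC;

-- 2. Reduce exposure: only accept connections from known corporate egress
--    or VPN ranges. The two CIDRs below are documentation-range placeholders.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Placeholder ranges; replace with corporate egress / VPN CIDRs';

-- Apply the policy account-wide so every user, including accounts that have
-- not yet enrolled in MFA, is covered from the next login onward.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Query 1 is the review step: a user with many single-factor logins from many distinct source addresses is the kind of account that warrants an MFA enrollment push and a closer look at its session history. The network policy in step 2 is the compensating control for the interval before every account is enrolled, since a credential bought from an info-stealer log is of little use if the login is rejected at the network layer.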
Snowflake’s Data Cloud Summit, which started on Monday (3 June) in San Francisco, provided no additional answers for customers, with the company providing no updates on the matter.