Hundreds of Snowflake Customer Passwords Exposed Online, Tied to Info-Stealing Malware


Cloud data analysis company Snowflake is facing scrutiny as its corporate customers grapple with potential data breaches. Snowflake, which serves major global corporations including banks, healthcare providers, and tech companies, helps store and analyze vast amounts of data in the cloud.

Last week, Australian authorities issued a warning about the "successful compromises of several companies utilizing Snowflake environments," without disclosing the specific companies involved. Hackers on a known cybercrime forum claimed to have stolen hundreds of millions of customer records from Santander Bank and Ticketmaster, two prominent Snowflake clients. Santander confirmed a breach of a database "hosted by a third-party provider" but did not identify the provider. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake.

Snowflake acknowledged in a brief statement that it was aware of "potentially unauthorized access" to a "limited number" of customer accounts. However, it found no evidence of a direct breach of its systems. Snowflake described the incident as a "targeted campaign directed at users with single-factor authentication," where hackers used credentials "previously purchased or obtained through info stealing malware," designed to scrape saved passwords from users' computers.

Despite managing sensitive data, Snowflake leaves the security configuration of each environment to the customer and does not mandate multi-factor authentication (MFA), according to its customer documentation. MFA is off by default and enrollment is per user, so an account secured with nothing but a username and password can be opened with a credential lifted from an infected laptop. This lack of enforced MFA appears to be what let the attackers pull significant amounts of data from Snowflake customers who had set up their environments without it.

Snowflake conceded that one of its "demo" accounts was compromised due to a lack of protection beyond a username and password but claimed the account "did not contain sensitive data." It is unclear if this compromised demo account is connected to the recent breaches.

TechCrunch has seen hundreds of alleged Snowflake customer credentials available online for cybercriminals to use in hacking campaigns, suggesting a broader risk of Snowflake account compromises. These credentials were stolen by infostealing malware that infected the computers of employees who had access to their employer's Snowflake environment.

Some credentials viewed by TechCrunch appear to belong to employees at companies known to be Snowflake customers, including Ticketmaster and Santander. These employees include database engineers and data analysts who reference their experience using Snowflake on LinkedIn.

Snowflake has advised customers to enable MFA for their accounts immediately. Until then, Snowflake accounts without enforced MFA remain vulnerable to simple attacks like password theft and reuse.
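As an added illustration, not from the article and not Snowflake's own guidance, the Snowflake SQL below shows how an account administrator can measure the exposure described above and close it: list successful password-only logins, flag users that can still sign in with a password alone, contain a user whose credentials have turned up in a stealer log, and then restrict source networks and require MFA enrollment at the account level. It assumes the executing role has been granted IMPORTED PRIVILEGES on the SNOWFLAKE database (the ACCOUNT_USAGE share), that a current database and schema are set because authentication policies are schema-level objects, that the user name `stolen_cred_user`, the policy names and the range `203.0.113.0/24` are placeholders, and that the `MFA_ENROLLMENT` authentication policy property (introduced by Snowflake in 2024) is available on the account.

```sql
-- Added example (not from the article). Run as ACCOUNTADMIN or a role
-- granted IMPORTED PRIVILEGES on the SNOWFLAKE database.
-- ACCOUNT_USAGE views are not real time; expect a lag of up to a few hours.

-- 1. Successful logins in the last 30 days that used a password and no
--    second factor. Each row is a session that a password scraped by an
--    infostealer would have been enough to open.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 2. The same logins grouped by user, with the number of distinct source
--    IPs and the client types seen. A credential replayed by whoever bought
--    it usually shows up as a new IP and often a new client type.
SELECT user_name,
       COUNT(*)                                 AS password_only_logins,
       COUNT(DISTINCT client_ip)                AS distinct_ips,
       ARRAY_AGG(DISTINCT reported_client_type) AS client_types
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_ips DESC;

-- 3. Active users that can still authenticate with a password alone:
--    a password is set and Snowflake's built-in (Duo) MFA is not enrolled.
SELECT name, login_name, email, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Containment for a user whose credentials appear in a stealer log
--    (placeholder user name): block the login now, force a new password
--    when the account is re-enabled.
ALTER USER stolen_cred_user SET DISABLED = TRUE;
ALTER USER stolen_cred_user SET MUST_CHANGE_PASSWORD = TRUE;

-- 5. Prevention. First restrict where the account can be reached from
--    (placeholder CIDR; use your VPN / egress ranges, and make sure the IP
--    you are running this from is included or you lock yourself out).
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Then require MFA enrollment for password logins account-wide.
-- MFA_ENROLLMENT is an authentication policy property Snowflake added in
-- 2024 (assumption: available on this account).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_for_passwords
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML', 'KEYPAIR')
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_for_passwords;
```

Query 1 is the audit that matters most: it is the list of sessions the campaign described in the article could have opened. Query 3 only detects Snowflake's built-in MFA; users who sign in through an identity provider via SAML are covered by that provider's MFA, not by `ext_authn_duo`, so a clean result there still needs to be cross-checked against the IdP. The network policy is the fastest protection because it works even for users who have not yet enrolled in MFA, but it must be applied from an allowed address.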