What happened
Snowflake, a Montana-based data platform and warehouse that provides data storage, processing, and analytic solutions, recently suffered a large breach. The breach is believed to have occurred in 2024 and came to light after Mandiant, a cybersecurity firm, identified the threat campaign.
Snowflake stores massive datasets on its services for companies like Ticketmaster, Santander Banking, Advance Auto Parts, and more.
Attackers allegedly began attempting to access customers' logins using stolen details. According to a report from Wired, Snowflake has said that only a limited number of customer accounts have been accessed.
Despite Snowflake’s claims, TechCrunch has found hundreds of Snowflake customer passwords online, all accessible to cybercriminals.
By the numbers
According to The Record, Santander Bank has had over 12,000 employees impacted in the breach. The company believes its data was first accessed on April 17th, 2024.
In their breach notification letter, the company said that personal information such as names, Social Security numbers, and bank account information may have been accessed.
Other organizations, like the Los Angeles Unified School District, also reported stolen data.
Currently, it's estimated that the breach has impacted 165 organizations, although many are still gathering numbers. Another breach against Truist Bank occurred at the same time but is believed to be unrelated.
Going deeper
Mandiant and another cybersecurity company, CrowdStrike, continue to investigate the claims. The investigating firms have found that the hacking group is based in North America but may have an additional collaborator in Turkey.
The attackers gained access using stolen credentials, some dating back to 2020. Mandiant determined that the credentials were obtained from multiple infostealer malware campaigns that infected systems not owned by Snowflake. According to a Google report, the compromises were successful because of several factors:
- Impacted accounts were not configured with multi-factor authentication enabled, allowing hackers to enter with only a username and password.
- Credentials were valid even years after they had been stolen.
- Impacted Snowflake customers did not restrict access to trusted networks.
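The three factors above map directly onto checks a Snowflake administrator can run. The following Snowflake SQL is an added example, not part of the article or of Snowflake's own guidance; it assumes the SNOWFLAKE.ACCOUNT_USAGE views are available to the caller, and the 203.0.113.0/24 range is a documentation CIDR standing in for the organization's real trusted egress addresses.

```sql
-- Factor 1 and 3: successful logins that used only a password (no second
-- factor) from outside the assumed trusted range, over the last 30 days.
-- 203.0.113.0/24 is a documentation range; substitute the real egress CIDR.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND client_ip NOT LIKE '203.0.113.%'          -- outside the assumed trusted range
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- Factor 2: active password users with no MFA enrolled whose password was
-- last set before an assumed cutoff date (stale credentials that a years-old
-- infostealer log could still contain). ext_authn_duo is the MFA enrolment flag.
SELECT name, last_success_login, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
  AND password_last_set_time < '2024-01-01'::TIMESTAMP_NTZ   -- assumed cutoff
ORDER BY password_last_set_time;

-- Mitigation for factor 3: bind the account to a trusted allow-list so that a
-- valid username and password alone are not enough from an arbitrary network.
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Rows from the first query are the ones worth triaging against the known-bad client fingerprints in the incident reporting; users from the second query are candidates for forced password resets and MFA enrolment before the network policy is applied.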
Currently, it’s believed that the hacker is still attempting to sell the data for millions in ransom. Snowflake is now taking steps to close the investigation.
The big picture
Attacks like these can have significant ramifications because platforms such as Snowflake are used by so many industries and hold such significant amounts of data. Some victims, like Santander, show that attacks originating in the United States can impact companies far beyond it. Because Mandiant quickly spotted the campaign, the attack was more easily traced back to Snowflake; prior to that discovery, other organizations may have been left confused about how their data had become compromised.
Healthcare organizations can no longer solely worry about the security systems within their network; every organization must now consider the security of the companies they work with. Even one compromise can have a lasting effect.