Massive Snowflake breach highlights importance of enforcing MFA

Recently, the cybersecurity world was shaken by a data breach involving Snowflake, a cloud-based third-party data platform used by many companies to store huge datasets. Around 165 businesses, including Ticketmaster and Santander Bank, are believed to have been impacted.

Here’s the lowdown on what happened and why MFA is an essential component of securing online accounts.

The breach

The Snowflake data breach first came to light on May 27 with a post on the cybercrime forum Exploit. Asking for $500,000, the hacker advertised 1.3TB of Ticketmaster data, which included over 560 million people’s names, addresses, credit card numbers, ticket sales, and more. 

Banking firm Santander then revealed their customers’ data had also been advertised in a hacking forum by a group called ShinyHunters. They claimed the data included 30 million people’s bank account details, 6 million account numbers and balances, 28 million credit card numbers, and staff HR information.

Following the revelations, Snowflake confirmed that data had been compromised and that it was aware of “potentially unauthorized access to certain customer accounts,” but said it wasn’t due to an issue with its platform: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.”

So, what was the issue?

Single-factor authentication accounts

When the data breach became known, Snowflake enlisted the help of cybersecurity firms Mandiant and CrowdStrike to find out the cause. They found no evidence that Snowflake’s enterprise environment had been breached, but found that the campaign targeted users with single-factor authentication, using credentials the hackers had “previously purchased or obtained through infostealing malware.”

The Snowflake platform leaves customers to manage their own security settings, and didn’t require them to set up multi-factor authentication (MFA). As a result, it seems hackers were able to glean huge amounts of data from Snowflake customers who hadn’t added MFA to their security measures.

Mandiant revealed that it had traced the data breach to a “financially motivated threat actor” it identified as UNC5537. It says the campaign has resulted in “numerous successful compromises” because of poor security practices such as a lack of MFA and failing to rotate login credentials after they had been stolen. Mandiant expects the number of impacted accounts to grow and that UNC5537 will probably attack more platforms in the near future.

The importance of MFA

While it’s true that Snowflake’s platform wasn’t compromised, many security experts have criticized the company for not enforcing MFA, which would have prevented such a large breach. Kris Lahiri, co-founder and chief security officer at Egnyte, told Information Week:

“Even sophisticated breaches are all coming down to user authentication compromise. This should be a wakeup call to all organizations to revisit basic security hygiene like ensuring MFA setup (the primary reason for this Snowflake compromise) and reviewing every company’s supply chain of critical data vendors.”

It’s also important to be aware of potential credential leaks so you always know who has access to your accounts. To do this, you can use a service such as Mandiant Digital Threat Monitoring or Have I Been Pwned. And remember to always practice good password hygiene.
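The two sections above describe accounts protected only by a password and a platform that left MFA optional. The following Snowflake SQL is an added example, not code from the article or from Snowflake’s own guidance: it first lists the accounts that logged in with a password and no second factor, then lists users who never enrolled an MFA device, and finally makes MFA enrollment mandatory with an account-level authentication policy. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share and set account policies, an account where the MFA_ENROLLMENT policy option is available, and a policy name (require_mfa_policy) chosen for this example.

```sql
-- Added example (not from the article or from Snowflake). Assumes a role with
-- access to SNOWFLAKE.ACCOUNT_USAGE and the privilege to set account policies.
-- Note: ACCOUNT_USAGE views lag live activity by up to a couple of hours.

-- 1) Detection: successful password logins with no second factor in the last
--    30 days, per user. Every row is an account that a stolen password alone
--    would have unlocked, which is the pattern described in the breach.
SELECT
    user_name,
    COUNT(*)                                 AS single_factor_logins,
    COUNT(DISTINCT client_ip)                AS distinct_source_ips,
    ARRAY_AGG(DISTINCT reported_client_type) AS client_types,
    MIN(event_timestamp)                     AS first_seen,
    MAX(event_timestamp)                     AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY single_factor_logins DESC;

-- 2) Exposure: active password users who have never enrolled a Duo MFA device
--    (EXT_AUTHN_DUO is the per-user enrollment flag). Key-pair-only service
--    accounts have no password and are intentionally excluded here.
SELECT name, login_name, disabled, last_success_login, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3) Mitigation: require MFA enrollment for password logins to the web UI
--    across the whole account, instead of leaving it to each user.
--    The policy name is constructed for this example.
CREATE AUTHENTICATION POLICY require_mfa_policy
    MFA_ENROLLMENT = REQUIRED
    CLIENT_TYPES   = ('SNOWFLAKE_UI');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Run the two SELECTs again after the policy is in place: the first should stop returning new rows for interactive users, and any user still listed by the second is a candidate for a forced password rotation plus enrollment.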
