Information stealer leaks over the past several years culminated in a series of breaches starting in May this year, involving 165 companies including Ticketmaster, Santander, AT&T, Advance Auto Parts, Anheuser-Busch, and Lending Tree. We will refer to these as the Snowflake breaches.
It all started when a threat actor group by the name of ShinyHunters put the personal and financial data of over 500 million Ticketmaster customers up for sale on a very well-known dark web forum. Ticketmaster later confirmed the breach, stating that it had originated from their Snowflake accounts.
Later that month, ShinyHunters once again took to the forums to sell data on customers, employees, and bank accounts associated with the major banking institution Santander. Santander later confirmed the leaks to be legitimate and attributed them to unauthorised access to a Santander database hosted by a third-party provider (its Snowflake account).
These breaches were followed by several others involving major companies such as Advance Auto Parts, Lending Tree, and Anheuser-Busch, all of which are Snowflake customers and traced their breaches back to their Snowflake accounts, bringing us to this month and the latest target in the Snowflake breaches, AT&T.
The telco giant emerged recently as yet another victim of the Snowflake breaches when the call and message logs of all of the company’s 110 million customers surfaced online after reportedly being stolen in April 2024 from, you guessed it, its Snowflake account.
Now, although the data leaked through these breaches is not overly sensitive, one absolutely must ask, what is going on with Snowflake?!
As it turns out, nothing. Snowflake’s product itself has no security issues. These attacks were not a result of any sophisticated tactics, techniques, or procedures. The methods used were MUCH simpler than that.
The threat actors behind the campaign simply bought or found account credentials that information stealer malware had harvested in earlier, unrelated infections. The oldest credentials used could be traced back all the way to a leak in 2020. All of the 165 compromised Snowflake account holders had made one very stupid mistake: they had not enabled Multi-Factor Authentication (MFA). As a result, the attackers were able to log straight into the accounts with nothing more than a username and password and exfiltrate all the data hosted there.
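An added example, not from the original post, of the check a defender would run over Snowflake login history to surface the pattern described here: successful logins that used a password and no second factor, and such logins arriving from an address the user has never used before. It assumes the rows mirror the columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the sample rows are constructed.

```python
# Added example (not from the original post): flag Snowflake logins that
# relied on a password alone, the pattern behind the breaches above.
# Assumption: rows mirror columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
# (USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR,
# SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS). Sample rows are constructed.
from collections import defaultdict

# Constructed sample rows, in chronological order.
SAMPLE_LOGINS = [
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "203.0.113.10",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "203.0.113.20",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "198.51.100.77",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST2", "CLIENT_IP": "198.51.100.77",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]


def password_only_users(rows):
    """Users with at least one successful login that had no second factor.

    These are the accounts a replayed infostealer credential would open."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES"
                   and r["SECOND_AUTHENTICATION_FACTOR"] is None})


def new_ip_password_logins(rows):
    """Successful password-only logins from an IP the user never used before.

    A stolen credential replayed from an unfamiliar host lands here; the
    user's first ever login is treated as baseline and not flagged."""
    seen = defaultdict(set)
    hits = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        user, ip = r["USER_NAME"], r["CLIENT_IP"]
        known = seen[user]
        if r["SECOND_AUTHENTICATION_FACTOR"] is None and known and ip not in known:
            hits.append((user, ip))
        known.add(ip)
    return hits
```

In a real account, the same two filters run as queries against the LOGIN_HISTORY view and feed a list of users for whom MFA must be enforced.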
In the aftermath, both Ticketmaster and AT&T have had class-action lawsuits brought against them for their negligence in protecting customer data. They were indeed negligent.
So this is where we are now. All the money and resources in the world and companies are getting pwned due to a lack of MFA. Funny times.
Stay safe.