
Hundreds of Snowflake customer passwords found online linked to information-stealing malware

Cloud data analytics company Snowflake is at the center of a recent series of alleged data thefts, as its corporate clients struggle to understand whether their cloud data stores have been compromised.

The Boston-based data giant helps some of the largest global corporations, including banks, healthcare providers and technology companies, store and analyze their large amounts of data, such as customer data, in the cloud.

Last week, Australian authorities raised the alarm, saying that they had learned of “successful compromises of several companies using Snowflake environments,” without naming the companies. The hackers had claimed on a well-known cybercrime forum that they had stolen hundreds of millions of customer records from Banco Santander and Ticketmaster, two of Snowflake’s largest clients. Santander confirmed a breach of a database “hosted by a third-party provider,” but would not name the provider in question. On Friday, Live Nation confirmed that its Ticketmaster subsidiary was hacked and that the stolen database was hosted on Snowflake.

Snowflake acknowledged in a short statement that it was aware of “potentially unauthorized access” to a “limited number” of customer accounts, without specifying which ones, but said that it has found no evidence of a direct breach of its own systems. Rather, Snowflake called it a “campaign targeting users with single-factor authentication” and said that the hackers used “previously purchased or obtained information-stealing malware,” which is designed to extract a user’s saved passwords from their computer.

Despite the sensitive data that Snowflake stores for its customers, Snowflake allows each customer to manage the security of their environments and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake client documentation. Not enforcing the use of MFA appears to be how cybercriminals allegedly obtained large amounts of data from some of Snowflake’s customers, some of whom set up their environments without the additional security measure.

Snowflake admitted that one of its own “demo” accounts was compromised because it was not protected beyond a username and password, but claimed that the account “contained no sensitive data.” It is unclear if this stolen demo account has any role in the recent leaks.

TechCrunch this week has seen hundreds of purported Snowflake customer credentials available online for cybercriminals to use as part of hacking campaigns, suggesting the risk of Snowflake customer accounts being compromised may be much broader than previously thought.

The credentials were stolen using data-stealing malware that infected the computers of employees who have access to their employer’s Snowflake environment.

Some of the credentials seen by TechCrunch appear to belong to employees of companies known to be Snowflake customers, including Ticketmaster and Santander, among others. Employees with access to Snowflake include database engineers and data analysts, some of whom reference their experience with Snowflake on their LinkedIn pages.

For its part, Snowflake has told customers to immediately activate MFA for their accounts. Until then, Snowflake accounts that don’t enforce the use of MFA for login leave their stored data at risk of being compromised by simple attacks like password theft and reuse.

How we verify data

A source with knowledge of cybercriminal operations pointed TechCrunch to a website where potential attackers can search lists of credentials that have been stolen from various sources, such as infostealer malware running on someone’s computer or collected from previous data breaches. (TechCrunch is not linking to the site where the stolen credentials are available so as not to help bad actors.)

In total, TechCrunch has seen more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for the corresponding Snowflake environments.

The exposed credentials appear to belong to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public freshwater supplier and others. We’ve also seen exposed usernames and passwords that supposedly belong to a former Snowflake employee.

TechCrunch is not naming the former employee because there is no evidence he did anything wrong. (Ultimately, it is the responsibility of Snowflake and its customers to implement and enforce security policies that prevent intrusions resulting from the theft of employee credentials.)

We do not test stolen usernames and passwords because doing so would violate the law. As such, it is unknown if the credentials are currently in active use or if they directly led to account compromises or data thefts. Instead, we work to verify the authenticity of exposed credentials in other ways. This includes checking the individual login pages of the Snowflake environments that were exposed by the infostealing malware, which were still up and online at the time of writing.

The credentials we’ve seen include the employee’s email address (or username), their password, and the unique web address to log into their company’s Snowflake environment. When we checked the web addresses of Snowflake environments, often made up of random letters and numbers, we found that the Snowflake customer login pages listed are publicly accessible, even if they are not searchable online.

TechCrunch confirmed that the Snowflake environments correspond to the companies whose employee logins were compromised. We were able to do this because each login page we reviewed had two separate options for logging in.

One way to log in is based on Okta, a single sign-on provider that allows Snowflake users to log in with their own company’s corporate credentials using MFA. In our checks, we found that these Snowflake login pages redirected to the Live Nation (for Ticketmaster) and Santander login pages. We also found a set of credentials belonging to a Snowflake employee, whose Okta login page still redirects to an internal Snowflake login page that no longer exists.

The other Snowflake login option allows the user to log in with only their Snowflake username and password, unless the corporate customer enforces MFA on the account, as detailed in Snowflake’s own support documentation. It is these username-and-password credentials that appear to have been stolen by information-stealing malware from employees’ computers.
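For an administrator who wants to know whether their own Snowflake account is exposed to exactly this kind of password-only login, the following queries are an added example (written for this edit, not code from the article or from Snowflake) of how to audit and then close that gap. They run against the SNOWFLAKE.ACCOUNT_USAGE views, which exist in every account but lag live activity by up to a couple of hours. The user name, the IP range and the policy names are placeholders, and the authentication-policy statements at the end assume an account where authentication policies are available.

```sql
-- Added example: audit and hardening for password-only Snowflake logins.
-- Run with ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database.
-- ACCOUNT_USAGE views lag live data by up to ~2 hours; use SHOW USERS for a real-time view.

-- 1. Users who hold a password and are not enrolled in Snowflake's built-in (Duo) MFA.
--    DISABLED and EXT_AUTHN_DUO are VARIANT in this view, hence the casts.
SELECT name,
       email,
       has_password,
       ext_authn_duo::BOOLEAN              AS mfa_enrolled,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  COALESCE(ext_authn_duo::BOOLEAN, FALSE) = FALSE
  AND  COALESCE(disabled::BOOLEAN, FALSE) = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Every successful login in the last 30 days that used a password with no second factor.
--    FIRST/SECOND_AUTHENTICATION_FACTOR are recorded per login event; IS_SUCCESS is 'YES'/'NO'.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  is_success = 'YES'
ORDER  BY event_timestamp DESC;

-- 3. Same window, summarised per user. A credential replayed from a stolen infostealer log
--    typically shows up as a burst of logins from IPs and client types the user never used before.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  is_success = 'YES'
GROUP  BY user_name
ORDER  BY distinct_ips DESC, password_only_logins DESC;

-- 4. Containment for a user whose credentials are known to be in a stealer log
--    ("data_analyst_1" is a placeholder). Disabling the user ends its ability to open new sessions.
ALTER USER "data_analyst_1" SET DISABLED = TRUE;

-- 5. Hardening. A network policy limits where logins may originate; 203.0.113.0/24 is
--    documentation address space standing in for corporate egress ranges.
CREATE NETWORK POLICY corp_egress_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 6. Force human users through the SSO (Okta/SAML) path so a bare password is never enough.
--    Assumes authentication policies are available on the account. Service accounts that
--    authenticate with key pairs need a separate user-level policy allowing 'KEYPAIR'.
CREATE AUTHENTICATION POLICY sso_only AUTHENTICATION_METHODS = ('SAML');
ALTER ACCOUNT SET AUTHENTICATION POLICY sso_only;
```

Queries 1 and 2 answer different questions and are worth running together: a user can be MFA-enrolled and still appear in query 2 if the enrolment happened after the login, and a user can be absent from query 2 simply because they have not logged in recently. Apply steps 5 and 6 only after inventorying service accounts, since a network policy or SAML-only policy applied at account level will also cut off pipelines that connect with passwords from outside the allowed ranges.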

It’s unclear exactly when the employees’ credentials were stolen or how long they were online.

There is some evidence to suggest that several employees with access to their company’s Snowflake environments had their computers previously compromised by data-stealing malware. According to a check by breach reporting service Have I Been Pwned, several of the corporate email addresses used as usernames to access Snowflake environments were found in a recent data dump containing millions of stolen passwords extracted from several Telegram channels used to share stolen passwords.

Snowflake spokesperson Danica Stanczak declined to answer specific questions from TechCrunch, including whether any of its customer data was found in the Snowflake employee’s demo account. In a statement, Snowflake said it is “suspending certain user accounts where there are strong indicators of malicious activity.”

Snowflake added: “Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users.” The spokesperson said Snowflake was “considering all options for enabling MFA, but we have not finalized any plans at this time.”

When reached by email, Live Nation spokesperson Kaitlyn Henrich had no comment by press time.

Santander did not respond to a request for comment.

Lack of MFA resulted in huge breaches

Snowflake’s response so far leaves many questions unanswered and exposes a number of companies that are not taking advantage of the benefits that MFA security provides.

What is clear is that Snowflake bears at least some responsibility for not requiring its users to turn on the security feature, and is now bearing the brunt of it, along with its customers.

The Ticketmaster data breach reportedly affects more than 560 million customer records, according to the cybercriminals advertising the data online. (Live Nation declined to comment on how many customers are affected by the breach.) If confirmed, it would be the largest U.S. data breach so far this year, and one of the largest in recent history.

Snowflake is the latest in a series of high-profile security incidents and major data breaches caused by the lack of MFA.

Last year, cybercriminals scraped around 6.9 million customer records from 23andMe accounts that were not protected by MFA, leading the genetic testing company, and its competitors, to require users to enable MFA by default to prevent a repeat attack.

And earlier this year, health technology giant Change Healthcare, owned by UnitedHealth, admitted that hackers broke into its systems and stole huge amounts of sensitive health data from a system not protected by MFA. The health giant has not yet said how many people had their information compromised, but said it is likely to affect a “substantial proportion of people in the United States.”


Do you know more about Snowflake account intrusions? Get in touch. To contact this reporter, reach out via Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.