The Snowflake Breach

Jun 18, 2024, by Dion

A hack targeting customers of the cloud storage company Snowflake could become one of the largest data breaches ever. Last week, Snowflake, which provides data storage solutions for businesses, disclosed that criminal hackers had attempted to access its customers’ accounts using stolen login credentials. Data breaches involving Ticketmaster and Santander have been linked to these attacks.

Since Snowflake initially reported that a "limited number" of customer accounts had been accessed, cybercriminals have claimed to be selling stolen data from two other major firms, alleging that the information was taken from Snowflake accounts. TechCrunch has reported that hundreds of Snowflake customer passwords have been found online, accessible to cybercriminals.

The extent and nature of the attack on Snowflake customers remain uncertain, as do the identity of the attackers and how a malicious tool named "rapeflake" operates. The incident highlights the growing use of infostealer malware and the importance of enabling multifactor authentication to keep stolen credentials from being enough to take over an account.

Much of the Snowflake drama has unfolded on the cybercrime marketplace BreachForums. Although the FBI seized the forum in mid-May, a new version quickly emerged, with its owners, the hacker group ShinyHunters, claiming to sell 560 million records from Ticketmaster and 30 million from Santander. Both companies have confirmed data breaches: Ticketmaster directly linked the incident to Snowflake, while Santander reported unauthorized access to a database hosted by a third-party provider. Neither company has disclosed the size of the breaches.

Recently, a BreachForums user named Sp1d3r claimed that the Snowflake incident also involved data from Advance Auto Parts, with 380 million customer details, and financial services company LendingTree and its subsidiary QuoteWizard, with data linked to 190 million people.

Sample data posted by the hacker appears to include legitimate email addresses of Advance Auto Parts staff and customers. WIRED sent emails to these addresses, and none were rejected. BleepingComputer has verified customer data from Advance Auto Parts.

“We are aware of reports that Advance may be involved in a security incident related to Snowflake,” said Darryl Carr, a spokesperson for the company. “We are investigating the matter and do not have further information to share at this time. We have not experienced any impact on our operations or systems.”

Neither LendingTree nor Advance Auto Parts has filed breach notifications with the Securities and Exchange Commission. Both companies have been listed as Snowflake customers. Little is known about the Sp1d3r account on BreachForums, and it is unclear whether ShinyHunters obtained the data directly from Snowflake accounts or another source. Information about the Ticketmaster and Santander breaches was initially posted on another cybercrime forum by a user named SpidermanData.

The Sp1d3r account listed 2 terabytes of alleged LendingTree and QuoteWizard data for sale at $2 million and 3 terabytes of data from Advance Auto Parts for $1.5 million. “The price set by the threat actor appears extremely high for a typical listing on BreachForums,” said Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest.

Morgan noted that the legitimacy of Sp1d3r is uncertain. However, the user’s profile picture references the teenage hacking group Scattered Spider, suggesting a possible connection.

As always, here is the link to the original reporting in case you want to delve deeper:

Wired.com