Several companies have been significantly affected by the recent security breach involving Snowflake, in which a financially motivated threat actor is suspected to have stolen a large volume of records from Snowflake customer environments. The incident originated from a victim's Snowflake instance that was accessed with credentials previously stolen via infostealer malware. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled. The compromised customer data included customer credentials and access tokens, which were then misused to breach multiple other Snowflake customers. Numerous high-profile companies, including Ticketmaster, Advance Auto Parts, and Santander Bank, were among the affected customers.
Impact of the Breach
The Snowflake breach has had a profound impact on various organizations. By accessing customer data through stolen credentials, attackers generated new session tokens and accessed vast amounts of data without detection.
- Ticketmaster: Notified of unauthorized access to sensitive data.
- Advance Auto Parts: Encountered data theft, with stolen information being offered for sale on dark web platforms.
- Santander Bank: Suffered financial and reputational harm due to compromised customer data.
- Hugging Face, QuoteWizard: Also disclosed breaches, suggesting that more organizations are likely to report similar incidents.
Elevate Your Snowflake Account Security Posture
The incident has emphasized the need for elevated security posture and proactive data security measures. It is an enterprise’s shared responsibility to take proactive security measures to safeguard its valuable data. TrustLogix has been helping Snowflake customers increase the security posture of Snowflake accounts for many years.
In line with the recommendations Snowflake publishes on its website, the TrustLogix data security platform monitors human user accounts for MFA enrollment and machine-to-machine service accounts for key-pair or OAuth authentication. It also monitors network security policies, data exfiltration, inactive users, and ineffective or unused roles that may expose data. As an example, the screen captures below show how TrustLogix monitors MFA and network policies as part of its platform.
TrustLogix Monitoring Policy Setup to Monitor Non-MFA Users
TrustLogix Policy Alert on User without MFA Enabled
TrustLogix Policy Alert on Network Policies
Additionally, enterprises can take other measures to protect their data, such as:
- Enable MFA for human users and Key-Pair or OAuth authentication for service accounts.
- Regularly rotate account credentials to mitigate the risk of unauthorized access via compromised credentials.
- Utilize network allow lists to control access and reinforce the perimeter defense against external threats.
- Monitor usage of shadow IT tools to avoid data exfiltration.
- Educate users on security best practices to raise awareness and foster a culture of security vigilance.
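The checks described above (MFA on human users, key-pair authentication on service accounts, network policies, inactive users) and the hardening steps in the list can be expressed directly in Snowflake SQL. The script below is an added example written for this article; it is not TrustLogix's or Snowflake's own code. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE views, a constructed naming convention in which service accounts are named SVC_%, and placeholder values for the IP ranges, user names, and public keys in the remediation statements.

```sql
-- Added example (not TrustLogix's or Snowflake's own code): audit and hardening
-- statements for a Snowflake account. Run as ACCOUNTADMIN or a role granted
-- IMPORTED PRIVILEGES on the SNOWFLAKE database. ACCOUNT_USAGE views lag live
-- state by up to a few hours, so treat these as periodic checks, not controls.
-- Assumption (constructed convention): service accounts are named SVC_%;
-- every other user is treated as a human user.

-- 1. Human users that can still log in with a password and have no MFA.
SELECT name, has_password, has_mfa, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND name NOT LIKE 'SVC_%'
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Service accounts that still hold a password instead of (or alongside)
--    a key pair; a leaked password alone is enough to impersonate them.
SELECT name, has_password, has_rsa_public_key, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND name LIKE 'SVC_%'
  AND (has_rsa_public_key = FALSE OR has_password = TRUE);

-- 3. Successful logins in the last 30 days that used only a password
--    (no second factor, no key pair, no OAuth or SAML). This is the footprint
--    an infostealer-sourced credential would leave; many distinct source IPs
--    for one account is worth a closer look.
SELECT user_name,
       first_authentication_factor,
       COUNT(*)                  AS logins,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2
ORDER BY distinct_ips DESC, logins DESC;

-- 4. Inactive users: no successful login in 90 days, or never.
SELECT name, created_on, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

-- 5. Is an account-level network allow list in force, and what policies exist?
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW NETWORK POLICIES;

-- 6. Remediation. IP ranges, user names and keys below are placeholders.
CREATE NETWORK POLICY IF NOT EXISTS corp_allow_list
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')  -- placeholder corporate egress ranges
  COMMENT = 'Only corporate egress ranges may reach this account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_allow_list;

-- Move a service account to key-pair authentication, then remove its password
-- so a stolen password can no longer be used for it.
ALTER USER svc_etl_loader SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...';  -- placeholder public key
ALTER USER svc_etl_loader UNSET PASSWORD;

-- Rotate the key pair without downtime: install the new key in the second
-- slot, switch clients to the new private key, then drop the old public key.
ALTER USER svc_etl_loader SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...';  -- placeholder new public key
ALTER USER svc_etl_loader UNSET RSA_PUBLIC_KEY;

-- Disable an inactive user until an owner confirms the account is still needed.
ALTER USER stale_analyst SET DISABLED = TRUE;
```

Queries 1 through 4 are the monitoring side: schedule them (for example as a Snowflake task that writes results to an alerts table) so that a newly created password-only user or a service account that quietly regains a password surfaces within hours rather than at the next manual review. The remediation statements in section 6 are one-time changes; apply the network policy to a test user with ALTER USER ... SET NETWORK_POLICY before setting it at account level, since a wrong allow list locks out every user, including the administrator making the change.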
The TrustLogix team is here to help strengthen your security defenses. Contact us to reinforce your security posture and fulfill the shared security responsibility. Get a free data security assessment on your Snowflake accounts by registering for a free 90-day data protection service.