The fallout from compromised Snowflake customer databases is growing as reports surface of additional businesses impacted by massive data theft.
At least four major companies are now reportedly exposed by cyberattacks involving the theft of corporate information stored on Snowflake database environments.
Threat analysts have uncovered evidence linking these attacks to the spree of identity-based intrusions Snowflake first disclosed on Friday. However, direct links between the victims and Snowflake’s data warehouse environments remain unconfirmed.
Pressure is mounting on Snowflake and its customers during a busy week for the cloud-based data warehouse and analytics vendor. Snowflake’s Data Cloud Summit kicked off in San Francisco on Monday and the company did not address or publicly comment on the identity-based attacks targeting its customers during the event.
Worries abound as more major businesses are likely impacted by attacks targeting Snowflake customer environments.
“A threat actor likely obtained access to multiple organizations’ Snowflake tenants by using credentials stolen by infostealing malware,” Mandiant Consulting CTO Charles Carmakal told Cybersecurity Dive last week.
Snowflake declined to say how many customers are impacted, but previously described it as a “limited number of Snowflake customers.”
“We have been communicating with our customers about how to best protect themselves, including enabling multifactor authentication and network access policies,” Snowflake CISO Brad Jones said Wednesday in a statement provided to Cybersecurity Dive.
“Snowflake is also suspending certain user accounts where there are strong indicators of malicious activity. We have also been incrementally blocking IP addresses that we have identified and have a high confidence level that are associated with the cyber threat,” Jones said.
MFA remains central to Snowflake customer attacks
Thus far, Snowflake has mostly shifted blame to its customers that didn’t use MFA, asserting the attacks were not caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.
“Snowflake is a cloud product and anyone can sign up for an account at any time. If a threat actor obtains customer credentials, they may be able to access the account,” Snowflake said Friday in its initial disclosure.
The company removed these statements from its disclosure when it updated the post Sunday. The company is informing customers it considers impacted as it continues an ongoing investigation with assistance from CrowdStrike and Mandiant.
“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake and the incident response firms said Sunday in a joint statement.
Snowflake does not enforce MFA by default or require its customers to use MFA, according to user documentation.
“Snowflake supports MFA via Duo Security service and strongly recommends that all users enable MFA, particularly those with account administrator privileges,” Jones said.
“Under Snowflake’s shared responsibility model, customers are responsible for enforcing MFA with their users,” Jones said. “We are considering all options for MFA enablement, but we have not finalized any plans at this time.”
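As an added illustration of the two controls named above, MFA enrollment and network access policies, the following Snowflake SQL is not from the article or from Snowflake itself; it audits which users can still log in with a password alone and shows how a network policy is applied. It assumes the ACCOUNT_USAGE view and column names as documented for Snowflake accounts, and the IP ranges and the user name are placeholders.

```sql
-- Added example (not from the article or from Snowflake): audit queries and a
-- network policy for the controls the article names, MFA and network access
-- policies. View/column names are Snowflake ACCOUNT_USAGE ones as documented;
-- the IP ranges and the user name are placeholders to replace.

-- 1. Active users who can authenticate with a password but are not enrolled
--    in Duo MFA. ACCOUNT_USAGE views lag live account state by up to ~2 hours.
SELECT name, login_name, last_success_login, has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins over the last 7 days, with source IP and
--    client type, so single-factor sessions from unexpected addresses or
--    unfamiliar clients stand out during triage.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'                       -- stored as the string YES/NO
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Restrict where logins may originate. Apply to a single user first and
--    verify your own address is in the list: an account-level policy that
--    omits it locks the administrators out too.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')  -- placeholder ranges
  COMMENT = 'Corporate egress and VPN only';

ALTER USER svc_reporting SET NETWORK_POLICY = corp_only;  -- placeholder user
-- Once validated, enforce for the whole account:
-- ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Query 1 gives the enrollment gap the vendor's guidance points at; query 2 is the detection view of the same gap, since a password-only login from outside the corporate ranges is exactly what a stolen credential looks like before a network policy is in place.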