
In response to the recent security breach, Snowflake has implemented several measures to secure its customers' accounts and prevent future incidents. Some of the key response measures include:
Enabling Multi-Factor Authentication (MFA): Snowflake has advised all its customers to enforce MFA on all accounts to add an additional layer of security, making it more challenging for unauthorized access to occur.
Reviewing Indicators of Compromise (IoCs): Snowflake has provided customers with IoCs and recommended investigating any suspicious activity linked to these indicators, including access from suspicious IP addresses and client applications.
Disabling Suspicious Users: Snowflake has recommended immediately disabling any users who show unusual activity or are suspected of being compromised.
Resetting Credentials: For any users or accounts that might have been exposed, Snowflake has advised customers to reset their credentials to prevent further unauthorized access.
Monitoring Executed Queries: Snowflake has recommended regularly reviewing query logs, especially for queries that access external locations or could expose sensitive data.
Analyzing Sessions for Unusual Applications: Snowflake has also suggested examining active sessions for non-standard applications or tools that might indicate a breach.
Additionally, Snowflake has provided guidelines for detecting and preventing unauthorized access, which include setting up network policies at both the account and user levels, reviewing account parameters, monitoring configuration changes, and authenticating service accounts securely. The company has also engaged cybersecurity firms CrowdStrike and Mandiant for incident response and has been actively cooperating with law enforcement and regulatory authorities.
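As an added illustration of the triage and hardening steps listed above (not Snowflake's own published queries), the following Snowflake SQL runs the IoC, single-factor login, client application and query review against the SNOWFLAKE.ACCOUNT_USAGE views and then applies the containment and network policy controls. The IP addresses, user names and client allowlist are placeholders, not real indicators.

```sql
-- Assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- All IPs, user names and client names below are placeholders.

-- 1. Logins from suspected IPs, or password-only logins with no second factor.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (client_ip IN ('203.0.113.10', '198.51.100.25')          -- placeholder IoC IPs
       OR (first_authentication_factor = 'PASSWORD'
           AND second_authentication_factor IS NULL))            -- single-factor auth
ORDER BY event_timestamp DESC;

-- 2. Sessions opened by client applications outside the expected set.
SELECT s.created_on, s.user_name, s.client_application_id,
       s.client_application_version, l.client_ip
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  NOT (s.client_application_id ILIKE ANY ('SnowSQL%', 'PythonConnector%'))  -- placeholder allowlist
ORDER BY s.created_on DESC;

-- 3. Queries that unload data to an external stage or location.
SELECT start_time, user_name, session_id, query_type, LEFT(query_text, 200) AS query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (query_type = 'UNLOAD' OR query_text ILIKE '%COPY INTO%@%')
ORDER BY start_time DESC;

-- 4. Containment: disable a suspected user and force a credential reset.
ALTER USER suspect_user SET DISABLED = TRUE;      -- placeholder user
ALTER USER suspect_user RESET PASSWORD;           -- issues a reset link for the user

-- 5. Hardening: restrict source IPs at account and user level, then verify.
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('192.0.2.0/24');  -- placeholder range
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
ALTER USER etl_service SET NETWORK_POLICY = corp_only;              -- placeholder service account
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 6. Service accounts: move from passwords to key-pair authentication.
ALTER USER etl_service SET RSA_PUBLIC_KEY = '<placeholder public key>';
ALTER USER etl_service UNSET PASSWORD;
```

Network policy changes take effect for new sessions; existing sessions should be reviewed separately with the session query above.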

The hackers gained access to Snowflake customer accounts by using stolen login details. These credentials were obtained through infostealing malware, which is designed to pull usernames and passwords from compromised devices. The attackers targeted users with single-factor authentication, leveraging the stolen credentials to access the Snowflake accounts.

Snowflake initially reported that a "limited number" of customer accounts had been accessed by hackers using stolen login details. The exact number of affected accounts has not been disclosed.