Snowflake denies miscreants melted its security to steal data from top customers

Infosec analysts at Hudson Rock believe Snowflake was compromised by miscreants who used that intrusion to steal data on hundreds of millions of people from Ticketmaster, Santander, and potentially other customers of the cloud storage and analytics provider. Snowflake denies its security was defeated. This week one or more …

  1. Joe Dietz

    Okta and MFA have nothing to do with it.

    If you have a renewable token with access to things... that is a post-authentication token. It's a shared secret between you and whatever API honors it. If I as an attacker happen to read it out of your browser's session data... (which is exactly what an info stealer like Lumma stealer, which is the specific variant cited here, does) I have the exact same access as you do, and if it's renewable, I can get new tokens just as easily. Info stealers aren't after your passwords as much, because to use them they need to also defeat MFA... but who needs a password if you already have access with a token?

    1. diodesign (Written by Reg staff) Silver badge

      Pass the popcorn

      We have a feeling there's more to come on this saga, especially regarding the storage source of the stolen data and how that info was obtained.

      C.
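A defender-side illustration of the point Joe Dietz makes above: once a post-authentication token is copied out of a browser profile, MFA is no longer in the picture, so the question becomes how little a copied token is worth. The following is an added example, not code from the original thread, Snowflake, Okta or any vendor; the fingerprint strings, TTLs and the `TokenService` class are assumptions made for illustration. It combines three standard mitigations: short access-token lifetimes, binding a token to the client it was issued to, and one-time refresh tokens where a replay of an already-rotated token revokes the whole session family.

```python
"""Session tokens that limit what a copied token is worth: short-lived access tokens,
client binding, and one-time refresh tokens whose reuse revokes the whole session family.
Constructed example; nothing here is Snowflake, Okta or any vendor's implementation."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    family: str        # every token descended from one login shares a family id
    client_fp: str     # fingerprint of the client the token was issued to (assumed: UA + network hash)
    expires_at: float


class TokenService:
    ACCESS_TTL = 15 * 60           # a copied access token is useful for minutes, not days
    REFRESH_TTL = 24 * 60 * 60

    def __init__(self, now=time.time):
        self._now = now
        self._access = {}          # sha256(token) -> Grant
        self._refresh = {}         # sha256(token) -> Grant  (live, not yet rotated)
        self._consumed = {}        # sha256(refresh token) -> family  (already rotated away)
        self._revoked_families = set()

    @staticmethod
    def _h(token: str) -> str:
        # store only hashes so a dump of this table is not itself a token store
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, family, client_fp):
        now = self._now()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[self._h(access)] = Grant(user, family, client_fp, now + self.ACCESS_TTL)
        self._refresh[self._h(refresh)] = Grant(user, family, client_fp, now + self.REFRESH_TTL)
        return access, refresh

    def login(self, user, client_fp):
        # MFA would happen here; everything after this point is what a stolen token inherits
        return self._issue(user, secrets.token_hex(8), client_fp)

    def _live(self, grant, client_fp):
        return (grant is not None
                and grant.family not in self._revoked_families
                and grant.expires_at > self._now()
                and grant.client_fp == client_fp)

    def authorize(self, access_token, client_fp):
        grant = self._access.get(self._h(access_token))
        return grant.user if self._live(grant, client_fp) else None

    def refresh(self, refresh_token, client_fp):
        h = self._h(refresh_token)
        if h in self._consumed:
            # A rotated-away token is being replayed: someone holds a copy of a token the
            # legitimate client already exchanged. Revoke the whole family, which also
            # invalidates whatever the other holder obtained from it.
            self._revoked_families.add(self._consumed[h])
            return "reuse-detected", None, None
        grant = self._refresh.get(h)
        if not self._live(grant, client_fp):
            return "denied", None, None
        del self._refresh[h]
        self._consumed[h] = grant.family
        access, refresh = self._issue(grant.user, grant.family, client_fp)
        return "ok", access, refresh


def stolen_token_scenario():
    """Walk through the scenario from the thread: an infostealer copies a browser's tokens."""
    svc = TokenService()
    access, refresh = svc.login("alice", "fp-alice-laptop")
    stolen_access, stolen_refresh = access, refresh      # copied out of the browser profile
    r = {}
    r["attacker_access"] = svc.authorize(stolen_access, "fp-attacker-box")   # binding mismatch
    r["user_access"] = svc.authorize(access, "fp-alice-laptop")
    # Fingerprints can be spoofed, so assume the thief presents a matching one and rotates first.
    status, thief_access, _ = svc.refresh(stolen_refresh, "fp-alice-laptop")
    r["attacker_refresh"] = status
    r["attacker_rotated_access"] = svc.authorize(thief_access, "fp-alice-laptop")
    # The real client later presents its (now stale) refresh token.
    status, _, _ = svc.refresh(refresh, "fp-alice-laptop")
    r["user_refresh"] = status
    # Reuse detection revoked the family, which cuts the thief's fresh tokens off too.
    r["attacker_after_reuse"] = svc.authorize(thief_access, "fp-alice-laptop")
    return r


if __name__ == "__main__":
    for k, v in stolen_token_scenario().items():
        print(f"{k}: {v}")
```

The scenario deliberately lets the thief spoof the client fingerprint, because binding alone is a speed bump; the part that actually ends the intrusion is that the legitimate browser eventually presents its stale refresh token, the replay is detected, and the family is revoked. The cost is that the real user is logged out and has to re-authenticate, which is exactly the signal a SOC wants to see.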

  2. myxiplx2

    Did they actually deny it?

    The wording of Snowflake's response doesn't actually state the claims are false. For example, they state there's no vulnerability or breach of their *product*.

    The claim isn't that their product was breached, but their internal systems. It's a long rebuttal, but there are loopholes in their wording, I feel there's more to come here.

    1. diodesign Silver badge

      Re: Did they actually deny it?

      Snowflake is a publicly traded company, so their response is going to be painfully worded. But it has, simply put, denied it was compromised directly, leading to the theft of data, and instead suggested its customers may have been individually pwned by losing control of their own credentials.

      Still not a great look either way. This situation is ongoing.

      C.

      1. Anonymous Coward

        Re: Did they actually deny it?

        This Hudson Rock blog post is fake news. For anybody even remotely familiar with Snowflake technology, it is immediately apparent that this is a fake.

        In other places on the net there are references to a hack tool named rapeflake, which looks like a script to change source IPs and try to log in to some of the public (trial) Snowflake URLs with some common usernames and passwords. Mitigation to this "hacking tool"? Change password and use MFA.

        Come on... Do not feed trolls like that. Learn how to ignore fake news. Learn. Read.

        1. diodesign (Written by Reg staff) Silver badge

          FYI...

          Hudson Rock has withdrawn its report, so we're doing a follow-up.

          C.

  3. sitta_europea Silver badge

    I think it's time people who use weasel words were called out for that.

    And called out, especially, by their customers, who as a direct result of the weasel words suffer more than they already have.

    What's needed here is openness and plain speech.

    Vote with your wallet, folks.

    1. Phil O'Sophical Silver badge

      Vote with your wallet, folks.

      People do, they buy the cheapest stuff they can and are then surprised when it turns out to be insecure crap.

    2. TReko Silver badge

      The people affected aren't Ticketmaster or Snowflake, so why should these two companies care much?

      Ticketmaster's customers had little or no choice in using them. All they can hope for after they've had their ID stolen is a bad credit record and maybe $0.50 when the class action gets settled in 2029.

    3. Anonymous Coward

      Remind me how well that worked with RSA keys... the lesson is weaseling works.

  4. IGotOut Silver badge

    Any chance

    Ticketmaster get fined so hard they go bankrupt? Please, pretty please...

    1. dinsdale54

      Re: Any chance

      Think how much the fine will be after the admin fee is added!

      1. Guido Esperanto

        Re: Any chance

        ...and if the issuing org has many fines to issue, it should increase the fines to reflect the demand.

  5. yoganmahew

    What do they do?

    It seems Snowflake offers analytical tools, but it is unclear; even the Wikipedia page says so:

    https://en.wikipedia.org/wiki/Snowflake_Inc.

    "In particular, it is unclear what the company actually does."

    From Snowflake's site, it appears to be a plausible deniability function, allowing companies to outsource sharing of customer and employee data to third parties (e.g. selling to advertisers), presumably under the "partners" catch-all.

    https://www.snowflake.com/en/why-snowflake/

    "The AI Data Cloud enables an organization’s most critical workloads, including seamless data collaboration within an organization; across its business units; with its ecosystem of partners, suppliers, and customers; and between any combination of the thousands of AI Data Cloud customers and Snowflake Marketplace providers. The opportunity to securely share and access governed data, tools, applications, other technologies, and data services– while preserving privacy– creates a near-endless combination of strategies and solutions to advance any organization’s business. Snowflake’s security and governance features were baked into the platform from day one, including end-to-end data encryption in transit and at rest."

    Why are all these databases on employees shipped over to Snowflake?

    Why did DLP not trigger? https://www.snowflake.com/guides/data-loss-protection-modern-cloud Snowflake claims to have it...

    Where is the GDPR opt-out? Did anyone at Ticketmaster get the option to not have their data shared with Snowflake?

    Where is the access limitation? Surely a single authorized user can't download everything in a corporate instance in Snotflake? (As if I didn't already know the answer...).

    1. Kevin McMurtrie Silver badge

      Re: What do they do?

      Yep, it's a big database. Say you have 2 antiquated databases that will drop dead from a single gust of wind, plus 40 disorganized microservice databases. You can't query that for analytics and marketing. You write scripts to extract data updates, convert the format, and send it to Snowflake. ETL scripts: extract, transform, load. Now it's all on a system optimized for analytics queries.

      If your company is handling data correctly, you drop all personal data in the ETL scripts. You send only IDs that you need to correlate everything for your analytics. This means Snowflake and your analytics departments can dig through all the data all they want without any privacy issues. If customers need to be contacted, it can be through a secured/restricted system that looks up the IDs.

      1. Doctor Syntax Silver badge

        Re: What do they do?

        If your company is handling data correctly, you drop all personal data in the ETL scripts.

        There's that word again: "if".

        Doing it properly takes time and time is money.
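The ETL discipline Kevin McMurtrie describes above (drop personal data in the transform step, ship only IDs that the analytics side can correlate, keep the lookup in a restricted system) is concrete enough to show in code. What follows is an added example, not Snowflake's, Ticketmaster's or any commenter's code; the column names, sample rows and the `cust_token` surrogate are constructed for illustration. The one design detail worth noticing is that the surrogate is an HMAC under a key that never leaves the source side, rather than a bare hash, because sequential customer IDs are trivially enumerated if the hash is unkeyed.

```python
"""ETL transform that drops direct identifiers and replaces the customer key with a
keyed surrogate before rows leave the source system. Constructed example (not Snowflake's
or Ticketmaster's code); column names and rows are made up for illustration."""
import hashlib
import hmac
import re

# Constructed source rows, as an ETL job might read them from the transactional database.
SOURCE_ROWS = [
    {"customer_id": 1001, "name": "Jane Doe", "email": "jane@example.com", "dob": "1990-04-01",
     "card_last4": "4242", "event": "Stadium Tour", "spend": 120.0, "city": "Leeds"},
    {"customer_id": 1002, "name": "John Roe", "email": "john@example.com", "dob": "1985-11-23",
     "card_last4": "1881", "event": "Arena Night", "spend": 85.5, "city": "Madrid"},
    {"customer_id": 1001, "name": "Jane Doe", "email": "jane@example.com", "dob": "1990-04-01",
     "card_last4": "4242", "event": "Arena Night", "spend": 60.0, "city": "Leeds"},
]

# Allowlist of columns permitted in the analytics copy. An allowlist rather than a
# denylist, so a PII column added to the source later does not flow through by default.
ANALYTICS_COLUMNS = ("event", "spend", "city")
DIRECT_IDENTIFIERS = ("name", "email", "dob", "card_last4", "customer_id")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def surrogate_id(customer_id, key: bytes) -> str:
    # HMAC, not a plain hash: customer IDs are small integers, so an unkeyed SHA-256 of
    # them is reversed by enumerating the ID space. The key stays on the source/restricted
    # side and is never shipped with the data.
    return hmac.new(key, str(customer_id).encode(), hashlib.sha256).hexdigest()[:32]


def transform(rows, key: bytes):
    """The 'T' in ETL: keep only allowlisted columns plus the surrogate."""
    out = []
    for row in rows:
        clean = {col: row[col] for col in ANALYTICS_COLUMNS if col in row}
        clean["cust_token"] = surrogate_id(row["customer_id"], key)
        out.append(clean)
    return out


def leaked_identifiers(rows):
    """Gate before load: report any direct-identifier column or email-shaped value
    that survived the transform. Empty set means the batch may be shipped."""
    found = set()
    for row in rows:
        for col, val in row.items():
            if col in DIRECT_IDENTIFIERS:
                found.add(col)
            if isinstance(val, str) and EMAIL_RE.search(val):
                found.add(f"email-in:{col}")
    return found


def build_resolver(rows, key: bytes):
    """Token -> customer_id index, computed and held only by the restricted system that
    is allowed to contact customers; the analytics platform never receives it."""
    return {surrogate_id(r["customer_id"], key): r["customer_id"] for r in rows}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-warehouse"
    batch = transform(SOURCE_ROWS, key)
    assert not leaked_identifiers(batch), "refusing to load: identifiers present"
    for row in batch:
        print(row)
```

With this split, a bulk read of the analytics copy yields event, spend, city and an opaque token per row; turning a token back into a person requires both the HMAC key and a query against the restricted system, which is a separate, auditable access path.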

    2. Gordon 10

      Re: What do they do?

      You seem to have no idea what you are talking about.

      Shipping data to 3rd parties is nothing new... and hasn't been since the first server was offered for rental, and certainly not since the rise of AWS.

      Also there is no requirement to provide an opt out, EVERYONE has sub-processors.

      Snowflake is the same as any database. You can have a single admin account running everything or you can have fine-grained role permissions down to column level; in that case the fact that it's cloud is neither here nor there.

  6. Tron Silver badge

    Generally...

    ...you need more than customer access to a service to hack it, or each and every one of its customers could. The breach is usually further up the food chain.

    Services should be able to spot a large exfiltration of data. It should also be possible for users to program in exactly what would constitute a breach of their data for a service to block it as soon as it is detected.
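Tron's point above, that a service should be able to spot a large exfiltration, and yoganmahew's earlier question about a single authorized user downloading everything, both come down to watching result volumes per principal in the query audit trail. The following is an added example, not Snowflake's code or any product feature; the JSON log format, field names (`ts`, `user`, `rows`, `query`) and the sample records are constructed assumptions. It flags an hour in which a principal returned either more rows than a hard cap or many times its own median hourly volume.

```python
"""Flag abnormally large result volumes per principal in a query audit log.
Constructed example; the log format and field names are assumptions, not any vendor's schema."""
import json
import statistics
from collections import defaultdict

# Constructed sample: one JSON record per completed query. analyst1 normally returns a
# few thousand aggregated rows; svc_report is a nightly job returning ~50k rows.
AUDIT_LOG = [
    '{"ts":"2024-05-29T09:05:00Z","user":"analyst1","rows":1400,"query":"SELECT event, sum(spend) FROM sales GROUP BY 1"}',
    '{"ts":"2024-05-29T10:20:00Z","user":"analyst1","rows":2100,"query":"SELECT city, count(*) FROM sales GROUP BY 1"}',
    '{"ts":"2024-05-29T11:40:00Z","user":"analyst1","rows":900,"query":"SELECT event, avg(spend) FROM sales GROUP BY 1"}',
    '{"ts":"2024-05-29T14:15:00Z","user":"analyst1","rows":1800,"query":"SELECT city, sum(spend) FROM sales GROUP BY 1"}',
    '{"ts":"2024-05-30T03:02:00Z","user":"analyst1","rows":250000,"query":"SELECT * FROM customers"}',
    '{"ts":"2024-05-30T03:10:00Z","user":"analyst1","rows":310000,"query":"SELECT * FROM customer_contacts"}',
    '{"ts":"2024-05-29T08:00:00Z","user":"svc_report","rows":50000,"query":"SELECT * FROM daily_summary"}',
    '{"ts":"2024-05-30T08:00:00Z","user":"svc_report","rows":52000,"query":"SELECT * FROM daily_summary"}',
    '{"ts":"2024-05-30T01:30:00Z","user":"svc_report","rows":560000000,"query":"SELECT * FROM customers"}',
]

HARD_CAP_ROWS = 10_000_000   # no single principal has a business reason to pull this many rows in an hour
BASELINE_FACTOR = 20         # alert when an hour exceeds 20x the principal's own median hourly volume


def parse(lines):
    """Reduce each record to (hour bucket, user, rows); the hour is the first 13 chars of the ISO timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({"hour": rec["ts"][:13], "user": rec["user"], "rows": int(rec["rows"])})
    return events


def hourly_totals(events):
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["hour"])] += e["rows"]
    return totals


def detect_bulk_export(events, hard_cap=HARD_CAP_ROWS, factor=BASELINE_FACTOR):
    totals = hourly_totals(events)
    per_user = defaultdict(list)
    for (user, _hour), rows in totals.items():
        per_user[user].append(rows)
    alerts = []
    for (user, hour), rows in sorted(totals.items()):
        reasons = []
        if rows > hard_cap:
            reasons.append("hard_cap")
        # median (not mean) so the anomalous hour itself does not drag the baseline up
        if rows > factor * statistics.median(per_user[user]):
            reasons.append("baseline")
        if reasons:
            alerts.append({"user": user, "hour": hour, "rows": rows, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(parse(AUDIT_LOG)):
        print(alert)
```

Run over the constructed log, this raises two alerts: analyst1's 03:00 hour (560,000 rows against a median of 1,800) on the baseline rule only, and svc_report's 01:30 hour on both rules. A real deployment would read the warehouse's own query history rather than a list of strings, keep the baseline over a longer window, and pair the volume check with the table names touched, but the shape of the detection is the same.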

  7. ThinkingMonkey

    So security research shows it was highly likely it was Snowflake's fault, the crooks themselves say they got it from Snowflake, but Snowflake says "Hell naw, it wasn't!" It's dizzying. I'm not sure who to believe. The crooks could be lying of course, since they're mad Snowflake wouldn't pay up, but Snowflake has a whole lot of shekels to lose if it looks like they can't be trusted to secure data, so a denial is probably in order, true or not.

    The truth shall be found in a future Register article, of that I have no doubt.

  8. tiggity Silver badge

    worth a read

    As so often, Kevin Beaumont (AKA GossiTheDog) has a good, detailed write-up on this (obv the situation is fast changing in terms of details of exactly what happened, but this is from a day ago; the article itself at the end makes clear it's a developing story, but a good (easy, nothing too technical) read).

    https://doublepulsar.com/snowflake-at-central-of-worlds-largest-data-breach-939fc400912e?gi=74de8871bc0a
