Snowflake customers not using MFA are not unique – over 165 of them have been compromised

An unknown financially motivated crime crew has swiped a "significant volume of records" from Snowflake customers' databases using stolen credentials, according to Mandiant. "To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations," the Google-owned threat hunters wrote on Monday, and …

  1. Lord Elpuss Silver badge

    Sounds like the customers affected deserved anything and everything they got.

    Which doesn't negate the fact that these gangs are scum and should be ejected into space for the benefit of Humanity.

  2. Anonymous Coward

    No real excuse

    I have every account I can protected by 2FA with my trusty Google Authenticator app (other authentication apps are available), and backup passcodes saved into Bitwarden (other password managers are available).

    No security is 100% perfect, but I will settle for an easy x<100% knowing the bad guys will just move on.

  3. KeshLives

    I work for a bank (in IT), and also play some online games, and I find it interesting that I know a LOT more people who have 2FA on their gaming accounts, than people who have 2FA on their banking accounts. And, yes, people will whine about 2FA on their banking accounts endlessly.

    1. Dan 55 Silver badge

      Not the same. People have 2FA on their gaming accounts, while on their bank accounts they are sent a code through SMS, which requires coverage and arrives within 5 seconds to 5 minutes.

      1. Cav Bronze badge

        Never waited more than a few seconds for access to my bank.

        1. Dan 55 Silver badge

          If I don't put the phone in a specific corner of the house, I'm not logging in before the session times out.

          Using SMS for bank security is nonsense, it's susceptible to SIM swapping and malware swiping codes from text messages.

      2. MatthewSt

        Vote with your feet. If your bank requires SMS then move to one that works app-based. More secure, more reliable, and probably a better bank!

        1. hayzoos

          Any suggestions?

          I have not found a bank in the US where I can use its services that uses anything better than SMS. I don't need SMS 2FA, I use the longest password allowed by any service I use, randomly generated, saved to a password manager. These entities implement 2FA because of their low-hanging-fruit customers (password reuse, easy to guess passwords, etc.), not for real security. I keep badgering my bank to implement something better than SMS 2FA, I have FIDO U2F keys, passkeys, software authenticator, heck even email these days is better than SMS.

          I use Bitwarden for my password manager. It supports passkeys, FIDO U2F, and is a software authenticator. Did I mention I use a 48 character randomly generated master password?

          I know, I may seem to be a good target for the effort of cracking my accounts maintaining these high levels of security. I counter that by maintaining a low and even sometimes negative net worth and a poor credit rating.

      3. KeshLives

        Neither my game accounts nor my bank accounts use SMS for auth.

        And I'm never far from my phone. Doesn't mean I live on it, like some it's just near me if it's needed.

  5. Doctor Syntax Silver badge

    If this is an inordinate proportion of breaches of individual accounts rather than a breach of the platform itself it raises the question of what's special about this platform. Is it something used as shadow IT by managers renting time on their company credit card?

    1. Anonymous Coward

      Probably points to lower credential stuffing protection on the platform.

      If I had a list of millions of known usernames / email addresses / passwords that may have been re-used all over the place I'm going to test them against the platforms I can hit the quickest / easiest even if it's not one of the biggest platforms around.

      Even if what is held on the platform turns out to be rubbish it gives me an extra data point against that email/username/password combination that confirms it is being reused across multiple platforms, at which point that becomes one to test as a higher priority against other platforms with more robust protection.

      1. Doctor Syntax Silver badge

        Sigh. I suppose they use email addresses as user IDs which just opens the floodgates to that.

        The best rules for acceptable user IDs would be:

        1. '@' and the sequence 'at' not allowed

        2. Should not end with a sequence recognisable as a TLD name.
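
The Anonymous Coward comment above describes what credential stuffing looks like from the attacker's side: a list of leaked username/password pairs sprayed across whichever platform is quickest to hit, with any success confirming that the pair is reused elsewhere. The defender-side signature of that is the mirror image, and it is not the same as a brute force: one source tries many different usernames, each once or twice, and a small fraction succeed. The detector below is an added example written for this page, not code from the article, from Snowflake, or from any commenter; the log format (`<timestamp> ip=<source> user=<login> result=OK|FAIL`), the sample lines and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detector over an authentication log (added example).

Assumed log format, one event per line (constructed for this example):

    <ISO-8601 timestamp>Z ip=<source ip> user=<login> result=OK|FAIL

The signal is "many distinct usernames from one source inside a short
window, mostly failing", which is what a stuffing run produces, rather
than "many failures for one username", which is what a brute force
produces and what per-account lockout already catches.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one stuffing source (203.0.113.7) that gets one hit,
# one legitimate user who mistypes once, and one clean login.  Not real data.
SAMPLE_LOG = """\
2024-06-03T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-06-03T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-06-03T10:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2024-06-03T10:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2024-06-03T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-06-03T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-06-03T10:01:00Z ip=198.51.100.9 user=grace@example.com result=FAIL
2024-06-03T10:01:05Z ip=198.51.100.9 user=grace@example.com result=OK
2024-06-03T10:02:00Z ip=192.0.2.44 user=heidi@example.com result=OK
"""


def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one odd line stop the whole detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: finding} for sources whose activity looks like stuffing.

    Per source IP, slide a time window over its events and flag it when the
    window holds at least `min_users` distinct usernames and at least
    `min_fail_ratio` of the attempts failed.  The finding keeps the widest
    window seen and lists the usernames that succeeded from that source:
    those are the reused passwords the attacker now knows are live, and the
    accounts to reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) < min_users or fails / len(win) < min_fail_ratio:
                continue
            best = findings.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "confirmed": sorted(u for _, u, ok in win if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} users, {f['failures']}/{f['attempts']} "
              f"failed, successful logins: {f['confirmed']}")
```

Run against the constructed sample, only 203.0.113.7 is flagged: six usernames in six seconds with five failures, and `carol@example.com` listed as the one that worked. The legitimate user on 198.51.100.9 who failed once and then logged in is not flagged, because the distinct-user count never rises. In production the same aggregation would be keyed on a source fingerprint rather than a bare IP (stuffing is usually proxied), the thresholds tuned to the platform's normal traffic, and a flagged source rate-limited or sent to MFA step-up rather than simply logged.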

