CyberSecurity SEE

Millions of individuals’ information stolen in Advance Auto Parts data breach

Over 2.3 million individuals have fallen victim to a massive data breach that occurred via compromised Snowflake accounts lacking multi-factor authentication (MFA). Advance Auto Parts has officially confirmed this security incident by filing notices with the attorney general offices in various US states.

The compromised data includes sensitive personal information such as names, Social Security numbers, driver’s license or other government-issued identification numbers, and dates of birth. This data was obtained through the Advance Auto Parts job application process. In response to the breach, affected individuals are being offered credit monitoring and identity restoration services at no cost.

Snowflake, a cloud-based data storage and analytics company, has been identified as the third party hosting the data that was breached. Advance Auto Parts had initially disclosed the compromise to the US Securities and Exchange Commission in May without revealing Snowflake’s involvement.

Investigations conducted by Mandiant and CrowdStrike confirmed that the breach resulted from compromised credentials for accounts lacking MFA. The threat actor behind the breach obtained the credentials from historical infostealer infections, rather than by exploiting vulnerabilities or misconfigurations in Snowflake’s systems.

Approximately 165 Snowflake customers have been affected by this breach, including major organizations such as Ticketmaster, Santander Group, LendingTree, and Advance Auto Parts. The lack of MFA implementation and credential rotation, as well as the absence of network allow lists to restrict access to trusted locations, were identified as key factors contributing to the successful data grab.
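An added example (not from the article, Snowflake, or the investigators): a Python audit that checks a user inventory for the three gaps named above, namely password logins without MFA, unrotated passwords, and a missing or bypassed network allow list. The record field names, the 90-day rotation window, and the sample users, networks and logins are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation window, not from the article

def audit_account(users, allowed_networks, recent_logins, now):
    """Return {user: [findings]} for missing MFA, stale passwords, allow-list gaps."""
    nets = [ip_network(n) for n in allowed_networks]
    findings = {}

    def flag(who, msg):
        findings.setdefault(who, []).append(msg)

    for u in users:
        # Disabled users and users with no password have no password to replay.
        if u["disabled"] or not u["has_password"]:
            continue
        if not u["mfa_enrolled"]:
            flag(u["name"], "password login without MFA")
        if now - u["password_last_set"] > MAX_PASSWORD_AGE:
            flag(u["name"], "password not rotated")
    if not nets:
        flag("<account>", "no network allow list")
    for user, ip in recent_logins:
        # With an allow list defined, any login from outside it is a finding.
        if nets and not any(ip_address(ip) in n for n in nets):
            flag(user, f"login from {ip} outside allow list")
    return findings

# Constructed sample data (hypothetical users, documentation IP ranges).
UTC = timezone.utc
NOW = datetime(2024, 7, 15, tzinfo=UTC)
USERS = [
    {"name": "etl_svc", "has_password": True, "mfa_enrolled": False,
     "disabled": False, "password_last_set": datetime(2021, 3, 1, tzinfo=UTC)},
    {"name": "analyst1", "has_password": True, "mfa_enrolled": True,
     "disabled": False, "password_last_set": datetime(2024, 6, 20, tzinfo=UTC)},
    {"name": "old_admin", "has_password": True, "mfa_enrolled": False,
     "disabled": True, "password_last_set": datetime(2020, 1, 1, tzinfo=UTC)},
]
ALLOWED = ["203.0.113.0/24"]
LOGINS = [("analyst1", "203.0.113.10"), ("etl_svc", "198.51.100.7")]

if __name__ == "__main__":
    for who, msgs in audit_account(USERS, ALLOWED, LOGINS, NOW).items():
        print(who, "->", "; ".join(msgs))
```
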

Following the breach, security researcher Kevin Beaumont criticized Snowflake for not making it easy for customers to enable MFA and for lacking a policy to block users without MFA. In response to the incident, Snowflake has introduced new security measures, including a mandatory MFA authentication policy for all users, prompts within the Snowflake interface for MFA setup, and monitoring capabilities for adherence to MFA policies.

Snowflake’s Chief Information Security Officer Brad Jones and principal product manager Anoosh Saboori announced these changes, emphasizing the importance of MFA in securing user accounts. They also hinted at future features to enhance account security and urged all customers to start implementing MFA authentication policies and utilizing the Trust Center for monitoring.

In conclusion, the data breach stemming from compromised Snowflake accounts serves as a stark reminder of the critical importance of implementing robust security measures, such as multi-factor authentication, to protect sensitive data and prevent unauthorized access. Snowflake’s response to the breach highlights the company’s commitment to enhancing security protocols and safeguarding user information in the future.
