What Snowflake isn't saying about its customer data breaches | TechCrunch

Snowflake's security problems following a recent spate of customer data thefts are, for want of a better word, snowballing.

Ticketmaster was the first company to link its recent data breach to the cloud data company Snowflake, and loan comparison site LendingTree has now confirmed its QuoteWizard subsidiary had data stolen from Snowflake.

"We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident," Megan Greuling, a spokesperson for LendingTree, told TechCrunch.

"We take these matters seriously, and immediately after hearing from Snowflake launched an internal investigation," Greuling said. "As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree."

Greuling declined to comment further, citing the company's ongoing investigation.

As more affected customers come forward, Snowflake has said little beyond a brief statement on its website reiterating that there wasn't a data breach of its own systems. Instead, it says customers were not using multi-factor authentication, or MFA, a security measure that Snowflake doesn't enforce or require its customers to enable by default. Snowflake was itself caught out by the incident, saying a former employee's demo account was compromised because it was only protected with a username and password.

In a statement Friday, Snowflake said its position remains unchanged. It cited an earlier statement in which Snowflake's chief information security officer, Brad Jones, said this was a targeted campaign directed at users with single-factor authentication and using credentials stolen from info-stealing malware or obtained from previous data breaches.

The lack of MFA appears to be how cybercriminals downloaded huge amounts of data from Snowflake customers' environments, which weren't protected by the additional security layer.

TechCrunch earlier this week found online hundreds of Snowflake customer credentials stolen by password-stealing malware that infected the computers of employees who have access to their employer's Snowflake environment. The number of credentials suggests there remains a risk to Snowflake customers who have yet to change their passwords or enable MFA.

Throughout the week, TechCrunch has sent more than a dozen questions to Snowflake about the ongoing incident affecting its customers as we continue to report on the story. Snowflake declined to answer our questions on at least six occasions.

These are some of the questions we're asking, and why.

Snowflake said it has currently notified a limited number of Snowflake customers who the company believes may have been affected. On its website, Snowflake says it has more than 9,800 customers, including tech companies, telcos and healthcare providers.

Snowflake spokesperson Danica Stanczak declined to say if the number of affected customers was in the tens, dozens, hundreds or more.

It's likely that, despite the handful of reported customer breaches this week, we are only in the early days of understanding the scale of this incident.

It may not be clear even to Snowflake how many of its customers are yet affected, since the company will either have to rely on its own data, such as logs, or find out directly from an affected customer.

It's not known how soon Snowflake could have known about the intrusions into its customers' accounts. Snowflake's statement said it became aware on May 23 of the threat activity (the accessing of customer accounts and downloading their contents) but subsequently found evidence of intrusions dating back to a no-more-specific timeframe than mid-April, suggesting the company does have some data to rely on.

But that also leaves open the question why Snowflake did not detect at the time the exfiltration of large amounts of customers' data from its servers until much later in May, or if it did, why Snowflake didn't publicly alert its customers sooner.

Incident response firm Mandiant, which Snowflake called in to help with outreach to its customers, told Bleeping Computer at the end of May that the firm had already been helping affected organizations for several weeks.

A key line from Snowflake's statement says: "We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data."

Some of the stolen customer credentials linked to info-stealing malware include those belonging to a then-Snowflake employee, according to a review by TechCrunch.

As we previously noted, TechCrunch is not naming the employee as it's not clear they did anything wrong. The fact that Snowflake was caught out by its own lack of MFA enforcement, allowing cybercriminals to download data from a then-employee's demo account using only their username and password, highlights a fundamental problem in Snowflake's security model.

But it remains unclear what role, if any, that this demo account has on the customer data thefts, because it's not yet known what data was stored within, or if it contained data from Snowflake's other customers.

Snowflake declined to say what role, if any, the then-Snowflake employee's demo account has on the recent customer breaches. Snowflake reiterated that the demo account did not contain sensitive data, but repeatedly declined to say how the company defines what it considers sensitive data.

We asked if Snowflake believes that individuals' personally identifiable information is sensitive data. Snowflake declined to comment.

It's not unusual for companies to force-reset their customers' passwords following a data breach. But if you ask Snowflake, there has been no breach. And while that may be true in the sense that there has been no apparent compromise of its central infrastructure, Snowflake's customers are very much getting breached.

Snowflake's advice to its customers is to reset and rotate Snowflake credentials and enforce MFA on all accounts. Snowflake previously told TechCrunch that its customers are on the hook for their own security. Under Snowflake's shared responsibility model, customers are responsible for enforcing MFA with their users.

But since these Snowflake customer data thefts are linked to the use of stolen usernames and passwords of accounts that aren't protected with MFA, it's unusual that Snowflake has not intervened on behalf of its customers to protect their accounts with password resets or enforced MFA.

It's not unprecedented. Last year, cybercriminals scraped 6.9 million user and genetic records from 23andMe accounts that weren't protected with MFA. 23andMe reset user passwords out of caution to prevent further scraping attacks, and subsequently required the use of MFA on all of its users' accounts.

We asked Snowflake if the company planned to reset the passwords of its customers' accounts to prevent any possible further intrusions. Snowflake declined to comment.

Snowflake appears to be moving toward rolling out MFA by default, according to tech news site Runtime, quoting Snowflake CEO Sridhar Ramaswamy in an interview this week. This was later confirmed by Snowflake's CISO Jones in the Friday update.

"We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts," said Jones.

A timeframe for the plan was not given.

Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.