A report indicated that Advance Auto Parts is allegedly the latest victim in a wave of data theft attacks targeting Snowflake customers.

Advance Auto Parts is reportedly the latest victim in a wave of data theft attacks targeting Snowflake customers, which are believed to be utilizing stolen passwords.

Separately, a report from TechCrunch highlighted the potential role of lenient Snowflake MFA (multi-factor authentication) policies in the success of the attacks, which have also recently claimed Ticketmaster and Santander Bank as victims.

[Related: Snowflake Data Cloud Summit 2024: The Biggest News]

As pointed out by the TechCrunch report, Snowflake documentation posted online shows that “at this time, users are not automatically enrolled in MFA.”

“To use MFA, users must enroll themselves,” the Snowflake online documentation reads.

While average users are notoriously averse to MFA, this sort of policy would seem to signal to malicious actors that Snowflake users are potentially vulnerable to being compromised with simply a username and password. To that end, TechCrunch also reported that it has viewed more than 500 stolen credentials posted online, containing usernames, passwords and URLs of the Snowflake login pages.

CRN has reached out to Snowflake for comment.

Meanwhile, BleepingComputer reported that a threat actor has advertised the sale of 3 TB of data from Advance Auto Parts, purportedly stolen from the auto parts retailer’s Snowflake environment. The cache includes customer information, order information and a number of other types of data, according to the report.

CRN has reached out to Advance Auto Parts for comment.

Prior Breaches

In a filing with the U.S. Securities and Exchange Commission Friday, Live Nation said that it had “identified unauthorized activity within a third-party cloud database environment” on May 20.

The cloud database contained unspecified “company data,” which “primarily” belonged to Ticketmaster, Live Nation said.

An unidentified Ticketmaster spokesperson told TechCrunch that the affected cloud database was operated by Snowflake.

Santander Bank disclosed in mid-May that “certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed.”

In response to the reports, Snowflake said in a post earlier this week that it “has promptly informed the limited number of Snowflake customers who it believes may have been affected.”

The customers were not impacted as a result of compromised Snowflake employee credentials or a breach of the Snowflake platform, the company said in its post.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said.

Additionally, “we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” Snowflake said.

Rather than a breach or compromised Snowflake employee credentials, the company said in its post that it believes that “threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake said.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned about the recent threat actor campaign targeting users of Snowflake and urged customers to proactively look for malicious activity.