Security Best Practices in the Aftermath of the Snowflake Data Breach

Data warehousing giant Snowflake disclosed on May 23, 2024, that they experienced a data breach affecting at least 165 of its customers. Since Snowflake’s customers are industry giants such as LiveNation and Santander Bank, this incident is already shaping up to be one of the most significant data breaches in history.

Snowflake has not yet disclosed precisely how this incident occurred. However, statements by Snowflake and forensic investigators on its behalf indicate that this breach was the result of credential theft.

Snowflake has publicly stated that “the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee,” and Mandiant (which was hired by Snowflake to help with the forensic investigation of the attack), has stated that “Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”

User credentials can be stolen in various ways, some of which are within the organization’s control and others not. Nonetheless, it is helpful to look at the most common ways in which attackers steal credentials and how to reduce the risk of them occurring.

How Attackers Steal Credentials

• Hashes of Weak Passwords from Previous Data Breaches: Remembering passwords is hard, and many users simply choose not to bother. This makes password reuse one of the known ills of modern identity security. Moreover, if you are connected to the internet, unfortunately, you have most likely been the victim of data exposure. Put these two together, and the result is that past, large-scale, and high-profile breaches likely contain many passwords that are valid not just for those breached accounts but for many other accounts of those users, as well.

Passwords are encrypted in hashes, and when a data breach occurs that contains passwords, those are typically stored in hashes, not plain text.  However, the constant advancement in computing power makes it increasingly easy for attackers to decrypt hashes in plaintext format. Although even a moderately strong password will generate a hash too complex to decrypt in a reasonable time, weaker passwords are vulnerable to such tactics. And when those passwords are being re-used across multiple accounts, it leads to dangerous exposure.

• Account Sharing: Although not an attack vector in its own right, a common source of credential exposure is shared accounts. This is because when the same credentials are shared across multiple users, the risk of exposure increases exponentially. Moreover, shared accounts tend to have extensive permissions (to accommodate the variety of use cases by different users) and typically don’t have single sign-on (SSO) and multi-factor authentication (MFA) turned on. These common traits make shared accounts prime candidates for credential exposure, with disastrous effects on organizations.

• Phishing: Although many organizations use proxy-based URL filtering services, secure web gateways (SWGs), and endpoint DLP solutions, cybercriminals have adapted and learned to bypass traditional anti-phishing methods. This is because conventional anti-phishing methods rely on feeds of known malicious URLs or texts. However, phishing-scheme perpetrators have learned to use short-lived URLs (often ‘live’ for only a few minutes), adaptive texts, and hiding behind legitimate web hosting services to avoid detection or blocking.

As a result, despite all the efforts to combat it, good ol’ phishing is still with us. In fact, according to the 2024 Verizon Data Breach Investigations Report (DBIR), phishing is responsible for 40% of data breaches.

• Malicious Browser Extensions: Why work hard to bring unsuspecting users to you if you can have them bring you onto their computers and give you the keys to the kingdom? Browser extensions have become a staple of the browser-first world, and users commonly rely on extensions for communication, productivity, shopping, and more.

The problem, however, is that browser extensions are routinely granted extensive permissions, including passwords, cookies, session tokens, and more. Malicious browser extensions use these extensive permissions to steal data from users’ computers and have become a significant source of credential theft.

Actionable measures to mitigate the risk:

The techniques mentioned above are but a glimpse of the array of methods hackers use to steal user credentials. Nevertheless, there are several commonsense and actionable steps that organizations can take to vastly reduce the risk:

• Enforce strong passwords: It’s the oldest trick in the book, but still holds true. Strong passwords will make it difficult for attackers to brute-force or reverse-engineer passwords, even with formidable computing horsepower on their side.
• Eliminate shared accounts: eliminating shared accounts will go a long way to reducing your threat surface and making sure that each user has a distinct account, especially when you combine it with the following recommendation –
• Force SSO and MFA: forcing users to use only their organizational accounts and mandating the usage of MFA ensures not only a higher level of protection but also supports identity governance and compliance
• Deploy next-gen phishing protections: These are not based on feeds of known malicious web pages and URLs but actively analyze each individual web page and generate its own independent risk scoring.
• Block risky browser extensions: prevent password theft, cookie harvesting, and session token exposure by disabling and blocking risky browser extensions.

How LayerX Mitigates Snowflake Credential Exposure

LayerX is a browser security platform that natively integrates with any browser. It provides continuous monitoring, risk analysis, and real-time enforcement of any event and user activity in the browsing session.

LayerX can help mitigate the risk of Snowflake credential exposure in several ways:

1. Get Visibility into Snowflake credential usage: See which users are using Snowflake accounts and whether any of the Snowflake accounts are being shared between multiple users.
2. Force rotation of Snowflake passwords: Make sure that all Snowflake passwords are changed, blocking any future access.
3. Mandate usage of SSO on Snowflake accounts: Ensure that all Snowflake accounts use corporate credentials backed by SSO and MFA.

Contact us today to schedule a demo and see how LayerX can help protect you!