In June, cloud services provider Snowflake along with Mandiant, a cyber security firm, notified at least 165 Snowflake clients about potential account compromises. Data breaches at Santander Bank, Ticketmaster and QuoteWizard were linked to the Snowflake cloud storage and analytics accounts these organizations hold, as reported by Wired and Verge.
Bad actors used credential stuffing with employee credentials to attack companies using Snowflake and steal those companies’ customer data. Snowflake has numerous clients and holds a large amount of PII for those clients. Snowflake clients were likely not even aware these attacks were occurring. And Snowflake is only one of many third-party providers in this space. It’s becoming more common for companies to use third parties like Snowflake to hold sensitive data, which increases the need to expand your visibility into where you may be vulnerable to account takeover.
Mandiant traced the issue to a hacker group leveraging stolen credentials, some going as far back as 2020, from infostealer malware.
While this cyber attack has primarily been referred to as the Snowflake data breach in the media, it would be more accurately described as a credential stuffing attack targeting companies using Snowflake, using credential pairs compromised by malware. This is typical of credential stuffing attacks. Our web monitoring service alerts our clients to their exposure from over 50 million credential stuffing attacks a day, across thousands of companies, with over 50 attacks each day impacting 1 million or more accounts. Bad actors capitalize on poor password hygiene and frequent password reuse among users, using systematic credential stuffing attacks to test passwords compromised by malware or a third-party data breach across other systems where these compromised credential pairs may also be used.
Business user accounts get compromised, just like consumer accounts, and many of these account holders reuse their passwords if not full credential pairs. Organizations need to ensure their employees, vendors and contractors are not using compromised credentials, as they can be used to access business services (as in the case of credential stuffing targeting Snowflake accounts) and sensitive data.
AllCreds is myNetWatchman’s compromised credential screening service. This service can be applied at account creation, but in the wake of attacks like those targeting Snowflake accounts, it should be used to identify compromised credentials in an organization’s Active Directory. We call this AD Audit. AllCreds screens the credentials of all users and identifies which are known to be compromised. Those flagged as compromised should then be required to change their passwords, preventing account takeover via use of the stolen credentials, similar to what Ticketmaster and others experienced with their Snowflake accounts.
myNetWatchman is trusted by top firms around the world to help detect, prevent and recover from compromised credentials. It doesn’t matter how they were compromised or that the password is used across multiple accounts or services for a given user – when compromised credential pairs are presented, it is up to the organization seeing the credential stuffing attack or account takeover (ATO) attempt to stop unauthorized account access. Here’s how we help:
myNetWatchman’s credential web monitoring service: Benefit from myNetWatchman’s ten-plus years of live data surveillance, a proprietary and constantly growing data set of over 30 billion exposed credential pairs, and a network of 550 million protected users. Leveraging live surveillance, myNetWatchman alerts you to bad actors’ activity targeting your company or domains, including where your clients log in or access your services. Know whether it’s an isolated credential stuffing or ATO attack targeting one client’s account login page, or a widespread attack targeting many clients across the various URLs and pages where they authenticate to access your services.
AllCreds is myNetWatchman’s compromised credential screening service. Risk and reputation scoring is provided on specific users (customers or employees) based on whether we see their credential pairs implicated in data breaches or successfully used by bad actors on other sites. Companies use these insights to strategically present forms of step-up authentication or to require password resets. Chances are that compromised credential pairs will be used or tested elsewhere before they are attempted against your users or site. myNetWatchman brings this information to light so you can act accordingly. Not just compromised passwords, but credential pairs. Not just credentials that have been breached, but ones that are actively being used.