The recent data breach at Snowflake, a popular cloud-based data platform, has sent shockwaves through the tech industry. The incident has compromised many customer accounts, exposing vast amounts of sensitive data. While the full extent of the breach is still being investigated, initial reports indicate that hundreds of millions of records have been exfiltrated, including data from major companies like Ticketmaster and Santander Bank. Alarmingly, the threat actor behind the attack claims to have accessed data from around 400 organizations.
In this blog post, we'll look into the details of the Snowflake breach, highlighting the critical importance of multifactor authentication (MFA) and device recognition in mitigating account takeover. We'll also explore how Fingerprint's device intelligence platform can enhance security measures while ensuring a seamless user experience.
Summary of the breach: How it all went down
The Snowflake data breach exposed critical vulnerabilities in customer account security, raising alarming concerns about protecting sensitive data. But how did this massive breach occur? Let’s examine how financially motivated threat actors gained access to the credentials and the main factors contributing to this security incident.
How were accounts accessed?
The attackers exploited previously compromised credentials to gain unauthorized access to Snowflake customer accounts. These customer credentials were likely obtained through infostealer malware or from previous data breaches. According to an analysis by Mandiant and Snowflake, about 80% of the accounts compromised had previously exposed credentials.
The threat actors then used custom tools to perform reconnaissance on the Snowflake platform, obtaining details such as organization names, users, roles, and IP addresses. Once inside, they executed SQL commands to exfiltrate data from the compromised customer accounts.
What factors opened the door for attackers?
Several security oversights left Snowflake accounts alarmingly vulnerable, rolling out the red carpet for the cybercriminals:
Inadequate authentication measures
The compromised accounts lacked MFA protection, relying solely on single-factor authentication. Snowflake has since emphasized the importance of enabling MFA for all customers to prevent similar breaches in the future, as it is currently not a mandatory requirement.
Stale credentials
Alarmingly, many of the stolen credentials were outdated — some even years old — indicating a dangerous lapse in regular password rotation practices. Maintaining fresh, frequently updated credentials is a vital security measure that was neglected, leaving accounts vulnerable to unauthorized access.
Open door for untrusted sources
To make matters worse, the impacted Snowflake customer instances lacked network allow lists, which grant access only to trusted locations. Without these digital guards, the threat actors could waltz in from any untrusted source, unchallenged and undetected.
The importance of MFA and device recognition
While Snowflake's systems were not directly breached, the attackers found a way to exploit weak links in the security practices of Snowflake's customers. By getting their hands on valid login credentials and taking advantage of the lack of MFA and network restrictions, the attackers gained unauthorized access to a treasure trove of sensitive data.
This incident serves as a wake-up call for many, underscoring the importance of implementing robust security measures to fortify defenses.
A multi-layered defense with MFA
It’s clear a simple password is no longer enough to protect accounts. MFA provides an extra layer of protection by requiring multiple verification forms, like a password and a one-time code, making unauthorized access extremely difficult, even if credentials are compromised.
However, an always-on MFA approach can lead to increased costs, user frustration, and potential exploitation through tactics like SMS pumping fraud, where attackers overwhelm the system with bogus verification requests to generate profit. This highlights the need for an adaptive, intelligent approach that maintains tight security while minimizing user inconvenience.
Recognizing trusted devices
Device recognition tools can identify devices that have previously gained trust and been verified. When a known, vetted device attempts to gain access, device recognition allows for a smooth login without requiring additional verification steps, ensuring a frictionless user experience. But when an unfamiliar device tries to gain entry, this triggers MFA prompts, ensuring only legitimate users can proceed after providing additional information.
Once you can identify trusted devices, you can require that all customers set up MFA even if it won’t always be used. By having customers configure MFA, businesses can ensure that unknown devices or suspicious activities can trigger additional verification steps as needed, enhancing data security without compromising the user experience.
How Fingerprint could have helped prevent the Snowflake data breaches
As we mentioned, recognizing known devices is crucial for maintaining a secure yet smooth login experience. Organizations can reduce unnecessary MFA prompts by identifying devices that customers regularly use, ensuring that legitimate users have a frictionless login experience.
Fingerprint’s browser and device fingerprinting technology allows organizations to recognize customer devices with extremely high accuracy. Our device intelligence platform creates a unique visitor identifier for each device based on over 70 attributes, enabling seamless recognition of known devices. This ensures that trusted devices bypass additional verification steps while unknown devices trigger additional authentication friction.
Additionally, our Smart Signals detect suspicious activities and attributes, such as VPN use, browser tampering, and bot detection. By analyzing these signals, organizations can identify suspicious devices and behavior and take appropriate actions to protect their systems from cyberattacks.
Fingerprint's intelligent gatekeeping
By using Fingerprint's device intelligence platform, businesses can easily implement a multi-layered security approach that seamlessly integrates device recognition and adaptive authentication measures into their existing login systems:
- The Familiar Faces: Fingerprint's solution begins by identifying customer devices and recognizing the trusted ones—like a seasoned host warmly greeting regular patrons. Businesses request visitor identification during login attempts, and associating those unique IDs with customer accounts builds a roster of familiar devices.
- The Velvet Rope: For trusted regulars, the velvet rope is lifted, allowing seamless access without the hassle of additional verification. However, when an unfamiliar face (AKA an unknown device) attempts entry, security barriers are raised, prompting multifactor authentication. This adaptive approach maintains security without introducing unnecessary friction for legitimate users.
- The Sixth Sense: Fingerprint's solution isn't just about recognizing devices; it also provides you with a sixth sense for detecting suspicious behavior. Armed with our Smart Signals, you can identify potentially malicious activity, such as login attempts from bots or tampered devices. When such threats are detected, you can take action, prompting additional verification, blocking the request, or implementing other robust security measures to protect against potential breaches.
Protect customer data without adding unnecessary friction
The recent Snowflake breach exposed critical vulnerabilities, but these risks could have been mitigated with Fingerprint's device intelligence. By recognizing known devices and leveraging our Smart Signals to detect suspicious behavior, Fingerprint enables targeted security measures, reducing unnecessary MFA prompts for trusted users while protecting sensitive accounts.
Implementing both device recognition and adaptive MFA ensures strong security without compromising user experience. To learn more about Fingerprint and how we empower our customers to enhance their security posture without sacrificing user experience, contact our team or start a free trial.
FAQ
The breach was caused by attackers using previously compromised credentials. The combination of missing MFA, outdated credentials, and a lack of network allow lists allowed attackers to exploit weak security practices, gaining unauthorized access to sensitive data.
MFA significantly enhances security by requiring multiple verification forms, making it much harder for attackers to gain unauthorized access. Even if a password is compromised, additional verification steps provide an extra layer of protection. This reduces the risk of account takeovers, protects sensitive data, and increases overall system security.
Device recognition allows businesses to identify and remember devices that users frequently use to access their accounts. By recognizing these trusted devices, businesses can reduce the number of unnecessary authentication prompts, prompting for MFA only when an unknown or suspicious device attempts to log in. This enhances security by ensuring that additional verification steps are only applied when there is potential risk, balancing security with user convenience.