Vincenzo Iozzo
15 Jul, 2024
Protecting against Snowflake breaches

In the last few weeks several very high-profile breaches have been in the news, from Santander to Ticketmaster and AT&T.

These breaches all have the same attack vector: identity-based attacks against Snowflake instances.

In this article, we discuss the causes of the breach and our approach to protect against identity-based attacks against Snowflake.


Introduction

In the last few weeks, numerous Snowflake customers experienced very significant data breaches.

All the breaches were attributed to compromised credentials and the lack of multi-factor authentication (MFA) among customers.

The attackers used credentials stolen by various infostealer malware to gain access to sensitive data. High-profile companies such as Ticketmaster, Santander, Advance Auto Parts, and, most recently, AT&T were affected. The attackers, believed to be the ShinyHunters group, are one of the more prolific groups and have been involved in several high-profile breaches over the years.

Let’s dig deeper into Snowflake and how to prevent these breaches in the future.

The Snowflake identity model

Snowflake has 3 key identity and access concepts that form the backbone of IAM.

  1. Roles: They define a set of permissions that determine what actions a user or a group of users can perform within the Snowflake environment. Roles can be organized hierarchically, so that a role can inherit permissions from other roles.
  2. Users: Users in Snowflake represent individuals or entities that need access to Snowflake’s resources. Crucially, users can be used as “service accounts” through passwords and RSA key pairs.
  3. Service Integration: These represent integration with third-party systems, either via OAuth 2.0 or API keys. This is also how a Snowflake instance can be provisioned through a third-party IdP.

Notably, Snowflake natively supports only the following authentication methods for a User:

  1. Password
  2. RSA keys
  3. MFA via Duo

As discussed, from what is publicly known, all the breaches in the past few months show the same pattern: the attacker ran a credential-stuffing attack against Snowflake instances that weren’t protected by RSA.

Note, however, that this is the low-hanging fruit. More sophisticated attackers could target MFA-enabled accounts through AITM, MFA Fatigue, and several other attacks.
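The three native authentication methods above make it possible to audit which users are still reachable with a password alone. The following is an added example, not SlashID code: the rows are constructed, and the field names are assumed to mirror columns of the `SNOWFLAKE.ACCOUNT_USAGE.USERS` view, so verify them against your own account.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 7, 15)  # fixed "today" so the sample is reproducible

def _row(name, pw, rsa, duo, last, disabled=False):
    # Keys are assumed to mirror SNOWFLAKE.ACCOUNT_USAGE.USERS columns.
    return {"name": name, "has_password": pw, "has_rsa_public_key": rsa,
            "ext_authn_duo": duo, "last_success_login": last, "disabled": disabled}

# Constructed sample users covering each native authentication method.
USERS = [
    _row("ALICE", True, False, True, datetime(2024, 7, 14)),       # password + Duo
    _row("ETL_SVC", True, False, False, datetime(2024, 7, 15)),    # password only
    _row("LOADER_SVC", False, True, False, datetime(2024, 7, 15)),  # key pair only
    _row("REPORT_SVC", True, True, False, datetime(2024, 7, 12)),  # key pair AND password
    _row("BOB_OLD", True, False, False, datetime(2023, 11, 2)),    # unused for months
    _row("NEVER_USED", False, True, False, None),                  # never logged in
    _row("CAROL", True, False, False, datetime(2024, 7, 1), disabled=True),
]

def audit_users(users, now=NOW, stale_after=timedelta(days=90)):
    """Return {user_name: [findings]} for enabled users only."""
    findings = {}
    for u in users:
        if u["disabled"]:
            continue  # a disabled user cannot authenticate
        issues = []
        # A password with no Duo enrolment is what credential stuffing needs.
        # An RSA key on the same user does not remove that exposure.
        if u["has_password"] and not u["ext_authn_duo"]:
            issues.append("password without MFA")
        last = u["last_success_login"]
        if last is None or now - last > stale_after:
            issues.append("stale account")
        if issues:
            findings[u["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_users(USERS).items():
        print(f"{name}: {', '.join(issues)}")
```

`REPORT_SVC` is the case that is easy to miss: it has a key pair, but the password left on the account still allows a password-only login.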

How can SlashID help

As we discussed in our previous article on NHI, at SlashID we believe that the Identity Security maturity model should follow a familiar pattern we have seen in endpoints and other security areas:

  1. Visibility
  2. Detection
  3. Remediation
  4. Prevention

Towards this end, we are happy to announce support for Snowflake in our Identity Security product.

Through SlashID you can:

  1. Visualize and collect all roles, users, and service integrations for all your Snowflake instances
  2. Detect identity-based attacks or lateral movement
  3. Prevent and remediate by rotating credentials and dropping privileges

In particular, SlashID can detect several attack patterns, including:

  1. The provisioning of malicious users or integrations
  2. Credential stuffing attempts
  3. Authentication attempts from malicious or suspicious IP addresses, times of the day, and locations
  4. Overprivileged accounts
  5. Stale accounts and credentials
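To make the credential-stuffing item concrete, here is an added example of one possible detection rule. It is not SlashID's detection logic: the events are constructed, the field names are assumed to mirror the `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view, and the window and threshold are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _e(ts, user, ip, ok, second=None):
    # Keys are assumed to mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns.
    return {"event_timestamp": datetime.fromisoformat(ts), "user_name": user,
            "client_ip": ip, "is_success": ok, "second_authentication_factor": second}

# Constructed events; the IPs come from documentation ranges.
EVENTS = [
    _e("2024-07-01T03:00:05", "ALICE", "203.0.113.7", False),
    _e("2024-07-01T03:00:09", "BOB", "203.0.113.7", False),
    _e("2024-07-01T03:00:14", "CAROL", "203.0.113.7", False),
    _e("2024-07-01T03:00:20", "DAVE", "203.0.113.7", False),
    _e("2024-07-01T03:00:26", "ETL_SVC", "203.0.113.7", True),   # password only
    _e("2024-07-01T09:00:00", "ALICE", "198.51.100.20", False),  # ordinary typo
    _e("2024-07-01T09:00:30", "ALICE", "198.51.100.20", True, "DUO_PUSH"),
]

def detect_stuffing(events, window=timedelta(minutes=10), min_users=4):
    """Flag IPs that fail logins for >= min_users distinct users inside `window`,
    and list users that then logged in from that IP without a second factor."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["event_timestamp"]):
        by_ip[ev["client_ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["is_success"]]
        start, hit_at = 0, None
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["event_timestamp"] - fails[start]["event_timestamp"] > window:
                start += 1
            if len({f["user_name"] for f in fails[start:end + 1]}) >= min_users:
                hit_at = fails[start]["event_timestamp"]
                break
        if hit_at is None:
            continue
        hits = sorted({e["user_name"] for e in evs
                       if e["is_success"] and e["event_timestamp"] >= hit_at
                       and not e["second_authentication_factor"]})
        alerts[ip] = {"first_seen": hit_at, "likely_compromised": hits}
    return alerts

if __name__ == "__main__":
    print(detect_stuffing(EVENTS))
```

Counting distinct usernames per source IP, rather than failures per user, keeps a single user mistyping a password from raising the alert.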

Beyond detections, SlashID can help rotate credentials, suspend/block users, turn on MFA, and update roles.

Conclusion

Snowflake contains some of the most sensitive user data a company has, and it’s a very complicated system to secure properly. Reach out to us to see how SlashID can help secure your Snowflake instances.
