Data on 2.3M stolen from our Snowflake instance • The Register
Advance Auto Parts’ CISO just revealed for the first time the number of individuals affected when criminals broke into its Snowflake instance – a hefty 2.3 million.
Ethan Steiger notified Maine’s Attorney General on Wednesday of the extent of the damage – putting the figure at exactly 2,316,591 – and the letter sent to victims confirms that the data potentially stolen includes names, dates of birth, Social Security numbers, and driver’s license or other ID document numbers.
Steiger’s letter also said Advance Auto Parts became aware of the intrusion on May 23, but now understands that the cybercriminal(s) behind the attack maintained access to its Snowflake instance between April 14 and May 24.
Two letter templates were included in the notification to Maine’s AG – one for the 13,858 Maine residents affected by the attack and another which appears to be a general template designed for victims residing in other states.
The general version mentioned that the data accessed by the criminals was gathered and stored as part of the company’s job application process; the Maine letter, however, made no mention of this.
“On May 23, 2024, we learned that, like many other companies, an unauthorized third party gained access to certain information maintained by Advance Auto Parts within Snowflake, our cloud storage and data warehousing vendor,” the letter reads. “We began an investigation to determine the nature and scope of the incident with the support of third-party experts and took measures to contain the incident and terminate the unauthorized access.
“Upon learning of the incident, we promptly terminated the unauthorized access and took proactive measures aimed at preventing future unauthorized access. We also notified law enforcement,” it added.
“In addition, we continue to work with third-party cybersecurity experts to take steps to further harden our systems and emerge from this incident an even more secure organization.”
This week’s notification is the first time Advance Auto Parts has officially admitted it was one of the major companies caught up in the large rash of Snowflake break-ins, joining the likes of Ticketmaster and Santander, whose storage was also broken into.
The aftermarket auto parts dealer has been quiet about the incident on social media and in its website’s press corner, and had not previously confirmed that it was a victim, let alone the scale of the data accessed.
What are the criminals saying?
The individual or group behind the attack uses the online alias Sp1d3r and previously put Advance’s data up for sale on a cybercrime forum, asking for $1.5 million as a payment.
It seems Sp1d3r has done the usual cybercriminal trick of overinflating the figures in its advertisement of the data, though. Its forum post claims 380 million customer profiles were stolen which included names, email and home addresses, phone numbers, and more.
Sp1d3r alleged that among the 3 TB worth of data it stole were part numbers, SSNs, ID document numbers, demographic details, transaction details, loyalty and gas card numbers, and information about 358,000 staff.
The letters penned by CISO Ethan Steiger now suggest the scale was much smaller, at 2.3 million affected individuals, and that the remaining data types Sp1d3r claimed to have stolen, which the letters do not list, were bogus.
Snowflake latest
Advance Auto Parts’ confirmation comes a day after Snowflake announced new policies available to account admins that allow multifactor authentication (MFA) to be required across an entire organization.
Snowflake has consistently denied any suggestion that a break-in at Snowflake towers was to blame for the spate of data protection gaffes at its customers. The new measure instead aims to address the issue said to be at the heart of the incidents: customers weren’t enabling MFA where they should have been.
The announcement also suggested that MFA would become mandatory for all human user accounts in the near future, but for now Snowflake is just giving admins the opportunity to apply it organization-wide if they want to (they should). By default, MFA is still not enabled on Snowflake accounts, and prior to this move it had to be enabled on a per-user basis.
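The three things an admin would actually run after reading the above, as an added example that is not from The Register’s article or from Snowflake’s announcement: find the human users who can still log in with a password alone, apply an account-wide authentication policy that forces MFA enrolment, and hunt the login history for password-only logins during the window the Advance Auto Parts letter gives (April 14 to May 24). The policy name and the assumption that the session holds ACCOUNTADMIN (or a role granted the equivalent privileges) are the editor’s; column and parameter names follow Snowflake’s ACCOUNT_USAGE views and authentication-policy syntax as the editor understands them, so check them against the current documentation before relying on them.

```sql
-- Added example (not Snowflake's or Advance Auto Parts' code).
-- Assumes ACCOUNTADMIN or a role with CREATE AUTHENTICATION POLICY and
-- IMPORTED PRIVILEGES on the SNOWFLAKE database. Policy name is invented.

USE ROLE ACCOUNTADMIN;

-- 1. Inventory: enabled human users who hold a password but have no MFA
--    (Duo) enrolment, plus any active MFA bypass window. String literals
--    are used for the boolean columns because Snowflake converts them
--    implicitly and the view has exposed them as both BOOLEAN and VARCHAR
--    across releases. Service users are excluded: they should be on
--    key-pair or OAuth, not passwords, and are not subject to MFA enrolment.
SELECT name,
       login_name,
       email,
       has_password,
       ext_authn_duo                AS mfa_enrolled,
       bypass_mfa_until,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled      = 'false'
  AND  has_password  = 'true'
  AND  ext_authn_duo = 'false'
  AND  COALESCE(type, 'PERSON') = 'PERSON'
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Enforce: one authentication policy for the whole account. With
--    MFA_ENROLLMENT = REQUIRED, a password user without MFA is pushed into
--    enrolment at the next interactive login instead of being let in.
--    Restricting MFA_AUTHENTICATION_METHODS to PASSWORD leaves SSO users
--    to the IdP's own MFA rather than stacking a second Duo prompt.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_for_people
  MFA_ENROLLMENT             = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Human password users must enrol in MFA; service users use key-pair/OAuth';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_for_people;

-- Confirm what is now in force at account level.
SELECT *
FROM   TABLE(snowflake.information_schema.policy_references(
           ref_entity_name   => CURRENT_ACCOUNT(),
           ref_entity_domain => 'ACCOUNT'));

-- 3. Hunt: successful password-only logins in the intrusion window the
--    breach letter describes (access held April 14 to May 24, 2024).
--    LOGIN_HISTORY keeps 365 days and lags up to about two hours, so this
--    is a retrospective check, not a real-time alert. Group by source IP
--    and client so a credential used from an unfamiliar network stands out.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= '2024-04-14'::TIMESTAMP_LTZ
  AND  event_timestamp <  '2024-05-25'::TIMESTAMP_LTZ
  AND  is_success = 'YES'
  AND  first_authentication_factor  = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY logins DESC, first_seen;
```

Two caveats a practitioner will hit: the account-level policy does nothing for a user who already has a user-level authentication policy set, since the more specific policy wins, so query the USERS view for `has_password` and MFA state again after the change rather than assuming; and enrolment-on-login only helps for interactive clients, so any password credential baked into a script or driver connection should be rotated to key-pair or OAuth rather than waiting for a prompt that will never be answered.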
Just the ticket … or not
Ticketmaster is the other big name still embroiled in the Snowflake saga; it was also one of the first companies suggested to be affected.
The ticketing giant is still reportedly being extorted for $2 million by digi-rascals as part of an ongoing campaign that has recently seen 166,000 Taylor Swift tour ticket barcodes allegedly leaked on a cybercrime forum.
The Register asked Ticketmaster for a statement but it didn’t immediately respond. ®