Identity Breaches: A Growing Threat in Cybercrime
Identities reign supreme on the dark web, fueling billions in fraud annually. High-profile breaches involving Santander, TicketMaster, Snowflake, and recently Advanced Auto Parts and LendingTree illustrate how swiftly attackers exploit vulnerabilities in organizational security. TechCrunch has confirmed that hundreds of Snowflake customer passwords tied to information-stealing malware are now accessible online. Snowflake's choice to make multi-factor authentication (MFA) optional, rather than mandatory, has exacerbated the identity crisis faced by its compromised customers.
Cybercrime Intelligence: A Collaborative Threat Landscape
Cybercrime organizations and nation-states are increasingly confident in executing identity breaches, allegedly collaborating with cybercrime intelligence providers via Telegram. Hudson Rock, a cybercrime intelligence provider, recently published a blog on May 31, detailing how threat actors breached Snowflake. This included a conversation with the hacker responsible for prior breaches at Santander and TicketMaster.
The now-removed blog outlined that the attacker accessed a Snowflake employee’s ServiceNow account using stolen credentials, bypassing Okta. Once inside, they generated session tokens to navigate Snowflake’s systems undetected and exfiltrated vast amounts of data.
Single-Factor Authentication: A Major Vulnerability
Snowflake’s platform defaults to single-factor authentication, which poses serious security risks. Their documentation states, “By default, MFA is not enabled for individual Snowflake users.” Threat actors have specifically targeted users reliant on single-factor authentication, utilizing credentials acquired through infostealing malware. CISA has issued a warning for all Snowflake customers.
Investigations by Snowflake, CrowdStrike, and Mandiant reveal that attackers accessed demo accounts through a former employee's credentials. These accounts, lacking robust security measures like Okta or MFA, provided an entry point into Snowflake’s systems. However, the firm asserts that there is no evidence of a systemic flaw or breach in their platform.
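The two passages above describe the weak configuration at the heart of these incidents: accounts that can be reached with a password alone, using credentials harvested by infostealers. The following audit queries are an added example (not taken from the article, Snowflake, or the investigating firms) and assume a role with access to the SNOWFLAKE.ACCOUNT_USAGE share, such as ACCOUNTADMIN; they first inventory password-only users and then list recent password-only logins by source address so that a user suddenly appearing from many unfamiliar IPs stands out.

```sql
-- Added example (not from the article or Snowflake's own advisory):
-- two audit queries against the SNOWFLAKE.ACCOUNT_USAGE share, which
-- lags live activity by up to a couple of hours. Assumes a role that can
-- read that share (for example ACCOUNTADMIN).

-- 1. Inventory: active users who can log in with a password but have no
--    Duo MFA enrolled and no key-pair auth, i.e. password-only identities.
SELECT name,
       login_name,
       email,
       last_success_login,
       password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
  AND  has_rsa_public_key = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful logins in the last 30 days where the only
--    factor was a password (no MFA, no SSO), grouped per user and source
--    IP. A user whose history shows many new addresses in a short window
--    is a candidate for credential compromise and forced rotation.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY user_name, logins DESC;
```

Rows returned by the first query are the accounts to enrol in MFA or move to key-pair or SSO authentication; rows from the second are the ones to review against known corporate egress addresses before deciding whether to revoke sessions and rotate credentials.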
Widespread Data Breaches Impacting Millions
One of the largest breaches in Santander’s history compromised the credit card and personal information of up to 30 million customers. Meanwhile, 560 million TicketMaster patrons had their data exfiltrated in a separate breach, exposing names, addresses, emails, phone numbers, and credit card details. The hacker group ShinyHunters has been actively selling this stolen data on the revived BreachForums.
Moreover, another BreachForums user, Sp1d3r, claimed to have obtained information from two additional companies linked to the Snowflake incident. This includes data from Advanced Auto Parts, involving 380 million customer details, and lending service providers LendingTree and QuoteWizard, which reportedly contain 190 million profiles.
Proactive Responses: Transparency in Breach Notifications
CISOs and security leaders recognize the importance of transparency when disclosing significant cybersecurity events. Santander and TicketMaster swiftly reported unauthorized access to their third-party cloud databases.
Live Nation, TicketMaster’s parent company, filed an 8-K with the SEC, stating they detected unauthorized activity on May 20 and initiated an investigation. The document revealed that on May 27, a hacker offered alleged company data for sale on the dark web.
Santander echoed this in their statement, confirming unauthorized access to their databases hosted by third-party providers.
Rethinking Trust: Enhancing Identity Security
The confidence of attackers to compromise nearly 600 million records highlights a critical need to reassess identity protection strategies. Over-reliance on a single authentication method increases susceptibility to breaches.
Adopting a zero-trust approach, which assumes breaches may have already occurred, is vital. Seventy-eight percent of enterprises report that identity-based breaches have adversely affected operations this year. Among those breached, 96% believe earlier implementation of identity-based zero-trust measures could have prevented the incidents.
IAM (Identity and Access Management) is central to zero trust and aligns with guidelines under NIST SP 800-207. Additionally, identity security is a key aspect of President Biden’s Executive Order 14028.
Organizations are increasingly evaluating advanced authentication methods to mitigate risk. Despite advancements, passwords continue to pose significant challenges. Gartner analysts note, “Despite the advent of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration.”
CISOs are focused on strengthening authentication controls, emphasizing the following:
- Rapidly implement continuous authentication for every identity.
- Enhance credential hygiene and increase rotation frequency.
- Restrict users to a verified list of applications to mitigate risks.
- Utilize AM systems to monitor all identity-related activities.
- Improve user self-service, BYOI, and expand external use cases.
To combat the identity crisis, CISOs require user-friendly passwordless authentication systems that adapt to any device without compromising on security. Leading solutions include Microsoft Authenticator, Okta, Duo Security, Auth0, Yubico, and Ivanti’s Zero Sign-On (ZSO).