UPDATED 18:56 EST / JUNE 06 2024

Hackers steal and offer for sale 3TB of data from Advance Auto Parts

U.S. auto parts provider Advance Auto Parts Inc. has had 3 terabytes of data containing sensitive customer and employee details stolen and offered for sale on the latest incarnation of BreachForums.

First reported by BleepingComputer, the stolen data is said to include 380 million customer profiles, including names, emails, phone numbers and addresses, 140 million customer orders, 44 million loyalty and gas card numbers with customer details, auto parts and parts numbers, sales history, employment candidate information and transaction tender details.

A user named “Sp1d3r” is advertising the stolen data on BreachForums with an asking price of $1.5 million. BleepingComputer was able to confirm that a large number of the Advance Auto Parts customer records are legitimate.

The attacker claims to have stolen the data as part of an attack on customers of Snowflake Inc. and that the attacks on Snowflake started in mid-April. The claim that Snowflake customers are being compromised follows a breach of Ticketmaster Entertainment LLC on May 29, which was also subsequently linked to Snowflake.

Snowflake has previously said that the hack of Ticketmaster, as well as that of another company, Santander UK plc, was not related to a breach of its platform. It denied involvement, citing findings from CrowdStrike Holdings Inc. and Google LLC’s Mandiant, the two companies hired to investigate the claim.

“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” Snowflake said on June 2. “Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”

Snowflake further added that the data theft was directed against users with single-factor authentication, with the threat actor leveraging credentials previously purchased or obtained through information-stealing malware. Security experts also point to the lack of multifactor authentication as the factor that led to the breaches.

“The root cause points to accounts that are not protected by MFA,” Nitin Sonawane, co-founder and chief product officer of Identity security solutions startup Zilla Security Inc., told SiliconANGLE. “Customers may believe they are protected with MFA enabled once they turn on single sign-on. However, there is an SSO bypass vulnerability at play if not configured correctly. New authentication methods do not override previously configured ones, allowing account access with simple password authentication even when SSO is in place.”

Sonawane recommends that Snowflake users use SSO and MFA for all accounts, including service accounts using key pairs or OAuth for machine authentication. When enforcing SSO, users should remove the account password as per Snowflake’s documentation. They should also identify any Snowflake accounts created outside the enterprise identity platform with static passwords by querying the Snowflake Users table to detect whether a password is enabled. Additionally, users should scan the environment for compromised activity using Snowflake’s recommended queries.
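As an added illustration of the checks Sonawane describes (example queries written for this article, not code from the article, from Zilla Security or from Snowflake), the statements below inventory users who can still authenticate with a password alone, review recent password-only logins, and strip the password from one such account. They run against the SNOWFLAKE.ACCOUNT_USAGE views, which need a role granted access to that share and lag live activity by up to a couple of hours; the user name in the last statement is a placeholder.

```sql
-- 1. Inventory: enabled, non-deleted users that still hold a password and
--    have no second factor. Users provisioned through SSO should show
--    HAS_PASSWORD = FALSE; service accounts should rely on a key pair or
--    OAuth (HAS_RSA_PUBLIC_KEY) rather than a static password.
SELECT name,
       login_name,
       email,
       has_password,
       COALESCE(has_mfa, FALSE)            AS has_mfa,
       has_rsa_public_key,
       ext_authn_duo,
       last_success_login,
       created_on
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT COALESCE(disabled::BOOLEAN, FALSE)
  AND  has_password = TRUE
  AND  NOT COALESCE(has_mfa, FALSE)
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Activity review: successful logins in the last 30 days where the only
--    factor was a password. Each (user, source IP, client) triple is one row,
--    so unfamiliar addresses or client types stand out for follow-up. Logins
--    that arrived via SSO show SAML2_ASSERTION as the first factor; key-pair
--    logins show RSA_KEYPAIR, and neither appears here.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY user_name, last_seen DESC;

-- 3. Remediation for an account that should authenticate only through SSO or
--    a key pair: removing the password closes the password-only path that
--    remains open even after SSO is configured. "svc_report_loader" is a
--    placeholder user name for this example.
ALTER USER svc_report_loader UNSET PASSWORD;
```

Re-run query 1 after remediation; an account that still appears in it can still be reached with a leaked or stolen password regardless of the SSO configuration.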

Photo: Mike Mozart/Flickr
