U.S. auto parts provider Advance Auto Parts Inc. has had 3 terabytes of data containing sensitive customer and employee details stolen and offered for sale on the latest incarnation of BreachForums.

First reported by BleepingComputer, the stolen data is said to include 380 million customer profiles, including names, emails, phone numbers and addresses, 140 million customer orders, 44 million loyalty and gas card numbers with customer details, auto parts and parts numbers, sales history, employment candidate information and transaction tender details.

A user named “Sp1d3r” is advertising the stolen data on BreachForums with an asking price of $1.5 million. BleepingComputer was able to confirm that a large number of the Advance Auto Parts customer records are legitimate.

The attacker claims to have stolen the data as part of an attack on customers of Snowflake Inc. and that the attacks on Snowflake started in mid-April. The claim that Snowflake customers are being compromised follows a breach of Ticketmaster Entertainment LLC on May 29, which was also subsequently linked to Snowflake.

Snowflake has previously said that the hack of Ticketmaster, as well as that of another company, Santander UK plc, was not related to a breach of its platform. It denied involvement, citing findings from CrowdStrike Holdings Inc. and Google LLC’s Mandiant, the two companies hired to investigate the claim.

“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” Snowflake said on June 2. “Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”

Snowflake further added that the data theft was directed against users with single-factor authentication, with the threat actor leveraging credentials previously purchased or obtained through information-stealing malware. The lack of multifactor authentication leading to the breaches is also supported by security experts.

“The root cause points to accounts that are not protected by MFA,” Nitin Sonawane, co-founder and chief product officer of Identity security solutions startup Zilla Security Inc., told SiliconANGLE. “Customers may believe they are protected with MFA enabled once they turn on single sign-on. However, there is an SSO bypass vulnerability at play if not configured correctly. New authentication methods do not override previously configured ones, allowing account access with simple password authentication even when SSO is in place.”

Sonawane recommends that Snowflake users should use SSO and MFA for all accounts, including service accounts using keypairs or OAuth for machine authentication. When enforcing SSO, users should remove the account password as per Snowflake’s documentation. They should also identify any Snowflake accounts created outside the enterprise Identity Platform with static passwords by querying the Snowflake Users table to detect if a password is enabled. Additionally, users should scan the environment for compromised activity using Snowflake’s recommended queries.

Photo: Mike Mozart/Flickr