Scientific American: A Doctor Who superfan explains in detail how the unusual cardiovascular system of the alien Time Lords could evolve and function (archive). Reddit AMA with author.

Voice of Baceprot are a devoutly Muslim all-female Indonesian thrash metal band hell-bent on shattering the genre's masculine image and misconceptions about Islam.

Advance Auto Parts, Inc., one of the big suppliers of automobile aftermarket components in America, has reported a data breach to the US Securities and Exchange Commission (SEC).  Advance Auto Parts data breach was first reported by The Cyber Express on June 6, 2024. In its report to the SEC, the company said that a data breach from its third-party cloud storage had resulted in unauthorized access to consumer and policyholder information. In a June 14 filing to the SEC, the company said, “On May 23, 2024, Advance Auto Parts, Inc. identified unauthorized activity within a third-party cloud database environment containing Company data and launched an investigation with industry-leading experts. On June 4, 2024, a criminal threat actor offered what it alleged to be Company data for sale. The Company has notified law enforcement.” A threat actor going by the handle “Sp1d3r” had claimed to have stolen three terabytes of data from the company’s Snowflake cloud storage. The stolen information was allegedly being sold for US$1.5 million on dark web. [caption id="attachment_78143" align="alignnone" width="815"] (Source: X)[/caption] According to the threat actor, the stolen data included 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses; information on 358,000 employees, 44 million Loyalty/Gas card numbers, the company’s sales history, among other details.

Details of Advance Auto Parts SEC Filing

In its declaration to the SEC, auto parts seller said that “There has been no material interruption to the Company's business operations due to the incident. “Based on the review of files determined to have been impacted, the Company believes that some files contain personal information, including but not limited to social security numbers or other government identification numbers of current and former job applicants and employees of the Company,” the filing said. Advance Auto Parts said that the company would share information about the data breach and would offer free credit monitoring and identity restoration services to the impact parties. The company noted that though it was covered by insurance, the cyberattack could cost damages up to $3 million. “The Company has insurance for cyber incidents and currently expects its costs related to response and remediation to be generally limited to its retention under such policy. The Company currently plans to record an expense of approximately $3 million for the quarter ending July 13, 2024, for such costs,” it said to the SEC. Advance Auto Parts currently operates 4,777 stores and 320 Worldpac branches primarily within the United States, with added locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of the cloud storage company Snowflake. These attacks have been taking place since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers.  Many of Snowlflakes’ clients had reportedly taken down their databases after the series of cyberattacks. Infact, a comprehensive report revealed that 165 customers were impacted by the Snowflake data breach. It was on July 26, 2023 that the US Securities and Exchange Commission directed companies to mandatorily declare material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. The correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA) but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, who helped Snowflake in its investigation, confirmed that the compromised credentials were from customer instances and were traced back to infostealer malware logs. Several variants of infostealer malware were used, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed it had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies know to have been impacted in the Snowflake data breach:

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Tech Crunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence. Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.

Not our fault, says CISO: “UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance Auto Parts.

The post Ticketmaster is Tip of Iceberg: 165+ Snowflake Customers Hacked appeared first on Security Boulevard.

Last week on Malwarebytes Labs:

• Google will start deleting location history
• Advance Auto Parts customer data posted for sale
• Husband stalked ex-wife with seven AirTags, indictment says
• Microsoft Recall snapshots can be easily grabbed with TotalRecall tool
• Financial sextortion scams on the rise
• Say hello to the fifth generation of Malwarebytes
• Big name TikTok accounts hijacked after opening DM
• US residents targeted by utility scammers on Google
• Debt collection agency FBCS leaks information of 3 million US citizens
• 800 arrests, 40 tons of drugs, and one backdoor, or what a phone startup gave the FBI, with Joseph Cox: Lock and Code S05E12
• WhatsApp cryptocurrency scam goes for the cash prize

Last week on ThreatDown:

• Ransomware drives healthcare provider into administration
• FBI has 7,000 LockBit decryption keys available
• Microsoft calls time on NTLM, so should you
• Why complexity has become a security issue
• Azure Service Tags vulnerability could allow attackers to access private data
• ClearFake walkthrough

Stay safe!

Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, has allegedly suffered a massive data breach. A threat actor going by the handle "Sp1d3r" claimed Advance Auto Parts data breach. The threat actor further claims to have stolen three terabytes of data from the company's Snowflake cloud storage. The stolen information is allegedly being sold for US$1.5 million. According to the threat actor, Sp1d3r, post the stolen data includes:

• 380 million customer profiles, containing names, emails, mobile numbers, phone numbers, addresses, and more.
• 44 million Loyalty/Gas card numbers, along with customer details.
• Information on 358,000 employees, though the company currently employs around 68,000 people. This discrepancy suggests the data might include records of former employees.
• Auto parts and part numbers.
• 140 million customer orders.
• Sales history
• Employment candidate information, including Social Security numbers, driver's license numbers, and demographic details.
• Transaction tender details.
• Over 200 tables of various data.

The threat actor has specified that a middleman is required to facilitate the sale of the stolen data, and no dealings will be conducted via Telegram. Furthermore, what’s worth noting is that in its post, the threat actor claimed to sell the stolen information of 358,000 employees, despite the fact that the organization now employs approximately 68,000 people. The disparity could be due to old data from former employees and associates. [caption id="attachment_75319" align="aligncenter" width="815"] Source: X[/caption] [caption id="attachment_75320" align="aligncenter" width="346"] Source: X[/caption] To find answers to these doubts and verify the threat actor's claims, The Cyber Express Team reached out to the officials to verify the breach, however, as of writing this news report no response has been received. Therefore, the confirmation or denial of these claims has yet to be verified. Advance Auto Parts operates 4,777 stores and 320 Worldpac branches primarily within the United States, with additional locations in Canada, Puerto Rico, and the U.S. Virgin Islands. The company also serves 1,152 independently owned Carquest branded stores across these locations, as well as in Mexico and various Caribbean islands.

Advance Auto Parts Data Breach: Linked to Snowflake Cyberattacks

The Advance Auto Parts data breach is part of a recent series of attacks targeting customers of Snowflake, a cloud storage company. These attacks have been ongoing since at least mid-April 2024. Snowflake acknowledged the issue in a statement, informing a limited number of customers who they believe may have been impacted by the attacks. However, Snowflake did not provide specific details about the nature of the cyberattacks or confirm if data had been stolen from customer accounts. This incident follows another significant breach involving Live Nation, the parent company of Ticketmaster. Hackers claimed to have stolen personal details of 560 million customers, and the stolen data was hosted on Snowflake's cloud storage. Live Nation disclosed this breach in a filing to the U.S. Securities and Exchange Commission (SEC), revealing that a criminal actor had offered the company's user data for sale on the dark web. In response to the breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, issued a joint statement regarding their ongoing investigation into the targeted threat campaign against some Snowflake customer accounts. They are working diligently to understand the extent of the breach and mitigate its impact. Screenshots shared by the threat actor indicate that the leaked data contains numerous references to 'SNOWFLAKE,' supporting the claim that it was stolen during the recent Snowflake data theft attacks. The full extent of the data breach and its implications for Advance Auto Parts and other companies using Snowflake remains to be seen. With Snowflake's large client base and the significant volume of data they manage, the repercussions could be widespread. Only time will tell how many more companies will disclose their data breaches linked to the recent Snowflake attacks. In the meantime, affected customers and employees are advised to monitor their personal information closely and take necessary precautions to protect their data. Companies utilizing Snowflake's services should stay vigilant and follow cybersecurity best practices to safeguard their data against potential threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers.

Allegedly the customer data includes:

• Names
• Email addresses
• Phone numbers
• Physical address
• Orders
• Loyalty and gas card numbers
• Sales history

The data set allegedly also includes information about 358,000 employees and candidates—which is a lot more than are currently employed by Advance Auto Parts (69,000 in 2023).

The cybercriminal is asking $1.5 Million for the data set.

Advance Auto Parts has not disclosed any information about a possible data breach and has not responded to inquiries. But BleepingComputer confirms that a large number of the Advance Auto Parts sample customer records are legitimate.

Interestingly enough, the seller claims in their post that the data comes from Snowflake, a cloud company used by thousands of companies to manage their data. On May 31st, Snowflake said it had recently observed and was investigating an increase in cyber threat activity targeting some of its customers’ accounts. It didn’t mention which customers.

At the time, everybody focused on Live Nation / Ticketmaster, another client of Snowflake which said it had detected unauthorized activity within a “third-party cloud database environment” containing company data.

The problem allegedly lies in the fact that Snowflake lets each customer manage the security of their environments, and does not enforce multi-factor authentication (MFA).

Online media outlet TechCrunch says it has:

“Seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.”

TechCrunch also says it found more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for Snowflake environments, belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others.

Meanwhile, Snowflake has urged its customers to immediately switch on MFA for their accounts.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While the Advance Auto Parts data has yet to be confirmed, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.