Advance Auto Parts says more than 2 million impacted by data breach
More than 2.3 million people were impacted by a recent breach affecting Advance Auto Parts — one of the world’s largest automotive products retailers.
In filings with regulators in Maine, Vermont, Texas and several other states, the company said 2,316,591 people had names, Social Security numbers, driver’s license or other government-issued identification numbers as well as dates of birth leaked during a May campaign against customers of data storage giant Snowflake.
Advance Auto Parts previously confirmed that it was one of about 160 companies impacted by a string of attacks against customers of Snowflake.
Last month a hacker on a popular cybercriminal forum posted a stolen database allegedly from Advance Auto Parts that contained information on 380 million customers. BleepingComputer confirmed that at least some of the data was legitimate, and Advance Auto Parts told WIRED at the time that it was investigating the claim.
In the breach notification letters sent to victims on Wednesday, the company said that “like many other companies” it discovered the incident affecting Snowflake customers on May 23. The company said it began an investigation alongside hired help to look into the breach.
“Our investigation determined that an unauthorized third party accessed or copied certain information maintained by Advance Auto Parts from April 14, 2024 to May 24, 2024,” the company said, noting that the review was finished on June 10.
Victims are being given 12 months of identity protection services. Advance Auto Parts has more than 4,700 stores across the U.S.
One of many
Other affected Snowflake customers include one of the largest school districts in the US, Neiman Marcus, Santander, Ticketmaster, LendingTree and more.
Investigations by Snowflake and several cybersecurity companies showed that the data storage platform itself was never hacked; cybercriminals instead used malware to steal the login credentials for specific Snowflake accounts.
Cisco Talos expert Nick Biasini recently said the incident highlights a growing concern defenders have about cybercriminal groups that are stealing and selling stolen credentials “by the thousands or tens of thousands.”
“These actors operate large scale campaigns, gather, vet, and organize the credentials they harvest ready to sell to the highest bidder,” he said. “This ecosystem includes providing tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.”
TechCrunch reported on a website where cybercriminals could access the Snowflake login credentials for more than 500 accounts representing large companies like Ticketmaster and Santander. Cybercriminals used infostealer malware to obtain the credentials used by employees to access Snowflake databases, the news outlet reported.
Mandiant previously said the hacking group behind the Snowflake campaign is “based in North America, and collaborates with an additional member in Turkey.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.