LendingTree confirms that cloud services attack potentially affected subsidiary

Financial services firm LendingTree confirmed that one of its subsidiaries was potentially affected by a cybersecurity incident following a wider attack on customers of data storage company Snowflake. 

A spokesperson for LendingTree told Recorded Future News that it was informed by Snowflake directly of an incident involving QuoteWizard — an insurance information platform acquired by LendingTree in 2018. 

“We can confirm that we use Snowflake for our business operations, and that we were notified by them that our subsidiary, QuoteWizard, may have had data impacted by this incident. We take these matters seriously, and immediately after hearing from them launched an internal investigation,” the spokesperson said Friday. 

“That investigation is ongoing. As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, LendingTree. Given that this is an ongoing investigation we are not able to comment further.”

The company did not respond to follow-up questions about whether data being sold on the dark web was part of what was stolen from Snowflake. On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard.

The alleged database included customer details, partial credit card numbers, insurance quotes and other information. The hacker is offering the information for $2 million. 

The same hacker posted another stolen database allegedly from automotive giant Advance Auto Parts that contained information on 380 million customers. BleepingComputer confirmed that at least some of the data is legitimate and Advance Auto Parts told WIRED that it is investigating the claim. 

The hacker claimed both databases came from breaching accounts that the companies had with Snowflake — which spent last week responding to what it describes as a targeted campaign “directed at users with single-factor authentication.” 

Snowflake initially denied that its products were connected to two other massive data breaches announced over the last week affecting Ticketmaster and Santander Bank. In multiple statements since last week, Snowflake confirmed that the accounts of some of its customers have been under attack by threat actors but denied that it was the result of any issue with the core Snowflake platform.

Mandiant’s take

Snowflake hired CrowdStrike and Mandiant to conduct an investigation. Mandiant published a blog post on Monday explaining that its investigation found a financially motivated threat actor who has “stolen a significant volume of records from Snowflake customer environments.” 

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” Snowflake official Brad Jones said, denying that there was any vulnerability or issue with the company’s products. 

Mandiant and Snowflake have notified approximately 165 potentially exposed organizations. Mandiant said the hackers behind the campaign are “based in North America, and collaborates with an additional member in Turkey.”

Mandiant CTO Charles Carmakal added that researchers “anticipate this threat actor and others will replicate this campaign across other SaaS solutions.” 

Ticketmaster’s parent company reported a data breach to the Securities and Exchange Commission and the company confirmed to TechCrunch that the data leaked was from a database hosted on Snowflake — one of the largest cloud storage companies. 

In a statement on Friday, Jones said his company’s initial assessment — that the breaches were not caused by an issue with the Snowflake platform and were instead due to stolen login information — remains the same. Jones said the company is working with customers to “harden their security measures to reduce cyber threats to their business.” 

“We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts,” Jones said. 

“While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business.”

TechCrunch reported on a website where cybercriminals can access the Snowflake login credentials for more than 500 accounts representing large companies like Ticketmaster and Santander. Cybercriminals used infostealer malware to obtain the credentials used by employees to access Snowflake databases, the news outlet reported. 
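The article names two controls, multi-factor authentication and network policies, and a cause, credentials harvested by infostealer malware and replayed from elsewhere. The Snowflake SQL below is an added illustration written for this page; it is not from the article, from Snowflake or from Mandiant. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view available to account administrators; the policy name, the IP range (a documentation range) and the distinct-IP threshold are placeholders to be replaced with an organisation's own values.

```sql
-- Added example (not from the article or from Snowflake): defender-side checks
-- an account administrator could run. Object names and IP ranges are placeholders.

-- 1. Successful logins over the last 30 days that used only a single factor
--    (a password with no second factor). These are the accounts the campaign
--    described in the article could reach with a stolen password alone.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Users whose credentials were used from an unusual number of source
--    addresses in the window. A credential lifted by an infostealer and reused
--    by someone else tends to appear from addresses outside the organisation's
--    normal ranges; the threshold of 3 is a placeholder to tune per environment.
SELECT user_name,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name
HAVING COUNT(DISTINCT client_ip) > 3
ORDER BY distinct_ips DESC;

-- 3. A network policy (the control Snowflake's statement refers to) that limits
--    where the account can be reached from. 203.0.113.0/24 is a documentation
--    range standing in for the organisation's own egress addresses; applying
--    the policy at account level makes a stolen password useless from outside it.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

The first two queries are read-only and can be run before any change; the network policy is a blocking control, so the allowed list should be verified against current administrator sessions before it is set on the account, and MFA enrollment should then be enforced for the users surfaced by the first query.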

Cybersecurity agencies in the U.S. and Australia have released advisories about the campaign targeting companies’ Snowflake environments.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.