Snowflake's Credential Crisis Hits 165 Companies
Q2 2024's theme was clear: identity is the new perimeter. Snowflake credential theft hit 165 companies, ransomware paralyzed hospitals on two continents, and healthcare couldn't catch a break.
From The Bit Baker Quarterly Roundup — Q2 2024
PLUS: Ransomware shuts down hospitals on two continents, and Change Healthcare fallout continues
Good morning, Dave. Q1's Change Healthcare nightmare was supposed to be a wake-up call. Instead, Q2 proved nobody heard the alarm. Stolen credentials — harvested by cheap infostealer malware, sitting in underground markets — were used to walk into 165 Snowflake customer environments and walk out with data on hundreds of millions of people. No vulnerability exploitation. No zero-day. Just passwords.
Meanwhile, ransomware kept hammering healthcare. Ascension's 142 hospitals went back to pen and paper after a Black Basta attack. London's NHS trusts canceled thousands of surgeries when Qilin hit their pathology provider. The common thread across every major incident this quarter wasn't technical sophistication — it was missing MFA and unmonitored access.
In this quarter's security Bit Baker:
- Stolen credentials unlock 165 Snowflake customer environments
- Black Basta ransomware takes Ascension Healthcare offline
- Qilin ransomware cripples London hospitals via pathology provider
- Change Healthcare aftermath reveals 100M+ affected individuals
Infostealer Malware + Missing MFA = 165 Breached Companies
The Bit Baker: Starting in mid-April, threat actors used credentials stolen by infostealer malware to access at least 165 Snowflake customer environments — including Ticketmaster, Santander, and AT&T — exfiltrating data on hundreds of millions of people without ever exploiting a Snowflake vulnerability.
Unpacked:
- The attack was embarrassingly simple. Infostealers like Lumma and Vidar had harvested Snowflake credentials from employee machines months earlier. Attackers (tracked as UNC5537/ShinyHunters) logged into customer accounts that lacked MFA, ran SHOW TABLES, and started downloading everything.
- Ticketmaster lost records on 530 million customers — names, emails, partial credit cards, purchase history — exposed in an SEC filing on May 31. Santander confirmed 30 million customers across Chile, Spain, and Uruguay were affected. AT&T later confirmed its breach also traced back to Snowflake.
- Snowflake itself wasn't breached. The company pointed out that affected accounts had no MFA configured and, in some cases, used credentials from demo environments belonging to former employees. Snowflake subsequently moved to require MFA by default.
Bottom line: This wasn't a platform failure — it was an ecosystem failure. Infostealers are a commodity. The credentials were available for purchase. The only thing standing between attackers and 165 corporate databases was a missing checkbox labeled "enable MFA." That's the state of cloud security in 2024.
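The detection side of the story above: the single most useful signal a Snowflake customer had during this campaign was a successful password-only login from an address the user had never used before. The script below is an added example, not code from the newsletter or from Snowflake; its record layout is modeled on the column names of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about the exact field names), and the login rows are constructed for the demonstration. It flags logins with no second factor, logins from a client IP outside the user's baseline, and the intersection of the two as the highest-priority set, then lists which users should be enrolled in MFA.

```python
"""
Added example (not part of the newsletter): triage of login-history records
for the pattern described above -- password-only logins from source addresses
not previously seen for that user.

Field names mirror Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns
(USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR,
SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, EVENT_TIMESTAMP); that mapping is an
assumption, and every row below is constructed sample data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]  # None means no MFA on this login
    is_success: bool


# Constructed sample: a month of normal activity, then a burst of password-only
# logins from an unfamiliar address, plus a dormant demo account waking up.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 3, 20, 9, 0), "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 3, 22, 8, 30), "bob", "198.51.100.5", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 3, 28, 9, 5), "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 4, 2, 8, 45), "bob", "198.51.100.5", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 15, 2, 11), "bob", "192.0.2.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 15, 2, 12), "bob", "192.0.2.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 16, 3, 40), "carol", "192.0.2.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 17, 1, 5), "alice", "192.0.2.77", "PYTHON_DRIVER", "PASSWORD", None, False),
]

# Start of the investigation window; everything before it forms the baseline.
SINCE = datetime(2024, 4, 10)


def single_factor_logins(events):
    """Successful logins that used a password with no second factor at all."""
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    ]


def new_source_logins(events, since):
    """
    Successful logins at or after `since` from a client IP that the same user
    never used successfully before `since`. A user with no baseline at all
    (e.g. a dormant demo account) is flagged on every login.
    """
    baseline = defaultdict(set)
    flagged = []
    for e in sorted(events, key=lambda ev: ev.event_timestamp):
        if not e.is_success:
            continue
        if e.event_timestamp < since:
            baseline[e.user_name].add(e.client_ip)
        elif e.client_ip not in baseline[e.user_name]:
            flagged.append(e)
    return flagged


def triage(events, since):
    """Combine both signals into a small report a responder can act on."""
    single = single_factor_logins(events)
    new_src = new_source_logins(events, since)
    high_priority = [e for e in new_src if e in single]
    return {
        "single_factor_count": len(single),
        "new_source_count": len(new_src),
        "high_priority_events": high_priority,
        "high_priority_users": {e.user_name for e in high_priority},
        # Anyone who has successfully logged in without a second factor.
        "users_needing_mfa": {e.user_name for e in single},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS, SINCE)
    for e in report["high_priority_events"]:
        print(f"{e.event_timestamp:%Y-%m-%d %H:%M} {e.user_name:6} {e.client_ip:13} "
              f"{e.reported_client_type} password-only, unfamiliar source")
    print("enroll in MFA:", sorted(report["users_needing_mfa"]))
```

In the sample, alice's logins never appear in the report: her successful sessions all carry a second factor, and the password-only attempt from the unfamiliar address fails. bob and carol both surface as high priority, carol because a dormant account with no baseline suddenly logging in from a driver client is exactly the "demo environment of a former employee" case the newsletter describes.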
Black Basta Takes 142 Hospitals Back to Pen and Paper
The Bit Baker: On May 8, the Black Basta ransomware group hit Ascension Healthcare — one of the largest US health systems with 142 hospitals — after an employee downloaded a malicious file, triggering six weeks of disrupted patient care and a $1.1 billion fiscal-year loss.
Unpacked:
- Electronic health records went completely offline. Clinicians across 142 hospitals reverted to handwritten notes, verbal orders, and paper-based workflows. Ambulances were diverted. Elective procedures were canceled. Patients couldn't access their own medical records through portals.
- The attack ultimately compromised data on 5.6 million people — patients, employees, and senior living residents — including Social Security numbers, medical records, insurance information, and payment details.
- Restoring core EHR systems took roughly six weeks. The total financial impact contributed to Ascension's $1.1 billion net loss for the fiscal year, with direct cyberattack costs around $79 million in the initial months.
Bottom line: Two major US health system ransomware attacks in two consecutive quarters — Change Healthcare in Q1, Ascension in Q2. At this point, the pattern isn't surprising anymore. What's alarming is that an employee clicking a single malicious file can still cascade into nationwide patient care disruption.
Qilin Ransomware Cripples London Hospital Services
The Bit Baker: On June 3, the Qilin ransomware group attacked Synnovis, the pathology services provider for southeast London's major NHS hospital trusts, encrypting lab systems and forcing hospitals to cancel over 1,500 operations and 10,000 outpatient appointments — including cancer treatments and organ transplants.
Unpacked:
- Synnovis runs blood testing and transfusion services for Guy's and St Thomas', King's College Hospital, Royal Brompton, and GP practices across six London boroughs. When their systems went down, hospitals lost the ability to match blood types — triggering emergency use of O-type blood and critical supply shortages.
- Qilin demanded $50 million, which went unpaid. On June 20, the group leaked 400 GB of stolen data on the dark web, including HIV test results, STI screenings, cancer diagnoses, names, dates of birth, and NHS numbers for roughly 900,000 patients.
- At least one patient death was attributed to delayed blood test results. An NHS review identified 170 cases of patient harm, including two classified as severe. Full recovery stretched into late 2024.
Bottom line: The Synnovis attack demonstrated that you don't need to breach a hospital directly to shut one down. Attacking a shared service provider — one that handles blood work for an entire metropolitan area — can be even more devastating. Third-party risk in healthcare isn't theoretical anymore.
Change Healthcare Fallout: 100 Million Records and Congressional Scrutiny
The Bit Baker: As Q2 unfolded, the full scope of the Change Healthcare breach from February became staggeringly clear: over 100 million individuals affected, making it the largest healthcare data breach in US history, with UnitedHealth CEO Andrew Witty testifying before Congress.
Unpacked:
- UnitedHealth confirmed that the ALPHV/BlackCat affiliate had exfiltrated data on more than 100 million people — far exceeding initial estimates. The stolen data includes Social Security numbers, medical diagnoses, treatment records, and billing information spanning years of healthcare transactions.
- CEO Andrew Witty testified before both the Senate Finance Committee and House Energy & Commerce Committee in May, confirming the $22 million ransom payment and acknowledging that the compromised Citrix portal lacked MFA — a basic security control.
- The US State Department placed a $10 million bounty on information leading to BlackCat's leaders, while multiple state attorneys general launched investigations into the breach's impact on their residents.
Bottom line: Change Healthcare went from a company nobody had heard of to the subject of congressional hearings in three months. The breach exposed how consolidated the US healthcare payment infrastructure actually is — and how catastrophically that concentration fails when a single provider goes down.
The Shortlist
Dell confirmed a data breach affecting 49 million customer purchase records in May, with names, addresses, and order information exposed — though financial data and passwords were reportedly not accessed.
Dropbox disclosed that Dropbox Sign (formerly HelloSign) was breached, with attackers accessing customer emails, API keys, and OAuth tokens through a compromised service account in the Sign production environment.
Palo Alto Networks patched a critical zero-day in PAN-OS (CVE-2024-3400) that was under active exploitation, allowing unauthenticated remote code execution on GlobalProtect gateway and portal configurations — one of the highest-severity firewall vulnerabilities of the year.
Check Point disclosed a VPN zero-day vulnerability that allowed attackers to access enterprise networks through Check Point Security Gateways with remote access VPN or mobile access enabled, prompting emergency patches across the install base.