Why A Bot-Free Policy Is Good For Security

As the dust settled from the Snowflake security incident, it became clear that the reported account compromises were not caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. This is good news for Snowflake but bad news for some unlucky customers. So what happened?

User Account Security: Growing Threat

The root cause of the exploit was a "financially motivated threat actor" who was "systematically compromising Snowflake customer instances using stolen customer credentials."

Specifically, Mandiant called out that user-level accounts created for third parties are the principal threat:

Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector. These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.

Threat Actors Targeting Third Parties

As Mandiant's investigation revealed, the Snowflake incidents were traced back to compromised customer credentials, often from contractors using personal or non-monitored laptops. This highlights the inherent dangers of allowing third-party services access to user accounts.

Not only is the threat detailed in UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion, but the "Scrape and Pillage" threat assessment details the significant risk that backdoor data scraping accounts represent for platforms like Amazon Seller Central, Vendor Central, and Advertising.

Threat actors know it is easier to target third parties, especially since using bots to scrape data violates most platforms' terms of service.

As a result, data scraping bots have emerged as a significant point of attack for threat actors. Services that rely on user-level account access to scrape data are ripe for attack because bots are programmed to mimic human behaviors to gain access to account-specific data.

The risks of programmatic account data scraping cannot be overstated. As detailed in the Scrape and Pillage threat assessment, data scraping bots can expose sensitive information, facilitate financial fraud, and compromise customer trust.

They operate outside of official, approved channels, creating significant vulnerabilities that can be exploited by malicious actors. This is why most platforms do not permit account-level data scraping.

Mitigating Risks: User Account Data Scraping Bots

At Openbridge, we have a long-standing stance against using bots, web scraping, or screen scraping technologies. Our bot-free policy reflects our approach to only use official APIs for authorization and data access.

Openbridge will never ask that you create user accounts to log in to Google, Meta, or any Amazon Vendor, Seller, or Advertiser accounts.

The Snowflake incidents are a stark reminder of the potential consequences of compromised customer login credentials when given to third-party tools.

Be Vigilant For Fake Emails

As the Scrape and Pillage threat assessment mentions, spear-phishing attempts may trick you into creating special accounts or email addresses for third-party services to access your data. They may also ask you to disable security features like two-factor authentication, passkeys, or other enhanced security procedures.

Openbridge will never make such requests.

Openbridge only leverages standard OAuth mechanisms such as Login With Amazon (LWA).

If you happen to receive any communication claiming to be from us that raises these red flags, do not respond to the email and report it to our team as soon as you can.

Security Audit Your Tool Providers

The emerging threat landscape surrounding data scraping bots underscores the risks of sharing user-level account access with third parties.

Tool Provider Checklist:

  1. Investigate how third-party tools access your data. Ask them if they use data, web, or screen scraping tools to access your data.
  2. If a tool provides data or reports unavailable through official APIs, have them document their data-sourcing methods for the data or report in question. If data is unavailable via official APIs, they likely use data scraping bots. This is a red flag.
  3. Request a legal attestation from the tool provider stating they do not use bots, web scraping, or screen scraping to access data. This legally binding document holds the provider accountable for their data access methods. If a provider is unwilling or unable to provide such an attestation, this is another red flag.

We suggest thoroughly reviewing third-party tools that require user account logins for their data services to operate. If the service cannot operate without having your team create user-based login accounts for data access, you should stop using it immediately.

If you need help or assistance, please let us know.

By the same token (pun intended) you might as well rule out subcontractors.
