pwshub.com

Snowflake enables MFA across all new user accounts

Snowflake continues to push forward in strengthening its users' cybersecurity posture by making multi-factor authentication the default for all new accounts.

The imposition follows a lighter-touch move in July when it enabled admins to mandate MFA across their organization's user accounts.

Incident response and threat intel specialist Mandiant investigated a spate of data thefts at Snowflake customers such as Ticketmaster and Santander Bank in May. Its experts found a commonality between all the customers that had experienced such incidents: MFA wasn't enabled.

The individual(s) behind the online alias ShinyHunters claimed responsibility for the breaches. They allegedly stole 1.3TB of data from Ticketmaster concerning circa 560 million people, while in Santander's case, the claim involved details of 30 million accounts and 28 million credit card details. The bank also told Maine's Attorney General that more than 12,000 US employees were affected.

Following these incidents, Snowflake was pressured to make changes, especially during a time when it was still trying to shake the allegations made by security shop Hudson Rock that the breaches were caused by attackers breaking through the data analytics provider's own security. 

These changes came in the form of the mandatory MFA option for admins in July. The latest announcement extends this initiative and then some.

"As part of our continuing efforts, we are announcing that MFA will be enforced by default for all human users in any Snowflake account created in October 2024," said Snowflake CISO Brad Jones and principal product manager Anoosh Saboori. "Service users – accounts designed for service-to-service communication – will not be subject to this MFA requirement."

Passwords also got a boost as the minimum length has increased from 8 to 14 characters and the previous five passwords cannot be reused. This will apply to all newly created and changed passwords, also starting in October. 

This all feeds into Snowflake's long-term ambition to eliminate password-only authentication from its platform, it said, without providing a date for that change.

In the meantime, users were advised to consult the cloud storage and data analytics company's white paper on security best practices to strengthen accounts further.

Snowflake also recommended using single sign-on (SSO) when possible and enabling MFA through the identity provider. If neither is possible or for "break-glass" scenarios, use Snowflake's built-in MFA.

For service accounts, external OAuth should be used where possible, and failing that, enable key pair authentication with network policies. ®
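
The guidance above can be turned into an account audit. The following is an added example, not code from Snowflake or from the article: the inventory is constructed, and every field name (`kind`, `sso`, `idp_mfa`, `snowflake_mfa`, `external_oauth`, `key_pair`, `network_policy`) is an assumption of this sketch rather than a Snowflake column name.

```python
# Added example: check a constructed user inventory against the article's guidance.
MIN_LENGTH, HISTORY = 14, 5  # password rules quoted in the article

def policy_gaps(policy):
    """Compare a password policy (hypothetical dict) with the new minimums."""
    gaps = []
    if policy.get("min_length", 0) < MIN_LENGTH:
        gaps.append(f"minimum length below {MIN_LENGTH}")
    if policy.get("history", 0) < HISTORY:
        gaps.append(f"fewer than {HISTORY} previous passwords blocked")
    return gaps

def user_findings(u):
    """Return the ways one user record departs from the recommendations."""
    out = []
    if u["kind"] == "human":
        # Preferred: SSO with MFA enforced at the identity provider.
        if u.get("sso") and not u.get("idp_mfa"):
            out.append("SSO without MFA at the identity provider")
        # Any remaining password login (including break-glass) needs built-in MFA.
        if u.get("has_password") and not u.get("snowflake_mfa"):
            out.append("password login without built-in MFA")
    else:  # service user: exempt from MFA, so the credential type matters
        if u.get("external_oauth"):
            return out
        if not u.get("key_pair"):
            out.append("neither external OAuth nor key pair authentication")
        elif not u.get("network_policy"):
            out.append("key pair authentication without a network policy")
    return out

def audit(users):
    """Map user name -> findings, omitting users with nothing to report."""
    return {u["name"]: f for u in users if (f := user_findings(u))}

# Constructed sample inventory (not real accounts).
USERS = [
    {"name": "alice", "kind": "human", "sso": True, "idp_mfa": True},
    {"name": "bob", "kind": "human", "has_password": True},
    {"name": "breakglass", "kind": "human", "has_password": True, "snowflake_mfa": True},
    {"name": "carol", "kind": "human", "sso": True, "has_password": True},
    {"name": "bi_sync", "kind": "service", "external_oauth": True},
    {"name": "etl_loader", "kind": "service", "key_pair": True},
    {"name": "legacy_job", "kind": "service", "has_password": True},
]

if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(f"{name}: {'; '.join(findings)}")
```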

Source: theregister.com
