Advance Auto Parts, the sprawling U.S. based auto aftermarket parts company, is sending notices to more than 2.3 million people alerting them that their personal information may have been leaked during a data breach stemming from the incident involving cloud storage services provider Snowflake.

The company, based in North Carolina, filed notices with a range of states saying that among the information taken was Social Security numbers, driver’s licenses or other government-issued identification numbers, and dates of birth.

In a letter to the customers sent this week, Advance Auto Parts said they learned May 23 that a hacker had accessed information the company had kept with Snowflake starting April 14. The bad actor was able to continue accessing the data until May 24.

The company announced the hack June 10, after its investigation was completed, becoming one of more than 160 companies that potentially had data being stored with Snowflake accessed. News of the letters Advance Auto Parts was sending out has been overshadowed by that of AT&T, which announced after that almost all of its customers from 2022 – about 110 million people – had their phone metadata stolen from Snowflake.

“Upon learning of the incident, we promptly terminated the unauthorized access and took proactive measures aimed at preventing future unauthorized access,” the company wrote in the letter. “We also notified law enforcement. In addition, we continue to work with third-party cybersecurity experts to take steps to further harden our systems and emerge from this incident an even more secure organization.”

Many Victims

The Snowflake campaign continues to ripple through companies using the cloud data storage provider, with other victims including such names as Progressive, Neiman Marcus, Pure Storage, Santander Bank, State Farm and Ticketmaster.

Advance Auto Parts is a huge operation, running 4,786 stores and 321 Worldpac branches, with locations also in Canada, Puerto Rico and the U.S. Virgin Islands. It also serves customers in Mexico and some Caribbean Islands as well as more than 1,200 independently owned stores under the Carquest brand.

The company also is offering those affected by the breach 12 months of free access to Experian credit monitoring and identity restoration services.

It also is having to deal with the legal fallout. There are reports of lawsuits being filed and lawyers with ClassAction.org are looking for people who’ve been notified that their information was breached to determine whether a class action lawsuit should be filed.

A Financially Motivated Threat Group

According to Google’s Mandiant cybersecurity unit and security firm CrowdStrike, the threat group behind the Snowflake campaign didn’t actually breach the storage services company. The group, UNC5537, instead used credentials that had previously been stolen – some as far back as 2020 – to get into the Snowflake accounts of companies that did not have multifactor authentication (MFA) activated.

From there, the bad actors stole the data and began extorting the victim companies. Mandiant described UNC5537 as a financially motivated group that stole a “significant volume of records” from Snowflake customers.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” Mandiant wrote in its June 10 report.

A Changing Threat Landscape

Nick Biasini, head of outreach for Cisco’s Talos threat intelligence unit, wrote in a blog post last month that the Snowflake campaign is symptomatic of an evolving cyberthreat landscape that is being transformed by the continued rise in ransomware – many cybercriminals want in on the lucrative action – ransomware groups that are more likely to steal data for extortion purposes rather than encrypting it, and threat groups that are increasingly zeroing in on compromised credentials for initial access rather than exploiting known vulnerabilities.

The credentials come from typical phishing campaigns to infostealer malware to insider threats, with the valid credentials giving bad actors cover for their activities. It’s a murky world, Biasini wrote.

“Many defenders think the infostealers landscape is a monolith with individual actors compromising victims and gathering credentials, but the truth is these are highly organized widely distributed campaigns,” he wrote. “The groups have congregated online in Telegram chat rooms where credentials are sold by the thousands or tens of thousands.”

The bad actors run large-scale campaigns that include gathering, vetting and organizing the credentials they steal and getting them ready to sell to the highest bidder. Biasini added that “this ecosystem includes providing tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.”