Credential theft

LendingTree / QuoteWizard data breach via Snowflake (UNC5537 / Sp1d3r)

📅 2024-04-14 🏢 Snowflake cloud data platform / LendingTree QuoteWizard subsidiary

Incident Details

The UNC5537 threat actor ‘Sp1d3r’ posted on BreachForums on 1 June 2024, claiming to have stolen 190 million individual records and 3 billion tracking pixel data records (2 TB compressed) from LendingTree’s QuoteWizard insurance comparison subsidiary via its Snowflake environment. The data included names, addresses, phone numbers, dates of birth, driver’s licence numbers, SSNs, and financial information. LendingTree confirmed the Snowflake connection on approximately 2 June 2024. The incident is part of the broader Snowflake campaign affecting 165+ organisations. Class action lawsuits have been filed.

Technical Details

Initial Attack Vector
CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
Vendor / Product
Snowflake cloud data platform / LendingTree QuoteWizard subsidiary

Timeline

  1. 2024-04-14 Breach occurred
  2. 2024-06-01 Publicly disclosed
  3. 2024-07-01 Customers notified