American automotive aftermarket parts provider Advance Auto Parts is notifying over 2.3 million individuals that their personal information was compromised in the Snowflake incident earlier this year.
As part of the Snowflake campaign, threat actors used stolen credentials, harvested by information stealers on non-Snowflake systems, to access roughly 165 customer accounts at the cloud storage provider.
Starting mid-April, the attackers accessed Snowflake accounts that lacked multi-factor authentication (MFA) protections and network allow lists, and then attempted to extort the victim organizations by threatening to leak the stolen data.
On July 10, Advance Auto Parts disclosed to the Maine Attorney General’s Office that the personal information of 2,316,591 individuals was stolen from its Snowflake account and that it has started sending data breach notifications.
The compromised personal information, the company says, includes names, dates of birth, Social Security numbers, driver’s license numbers, and other government-issued identification numbers.
In a notification letter to the impacted individuals, a copy of which was submitted to the Maine AGO, Advance Auto Parts explained that the attackers accessed and copied data from its Snowflake account between April 14 and May 24.
“Upon learning of the incident, we promptly terminated the unauthorized access and took proactive measures aimed at preventing future unauthorized access. We also notified law enforcement,” the notification letter reads.
Advance Auto Parts is providing the impacted individuals with 12 months of free credit monitoring and identity theft protection services.
The Snowflake campaign also impacted Anheuser-Busch, Allstate, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, State Farm, Santander Bank, and Ticketmaster.
Australia-based live events and ticketing firm Ticketek Entertainment Group (TEG) might have been affected as well.